While I want to appreciate PayPal's security assistance, I feel there are numerous problems with this issue.

From another thread: "Just to follow up and end this topic, PayPal customer support replied that whenever it suspects an unauthorized login it will force you to change the password whether you want to or not. For those of you using multiple mobile devices expect to spend some time keeping track of your passwords!"

First - yes, of course there's the problem that a "new device" automatically means "you MUST change your password". PayPal should at LEAST be sophisticated enough to recognize my wifi network is the same as ALL the other devices I have ever connected with. I wasn't in public. It's a modern "smart" world and we all bring home new devices quite frequently. That shouldn't mean a password reset every time.

Second - I don't even know for sure that the Chromebook was the problem! They provided me with ZERO details. I'm assuming that it's the Chromebook, simply because that was a difference, and it seems to correspond to common complaints in this forum. But if it was a login from some network in Zimbabwe or something - then maybe I should know about it! I want to know about it either way, in fact. Why can't I?

Third - I have hundreds of passwords, and try to keep them unique - that requires a password manager, which is on my phone. Which I didn't have on me, because it's late at night and I really just wanted to send a friend a quick support donation. I simply couldn't do it on my Chromebook - option A was to get up and get my phone, change my password and FINALLY make the payment on the Chromebook, and update the password manager entry on my phone... or option B was STILL to get my phone, find the info on that, make the payment on my phone - and that's if the simple ATTEMPT to log in with my Chromebook didn't force me to change the password on my phone at any rate!

Fourth - I couldn't even simply send one payment? I logged in, my password was correct, I was on my home network - nothing was suspicious. I was going to make a TEN DOLLAR "I'm sorry" donation. Maybe consider a payment threshold (to respect that yes, it might be suspicious if a foreign device logged in and then tried to pay, say, ten THOUSAND dollars, for example). And then I'd know - next time, or sometime before next time, set some time aside, with the password manager on me, to change my password - because next time it won't be optional. Something so I'm not stuck standing outside in the rain even though the key used to work in the lock.

Fifth - what if I was externally alerted by some other means (email, for example) and just wanted (or NEEDED!) to log in to CHECK the list of recent payments, to put my mind at ease that my account WASN'T compromised? I couldn't even log in to LOOK at my payment history, which is a security concern. The forced password change shouldn't prevent me from viewing activity, even in a truly suspicious scenario that locks the account down from making payment activity.

I'm confident that all of this is going to be spun as "It's not a design flaw, it's a feature", but I would like to have these concerns raised to your design team to help make improvements that both minimize inconvenience and improve security from the customer perspective - as opposed to simply mitigating liability from PayPal's perspective, as this current draconian set of code does today. Thanks.
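The post above argues for a graduated, risk-based response (recognize a known home network, gate payments by amount, keep activity history viewable, and tell the user which signal fired) instead of a blanket forced password reset. The following is an added illustration of that design in Python; it is not PayPal's code or anything from this forum, and every name, signal weight and dollar threshold in it is a constructed assumption. The point it demonstrates is that a single "new device" signal on a known network can be handled with no friction for a small payment and a second-factor confirmation for a large one, while only the combination of unfamiliar network plus unfamiliar country blocks payments, and even then a correct password still yields read-only access.

```python
"""Risk-based sign-in and payment policy (hypothetical; constructed for illustration)."""
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"       # low risk: no extra friction
    STEP_UP = "step_up"   # medium risk: confirm with a second factor; password is NOT reset
    BLOCK = "block"       # high risk: payment refused; viewing activity still works


@dataclass(frozen=True)
class Account:
    home_country: str
    known_devices: frozenset
    known_networks: frozenset


@dataclass(frozen=True)
class SignIn:
    password_ok: bool
    device_id: str
    network_id: str
    country: str


@dataclass(frozen=True)
class Assessment:
    score: int
    reasons: tuple


def assess(acct: Account, s: SignIn) -> Assessment:
    """Combine sign-in signals into a score (constructed weights: an unfamiliar
    network or country counts far more than a new device on a known network)."""
    score, reasons = 0, []
    if s.device_id not in acct.known_devices:
        score += 1
        reasons.append("new device")
    if s.network_id not in acct.known_networks:
        score += 2
        reasons.append("unfamiliar network")
    if s.country != acct.home_country:
        score += 3
        reasons.append(f"sign-in from {s.country}")
    return Assessment(score, tuple(reasons))


def session_scope(acct: Account, s: SignIn) -> str:
    """A correct password always yields at least read-only access to activity history."""
    if not s.password_ok:
        return "denied"
    return "full" if assess(acct, s).score <= 2 else "read_only"


# Constructed amount thresholds (USD) below which a payment needs no extra step.
FRICTIONLESS_LIMIT = {0: None, 1: Decimal("100"), 2: Decimal("25")}


def payment_decision(acct: Account, s: SignIn, amount) -> tuple:
    """Return (Decision, reasons) for a payment attempted in this sign-in context."""
    if not s.password_ok:
        return Decision.BLOCK, ("incorrect password",)
    a = assess(acct, s)
    if a.score >= 4:          # e.g. unfamiliar network and unfamiliar country
        return Decision.BLOCK, a.reasons
    if a.score == 3:          # e.g. new device on an unfamiliar network
        return Decision.STEP_UP, a.reasons
    limit = FRICTIONLESS_LIMIT[a.score]
    if limit is None or amount <= limit:
        return Decision.ALLOW, a.reasons
    return Decision.STEP_UP, a.reasons


def user_notice(decision: Decision, reasons: tuple) -> str:
    """Tell the account holder which signal fired, so they can tell their own
    new Chromebook apart from a stranger's login."""
    why = ", ".join(reasons) if reasons else "no unusual signals"
    if decision is Decision.ALLOW:
        return f"Payment sent. Signals noted: {why}."
    if decision is Decision.STEP_UP:
        return f"Confirm with your second factor to continue ({why}). Your password was not changed."
    return f"Payment blocked ({why}). You can still review your recent activity."


if __name__ == "__main__":
    acct = Account("US", frozenset({"phone"}), frozenset({"home-wifi"}))
    chromebook = SignIn(True, "chromebook", "home-wifi", "US")   # the poster's situation
    d, r = payment_decision(acct, chromebook, Decimal("10"))
    print(session_scope(acct, chromebook), user_notice(d, r))
```

The `session_scope` and `payment_decision` split is the design choice worth noting: locking down payments is a separate decision from locking out the account holder, so a suspicious sign-in can be denied the ability to spend without being denied the ability to look.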