Thursday, January 15, 2015

Too Secure? PayPal shows how...

It has been a while since I found the time to add a blog post, but today I came across some security procedures that gave me the perfect occasion to pick things up again.

Everyone who has followed cyber news the past year will have noticed that data breaches, compromised credit cards, compromised online accounts and all kinds of similar subjects are hot topics. It's only normal that online account security has increased for that reason, typically involving two-step verification (alternative email addresses, SMS verification and similar). This can be annoying (have you ever tried to sign in to your Microsoft account from a different country? Yes? Then you know what I'm talking about), but I think we can all agree that such extra security measures are necessary. Or at least that is what I thought, until today...

Today I wanted to log in to my PayPal account, which I had not done for the past 6 months. After I correctly entered my login credentials, I was redirected to a page that explained to me that, in order to confirm I am really the account holder, they needed to call me. Sounds simple enough, except that I no longer own the number that was listed there because I switched to a different service provider last year. And no, astonishing as it may sound, I did not immediately jump to my PayPal account back then to change my telephone number; much as I'd wish to, I don't have a database of online accounts that contain my phone number. I naively assumed PayPal, being a reputable company, would have an option that allows you to introduce your old phone number (which was mostly x-ed out in the web form) and replace it with an updated number.

After peering at the screen and all its options for 5 minutes, I discovered that PayPal doesn't offer that option; my only option was to contact customer service. Of course, to contact customer service they want you to log in, which consequently showed me the "phone verification" screen again. I finally managed to find an email address and contacted them.

Five minutes after sending my support request, including a clear description of my problem, I received an (automated) reply, explaining to me that the solution is really simple: I just had to log in and change my phone number in my profile. Sigh...
But, fortunately, the mail also told me that, if this automated message did somehow not resolve my problem, I could reply to it and a support employee would get back to me. So, I replied, explained everything again and sure enough this morning I received a call from PayPal. A very polite support person verified my identity and gave me a security code that should allow me to reset my password, which should fix the problem. And, admittedly, the password reset went flawlessly. There was just this one little problem: after successfully changing my password I still received the phone verification screen, so nothing was resolved.

I sent an email yet again, and I naively thought that for sure it would be handy to send them a screenshot (one image can tell more than a thousand words). Handy or not, I promptly received a reply that explained how for security reasons (by that time I was starting to hate that term) they couldn't receive images in email messages.
Not giving up at that, I dutifully copy-pasted the message on screen and sent that instead. Ten minutes later I received another reply: they had removed the old phone number from my account so I should be able to log in now.
And true, the phone verification screen was gone. Now I just got the following:
Of course I mailed them again with the text of the error message. Ten minutes later I received a reply. They had tried to call me but I hadn't replied, and asked if I could kindly call them instead. I'm absolutely convinced they had tried to call me on the old number; after all, I had only explained four times by then that it was no longer in use. But, me being an understanding human being, I gave them a call instead.

I really don't want to withhold what security verification they have on their support line (including entering associated bank account number and telephone numbers), but that would make this post even longer than it is already. After a lot of typing, retyping and please-wait-a-moment music, I finally got hold of another very polite support person. I explained everything to them again and they went to talk to "someone" about this (in my experience that means: I don't know what the heck to do about this so I need to talk to my supervisor). After ten minutes they were back. They had found the problem. I was not logging in from the country where my associated bank account is registered. That is correct, and some years ago I already sent them copies of ID, utility bills and what not to explain that fact.

Okay, in that case the solution was real simple: I just had to go to the country where I have my bank account and when I'm there, contact them again. Sounds easy, but not if that is a country you don't live in for the most part of a year.

The support person gave me the following splendid explanation: "You know, this really is for your own good. At PayPal we hold security in the highest regard. This really is necessary with today's attempts at online fraud. The fact that we have imposed these restrictions on your account should therefore make you happy."
Because they already had handed me the solution to my problem and because I already had decided that keeping an account I use maybe twice a year for purchases I can make with my VISA card as well, is not productive, I only remarked that, nevertheless, it appears to me that having such tight security that it will lock out the owner, even though a number of checks have been passed to verify the identity of the account holder, is a bit pointless.

In Conclusion...

On the bright side: my account is so secure that even I cannot access it! Therefore I don't have any reason to be afraid an attacker will gain access to it.

On the not-so-bright side: after the remarks of the last helpful support person, I decided to do a very simple test. Working in security I have a VPN that allows me to select the country I connect to. I connected to the country my bank is located in, I accessed PayPal and sure enough I was able to reach my account without any problem or verification at all.

As a side note, PayPal doesn't like VPNs either. Since I don't like PayPal very much anymore and already closed my account, I'm not too worried about that though... Oh, and we all know that real hackers never would be so sneaky as to use a VPN, TOR or something similar to commit their fraud, right??

Oops, I guess my account isn't as secure as I (and PayPal support) thought...