You call this security? You’ve got to be kidding me

I just got off the phone with PayPal’s customer service department.

The reason I was on the phone in the first place – because you probably know how much I absolutely love talking to customer service representatives – is that I was trying to be a good Netizen.

I received a couple – not one – of emails originating from Paypal’s service for password resets. This is not a foreign thing, especially for someone that has his email address all over the web. It’s usually some scripting hacker trying to get access to my stuff.

The problem is that at the bottom of the email, there is this section:

If you didn’t ask us for help with your password, let us know right away. Reporting it is important because it helps us prevent fraudsters from stealing your information.

The bolded text was a link to the Paypal site, where I was prompted to Log in, and received a phone number and a Web PIN.

Called the number, had to work my way through an annoying IVR until I was able to say “agent”, where I finally got transferred to a lady with one hell of a heavy accent, methinks Indian.

I explained that I had received these emails and had not requested them. She told me that I simply should ignore them, and I have nothing to worry about, as long as I am able to log into the site.

After being a little firm and asking, why did I receive them if I did not ask for them, she then told me that she ran a search to see if anyone else has the same email as me in their system. Needless to say, I would have been VERY surprised if she said that there was someone else with the same email. I know about databases and keys, for crying out loud.
She then reiterated that I could simply ignore the emails, and that I should even delete them.

At this point, I got a little annoyed. I asked her to consider that I had received this email, and am asked by her company to tell them immediately if I did not request it. To prevent fraudsters, apparently. I got a little wordy, and I guess she latched on to the word “fraud” and figured out the next solution for me.

She asked that I forward the emails to [email protected] – and that an investigative team will get on it immediately. Dare I believe?

Anyways, I did as she asked, and don’t expect to see any kind of meaningful response.

Bottom line is – if your email team is deciding on adding wording to an email that causes your call center to get asked about it, let them know to expect certain kinds of calls and get a better, more “security-inspiring” response that “just ignore it, delete it”.

Thanks, PayPal. I hope you don’t ignore and delete my money, too.

  • Michelle

    I hate PayPal’s customer service. They gave me a world of trouble because I *dared* use my PayPal account from the US, instead of only from Israel where I first created it. In the end, they told me to break their own license agreement and create a US account for myself alongside my Israeli one. I had to demand that they put a note on both accounts about this, just in case they decide to block either or both of them for breaking the agreement… e.e

  • Mike, are you sure that the password reset emails weren’t phishing emails themselves rather than the response of the actual site to password reset requests with your email?

    Are you sure you were really at PayPal’s real website when you went to report this and put your login details in?