From Paypal to the Poorhouse in One Easy Hour
Last week, when my friend Jeff came into work, he found numerous emails waiting for him from Paypal, confirming transactions he'd never made. A malicious hacker had gained access to his Paypal account, and used it to buy thousands of dollars worth of video games. In the process, they depleted his entire bank account. Overdrew it, even.
Jeff, a 35 year-old video editor from San Francisco, immediately contacted Paypal, his bank, and the recipients of his hard-earned cash. In the last case, he notified each that it was a fraudulent transaction, and all were canceled. All the money went right back, and Paypal notified Jeff that it would refund his money.
Yay! You might say. Hurray for Paypal! Hurray for Jeff!
But you'd be premature. See, Paypal, as per its policy, won't refund Jeff's money for up to 60 days. In the interim, he's left with a balance of negative $760, plus more than $200 in overdraft fees. Meanwhile, Paypal notes that it is "processing" the fraudulent transaction.
So how did it happen? Probably phishing. Paypal insists that this must have been the case. While Jeff doesn't recall ever responding to a phishing request, and does not think that he has done so; he isn't positive and he does not deny it.
Vox users might scoff at this. Idiot, you may think. How could someone possibly be so dumb as to repond to a phishing scam? To which I reply: would you advise your grandmother to link her savings to Paypal?
You don't matter, Voxie. You are an elitist. A one-percenter. Nobody cares about you. They care about your neighbor. Your accountant. Your childhood friend. Your dry-cleaner. Your maid.
Here's the thing: we are beyond the era of sophisticated and unsophisticated computer users. Or at least we should be. For if you want to be a truly successful online company, you have to not only get my business, but also my father's--an AOL user for 13 years with no plans to switch. It is easy for us, who have used the Internet since its pre-Web days, to forget how much things have changed. Today, more Americans go online than vote.
Computing is ubiquitous, and each of us should be entitled to the same level of security online that we demand in the real world. When a seldom-used account suddenly lights up and goes beserk on a GTA: San Andreas purchasing spree to the tune of a few grand; Paypal should have a built-in system to put the brakes on. Moreover, it should have better protections to prevent fraud in the first place.
(Something along the lines of a site key comes immediately to mind, but I'm not going to offer solutions here, because quite frankly I don't have any. Well, I have one, but it's not one that Paypal is likely to encourage.)
Instead, what Paypal has--aside from Jeff's money--is a 60 day policy for refunds. Got kids who need feeding? Sorry. 60 days. Nor will Paypal agree to help him with any of the overdraft fees he's racked up. That's between you and your bank, says Paypal.
All of which is well within Paypal's rights. They have a policy, and they are abiding by it. But the thing is: the policy stinks.
Jeff has been talking to me about this since the morning it happened, and one common thread has run through it: Paypal has treated him like a criminal rather than a customer.
His bank was great, he says. The merchants, too, all of whom immediately refunded the money. Paypal, on the other hand, has done nothing but grow more beligerant each time he calls, he says, and extend the waiting time "processing" will take. What was once 10-15 days is now 60 30.
I've been a credit card fraud victim before, and I came away from the experience completely impressed with how well my bank took care of me, despite the fact that it was my fault. (I left my debit card on a store counter once.) I was never on the hook for the money, and it held my hand throughout the entire process. Similarly, when I was mugged a few years ago, my bank and credit card companies not only assured me that I would never be held responsible for any fraudulent charges or bad checks, but also inquired to make sure that I had the money I needed to get by on a day to day basis while my accounts were all closed and re-opened.
Now, I like Paypal, and I use Paypal. A lot. It's very convenient. But Jeff's experience scared the hell out of me. I had not read its policy before, quite frankly, and upon doing so, I took what I deemed to be a neccessary step to protect myself: I transferred some money to my Paypal account from my bank so I can continue to easily make purchases online, and then I de-authorized my bank account.
This might be overkill on my part. I'm not going to respond to a phishing message. Hell, I don't even repond to legitimate emails from friends and employers. But until Paypal comes up with a better way to protect my bank account from fraud, I'm not letting them touch it again.
UPDATE: Jeff says it's to be 30 days now. Um. I guess that's much better?
Comments
good post. sorry for your friend...!
Thanks for the 'heads-up', but how awful for your friend! Although de-authorizing your bank account might make some think it overkill, I think I'll do the same!
very interesting story. the other day, wellsfargo called me. it was one of those wierd automated calls and i hung up when it started asking for information, seeing as i don't even carry the wf card with me. i called wf to see if the call was legit -- it turns out someone had acquired my card number and tried a one-time, $3500 transaction for shoes. WF saw the oddity and immediately stopped me, which is what Paypal should have done. I'm going to disengage my account number immediately as well, since I use paypal maybe three times a year and usually through a card, not a checking account.
I think the problem here, maybe, is that Paypal is a transaction facilitator, not a credit card company itself, so it assumes that it shouldn't behave in the same way as a credit card company or a bank would do.
It quite obvious, however, that this practice isn't doing well by its customers, especially considering the sheer growth of incresinly sophisticaled phishing scams.
I'm just glad that my credit card has a low limit, that it's the only account that I have tied to Paypal (not that I'd want to if I could, but I can't tie my savings/current account anyway as I'm not with a US bank) and that I've gotten into the habit of checking my Paypal account manually when I get an especially convincing e-mail.