Hacker News

About a year ago, I bought clothes online using PayPal for my mother (and shipped to her address). PayPal blocked the transaction and temporarily suspended my account until I could verify a detail. When I logged in to verify, it was asking for the recipient's (my mother's) birth date. I thought it odd that they would ask, and also know, the birth date of someone PayPal has no association with.

I called their support (finding a human to talk to was difficult) to ask for the reason why I would need to give out my mother's birth date. I was asking for other ways I could verify and that I shouldn't be asked to give out someone else's PII. The support person started to become defensive, sarcastically asking "you don't even know your mom's own birthday!?".

I could tell this person saw nothing wrong with the ask and thought I was being intentionally combative. I ended up conceding and giving the information. Since then, I've stopped using PayPal as a payment method.

I always thought this incident strange and have wondered about how their verification method works.



> ## Confirm some info about yourself

> You’ll need to answer some questions to verify your identity. These questions come from a public database dating back as far as 20 years. They may be about property, places, or people you know. We don’t save or store the questions or answers in our system.

https://www.paypal.com/us/cshelp/article/why-do-i-have-to-co...

Interesting. This would mean that they actually have the data to confirm whether it is correct.


> You’ll need to answer some questions to verify your identity. These questions come from a public database dating back as far as 20 years.

Wait, I need to verify my identity by regurgitating public information about me? However PayPal scraped up that information, an attacker could as well. This is absolutely security theater.


Not only are you correct, their database has wrong info about me that I've had to memorize the wrong answers to in order to prove who I am.

It's not great.


I was the victim of identity theft in the 90s, and I often get questions based on the address, and fake credit accounts the thief opened. Super frustrating.


Similar scenario here. While my ex-wife and I were separated, pre-divorce, she thoughtfully applied for credit in my name and gave the address where she was living. Now I have to either choose to lie or fail this type of identity verification. I should really take the time to contact the credit bureaus and get it fixed.


I'm sure they are using the same type of database that the credit reporting companies provide. Not only does it often contain incorrect information, it sometimes asks me detailed financial questions about my adult siblings. How in the hell should I know what mortgage company my brother has used in the past? And it is NOT my job to contact him and find out so you can cover your ass with fake security theater.


Hilarious, in the sense that I have to laugh because otherwise I would cry.


How did you learn the answers?


My last name is unusual enough that I recognized the street names that family had lived on from the set of options.

So not my address, but real ones that extended family members lived at. Just not me.


Guess I am in trouble then if I ever get stuck into something like that. My 'public' information whenever I query it is a blend of at least 3 other people. Of which only one I know. One DB thinks I am married to my mother-in-law.


While I've seen these sorts of verification methods quite rarely, what's very frustrating about them is that in my experience, the questions both make assumptions about what information is private for a person, and also come from rudimentary matching on public databases, which can easily result in questions you wouldn't be expected to know the answer to.

In one case, while, I think, signing up for something that should not have required strong security, I think an online account for a shipper, I was asked for the birth date of a 'relative who lived with me'. Only, she didn't live with me: she was my ex-aunt, who had not spoken to any of us since her divorce when I was around 8, and who had moved out of the house, and out of the state, around two decades before we moved into it. The matching appears to have been entirely based on two people with the same last name having been recorded at the same address at some points over the course of 20 years, with no cross-referencing of other data or whether the dates were at all near each other. And given how common my last name is, it would not have been too surprising to have simply been asked the birth date of a complete stranger.

I actually called the company to find out how to get an account without answering this rather infeasible question, and they pointed out that if I just tried creating an account again, it would ask me a different set of ridiculous questions. I did, and while I don't recall what the questions were, I do recall they were such that a basic search for my name online would have immediately answered them, providing no identity verification whatsoever.
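The matching the comment above infers (two people with the same last name recorded at the same address at any point in a 20-year window, with no check that the dates overlap) can be modelled directly. The block below is an added example, not code from the thread or from any records vendor; the records are constructed and the "overlap-aware" alternative is the editor's suggestion, not anything a vendor is known to do.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Residency:
    """One public-records row: a person recorded at an address over a date range."""
    person: str
    last_name: str
    address: str
    start: date
    end: date


# Constructed sample records (not real people or addresses).
RECORDS = [
    Residency("subject", "Smith", "10 Elm St", date(2019, 1, 1), date(2023, 12, 31)),
    Residency("spouse", "Smith", "10 Elm St", date(2020, 5, 1), date(2023, 12, 31)),
    # Same surname, same house, two decades earlier: the "ex-aunt" case.
    Residency("ex-aunt", "Smith", "10 Elm St", date(1996, 1, 1), date(1998, 12, 31)),
    # Common surname: a complete stranger who once lived at the same address.
    Residency("stranger", "Smith", "10 Elm St", date(1990, 1, 1), date(1991, 6, 30)),
    # Different surname: never a candidate for a "relative" question.
    Residency("neighbor", "Jones", "10 Elm St", date(2019, 1, 1), date(2023, 12, 31)),
]


def naive_cohabitants(subject: str, records: list[Residency]) -> set[str]:
    """Commenter's inferred join: same last name + same address, at any time."""
    mine = [r for r in records if r.person == subject]
    found = set()
    for s in mine:
        for r in records:
            if r.person != subject and r.last_name == s.last_name and r.address == s.address:
                found.add(r.person)
    return found


def overlapping_cohabitants(subject: str, records: list[Residency],
                            min_overlap_days: int = 180) -> set[str]:
    """Date-aware variant: the two stays must actually overlap for a while."""
    mine = [r for r in records if r.person == subject]
    found = set()
    for s in mine:
        for r in records:
            if r.person == subject or r.last_name != s.last_name or r.address != s.address:
                continue
            overlap = (min(s.end, r.end) - max(s.start, r.start)).days
            if overlap >= min_overlap_days:
                found.add(r.person)
    return found


if __name__ == "__main__":
    # The naive join produces the ex-aunt and a stranger as "relatives who lived with you".
    print("naive:      ", sorted(naive_cohabitants("subject", RECORDS)))
    # Requiring overlapping dates leaves only the person who actually lived there with them.
    print("overlapping:", sorted(overlapping_cohabitants("subject", RECORDS)))
```

The point for anyone building or buying knowledge-based authentication: a question generated from the naive join is unanswerable by the legitimate user and, because the underlying rows are purchasable, no harder for an attacker than for anyone else.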


I had one recently that asked what mortgage company my brother had used in the past.


I might be misunderstanding, but what's the value in asking someone to verify identity via info available in a public database?


Stops low-effort scams. Other than that, zero.


It's not quite public. You usually would need to set up a company and pay for access to it. Presumably from one of the credit companies.


> Interesting. This would mean that they actually have the data to confirm whether it is correct.

I don’t find that surprising. I’ve hired a private investigator in the past. The amount of data US consumer reporting agencies have goes back decades. They will happily sell it to you as long as you agree not to use data older than regulatory thresholds. Credit reporting tends to have 5-7 year thresholds, so many people think that’s all they have. They keep it for much longer, and just make you agree you won’t use data older than the applicable threshold.

The reports I've gotten from my PI have had biographical data going back to the late eighties. They've even provided SSNs and DOBs with nothing more than a name and general address match.


I've interacted with multiple financial services that do the same thing. This is not unique to paypal.


Is this database actually a thing? A private company asking these questions is already worrying on its own, but them already having the answer really feels like over-reaching. I'm pretty sure it's a US thing because there would be no way this would be legal in the EU, but I'm tempted to do a GDPR request to PayPal.


Some of it is credit report stuff, and some of it is public records like tax rolls.

You can look up an individual’s salary in Finland online whether they work public sector or not.

It’s all creepy, but like my name on the deed of my house not being a secret is a good thing.


Do they even know your mom's birthdate? Can't you just give them a random date?

Also, if you bought something at a webshop, why does PayPal know who it's being sent to? They just need to know you and the webshop, don't they? Who the webshop sends it to is between you and the webshop.


Reminds me of when I went to pick up my first UK passport after I gained citizenship. The passport office had no interest in looking at my foreign passport to verify my identity. Instead they asked me a series of questions about my family, what professions they have, etc., that I know they couldn't have the answers to, unless they did some investigation that I think was highly unlikely given the volume of applications after the Brexit vote.

I think instead they were just checking if I looked like I was answering the question confidently or if I looked like I was trying to make things up.


Oh yeah, they do that all the time. I have dual citizenship and they’ve asked me a few times upon leaving the UK where I was staying, who I was with, what those people’s professions were, etc. I think it’s just random spot-checks to see if you look nervous. But if you get annoyed with them and tell them you’re a citizen they stop.


I was flying from the UK to the USA once, on my own. They asked me what my hobbies are and what the most recent movie I saw was.


A lot of online credit fraud schemes involve sending things to an unwitting 3rd party.


Sorry, could you go into more detail here? This happened to my mom several years ago, and we always wondered why.


One thing it could have been is the “brushing” scam

Creating fake orders to enable fake reviews for a product to be posted, boosting the product listing.

https://en.wikipedia.org/wiki/Brushing_(e-commerce)


Steal CC info from person A.

Buy item using a junk email address and the shipping address of person B.

On delivery day, wait near person B's home, and grab the package when UPS delivers it. If person B manages to get to the package first, scammer is only out some time.

Junk email and 3rd party mailing address - harder to track scammer. Of course, this ignores IP address and similar - smart scammer would also use Tor and other tools to obfuscate the online transactions.


Or:

Steal credit card.

Sell new stuff on eBay.

Wait for purchaser.

When someone buys from you on eBay, you go to a merchant, and order stuff with the stolen credit card, and have it shipped to the buyer.

You have your money from eBay. Person has their stuff. Owner of stolen card gets refunded.

Only the merchant has lost some money. Which makes this hard to stop.


That's a good point, I don't actually know. I just assumed yes because they would ask. I also didn't want to complicate the process of releasing the funds – perhaps that was naive.

I believe in this checkout flow, it kicked me over to PayPal where I could specify the shipping address there. PayPal probably relays the address back to the merchant, akin to checking out with Apple Pay where you specify a shipping address via the Wallet app.


Sometimes when a credit card payment is handled by PayPal they ask for my first name. I enter my initials, since that's what's actually on my credit card and is what I always use when making payments with it, but they don't accept it. Maybe somehow they know my actual first name, but I'm not going to give it to them, so I then abort the payment.


Indeed, if you use privacy.com to get a temporary credit card (this is for totally legit purposes, folks!), you can use any name and address on the form you enter it in. Only the credit card #, expiration date, and security code are verified.


> I enter my initials, since that's what actually on my credit card and is what I always use when making payments with it, but they don't accept it

They (or probably just the form) don't like dots and/or too few characters in the field.

As the sibling comment says, you can actually enter anything you want in the "CARDHOLDER NAME" field 99% of the time. For years I've typed "$BANK NAME" or "$BANKNAME CARD" (note the space) there and I've never been denied.


Interesting. I have tried all combinations with and without spaces or dots, but I don't think I ever considered entering something not truthful, even though I have done that in other online forms thousands of times (one favourite is entering the street address of the organization I'm interacting with instead of my own when ordering non-physical goods; and fake birth dates of course). There's something about payments that apparently I consider more "holy" than other things.


Back in the day you could [sometimes] see FIRSTNAME L. on the sales receipt, but that was when the magstripe was the only option. Apparently it was a form of anti-fraud measure back in the 20th century, so someone could compare what is printed on the card with what is written on the receipt (aaaaand what?).

The move to chip cards and later to PayPass (which doesn't even transmit your card number in any meaningful way) rendered the inclusion of anything there meaningless.

> There's something about payments that apparently I consider more "holy" than other things.

Well, there is always some idiot who would make it hard for everyone else. Like web designers who have a very... interesting understanding of the outside world (people with Verylonglastnames-SometimesDoubledUp? living on Cultist Monks Revolution of May 1111 year Street? Don't kid me, they don't exist!). Or admins who make you think twice about entering bullshit in the form because the scary red letters say you would need a national ID to receive the package (and the names there and on the receipt should be the same!), only for the courier to just hand over the package and be on his merry way without even bothering to check anything (and sometimes forgetting to take the money for a package paid in cash, lol).

For now, the only place I know where you need to give your real (i.e. printed on the card, not your real one, lol again) name is when the card data is processed manually. The only country where I know that still exists is the US of A; last year a friend of mine needed to fill out a PDF form (thankfully electronic, without the need to print it and send it physically!) to pay for Untappd Business.


I learned recently that a common option for address verification is to concatenate all the numbers and compare that, disregarding all the words.
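Several comments above make the same two observations: the cardholder name field is not compared against anything (the privacy.com and "$BANKNAME CARD" comments), and address verification is reported to compare only the digits of the address. The block below is an added example, not code from the thread, PayPal, or any processor: a simplified model of a card-not-present authorization in which the PAN (Luhn-checked), expiry and CVV decide the outcome, AVS is advisory and digit-only as the comment describes, and the name is accepted verbatim. The on-file record is constructed; 4111 1111 1111 1111 is a widely used test PAN that passes the Luhn check, not a real account.

```python
import re
from dataclasses import dataclass

# Constructed sample issuer record (not real card data).
CARD_ON_FILE = {
    "pan": "4111111111111111",
    "exp": "12/29",
    "cvv": "123",
    "street": "123 Main St",
    "zip": "90210",
}


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: the only structural validation a PAN gets."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def avs_digits(text: str) -> str:
    """Digit-only AVS heuristic the comment describes: keep the numbers, drop the words."""
    return re.sub(r"\D", "", text)


@dataclass
class AuthResult:
    approved: bool
    avs: str            # 'Y' street+ZIP match, 'A' street only, 'Z' ZIP only, 'N' neither
    name_checked: bool  # always False here: the cardholder name is never compared


def authorize(pan: str, exp: str, cvv: str, name: str, street: str, zip_code: str,
              on_file: dict = CARD_ON_FILE) -> AuthResult:
    """Simplified authorization. `name` is accepted and ignored, which is the behaviour
    the comments report; real processors differ in detail, this is a model only."""
    card_ok = (
        luhn_valid(pan)
        and avs_digits(pan) == on_file["pan"]
        and exp == on_file["exp"]
        and cvv == on_file["cvv"]
    )
    street_ok = avs_digits(street) == avs_digits(on_file["street"])
    zip_ok = avs_digits(zip_code) == on_file["zip"]
    avs = {(True, True): "Y", (True, False): "A",
           (False, True): "Z", (False, False): "N"}[(street_ok, zip_ok)]
    return AuthResult(approved=card_ok, avs=avs, name_checked=False)


if __name__ == "__main__":
    # Right card, nonsense name, wrong street name but right numbers: fully "verified".
    print(authorize("4111 1111 1111 1111", "12/29", "123", "$BANKNAME CARD",
                    "123 Fake Ave", "90210"))
    # Right card, wrong house number: still approved, AVS only matches the ZIP.
    print(authorize("4111111111111111", "12/29", "123", "J. Doe",
                    "456 Main St", "90210"))
    # Wrong CVV: declined regardless of a perfect name and address.
    print(authorize("4111111111111111", "12/29", "999", "Jane Doe",
                    "123 Main St", "90210"))
```

The practical consequence for fraud controls is that neither the name nor the words in the street address add any assurance: an attacker who holds the PAN, expiry and CVV only needs the house number and ZIP to get a full AVS match, which is why the shipping-address checks discussed elsewhere in the thread carry the real weight.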


"Please fill out the STATE" is the bane for anyone who orders from the States, along with ZIP codes. Thankfully 90210 works most of the time.


And the UK's belief an entire street address always fits into a single short line is a bane for many foreigners. Every country seems to think they're the norm.


In many cases, you can enter any name. Have fun.


> why does PayPal know who it's being sent to? They just need to know you and the webshop, don't they? Who the webshop sends it to is between you and the webshop.

No, it's not, because the buyer has chosen to use PayPal's services for protection, and in order for the merchant to fulfill their end of the deal and also receive PayPal's protection (against chargebacks, disputes, etc) the merchant is required to ship to the address on the order (which PayPal has a record of for verification).

If you offer PayPal as a checkout option, you are required to follow their rules for fulfillment, otherwise you risk losing a PayPal dispute if filed later on.


I've signed-up for dozens and dozens of things with January 1st 1900 as my birthday. They never check.


I’m using 1970-01-01, since it looks nice in their database. Could also switch to 1992-02-01 now.


1992-02-01T18:41:36.969Z Seems nice too, if you want to get specific.


> Could also switch to 1992-02-01 now

Huh?


696902400


It looks twice as nice in unix time ;)


If the merchant used PayPal checkout, then PayPal does all that processing then sends the information to the merchant.


This sounds awful. I honestly don’t know my mom’s birthday and perhaps interestingly she doesn’t technically know it either. Papers lost (and probably made up) multiple times when her family fled her home and then country before ending up here.

And she definitely has a birthday on her driver’s license now, but I think she might have to look at it to make sure she got it right.


On a long enough time line, we probably all don't know our own birthday, if still alive....


I'm sure there are plenty of people refugeed young that don't know.


I stopped keeping track after 21. I have no idea how old I am as I don’t really celebrate my birthday. All I know for sure is that I turned 21 over ten years ago…


Sounds pretty certain that you would never be asked this question, since it is not a matter of public record (or at least, not the public records these systems tend to use)


One assumption could be that there are certain products/services that have age related regulations and Paypal needs to comply. Maybe, if your product or supplier wasn't on that list but you still got asked for a birthdate there was a misconfiguration in that regulation rule set...


One should assume that while they have your money they'll look for anything to use to keep it. Companies are literally legal devices for diffusing responsibility and hiding what the right hand knows from the left hand to remove the intent from what would be fraud.

They play all the games people here report - support reps who are nearly unreachable and who all refuse to read previous communication so everything starts from scratch, randomly just closing the case, etc.

It'd be hilarious if you could torture a paypal exec with their own company's treatment. Put a wheel lock on their car because you claim a similar looking car was stolen on the other side of the country. Refuse to take the lock off their car until they can explain the origin of the car's brandname. Relock the car immediately after unlocking it because they attempted to drive away too soon. Relock it the next time because they didn't drive away soon enough. Lock all of their cars because there's been "too much activity" on their vehicles.


Makes you wonder how much KYC data is being used for ad tech. There’s a perverse incentive to do more KYC, for more than compliance reasons.


Most likely all of it. It is usually laundered through startups and other types with little to lose or who put little effort into reading or complying with legal agreements. These companies then sell it to more legitimate companies who don't realize where the data comes from and it all just ends up in a bunch of big databases that sell access to whoever wants it.


Was PayPal trying to verify your identity or that you know your recipient's identity (who's coincidentally your mother)?

I'm surprised if PayPal expected you to know your recipient's birthday, but "What's your mother's birthday?" would be a common question to verify your identity. They should have moved on to another question if you had a moral objection.

On the other hand, scammers will often ship goods to a nearby address and pick them up off the porch, so verifying that you know your recipient might actually be a fraud countermeasure.


>and shipped to her address

This is what likely triggered it. People that steal PayPal credentials change the shipping address to something other than the address on the PayPal account.


> give out someone else's PII

They ask about information related to your identity.

In this case "someone else's" PII is on your birth certificate.


Reminds me of a property management company reaching out to verify some details from one of my guys, who had applied to rent one of their properties.

Did they call and ask to verify his listed employment? Naw. They sent me an email with a scan of his whole-ass rental application, complete with SSN and everything, unredacted.

I called them out on it and they completely brushed off my complaints.


I also got yelled at when trying to get a quote on auto insurance over the phone because I didn't know my dad's birthday. (Identity verification?) The man ardently supports <anti LGBT political party> and me and half my friends are LGBT, you think I buy him gifts?



