Growling at PayPal

We signed up for a PayPal account ages ago and never got around to using it to process payments (we’ve got a merchant facility with CommBank so there was no great urgency to the situation) — and since setting it up the person responsible has moved on.

Our unverified account has never processed a single payment, and yet with the amount of ID they require for something as simple as a contact name change you could get a passport in some countries.

Business Contact Name Change
To process your name change request, you need to fax in additional information. Please provide a current photo identification and one of the other following documents:

  • A copy of a valid photo identification showing your new name.
  • Acceptable forms of photo identification are a driver’s license, passport or any other state or government issued photo identification.
  • A copy of a recent utility bill showing your new name and address exactly as they appear on your PayPal account.
  • A copy of a recent bank statement for the bank account listed on your PayPal account (if applicable).

Please include a letter on company stationery indicating the primary email address, current name, address and telephone number on the PayPal account, the reason for the name change, and the new business contact name.

So that we can process your request efficiently, please ensure that your documents are valid and legible. As always, any personal identification information that you submit to PayPal will remain secure and will never be transmitted to any third party.

PayPal have never had a rep as a particularly customer friendly organisation, but this isn’t even beneficial to them! With no transactions in the past and less documentation than this required for establishing a NEW account it doesn’t pose any credible threat so far as hijacked accounts/money laundering/whatever goes, and they need to spend time reviewing documents sent in a thoroughly nonstandard way. The bank account verification process is pretty good in terms of automation (albeit risky — you’re essentially giving PayPal license to do whatever with all funds in that account) — this is most certainly not.

Anyone have any good, low % fee or cost/transaction way of hooking into CBA’s Evolve system? The application doesn’t warrant us spending heaps setting it up just yet, and PayPal are good at making things way too risky and difficult. Grumble.

Cheap secure authentication

Verisign OTP from PayPal

These things can be had from PayPal for about five bucks. Or $7.50 if you’re an Aussie. Verisign will flog them off to you for $30, if you’d like, but basically PayPal rocks for this kinda stuff. It’s a one-time password token that effectively enhances your authentication by a massive degree. It’s cool because it works with PayPal and eBay. It’s cooler (and worthwhile) because you can potentially use it with OpenID.

Essentially, it’s a random number seeded with a unique key that gets appended to your regular password. This defeats keyloggers and pretty much all kinds of phishing currently out there. These kinds of devices have been used in corporate VPN/dial-in scenarios for years now (predominantly, in the situations I’m aware of, with technology by RSA SecurID), but this is the first I’ve seen of it from Verisign.
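To illustrate the mechanism described above, here is an added example (not from the original post, and not PayPal's or Verisign's code) of a server checking a password with a one-time code appended and refusing a replayed code. It assumes the HOTP algorithm from RFC 4226, since the post does not say which algorithm the token uses; `Verifier`, its parameters and the sample password are hypothetical.

```python
import hashlib
import hmac
import struct

DEMO_KEY = b"12345678901234567890"  # test secret from RFC 4226 Appendix D

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Verifier:
    """Hypothetical server side for one account: checks 'password + OTP'."""

    def __init__(self, password: str, key: bytes, window: int = 3, digits: int = 6):
        # Demo only: a real service stores a salted, slow password hash.
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self._key, self._window, self._digits = key, window, digits
        self._counter = 0  # next token counter the server will accept

    def login(self, submitted: str) -> bool:
        if len(submitted) <= self._digits:
            return False
        password, otp = submitted[:-self._digits], submitted[-self._digits:]
        pw_ok = hmac.compare_digest(
            hashlib.sha256(password.encode()).digest(), self._pw_hash)
        # Look ahead a few counters: the button may have been pressed unused.
        for c in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(hotp(self._key, c, self._digits), otp):
                if pw_ok:
                    self._counter = c + 1  # this code and earlier ones are spent
                return pw_ok
        return False  # unknown or already-used code, e.g. one a keylogger captured

if __name__ == "__main__":
    v = Verifier("hunter2", DEMO_KEY)        # constructed sample account
    typed = "hunter2" + hotp(DEMO_KEY, 0)    # what the user types once
    print(v.login(typed), v.login(typed))    # second attempt is a replay
```

The captured string is useless on the second attempt because the server has already advanced past that counter, which is the property that blunts keyloggers; it does nothing against a phishing page that relays the code in real time.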

And, sure, it’s only as secure as physical security or the endpoints themselves are, but it’s a massive step up from “what’s your cat’s name?” two-factor auth (though, unfortunately, I think PayPal/eBay offer that as a backup).

I’ve ordered mine and will probably be having a play with OpenID implementations of it (backed by Verisign’s PIP service, but not overly tied to it because of OpenID’s identity-delegation ability) once it arrives (10 business days).

Can’t help but wonder what Verisign’s rates for these things are in a standalone sense. Normally on 5 year contracts, but in terms of cost-per-token. Seems like a great way to defeat the idiot users who insist on having passwords that are blatantly obvious (argue all you like about strength policies: it’s often not feasible when balanced against support load for resultant forgotten passwords).

Also, to those who argue PayPal = evil, if you’re in Australia then please… don’t. Unlike in the US, here they’ve basically got the same financial reporting obligations as any bank does, and customer service necessarily to match it. All the horror stories from the ‘States (not that I think them universally untrue!) pretty much couldn’t happen here or they’d be chucked out of the country. And, whilst they’re so heavily subsidising (or at least obtaining bulk discounts for) this kinda tech, that’s cool with me.

# by Josh on February 8th, 2008