Paypal Email Security Flaw and Potential Fraud

[macinacious]

You can add any email address you like to your Paypal account as long as it is not in use by someone else within Paypal. That seems to be the only check that is made.

The email can be an address that does not belong to you - you can add the president of the United States email to your account, provided he does not have a Paypal account attached to that email, or indeed the Pope. You can add a ficticious, temporary or disposable email.

The email will not be "confirmed" (unless that person eg the president confirms it) but causes significant problems.

For example - the rightful owner of that email will not now be able to use that email in their Paypal account. So you can block the President, for example, or anyone from opening an account.

If by chance the president were to confirm that email then I could siphon off any payments paid to his email.

This could be prevented by Paypal only allowing you to add additional email addresses to your account by interactive confirmation when you attempt to add them to your account.

 

[Fredd-E]

source: https://www.paypal.com/us/selfhelp/article/How-do-I-confirm-my-email-address-FAQ1485

---
You’ll need to confirm your email address before you can send or receive money.

Here's how:

1. Go to your Settings.
2. Click Update next to the email address you want to confirm.
3. Click Confirm this email and we'll send you an email.
4. In the email we send you, click the Confirm your email button to complete the confirmation process.

You will automatically return to the PayPal site where you will be asked to enter your password and the confirmation process will be complete.

Once your email address is confirmed, you can accept payments and the money you receive will show in your PayPal balance. However, you’ll still need to link a bank account or card to your PayPal account before you can send payments. When you send a payment that is greater than your PayPal balance, the difference will come from the bank account or card you link.
---

 

[cswifx]

source: https://www.paypal.com/us/selfhelp/article/How-do-I-confirm-my-email-address-FAQ1485

---
You’ll need to confirm your email address before you can send or receive money.

Here's how:

1. Go to your Settings.
2. Click Update next to the email address you want to confirm.
3. Click Confirm this email and we'll send you an email.
4. In the email we send you, click the Confirm your email button to complete the confirmation process.

You will automatically return to the PayPal site where you will be asked to enter your password and the confirmation process will be complete.

Once your email address is confirmed, you can accept payments and the money you receive will show in your PayPal balance. However, you’ll still need to link a bank account or card to your PayPal account before you can send payments. When you send a payment that is greater than your PayPal balance, the difference will come from the bank account or card you link.
---

I think OP is making a point about how even an unconfirmed PayPal account can withhold the actual email's owner from creating a legitimate PayPal account for themselves, due to the fact that an account for their email already exists. It's a very valid point.

 

[Tech198]

Its not a valid point...

If the user has an unconfirmed Paypal account, why does it exist and NOT confirmed after all this time? If the user cannot access it, then he/she has other problems with getting the password, and account should be deleted before using same email on a legit Paypal account..

This is not an issue. It's security. The same as u cannot use the same credit card on other paypal accounts either for the same reason.

If it's a legit paypal account, then the user would know, or be able to verify this info to begin with.

FYI.. I thought when adding an email, that user must confirm it before use... Otherwise i would say that is another flaw...

eg... you don't need to confirm any email addresses, and u can still use a limited Paypal account.... This is actually not how it should be done.. if security is Paypal's policy.

 

[cswifx]

Its not a valid point...

If the user has an unconfirmed Paypal account, why does it exist and NOT confirmed after all this time? If the user cannot access it, then he/she has other problems with getting the password, and account should be deleted before using same email on a legit Paypal account..

This is not an issue. It's security. The same as u cannot use the same credit card on other paypal accounts either for the same reason.

If it's a legit paypal account, then the user would know, or be able to verify this info to begin with.

FYI.. I thought when adding an email, that user must confirm it before use... Otherwise i would say that is another flaw...

eg... you don't need to confirm any email addresses, and u can still use a limited Paypal account.... This is actually not how it should be done.. if security is Paypal's policy.

So... You dismiss my point and agree with it?

 

[ApfelKuchen]

This situation (I wouldn't call it a security flaw) is hardly limited to PayPal. While someone could conceivably use this as a method of maliciously blocking the legitimate address-owner's use of their address, it's most likely just plain human error.

Maybe that erroneously-used address belongs to someone else. If it does, that person may have received the verification email, which explains what to do "If you did not make this request..." Even if they didn't get the email, if they ever try to use that address and learn that it's already in use, there's generally a process for correcting the situation.

The question is, should the service actively search account records for unverified email addresses and automatically delete them? There are various pros and cons to that - people can have legitimate problems receiving the verification email, so some sort of grace period is needed to prevent premature deletion. What happens to the deleted email addresses; should their re-use be embargoed for a certain period, or can they be used immediately?

The problem is, such a "fix" for accidental use does little to prevent the kind of malicious use the OP described. Those with malicious intent would wait until the address was again available for use, and mis-use it once more.

This could be prevented by Paypal only allowing you to add additional email addresses to your account by interactive confirmation when you attempt to add them to your account.

First, this wouldn't prevent accidental/malicious use of a name when creating a new account. Second, just how would that interactive confirmation work? How do you confirm "ownership" of a particular email address, other than by proving you have access to that address (the existing verification email process)? It already is "interactive." What the service could do is put a timer on the "interactive" response period. "We sent a verification email to that address. If you don't respond within X minutes/hours/days, account creation will fail/the address will automatically be removed from your account."

The trouble is, services try to avoid "friction" in the account creation/management process - the harder it is to do something, the fewer customers they'll have. If the account creation/modification process times-out before the customer can resolve legitimate issues they may have receiving the verification email (technical issues, forgotten passwords, etc.), the customer may abandon the attempt altogether.