Help me to help you

Priorities – funny old thing. This is a story of PayPal taking a week to respond to real time assistance.

Monday – five days ago – we discovered an account with spoofed details that had managed to get through the fraud filters. The account was merrily delivering a PayPal phishing page.

We had the code base, the details used to connect, complete logging, and a list at that point of about 600 PayPal users account names and passwords. Furthermore we had a green light to assist in any way possible regarding the matter… even down as far as monitoring IP’s and honeypots.

Rather than just shut the thing down and erase – I made a backup, and contacted our account manager.

His auto responder came back with another email address to use. So I mailed that.

The mail was very much of a “we have the following details, tools, mechanisms, trace of user, and they are continuing to try and create accounts – we can certainly assist you if you are looking to track this, but obviously time is of the essence.”

Thursday came and I called them up. Sure, calling them up, hens teeth on contact details so had to use a personal account to gain access.

Getting bounced from an call centre (India) to security (Northern Ireland), and told that I did not need to do anything and that they would chase it up with the account managers involved. They could not give me an email to send the information over to as it was too specific for phishing emails. Fair enough – albeit now a very very cold trail by now.

I received an email telling me to forward it over to spoof@paypal.com – which I am pretty sure I could have been given on the phone. So Thursday off went the whole shooting match – an archive of logs, mails, code, tools, and captured account details.

Today came the response….

Thank you for being a proactive contributor by reporting
suspicious-looking emails to PayPal’s Abuse Department. Our security
team is working to identify if the email you forwarded to us is a
malicious email.

Paypal Will Always:

– Address our customers by their first and last name or business name of
their PayPal account

Paypal Will Never:

– Send an email to: “Undisclosed Recipients” or more than one email
address
– Ask you to download a form or file to resolve an issue
– Ask in an email to verify an account using Personal Information such
as Name, Date of Birth, Driver’s License, or Address
– Ask in an email to verify an account using Bank Account Information
such as Bank Name, Routing Number, or Bank Account PIN Number...

… an autoresponder, the next morning. Nice. I in no way feel patronised… I feel so valued… it was looking so good for the first paragraph wasn’t it?

So – this begs the question as to whether they give a monkey’s? From their point of view – I guess not. They charge back the funds, the client is out of pocket for the period until they are refunded – what have they got to loose? I guess their mechanism is geared to clearing up messes after the event, as their FAQ would suggest, or stopping it with heuristics at the point of payment.

So – why bother? Would I have got a better response by just posting the list of users and the code used online?

Maybe so.

Priorities for them are clearly not the priorities for the rest of us.

Maybe its just me – maybe I am being unrealistic, but what I do know is I wont be investing so much time in trying to assist next time. Furthermore I am pretty sure I wont be alone in that experience or outlook.

Trackbacks & Pings

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this:
Skip to toolbar