Wednesday, September 17, 2014

the PayPal pot calling the Apple Pay kettle black

so if you haven't heard yet, PayPal took out a full page ad in the New York Times trying to drag Apple Pay's name through the mud based on Apple's unfortunate celebrity nude selfie leak. This despite the fact that PayPal happily hands out your email address to anyone you have a transaction with. In essence, PayPal has been leaking email addresses for years and not doing anything about it, so they shouldn't get to criticize others for leaking personal information.

what's the big deal about email addresses? while it's true that we often have to give every site we do a transaction on an email address, we don't have to give them all the same address. in fact, giving each site a different email address happens to be a pretty good way to avoid spam, but more importantly it's a good way to avoid phishing emails, and that's important where PayPal is concerned because PayPal is one of the most phished brands in existence.
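
an added example (not part of the original post) of how per-site addresses expose phishing, and why a shared address loses that property. the alias book, domains and sample messages are all constructed, and the `exposed` flag is a hypothetical way to record that a site has passed your address on to others.

```python
from email import message_from_string
from email.utils import parseaddr

# constructed alias book: each address was given to exactly one site.
# "exposed" marks an address that site has since shared with third parties.
ALIASES = {
    "pp-7f3a@mail.example": {"site": "paypal.com", "exposed": True},
    "bank-c41d@mail.example": {"site": "bank.example", "exposed": False},
    "shop-19c2@mail.example": {"site": "widgetshop.example", "exposed": False},
}

def domain_matches(sender_domain, site):
    """True if the sender domain is the site's domain or a subdomain of it."""
    sender_domain = sender_domain.lower().rstrip(".")
    return sender_domain == site or sender_domain.endswith("." + site)

def classify(raw_message, aliases=ALIASES):
    """Judge a message by who could have known the recipient address.

    The From header is forgeable, so this is not sender authentication;
    it only asks whether the claimed sender is the site the address was given to.
    """
    msg = message_from_string(raw_message)
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    entry = aliases.get(rcpt)
    if entry is None:
        return "unknown-recipient"   # not one of our per-site addresses
    if not domain_matches(sender.rpartition("@")[2], entry["site"]):
        return "mismatch"            # address leaked, or sender is lying
    # the claimed sender fits, but a shared address proves nothing any more
    return "unverified" if entry["exposed"] else "consistent"

def sample(sender, rcpt):
    """Build a constructed test message."""
    return f"From: {sender}\nTo: {rcpt}\nSubject: account notice\n\nplease log in\n"

SAMPLES = {
    "bank_to_bank_alias": sample("Example Bank <notices@bank.example>", "bank-c41d@mail.example"),
    "paypal_to_shop_alias": sample("PayPal <service@paypal.com>", "shop-19c2@mail.example"),
    "paypal_to_paypal_alias": sample("PayPal <service@paypal.com>", "pp-7f3a@mail.example"),
    "to_unlisted_address": sample("PayPal <service@paypal.com>", "someone@mail.example"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```
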

unfortunately, because PayPal wants all parties in a transaction to be able to communicate with each other, they do the laziest, most brain-dead thing one can imagine to accomplish this: they hand out your PayPal email address to others, which is pretty much the worst email address to do that with. i have actually had to change the disposable email address i use with PayPal because they are apparently incapable of keeping that address out of the hands of spammers, phishers, and other email-based miscreants. furthermore, i also use their service less because i don't want to have to clean up after their mess.

at some point i may have to start creating disposable PayPal accounts and use prepaid debit cards with them. certainly if i were trying to hide from massive spy agencies then that would be the way to go, but if i'm only concerned with mitigating email-borne threats i really shouldn't have to go to that much trouble. there are other, more intelligent things that PayPal could, even should be doing.

  • they could share the email address of your choosing, rather than unconditionally sharing the one you registered with their service. that way you could provide the same address you probably already provided that other party when you created an account on their site. it shouldn't be too difficult for them to verify that address before sharing it with the other party since they already verify the one you register with.
  • they could offer their own private messaging service so that communication could be done through their servers (which would no doubt aid in conflict resolution).
  • they could provide a disposable email forwarding service such that the party you're interacting with gets a unique {something} address that forwards the mail on to the email address you registered on PayPal with, and once the transaction is completed to everyone's satisfaction the address is deactivated.
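
an added sketch of the third option (not PayPal's code and not from the original post): a per-transaction relay that forwards mail and stops once the transaction is closed. the class, the `relay.example` domain and the sample addresses are assumptions, and it goes slightly beyond the proposal by accepting mail only from the counterparty and rewriting the sender so replies don't reveal a real address either.

```python
import secrets

RELAY_DOMAIN = "relay.example"  # assumed; the post leaves the domain unspecified

class TransactionRelay:
    def __init__(self):
        self._alias = {}   # alias -> (transaction id, real address it forwards to)
        self._by_txn = {}  # transaction id -> {real address: its alias}

    def open(self, txn_id, buyer, seller):
        """Issue one unguessable alias per party; each party is shown only the other's alias."""
        issued = {}
        for real in (buyer.lower(), seller.lower()):
            alias = f"txn-{secrets.token_hex(8)}@{RELAY_DOMAIN}"
            self._alias[alias] = (txn_id, real)
            issued[real] = alias
        self._by_txn[txn_id] = issued
        return issued

    def route(self, sender, alias):
        """Return (deliver_to, rewritten_from), or None if the mail must be dropped."""
        entry = self._alias.get(alias.lower())
        if entry is None:
            return None                      # unknown alias or transaction closed
        txn_id, deliver_to = entry
        sender_alias = self._by_txn[txn_id].get(sender.lower())
        if sender_alias is None or sender.lower() == deliver_to:
            return None                      # only the counterparty may write
        return deliver_to, sender_alias      # the real sender address is never shown

    def close(self, txn_id):
        """Deactivate both aliases once the transaction is settled."""
        for alias in self._by_txn.pop(txn_id, {}).values():
            self._alias.pop(alias, None)

if __name__ == "__main__":
    relay = TransactionRelay()
    a = relay.open("T-1", "buyer@home.example", "seller@shop.example")
    print(relay.route("seller@shop.example", a["buyer@home.example"]))
    relay.close("T-1")
    print(relay.route("seller@shop.example", a["buyer@home.example"]))  # None
```
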

they don't do anything like that, however. here's what you can do right now with the facilities PayPal makes available. it's a more painful and less intuitive process than anything proposed above, but it does work.
  1. before you choose to pay for something with PayPal, log into PayPal and add an email address (the one you want shared with the party you're doing a transaction with) to your profile. PayPal limits you to 8 addresses.
  2. confirm the address by opening the confirmation link that was sent to that address
  3. make that address the primary email address for your account
  4. confirm the change in primary email address (if you have a card associated with your PayPal account, PayPal may ask you to enter the full card number)
  5. at this point you can use PayPal to pay for something and the email address that will be shared with the other party is the one you just added to your PayPal account
  6. once you've paid with PayPal you will probably want to log back into PayPal, change the primary email address back to what it originally was (and confirm the change once again) and then remove the address you added for the purposes of your purchase. the reason you'll likely want to do this is because PayPal sends emails to every address it has on record for you, and those duplicate emails will get old fast.

most people aren't even going to be aware that they can do this to keep their real PayPal email address a secret from 3rd parties. as a result all manner of email-borne threats can and eventually will wind up in what would otherwise have been a trusted email inbox. make no mistake, this isn't PayPal providing a way to keep that email address private, this is a way of manipulating PayPal's features to achieve that effect. there are too many unnecessary steps involved for this to be the intended use scenario.

as such, PayPal is leaking a valuable email address by default every time you pay for something. yes Apple's selfie SNAFU was embarrassing to people, and yes if Apple doesn't do something about that now that they're becoming a payment platform it could be not just embarrassing but financially costly for victims, but PayPal is already assisting in similarly costly outcomes right now (not to mention potential malware outcomes) so they really have no right to be criticizing Apple. Apple, at least, is taking steps to correct their problems - what is PayPal doing?