If you have to give PayPal banking information make sure it's a separate bank from your "main" one - it should be easy enough to get a free online bank account you can use as an intermediary.
Another reason to remove your bank details is one-time login codes. PayPal is testing a feature that lets users log in using a 6-digit code sent over SMS, bypassing both password and TOTP/hardware authenticator, and the feature can’t be disabled.
I refuse to use SMS as a second factor, so using it as the _only_ factor for what is effectively a bank account is absolutely batshit insane. They’ve completely lost their mind.
Like Google, they badly want your mobile number, for tracking and additional PII/identity purposes. This is what it boils down to, not security.
I cannot log in to PayPal without a phone any more. At all. My mobile phone doesn't even work on my property; I live in a rural area, with no cell phone service for 1km.
I have a phone. Email. I could set up 2fa via the internet.
Nope.
Because of course, cell phones are always reachable?!
Receiving SMS via the Internet is possible by enabling WiFi Calling. It is a game changer for locations with good wired Internet but poor cell coverage.
Of course it doesn't change the fact that using SMS for security should be illegal.
I have an old-ish paypal account with no phone number attached and while they prompt me every time I have not supplied one. There was a period of a month or two a couple of years ago when I couldn't use paypal at all without providing a phone, but I was quite willing to live without paypal. Mysteriously when I tried to log in a few months later it let me.
People enforcing SMS login/MFA don't care. As someone who's frequently away from my home country, I often find it difficult to log into services that are necessary for my survival (like banking), let alone regular apps which more and more frequently are ditching email address signup in favour of mobile numbers (BeReal, Artifact etc).
At _minimum_ I need to swap the physical SIM card in my phone which for some reason breaks iMessage for a few days every time I do it. However roaming doesn't work in every country, so, sometimes I'm just fucked.
eSIM could make the first problem easier, but it actually makes it harder. With a physical SIM, if I lose or break my phone I still have my home SIM so I can still access SMS on a new phone. With eSIM, if I lose or break my phone my home SIM is lost along with it. No problem, just provision a new eSIM, that's the whole point right? Well, one of my telcos doesn't support eSIM yet, but they enforce SMS MFA, so I can see where this is going. I'll only be able to provision a new SIM if I have access to the old one. Absolutely braindead. Another of my telcos doesn't allow eSIMs to be provisioned digitally; you need to obtain a physical QR code from a shop or have it posted to an address within the country (they won't send one overseas). It's actually unbelievable how telcos have managed to make eSIMs less convenient than physical SIMs. Anyway, this means I need to return to my home country if I lose or break my phone because without SMS I won't be able to access banking.
This is beyond infuriating, but I'm an edge case so no one cares. It should be illegal for critical services, banking/finance/govt etc to depend on SMS.
Do you get charged for _receiving_ texts when traveling internationally? Maybe it's different here in Europe, but as far as I know, I only get charged for active things - sending texts, making calls, accepting calls. Passive things - receiving texts, getting calls (but not accepting them) - do not incur any charges.
It depends on the telco. I have a telco that requires me to have an active roaming plan to receive SMS/calls. Which is about $5 a day from memory (I don’t use it overseas). Another telco has no requirements and no charge to receive SMS/calls overseas as long as the number is active.
That's weird - PayPal has been doing the opposite to me: making me do both reCAPTCHA and hCaptcha in addition to my password and TOTP. Seriously, who the fuck needs not one captcha after valid login information but fucking two.
I'm not sure how folks regard privacy.com (the domain is a little... lofty?) but I use that to present my bank to PayPal as if it was a credit card. I change charge limits on the fly to be just a bit more than I need.
I got halfway through the "Privacy.com" sign up process and discovered they wanted my online banking username and password to access funds, with some ridiculous alternative like mailing a paper check.
At the very least one would expect the bank to be salting and hashing - PrivacyDotCom presumably has to keep the plaintext in some form in order to use them!
As a secondary concern, the bank has occasional 2fa, and definitely does some kind of anomaly detection. Primed by the ickiness of the user/pass request I just had a mental image of some hacky Selenium script on an AWS IP address filling out the login form and getting my online banking disabled proactively.
privacy.com is just like VPNs. It's not private; you're "just" moving the pieces. That's not to say that these things aren't useful, but caveat emptor.
- Basically none of the banking functions were available outside the app
- The app itself was buggy. There was some sort of "vault" or whatever they called it that had attractive interest rates (the reason I signed up), and after wasting hours of my life over a few weeks with customer support I decided it would never work
- Unlike any other bank-like service I've used, you can't just get mailed a check and close the account. Neat idea maybe, but at the time the app was buggy and wouldn't let you withdraw fully if you had anything in savings because of some sort of minimum balance nonsense
- You can't use the app if they think your phone isn't sufficiently secure. This is more on Apple/Google for caving to that bullshit, but IMO an app with its own security model shouldn't have any clue how you access your phone
- Deposits were capped to like $10 for the first day, $100 for the second, and so on. I don't remember the exact schedule, but it meant that instead of just depositing an old 401k I had to design, over a period of time, a series of increasingly large deposits of some other money (just like a fraudster would do? ELI5, what are they actually preventing?) just to be able to throw a check into the account
- Deposits to and withdrawals from Revolut took an obscene number of days, nobody on either side of the transaction could tell where the money was (magically available in neither account), and the transactions were 10x longer when I was trying to leave
And on and on. Like, I'm sure they're fine on average, and they're probably better than when I tried last time, but I haven't had a worse banking experience yet anywhere by a longshot. The basics for an online bank are logging in, depositing money, and withdrawing money, and neither the basics nor the fancy features they sold me on were very functional.
Happy to hear the virtual debit cards work for you :)
> And there appears to be a lot less protection for you as their customer.
They have EU banking licenses (depending on where you are a different one applies to you), but they are a regular bank with all the protections that includes for a customer - if they go bankrupt, your money is guaranteed up to a certain extent; they can't just close your account and keep the money like PayPal do, etc.
They may have the licenses, but do they actually do business under them? They did not in the past. So it always looked just like a fun ploy to gain some credibility.
> They may have the licenses, but do they actually do business under them? They did not in the past
What do you mean? They provide banking services, they cannot do that without a banking license to do it under. They used to only have one, in Lithuania, and use it for all operations, but now they have a bunch more and the most appropriate applies (e.g. I'm in France, and I'm under the French one).
What free online banks would you trust more than (rightfully untrustworthy) Paypal? Adding a free online bank account sounds like a way to add more points of failure.
The point is to have a bank account with nearly no balance, so PayPal can't drain it, or if they do they don't get much. Then you can transfer cash from PayPal to that account, and then from that account to your real bank.
But if that intermediary bank account has a negative balance, you cannot just ignore it. The bank _will_ come after you for their money. So from what does it protect you?
When PayPal goes to make the withdrawal, the bank doesn't have to let them and give the account a negative balance. Usually you can turn off overdraft and withdrawals will bounce if the funds aren't there.
This doesn't stop PayPal from reversing a previous inbound transfer they decide shouldn't have happened, but it ought to stop PayPal unilaterally deciding they would like some of your money.
The main argument for another small bank account to interface with PayPals of this world is not that it cannot fail, but if it does it is an easily survivable event.
PayPal cannot take more money out of your account than what is in the account. If you have $500 in an account the bank will not let PayPal withdraw $5000 from it. It's not different from writing a check for $5000, which will just bounce.
The bank is not in the business of allowing overdrafts and then somehow collecting the difference.
No bank will honor your check for more money than is in your account. The amount in your account gives a hard stop on the amount you can lose.
Having a separate account with enough for the current Paypal transaction (that you refill from the main bank account as needed, in a few mouse clicks) means you limit your losses from a transaction gone wrong with a major company.
Can a malicious player try pulling money from your main account? Absolutely. But the chances of a large company, like Paypal, hitting you like this on an account not registered with them is zero. And your bank's fraud protection should stop an attempt to pull a large sum from your account by an unknown company in a sketchy country.
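As an added illustration (constructed for this thread; not any bank's or PayPal's real logic), a small Python model of the intermediary-account policy the comments above describe: the account is topped up only for the current transaction, debits are honoured only from originators with a direct-debit mandate, overdraft is off so anything above the balance bounces, and unusually large pulls are held for review. Originator names, thresholds and amounts are all made up.

```python
from dataclasses import dataclass, field


@dataclass
class DebitRequest:
    originator: str   # company pulling funds (ACH originator); constructed names
    amount: float


@dataclass
class IntermediaryAccount:
    balance: float
    mandates: set = field(default_factory=set)   # originators you authorised
    allow_overdraft: bool = False                # overdraft switched off
    review_threshold: float = 1000.0             # hypothetical "large pull" limit
    log: list = field(default_factory=list)      # (originator, amount, verdict)

    def top_up(self, amount: float) -> float:
        # Refill from the "main" bank just before a purchase.
        self.balance += amount
        return self.balance

    def process_debit(self, req: DebitRequest) -> str:
        # Loss is capped at the balance: no mandate -> reject; no funds -> bounce.
        if req.originator not in self.mandates:
            verdict = "REJECTED_NO_MANDATE"
        elif req.amount > self.balance and not self.allow_overdraft:
            verdict = "BOUNCED_INSUFFICIENT_FUNDS"
        elif req.amount > self.review_threshold:
            verdict = "HELD_FOR_REVIEW"
        else:
            self.balance -= req.amount
            verdict = "SETTLED"
        self.log.append((req.originator, req.amount, verdict))
        return verdict


def run_scenario():
    # Constructed sequence: one intended purchase, one surprise claim from the
    # linked company, one pull from a stranger holding leaked account numbers.
    acct = IntermediaryAccount(balance=0.0, mandates={"PAYPAL"})
    acct.top_up(500.0)
    debits = [
        DebitRequest("PAYPAL", 450.0),
        DebitRequest("PAYPAL", 5000.0),
        DebitRequest("UNKNOWN-CO", 30000.0),
    ]
    verdicts = [acct.process_debit(d) for d in debits]
    return verdicts, acct.balance
```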
Oh, boy, can they ever! And the fees can be hefty. Even with a credit union back in the early 2000s, we were talking $10 _per day_, I don't expect it has gotten any cheaper.
Yes, and banks routinely charge $35 for each transaction on an overdrawn account. This is particularly easy to do if multiple people share a bank account with a low balance.
Very good advice. Paypal can be convenient, and even necessary, for certain websites that only accept paypal as payment (yes, they exist). I keep $5 in the bank account I have connected to paypal for exactly this reason.
The only two things you need to take money out of an account are the routing number and account number.
There are a lot of checks on top of that which individual banks may or may not implement or care about, but at the end of the day those two numbers get you 99% of the way there. And for an organization the size of PayPal they're really going to be given the benefit of the doubt by banks.
In Australia they technically need a direct debit authority, but PayPal is above the law in Australia so our dispute process is through our local bank. It works, but it's very tedious and the bank will try to push you towards the PayPal dispute process. It's much better not to link it to a bank account at all, use a credit card because that way it's two US corps fighting with each other when there's a problem.
I think that was why Donald Knuth stopped issuing checks for rewards for people finding errors in his books -- people would post images of the checks online to brag about having received them, and then criminals would initiate fraudulent ACH transfers.
Also not sure why that's not more common in comparison to credit card fraud.
Edit: I guess credit card fraud can be easier to cash out (for physical goods or services), while ACH fraud requires mules to act as intermediaries to receive the fraudulent deposits, which might be harder to come by and sustain.
They certainly try. But it's not like there are no protections in place.
The US banking system can be summarized as "withdraw first, ask questions later." The whole system is based around auditing after the fact. If at the end of the day (or week, or month), the numbers don't balance out, a flag is raised, and someone investigates it. And in many cases, there is a waiting period before you can access funds transferred.
Outside the US, people find this whole thing crazy, but that's how it is and it actually works well enough. My understanding is that banks are moving to a more modern system, but it's a slow process given how much is built around the current system.
They do, 100%. Back in June I got charged $30,000 by a fake "Home Depot". I disputed the charge, but that wasn't fun. The CS reps told me it was not through a debit card but via acct+routing number which got leaked somehow.
Must be some US thing, because this is literally crazy to think about, allowing withdrawal without authorization.
Might also be a reason why US banks always seem nosy as fuck, calling people about transactions, blocking stuff, etc. instead of just giving the account owner a safe way to perform transfers/authorizations/set limits.