Paypal Pre-Approved Payment Agreements

I don’t know whether anybody else has come across this, but it’s new to me.

I’ve been happily using Paypal for years now, and yesterday I used it to buy 3 apps for my new Blackberry 9300 from Blackberry App World. Today I wanted to buy another app from the same place. This time I was asked to register with the site, though, and when I attempted to pay it was no longer possible for me to do so via Paypal without entering into what was later explained to me by Paypal as a pre-approved payment agreement. Blackberry App World wanted me to authorise them to withdraw up to $1,500 per transaction (!) automatically from my Paypal account, rather than directing me to the Paypal site in the usual way so that I could authorise the transactions.

I wasn’t willing to do that, so I cancelled the purchase and rang Paypal to ask what it was all about. Apparently this is something Paypal has introduced, initially for the convenience of Ebay (so that they could simply withdraw from Sellers’ Paypal accounts the sums due to them in fees, rather than having to ask the sellers to authorise them), and it seems it’s now being extended to other online vendors. When I pointed out that I’d bought 3 things from the same site y/day without any problem at all, the woman I spoke to at Paypal explained that that’s why Blackberry App World had attempted to introduce the new arrangement today i.e. it was more convenient to them to do it this way.

Um… doh?! Can directing people to the Paypal site so that they can authorise their own payments really be so very inconvenient? Will it be less inconvenient when people decide to buy their products elsewhere, I wonder? Because surely it can’t just be me who isn’t willing to hand over the key to my bank account in that way…?

Maybe I’m unduly cautious, but it sounds like madness to me. Entering into that sort of agreement is like handing over one’s Paypal password to strangers… isn’t it? To me, the whole point of having a password is to be sure that only *I* can authorise payments from my bank account, via Paypal, to vendors or others. To me this sounds like signing up for an online account with Tesco and handing over my bank card and pin number at the same time.

Perhaps it’s an age thing. I brought this issue up on a Blackberry forum to see whether anybody else has come across it, and it seems that people there (the ones who replied, anyway) feel it’s all perfectly okay, and that at some stage one has to simply be willing to trust the system. Well I feel that there’s already an element of trust involved in sharing my account details with Paypal and relying upon them not to misuse them. Handing them over to any old vendor who’d quite like to have free access to my bank account feels like a step too far. The older I get, the weirder the world appears to become… *g*

11 Responses to Paypal Pre-Approved Payment Agreements

  1. Robin says:

    Sounds dodgy to me as well. Ditch the Blackberry, get an iPhone. 🙂

    • peewiglet says:

      Heh… I’d like an iPhone, but I can’t really justify the expense at the moment. After all, there’s the new Kindle, and also the new Sansa Clip+… *g*

  2. JH says:

    Nice image 🙂

  3. Gibson says:

    I wouldn’t be prepared to do that either. I was considering buying a Blackberry, but won’t be doing it now, so thanks.

  4. Alan Rayner says:

    I have a Blackberry, Sheila has a HTC desire. The Blackberry is not a patch on the HTC.
    As for the Paypal fiasco, if i every have a message to do this i will ditch Paypal. Cheeky Blighters.
    And what hassle will it cause the customer when an error payment of $1500 dollars, pounds whatever, gets authorized, as is bound to happen soon or later.
    I dread to think. Paypal i think are on dodgy ground.

  5. Andrew W says:

    I have a Blackberry Stoem 2. Well did anyway, it is being repaired again at the moment. I quite like the phone, but NO WAY I am going to give them open access to accounts without my specific approval. I had 2 cards scammed in the last 18 months, I’m not going down that hassle route again.
    Looks like an HTC or maybe Galaxy S when I change in September, unless they do a U turn on this little caper.

  6. Andrew W says:

    I meant of course Blackberry Storm 2 (digital dyslexia).

  7. […] I had what felt to me like a disturbing Paypal-related experience a couple of weeks ago, which I described here. […]

  8. James O. Whitlock says:

    I think it’s actually a far worse security hole than you describe. I only just discovered it and the headline I would write is “Unapproved Preauthorizations for PayPal Charges – A Gaping Hole in PayPal Security” or “PayPal Accepts Merchant’s Word of Preauthorized Payments Without Customer Confirmation or Notification”, both of which accurately describe what I’m finding. I’m also finding the same terrifyingly poor customer service at PayPal (no email addresses, no incident numbers, just a Web form for walled-in communications that cannot be shared with those concerned, like the merchants involved) in spite of astonishingly good customer service from some of the larger merchants who also want to know why they’ve been given pre-approved payment authorizations when they claim they don’t ask for them.

    Until this point, I would have recommended PayPal to anyone, hands down, over any credit card I’ve ever used, especially if you use the PayPal security dongle — I’ve never seen such good security for online transactions. But this issue?? Good grief! My grandma could purchase a pillow from Macy’s only to find that Macy’s has been given (without permission from or notification to grandma) authorization to make unspecified future charges against her account. Her only defense appears to be checking the obscure “My preapproved payments” page at PayPal every day to make sure that merchants have not taken advantage of the hole — although she certainly could contest any charges that were actually made with that mechanism. Nonetheless, until we get this sorted out and until there’s better notification and verification (“Did you really want to authorize Merchant-X to make future charges without your explicit authorization? If so, please login to PayPal now, with your security dongle, and confirm that.”) I can no longer recommend PayPal to normal non-techie people, and certainly not to grandmothers.

    I think we need to kick up a HUGE public fuss about this until we get sensible and responsible corrective action from PayPal. If anyone else would like to join me in making this issue more visible, please contact me at “jowhitlock” AT geemale (you know what that should look like) and maybe we can band together on this and make enough noise to bring the PayPal folks out of their walled private garden.

    In my normal life, I’m a 40 year veteran of IT development, starting with OS and hardware development just after vacuum tubes but before integrated circuits. For the last 35+ years I’ve been AD of computing services for central computing at a large public research university, having built network engineering, microcomputer maintenance and a few other groups. In my entire career, I don’t think I’ve ever seen such a poor business practice coupled with such poor customer service from such an otherwise astonishingly good company. I sincerely hope we can “fix” this problem so I can go back to unhesitatingly recommending PayPal and their otherwise exceptionally good security.

    Does anyone have any good ideas for how we can accelerate the elevation of this matter into greater visibility in the blogosphere? I’m too old to know those methods but that seems to be the path to getting corporate attention these days.

    In the meantime, keep your grandma away from PayPal, even if you managed to teach her how to use a security dongle since it won’t help with this hole.

    Thanks & Best — Jim Whitlock

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: