Sunday, April 14, 2013

I closed my PayPal account. You probably should too.

In the old days I did casual hookups -- of new net accounts and services.

Now, of course, every net identity and related service is a security risk; the hookup era is history. A recent WordPress attack, for example, meant I had to review the security on current and unused WordPress accounts.

The rising cost of account security, including multiple systems for doing two-factor authentication, means we all want as few net identities and services as possible, and we want to limit them to companies with good security policies. (Until recently, that didn't include Apple. They're showing signs of improvement.)

So, on general principles alone, it would have been a good idea to get rid of my unused PayPal account. I set it up in 2005 and by November of that year PayPal had earned my lasting distrust. It's weird that I kept it around, even though I did give it an extremely robust and unique password. My only defense is that 2005 was a long time ago.

Truth is, I didn't get around to deleting my old account until I read a Cringely post on how PayPal mismanaged a hacked account of his. It's a litany of fail.

That's when I discovered that my PayPal password, which was something like "I8qRb7yw93OSD4iUHt2b", no longer worked. Evidently my (robust) PayPal password had been quietly reset sometime in the past few years -- either that or my account had been hacked.

PayPal let me do a password reset today based on the original email; the new password came with the usual security-reducing 'secret questions'. Then I had to agree to an electronic notification policy that's probably years old. Finally I was able to close my PayPal account.

If you don't use PayPal routinely, you should close yours too.

Next up: My Amazon commerce account ...

[1] OAuth is not a cure; it brings different vulnerabilities. Even I'm not very good at reviewing OAuth access against my various net identities.
