[Nottingham] T-shirt purchase and more pertinently, PayPal rant

Neal Ponton neal at tutamail.com
Wed Jul 6 05:25:35 UTC 2016


Following my recent enquiry about a GNU/Linux T-shirt I'm pleased to say that 
I've been on eBay and bought one with the standard Stallman GNU logo on it.

What I'm not pleased to say is that I'm now locked out of my PayPal account. 
I've had my PayPal account (and matching eBay account) for over a decade and 
I've learned (and been burned) in the past that, after buying something from 
eBay using PayPal, it's best to go directly to the PayPal website and make 
sure that you're logged out. In the past I've managed to open a tab straight 
to my PayPal summary page, because eBay has cheekily kept me logged in after 
buying something. I think they may have sorted out this quirk a few years 
ago, but it definitely was a thing, and I always like to check.

So I pay for my T-shirt (bottle green, sartorial chums!), and head on over to 
PayPal in a different tab to check that I'm still not logged in. I'm 
presented with the PayPal login screen, but this time it has a banner saying 
that there's been suspicious activity on my PayPal account because someone's 
logged in from Rugby, UK.

Immediately I snort to myself "yeah, you idiots, that's because I'm currently 
connected via VPN that happens to be based in Rugby. Nothing suspicious 

So PayPal now want me to change my password because of their incorrect 
assumption that I'm being hacked from where my VPN connection is.

I store my passwords in Keepass and they are piped through to Firefox using a 
combination of the PassIFox plugin for Firefox, and also using an AES binary 
that you have to manually 'sudo mv' into the Keepass /usr/lib directory 
(it's on GitHub, called KeePassHttp.plgx).
PassIFox and KeePassHttp.plgx then communicate with each other when a 
password needs to be decrypted from the vault and injected into the browser.

Firefox password manager is disabled and when the password is piped through 
from Keepass it's AES decrypted in the time it takes to be pumped into the 
browser login box. It's a pretty neat system once you get it set up. The only 
annoyance is that it sometimes borks Firefox Sync because the sync password 
is stored outside of Firefox. An annoyance I can live with by manually 
signing into Firefox sync every now and then.

So, I sigh to myself, before begrudgingly generating a new random 
alphanumeric password to use for PayPal. Then PayPal tells me I haven't 
included any special characters. "Whoops! Fair enough!" I think, and get 
Keepass to generate something which probably contained a plethora of special 
characters. I enter my second attempt at changing my password and by now 
PayPal have had it with me. My account is locked and I'm vainly trying to 
call an 0800 number at 5 in the morning to speak to a PayPal call center, 
which was (un)surprisingly a dead end.

I'll sort it out at a later date. But isn't it wonderful that one of the 
Internet's biggest payment processors don't even acknowledge that their users 
might be using a VPN?

My T-shirt is in the post. It probably won't fit, but thanks for listening to 
me vent my spleen about PayPal.

I feel (slightly) more cleansed!

