Righard Zwienenberg, Chief Research Officer at Norman posted this on Norman Security Blog, Thanks to Mr.Fagerlid for sharing:
I have been a user of PayPal for many years, actually ever since PayPal opened its services for international users. PayPal, originally only for US citizens, is now used worldwide with local offices in many countries.
From the Dutch affiliate, I just received the next message from PayPal (the actual message was in Dutch, see picture below):
Dear Righard Zwienenberg,
It pleases us that you have chosen to pay using PayPal. You can ease paying with PayPal by adding your bank account, next to your credit card. PayPal advises to add your bank account so you can benefit of all advantages:
- Paying with your bank-account is safe as your bank-details will not be shared with the receiver
- If you confirmed your bank account, your payment and cashing limits are removed. This does not apply to credit cards.
- You control the expenses by a clear overview on your bank-statements when you have paid for something using PayPal.
- It is easy to cash money from your PayPal account.
Now what is wrong with this e-mail? Absolutely nothing. As a matter of fact, it was send to the correct e-mail address (the one I do use and only use for PayPal), I was addressed with my full name rather as “Dear customer” or whatever they tend to use in phishing e-mails, the “reply-to address” is set to the same address as the “from”, nothing is spoofed, nothing is forged, all is correct.
All??? All, except for the content of the e-mail advising me to connect my bank-account rather than my credit card to my PayPal account.
Paying with your bank-account is safe as your bank-details will not be shared with the receiver
Now this happens to be true to when you use PayPal with your credit card.
If you confirmed your bank account, your payment and cashing limits are removed. This does not apply to credit cards.
I actually like the limit put on credit cards. I use one specific credit card for PayPal transactions. Whenever my PayPal credentials are somehow stolen and someone is misusing that to pay for something, my ultimate damage will be the limit of the credit card. When misusage of the account been established, the credit card company will reimburse me (this besides the possible payment-security by PayPal). But if my bank account is connected to my PayPal account, the limit of the damage will be my balance (and credit the bank is giving me). And since the recipient will be PayPal (as an intermediate) and a recipient that has been many times used before, the fraud detection on “rogue” payments of the bank will not kick in.
You control the expenses by a clear overview on your bank-statements when you have paid for something using PayPal.
My credit card statement also gives a very nice overview as well.
It is easy to cash money from your PayPal account.
Likewise it is easy to put money on your credit card.
So why this message from the Dutch affiliate of PayPal? I assume it has something to do with the commission the different credit cards are collecting on every payment. Some of them can be as high as 5%. And when you authorize PayPal to get the money from your bank account instead, it would mean significantly less cost for PayPal. And the higher risks are for you in case your PayPal credentials are stolen and misused.
I will stick to using a dedicated credit card with a firm limit for my PayPal payments. It does give me a much more secure feeling…