A lovely information leak on Paypal's front-page is if you attempt to login with a banned account, and any password whatsoever, it gives you a nice error message saying that account is banned (therefore confirming the account exists, info leak #1) and also gives the current account balance (info leak #2).
I know this because my account is banned.
Why's my account banned? Because in 2006 I received an unsolicited phone call from somewhere in Nebraska claiming to be Paypal and informing me they needed to verify my account credentials. I played along with the obvious phishing attempt for a few minutes until they demanded the email and mailing address on my account to "verify I was the account holder". I told the woman on the other end to go fuck herself and hung up. Turns out it was Paypal and they banned me for failing account verification.
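The two leaks in the parent comment (account existence and balance, both disclosed before any password is checked) come from branching on account state before authentication. The example below is added here and is not PayPal's code or anything from the thread; the account store, hashing parameters and response strings are constructed. It places the leaky pattern beside a hardened handler that returns one generic failure for unknown e-mail, wrong password and banned account, always runs the password hash so timing does not reveal which branch was taken, and only reports the suspension (never the balance) to a caller who has proven the password.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    password_hash: bytes   # PBKDF2-SHA256 of the password
    salt: bytes
    status: str            # "active" or "banned"
    balance: float


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_account(password: str, status: str, balance: float) -> Account:
    salt = os.urandom(16)
    return Account(_hash_password(password, salt), salt, status, balance)


# Constructed sample store; the e-mails, passwords and balances are made up.
ACCOUNTS = {
    "alice@example.com": _make_account("correct horse", "active", 42.0),
    "bob@example.com": _make_account("battery staple", "banned", 17.5),
}


def login_leaky(email: str, password: str) -> str:
    """The pattern the comment describes: status (and balance) are reported
    before the password is ever checked, so anyone can probe any e-mail."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return "No account with that email"          # leak: existence
    if acct.status == "banned":
        return f"Account banned. Balance: {acct.balance:.2f}"  # leak: status + balance
    if hmac.compare_digest(_hash_password(password, acct.salt), acct.password_hash):
        return "OK"
    return "Wrong password"


# Dummy credential so an unknown e-mail costs the same hashing time as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password", _DUMMY_SALT)


def login_hardened(email: str, password: str) -> str:
    """Returns "FAIL" for unknown e-mail, wrong password and unauthenticated
    banned accounts alike; "SUSPENDED" only once the password has been proven;
    the balance is never part of a login response."""
    acct = ACCOUNTS.get(email)
    salt = acct.salt if acct else _DUMMY_SALT
    expected = acct.password_hash if acct else _DUMMY_HASH
    password_ok = hmac.compare_digest(_hash_password(password, salt), expected)
    if acct is None or not password_ok:
        return "FAIL"
    if acct.status != "active":
        return "SUSPENDED"   # owner has authenticated, so telling them is fine
    return "OK"


if __name__ == "__main__":
    print(login_leaky("bob@example.com", "anything"))      # discloses ban + balance
    print(login_hardened("bob@example.com", "anything"))   # FAIL
    print(login_hardened("bob@example.com", "battery staple"))  # SUSPENDED
```

The hardened handler still needs rate limiting and lockout on top, since a uniform message only removes the direct oracle; the dummy hash is what keeps the "unknown e-mail" path from being measurably faster than the "known e-mail, wrong password" path.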
Why don't PayPal and other services add a Verified Paypal code to a user's account page, and train users to log in during these phone calls and ask the caller for the code?
The training itself - if you're being verified, you should do the same of the caller - would have immense societal value.
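A sketch of the "verified caller code" the two comments above propose, added here as an illustration rather than a description of any real PayPal feature. It assumes an in-memory store, a ten-minute lifetime and single-use codes, all constructed choices: the agent's tooling creates a code when a call starts, the code is shown only inside the customer's authenticated session (never sent by e-mail or SMS), and the customer's check is whether what the caller reads out matches what the account page shows.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # constructed choice: a code lives for ten minutes


class CallerVerification:
    """Models the mutual-verification flow: the caller proves they are the
    service by reading a code that only the genuine service could have
    placed on the customer's logged-in account page."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry can be tested
        self._codes = {}           # account_id -> (code, expires_at)

    def open_call(self, account_id: str) -> str:
        """Agent side: generate a fresh six-digit code at the start of a call."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[account_id] = (code, self._now() + CODE_TTL_SECONDS)
        return code

    def code_for_account_page(self, account_id: str):
        """What the customer sees after logging in; None when no live call exists
        or the code has expired (expired entries are dropped on the way out)."""
        entry = self._codes.get(account_id)
        if entry is None:
            return None
        code, expires_at = entry
        if expires_at < self._now():
            self._codes.pop(account_id, None)
            return None
        return code

    def caller_is_genuine(self, account_id: str, code_read_by_caller: str) -> bool:
        """Customer side: compare the caller's code with the page in constant
        time; a matching code is consumed so it cannot be replayed."""
        shown = self.code_for_account_page(account_id)
        if shown is None:
            return False
        ok = hmac.compare_digest(shown, code_read_by_caller)
        if ok:
            self._codes.pop(account_id, None)
        return ok


if __name__ == "__main__":
    cv = CallerVerification()
    code = cv.open_call("acct-demo")
    print("page shows:", cv.code_for_account_page("acct-demo"))
    print("caller read the right code:", cv.caller_is_genuine("acct-demo", code))
    print("replay works:", cv.caller_is_genuine("acct-demo", code))
```

The direction matters: the customer never tells the caller anything, the caller has to produce the secret, which is the reverse of the "verify your e-mail and mailing address" request in the parent comment. A code that is unguessable, short-lived and single-use is enough because the attacker on the phone has no way to read the authenticated account page.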
IIRC PayPal used to be particularly bad about obliviously sending emails and phoning users; asking for contact info, or other info that shouldn't be communicated in such a way.
Fuck Paypal.