Major security flaw - the system keeps re-enabling auto login even after I keep turning it off
I've been dealing with customer support all day over this issue and they say they can do nothing but I want to raise it here as well since it's a major security flaw. Paypal is a financial site and therefore security controls should be very strong. I always log out whenever I complete a transaction and I never click the "stay logged in" button that's always presented. Now, every time I log in, I get an email saying "We've made it easier for you to check out with PayPal. Since we recognize this device, we'll automatically log you in so you can skip typing your password at checkout! ... If this is a shared device, or you don't want us to automatically log you in, we recommend that you turn this feature off." I go in and manually turn the feature off. Then the next time I log in to make a transaction, I get the same email again, the feature is re-enabled again, and I have to go in to manually turn it off again. This is totally unacceptable. I'm the only one who should be able to determine if my device is trusted and if I want to enable auto login. I was told that there's nothing they can do and that I'll simply have to manually disable the feature every time. This is a major security flaw and it's a big deal. I was told that my concern has been escalated but I'm posting this here in the hopes of raising the visibility of this issue. Thanks.
Labels: Login Issues, Profile & Settings
And wouldn't you know it, just when I thought I had it sorted Paypal let me down again. Onwards with the Australian Financial Complaints Authority then (and they can keep their $50 'take this and be quiet' payment).
I got this back from FCA (UK). Passing the buck a bit but might help. I had to remove all links as the forum doesn't like it.
Thank you for contacting the Financial Conduct Authority (FCA) about your concerns with the security practices of PayPal.
I understand that you wish to make the FCA aware of a security flaw with Paypal that keeps re-enabling logins on 'trusted devices' even though the device has been logged out or removed. You have provided a link to the Paypal community that shows many others are experiencing the same issue.
I appreciate why you are seeking this help and I have provided some guidance below which I hope will help you.
PayPal (Europe) Sarl et Cie SCA
I have searched our financial services register, which is a public record of firms we authorise and regulate. I’ve been able to find an entry for PayPal (Europe) Sarl et Cie SCA who have the status of Temporary Permission. PayPal is regulated in another European Economic Area authorised (EEA) country – Luxembourg, they can offer certain products or services in the UK. They must meet minimum standards agreed across all EEA countries.
As firms are obliged to update their contact details with the FCA annually, I would strongly recommend reviewing our register entry to ensure the contact details you are using for them are correct.
Your query
I have found the rule, SYSC 3.1 that outlines that firms must have reasonable systems and controls in place.
Under the General Data Protection Requirements (GDPR), consumers have the right to ask an organisation how they are using and/or storing their personal information. The competent authority for the GDPR is the Information Commissioner's Office (ICO).
Next steps
You may wish to speak with the ICO regarding your concerns about keeping your data safe, and the obligations that firms have in complying with this. The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
You may also wish to contact the home-state regulator for PayPal to fully address your concerns to, which is the Financial Sector Supervisory Commission, as they have direct oversight of them. Please see their contact details below:
Tel: [removed]
Email:
If you feel the firm are not treating you fairly, or have breached any of our rules, then you may wish to go through the formal complaints process. After this has been exhausted, you may have the option to escalate the case with the financial ombudsman service.
What I've done with the information
I have shared the information you provided with my colleagues who supervise PayPal. We expect financial services firms such as PayPal to follow our rules and meet our standards when dealing with consumers. We appreciate members of the public raising their concerns with us, because this can be a valuable source of intelligence which better enables us to supervise the conduct of the firms and individuals we regulate.
Sounds like the FCA haven't understood the problem. It's not an issue of keeping your data safe. It's an issue of Paypal changing your security settings and keeping your account (and therefore your money) unsafe if your device was stolen/misplaced.
Hi @Sumwunelse, @worf2, and @j_a_s,
Thank you all for your posts. I'm sorry to hear that your One Touch autologin was reenabled after turning it off. I'll be happy to help.
If you have opted to remove One Touch but it has re-enabled, please complete the disconnection steps again and then clear cookies and cache in any browsers used to access the site. It sounds like there may be a cookie that caused it to reenable.
Additionally, when conducting any transactions in the future, ensure that the "stay logged in" option is not enabled.
I hope this is helpful in ensuring that One Touch is deactivated.
Olivia
Nope, been there, done that, no help. Tried other browsers including Duckduckgo (no cookies).
Your method of disabling doesn't relate to the menu available on my account (UK). There is no mention of "one touch" anywhere.
If you mean
SKIP EXTRA APPROVALS FOR FASTER PAYMENTS
Then what you get there is a popup that is blank apart from "companies" and "contacts". Clicking on either of these produces no results.
Why is it that it is always somebody else's fault?? Read some of the other comments on this thread.
PLEASE REMOVE THIS STUPID FEATURE. I NEVER ASKED FOR IT IN THE FIRST PLACE.
moderator
My "Update next to Auto Logins" has disappeared altogether because I kept turning it off in "security". Now I have to save an old email which still has the link.
Hi Olivia,
As above, we have all attempted the 'solutions' offered without success.
I'm not using Onetouch, whatever that is.
Every time I make a purchase, Paypal changes my security settings without my consent and makes my account vulnerable to unauthorised users.
PLEASE STOP DOING THIS!
I have been using Paypal for more than 15 years now and this issue is about to cause me to close my account.
It's December 2023 and this continues to happen, and their response is always the same, "login and turn it off", which I do every time.
I've been complaining about it for over a year.
Here are some responses from Paypal
-------------------------------------------------
If you would like to opt out of the single sign on, here is how.
Log in and click your name in the upper right corner.
Then choose Profile Settings. In your profile there is a section named "Stay logged in for faster purchases"
Once you go into this section you can turn off the ONE TOUCH service on all your devices.
I hope this info helps.
Have a good day!
Sincerely,
Dean
-----------------------------------------------------
Why do I need to login to turn off AUTO LOGIN that was TURNED ON by PAYPAL?!?
Does that even make sense?!?
It does not.
I've made a purchase. Five minutes later Paypal turns ON Auto Login and emails me about it. I have to RE LOG IN to turn it OFF.
Totally counter-intuitive.
WTF?!!
------------------------------------------------------
Hello, J
Thanks for the note.
In review of your logins today, the account was not logged in using the one touch or auto login service of PayPal.
This typically means it is occurring on the browser or a device setting.
Here is my recommendation since I see you are using Google Chrome as your browser.
Open your Google Chrome browser, and click the 3 dots on the far top right. Then scroll down and click SETTINGS. From your Settings section choose AUTOFILL and PASSWORDS.
Then choose PASSWORD MANAGER. Google has a default setting that automatically will log you into websites. Toggle the AUTO SIGN IN or SIGN IN AUTOMATICALLY so that it is GREY and NOT BLUE.
Also in the Password Manager section if you see PayPal's website listed below in your saved passwords, you can delete these on Google.
I hope this helps with your issue.
Thank you for contacting us.
-------------------------------------------------------
Each time it happens, they close the ticket I open and state that one is already open which never gets addressed. I found this thread as a last ditch effort to bring attention to this. It is CLEARLY a security breach because it turns this on ON any device you make a transaction from, even if it's a public one. This is b.s. and Paypal clearly does NOT care.
Are they trying to destroy themselves?