Email about IPN certificate upgrade: Is it legit? - paypal

A few days ago, I received the following email from the address paypal#paypal.com with the subject "IMMEDIATE ATTENTION REQUIRED: PayPal service upgrades.".
I have reason to believe it is a phishing attempt. Please find my notes in the end and try to justify why I'm right or wrong.
The only part of the mail that I removed was my name in the third line.
PayPal service upgrades.
,
As we have previously communicated to you, PayPal is upgrading the
certificate for www.paypal.com to SHA-256. This endpoint is also used
by merchants using the Instant Payment Notification (IPN) product.
This upgrade is scheduled for 9/30/2015; however, we may need to
change this date on short notice to you to align to the industry
security standard.
You’re receiving this notification because you’ve been identified as a
merchant who has used IPN endpoints within the past year. If you have
not made the necessary changes, we urge you to do so right away to
avoid a disruption of your service!
Because these changes are technical in nature, we advise that you
consult with your individuals responsible for your PayPal integration.
They will be able to identify what, if any, changes are needed. Please
share this email and the hyperlinks below with your technical contact
for evaluation.
Testing in the Sandbox is one of the best ways to make sure your
integration works. Sandbox endpoints have been upgraded to accept
secure connections by the SHA-256 Certificates.
Full technical details can be found in our Merchant Security System
Upgrade Guide. In addition, our 2015-2016 SSL Certificate Change
microsite contains a schedule of our service upgrade plan.
Thanks for your patience as we continue to improve our services.
Please do not reply to this email. We are unable to respond to
inquiries sent to this address. For immediate answers to your
questions, visit our Help Center by clicking "Help" on any PayPal
page. Copyright © 2014 PayPal. All rights reserved. PayPal (Europe)
S.á r.l. et Cie, S.C.A., Société en Commandite par Actions. Registered
office: 22-24 Boulevard Royal, L-2449, Luxembourg, R.C.S. Luxembourg B
118 349.
Here's why I think it's fake:
They just address the customer by name, no "Dear" etc.
Copyright 2014? strange...
The phrase "we may need to change this date on short notice to you to align to the industry security standard" has a minor mistake (IMO, although I'm not a native English speaker) and doesn't sound like a company's policy. Talking about maybe changing a date is not professional.
The subject... come on, caps?
The links are to a strange domain, the certificate of which is issued by a different company than paypal.com's. One serves a pdf.
I think it's a pretty elaborate phishing attempt, but it strikes me that in online discussions about it (dating back many months), representatives of various companies treat it as legit.
So, am I missing something?

Yes, that is a legitimate email from PayPal.
For additional details, see this recent Stack Question:
How can I tell if my paypal certificate is SHA-256?
The PayPal Merchant Technical Support Site has additional information on the Certificate Upgrade and how to test your server.
Also, if you ever wonder whether an email is from PayPal, you can forward the email to Spoof#paypal.com or the new email Review#paypal.com.

Related

Stuck in Facebook's Access Verification hell for Tech Provider Business

We use the Facebook API in our web app to provide a "publish to Facebook group" feature directly from the web app. Customers can publish the results they are achieving thanks to our products in our group.
To implement this very simple feature we had to duck, provide screen recordings, send business registration papers, give login credentials, describe the process from every perspective, crawl and bend.
Then on Dec 15, we received the following message:
"We’re now requiring an admin of your business, [....], to complete access verification. This is a new process that asks for information about how you use the Meta business assets and information of your clients, so we can verify that your business is a Tech Provider."
Also in the same message:
"This typically takes around 10 minutes to complete and you’ll only need to do this once."
Since then I filled in the form 9 times, with serious effort. But every 5 days it just gets rejected without a clear reason given, and there is no chance to contact Facebook support.
Does anyone know how to fill in the "Access Verification - prove you are a Tech Provider form", so I will get accepted?
The actual questions that they keep asking are:
Add details about how your business will use Platform Data (i.e., any info or data you obtain from us) to enable a product or service on behalf of your clients.
Describe how your clients use your product or service.
I already tried the solution proposed here:
Stuck in Facebooks Access Verification hell
quoting their questions, but it has been in vain...
The time is running out, in some days Facebook is going to block the API if we don't pass this verification process, but I don't know what else we can try...
I tried to contact Facebook, but this seems to be impossible. Some forms (App Review Support) just give a generic error message.
I tried to post a request for help to the Facebook Developer Group, but they rejected the request because it's not related to a development issue.
Same when I tried to open a ticket with the Facebook tech support for a bug; they answered that it's not a technical issue.
There is no guide from Facebook on how they want this information to be provided.

Can US based company publish on Huawei AppGallery?

I have been researching online but I cannot find a clear statement. Is a US-based company allowed to publish apps on Huawei App Store or does the ban forbid it?
The following table describes whether the services of registration, identity verification, Merchant Service, Payment Service, and Account Service are supported in each country or region for enterprise developers. A check (√) indicates that the service is supported.
We can see that Huawei does not ban US-based companies as enterprise developers. US enterprises support account registration, which means they can release applications.
For details about the application release process and specifications, see:
Official website.
Creating an App.
Copyright Qualification Review Requirements.
Sure you can, if you get a Copyright Certificate in China. But how to do that? Well, probably the best would be to pay some Chinese company for that, so they basically will have the copyright registered on them; otherwise it looks like it's not so easy, because of the great bureaucratic wall of China.
This is a good guide that actually explains it quickly:
Can I get a Software Copyright Certificate if I’m not a Chinese company?
Yes, the copyright owner can be a foreign company or legal person, but
you must submit the legal proof certified by the local Chinese
consulate or notarized by the local notary office.
So basically you can and cannot, meaning that you cannot on your own; you need someone from China to help you. I believe that was their intention, to make it more difficult for foreigners and more profitable for Chinese businesses. And also let's not forget the number of other special rules you have to obey in terms of app user interface and functionality to be accepted in mainland China.
https://medium.com/huawei-developers/the-ultimate-guide-to-register-software-copyright-certificates-in-china-45571448fc9f

Is PayPal's Message Centre available via an API?

I am working on a project and my clients want to have the Message Centre of PayPal integrated into their system so they won't need to log in to their PayPal account every time to check their emails and reply.
I cannot find any available option on their developer portal for a call similar to that. But I thought to ask here, as someone may have had better luck finding that.
Much appreciated.
There is a customer Disputes API for handling that part of backend administration. This is typically only useful for large/enterprise merchants.
Other things require logging into the account. User logins with specific/limited roles can be created.

how to validate username in paypal

Is there any way to use some PayPal API for validation of a username in PayPal?
Google didn't give much :( and using such a method isn't comfortable, because there are too many requested parameters (for example, I know the user's email, but I don't even want to know his address, etc.).
PayPal doesn't provide such an API and for a very good reason.
Remember - it's constantly under a lot of pressure from scammers around the world that are trying to steal other people's money. Just imagine the phishing power one might get by being able to pre-validate the email addresses to see if they really are current PayPal users and then crafting a targeted email attack on them...
Such an API (to see if a random email address is registered with a PayPal account holder) does not and never will exist for security reasons. With possibly one exception - "trusted partners", where PayPal partners up with a big and established entity and allows special API permissions (based on secure credentials), but this is not something a mere mortal could ever hope for.
Furthermore, if a workaround is discovered that allows one to do just that - rest assured PayPal will patch that hole ASAP to avoid a security breach.

Bizspark Signup problems

My company plainly meets the requirements to enrol in Bizspark. Yet so far I have not been able to.
I first applied via a Networking partner but heard nothing back, and then discovered the Networking partner I picked did not have contact details on their website, so I re-applied with a different live ID directly to Microsoft and again did not receive a response apart from the initial acknowledgement.
Waited a few weeks and then tried again, picking another Networking partner. They graciously responded with a link to enrol.
Now a month later I am about to give up. I have a website (although I don't yet need one as I have nothing to sell) and a working email address with the same domain. Do the Bizspark team notify people if they have been declined?
Where are you located? It took me more than a month here (Australia) to get approval from a networking partner. You should contact more than 1 partner (if accepted by any, let the others know that you already got an approval), as the first partner didn't reply to me and I had to try the second one.
I don't think they will reply to you if your application is declined.