by n_u_l_l 1178 days ago
> ## Confirm some info about yourself

> You’ll need to answer some questions to verify your identity. These questions come from a public database dating back as far as 20 years. They may be about property, places, or people you know. We don’t save or store the questions or answers in our system.

https://www.paypal.com/us/cshelp/article/why-do-i-have-to-co...

Interesting. This would mean that they actually have the data to confirm whether it is correct.

6 comments

> You’ll need to answer some questions to verify your identity. These questions come from a public database dating back as far as 20 years.

Wait, I need to verify my identity by regurgitating public information about me? However PayPal scraped up that information, an attacker could as well. This is absolutely security theater.

Not only are you correct, their database has wrong info about me that I've had to memorize the wrong answers to in order to prove who I am.

It's not great.

I was the victim of identity theft in the 90s, and I often get questions based on the address, and fake credit accounts the thief opened. Super frustrating.
Similar scenario here. While my ex-wife and I were separated, pre-divorce, she thoughtfully applied for credit in my name and gave the address where she was living. Now I have to either choose to lie or fail this type of identity verification. I should really take the time to contact the credit bureaus and get it fixed.
I'm sure they are using the same type of database that the credit reporting companies provide. Not only does it often contain incorrect information, it sometimes asks me detailed financial questions about my adult siblings. How in the hell should I know what mortgage company my brother has used in the past? And it is NOT my job to contact him and find out so you can cover your ass with fake security theater.
Hilarious, in the sense that I have to laugh because otherwise I would cry.
How did you learn the answers?
My last name is unusual enough that I recognized the street names that family had lived on from the set of options.

So not my address, but real ones that extended family members lived at. Just not me.

Guess I am in trouble then if I ever get stuck into something like that. My 'public' information whenever I query it is a blend of at least 3 other people. Of which only one I know. One DB thinks I am married to my mother-in-law.
While I've seen these sorts of verification methods quite rarely, what's very frustrating about them is that in my experience, the questions both make assumptions about what information is private for a person, and also come from rudimentary matching on public databases, which can easily result in questions you wouldn't be expected to know the answer to.

In one case, while, I think, signing up for something that should not have required strong security, I think an online account for a shipper, I was asked for the birth date of a 'relative who lived with me'. Only, she didn't live with me: she was my ex-aunt, who had not spoken to any of us since her divorce when I was around 8, and who had moved out of the house, and out of the state, around two decades before we moved into it. The matching appears to have been entirely based on two people with the same last name having been recorded at the same address at some points over the course of 20 years, with no cross-referencing of other data or whether the dates were at all near each other. And given how common my last name is, it would not have been too surprising to have simply been asked the birth date of a complete stranger.

I actually called the company to find out how to get an account without answering this rather infeasible question, and they pointed out that if I just tried creating an account again, it would ask me a different set of ridiculous questions. I did, and while I don't recall what the questions were, I do recall they were such that a basic search for my name online would have immediately answered them, providing no identity verification whatsoever.

I had one recently that asked what mortgage company my brother had used in the past.
I might be misunderstanding, but what's the value in asking someone to verify identity via info available in a public database?
Stops low-effort scams. Other than that, zero.
It's not quite public. You usually would need to set up a company and pay for access to it. Presumably from one of the credit companies.
> Interesting. This would mean that they actually have the data to confirm whether it is correct.

I don’t find that surprising. I’ve hired a private investigator in the past. The amount of data US consumer reporting agencies have goes back decades. They will happily sell it to you as long as you agree not to use data older than regulatory thresholds. Credit reporting tends to have 5-7 year thresholds, so many people think that’s all they have. They keep it for much longer, and just make you agree you won’t use data older than the applicable threshold.

The reports I've gotten from my PI have had biographical data going back to the late eighties. They’ve even provided SSNs and DOBs with nothing more than a name and general address match.

I've interacted with multiple financial services that do the same thing. This is not unique to PayPal.
Is this database actually a thing? A private company asking these questions is already worrying on its own but them already having the answer really feels like over-reaching. I'm pretty sure it's a US thing because there would be no way this would be legal in the EU but I'm tempted to do a GDPR request to PayPal.
Some of it is credit report stuff, some of it is public records like tax rolls.

You can look up an individual’s salary in Finland online whether they work public sector or not.

It’s all creepy, but like my name on the deed of my house not being a secret is a good thing.