[Security\Privacy issue] We need to hide the e-mail and use a nickname, phone or id instead on the send payment page

v00d00m4n Posts: 1 Member
Please add the ability to enter a numeric id or nickname instead of e-mail for payments on the load page.

The biggest flaw of Payoneer is the fact that people need to expose their e-mail if they want to receive payments. This is a big security risk (especially considering the fact that Payoneer does not have 2-factor authorisation and no SMS\app code confirmation), where any hacker who sees the e-mail of a recipient could try to hack the e-mail account to gain access to the Payoneer account.

In case someone is using automated links for donations like

load payoneer com/[email protected]&amount=20

on their sites or inside some software as an alternative to PayPal donation buttons (actually I registered on Payoneer just because I hate PayPal's scamming schemes and because there is no way to hide my email from potential hackers and spammers), e-mails could be automatically crawled and added to spam databases.

Exposure of the e-mail could be used to search for people in other networks, such as Facebook or VK, and this is where most people would have the answers to their secret questions exposed to a hacker.

So once you reveal an e-mail, it could lead to a hack of the mail account, a search for the answers to secret questions, and regeneration of a new password to access Payoneer. This is a very insecure scheme that needs to be changed ASAP.

Another problem related to this is the fact that the account is tied to one e-mail account and cannot be changed. In case the e-mail account is lost for some reason (many services love to delete e-mail accounts after 6 months or 1 year of inactivity and even make them available for re-use by other persons; for example the Russian mail.ru does that nasty thing), the e-mail should be changeable, and there should be another constant id that will be associated with the person no matter what e-mail is used, and this id should be usable on the load page as an alternative to e-mail.

Actually you already have such unique numeric ids; all you have to do is enable them to be used as a login name in addition to e-mail, both on any login page and on the load page.

But numeric ids are harder to remember and easy to mistype, so a 3rd alternative way must be added: unique alias names\nicknames. Actually you can automatically import them from this forum's accounts in case both e-mails match, for accounts that used the forum (login should not be unified, but you can use some sync of both accounts and an OAuth technique, so that a user logged into the main Payoneer account could be auto-logged into the community account, and a change of nickname in either account should apply to both). For the rest of the accounts that were not registered here you should just add a form to enter a unique alias nickname, and for anyone who registers on the forum later, again in case both e-mails match, the nickname should be automatically taken from the main Payoneer account.

A cellphone number registered here could be used as yet another alternative to log in and receive money.

One more thing you should do: on the password restore page you should ask for both the nickname alias or numeric id and the e-mail, plus the cellphone number, before going to the secret questions.

This way, if the e-mail was not exposed to the public and the attacker only knows the nickname, id, or cellphone, the e-mail would be safe from hacking and the other login variations would not be accessible to the hacker. This will make accounts less hackable and will keep people's privacy better than usage of e-mail only, and of course there would not be any spam after this.

Please do this as soon as possible; at least start with the numeric id implementation on the load and login pages, since everyone already has this and you don't need to implement a completely new login system. That would be an easy and fast minor change to the existing one; phone as login and unique nickname as login should follow next.

And please add security options with 2 rows of checkboxes that will give us control over which login we want to use and where, like this:

Type of login | Use to log in | Use to receive\send money
Email         | checkbox      | checkbox
Id            | checkbox      | checkbox
Phone         | checkbox      | checkbox
Nickname      | checkbox      | checkbox

Such security settings would allow us to expose some kind of login\id that could be used only for receiving or sending money, but not to log in, so anyone who knows such a login would not be able to log in with it :smiley:


And I almost forgot: when you implement any of this or all of this, don't forget to add arguments for the load page to autofill the forms, so as an alternative to this

load payoneer com/[email protected]

we could use any of these:

load payoneer com/?phone=+1111111111
load payoneer com/?nickname=CoolUser123
(case insensitive please)
load payoneer com/?id=12345678

It would also be nice if you add a feature that would allow us to tie any number of additional e-mails and phone numbers to the same Payoneer account.

For example I use one email as primary and another for Google-specific account features; there is a private email for authorisations and a public one for communication, and I would love to use both so that both would bring money to one and the same account on Payoneer. Same for phones: I use one number for business, another for private matters as in-calls only, and one more for cheaper international out-calls, and I want any one of them to be usable as a login to receive payments.

Please help us to keep our privacy and security!

P.S. The only thing that PayPal does better than you is the fact that at least with a business account you can hide the email and use an id there, but if you make the whole list of aliases I mentioned, you will beat PayPal to death because of better privacy and security.
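One way to model the per-identifier matrix and the load-page parameters proposed in this post, as an added example that is not Payoneer's code; the account data, the sample address and the query-parameter names are constructed assumptions:

```python
from urllib.parse import parse_qs

# Constructed sample. "policy" mirrors the post's checkbox columns: login / money.
ACCOUNTS = {
    "acct-1": {
        "identifiers": {
            "email": "private@example.com",   # hypothetical address
            "id": "12345678",
            "phone": "+1111111111",
            "nickname": "CoolUser123",
        },
        "policy": {
            "email": {"login": True, "money": False},  # e-mail hidden from payers
            "id": {"login": False, "money": True},
            "phone": {"login": False, "money": True},
            "nickname": {"login": False, "money": True},
        },
    },
}
KINDS = ("email", "id", "phone", "nickname")

def normalize(kind, value):
    """Canonical form: e-mail/nickname case-insensitive, phone digits only."""
    value = value.strip()
    if kind in ("email", "nickname"):
        return value.lower()
    if kind == "phone":
        # A literal '+' in a query string decodes to a space, so rebuild it.
        return "+" + "".join(ch for ch in value if ch.isdigit())
    return value  # numeric id: compared as given

def build_index(accounts):
    """Map (kind, canonical value) -> account id."""
    return {(k, normalize(k, v)): acct
            for acct, data in accounts.items()
            for k, v in data["identifiers"].items()}

INDEX = build_index(ACCOUNTS)

def resolve(query_string, purpose, accounts=ACCOUNTS, index=INDEX):
    """Account id for a load/login query if the matrix allows it, else None."""
    params = parse_qs(query_string)
    given = [k for k in KINDS if k in params]
    if len(given) != 1:
        return None  # no identifier, or several: refuse rather than guess
    kind = given[0]
    acct = index.get((kind, normalize(kind, params[kind][0])))
    if acct is None or not accounts[acct]["policy"][kind][purpose]:
        return None  # unknown identifier, or its checkbox for this use is off
    return acct
```

With this matrix the e-mail resolves only for login and the nickname, id and phone only for payments, so a payment link never has to carry the address.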

Comments

  • FanFocusATgmailCOM Posts: 12 Member ✭✭
    Wow, a very well thought out suggestion.
    Never Give Up Or Give In... Never.
  • Sivan Posts: 642 Administrator ✭✭✭✭✭✭✭
    Hi @v00d00m4n. First of all, let me thank you for taking the time and effort in sharing your details and well thought feedback. I will make sure to pass it on, and we will look into it.