
Protect Yourself With A Bank Firewall


Phishing emails are becoming more and more sophisticated, and despite all the advice people get on how not to get scammed, people still do. So, to protect ourselves against ourselves, I recommend a bank account firewall.

A bank firewall account is very simple to set up, especially if you have an ING Direct account (or any bank that lets you add sub-accounts easily). Open a new account with a $0 balance and use that account number as the funding source for services that require one, such as PayPal. If you are ever the victim of fraud, whether through a phishing email or a keystroke logger, a scammer who gets into your PayPal account can't empty your real bank account, because the only account PayPal can reach is already empty. One caveat: make sure the firewall account has no overdraft protection or linked line of credit, otherwise a fraudulent debit against the empty account will still be paid (with fees on top), which defeats the purpose.

While banks do offer protection if you are the victim of fraud, it still takes time to resolve. It's better to have a firewall in place so that even if you are scammed, the scammer never reaches the money in your main account.

Do you use a firewall account? If so, let us know and at what bank.

Jim writes about personal finance at Bargaineering.com.

(Photo: epleitez)


Comments:

I do! So don't hack me!


It's a good idea, but with the number of people out there who get hit with over-draft fees (illegitimately or otherwise), I'd think this would increase that risk unless one were careful.


@rpm773: I guess you could find a bank that allows you to disable overdraft...



I'm doing just that with my ING Electric Orange checking account! Now only if there were a way to opt out of their $250 overdraft program...


Can't you protect yourself by just only using a credit card to fund your paypal? Or do you have to give them your bank info in order to "verify" yourself?


I've decided to go forward with my own "Trusted Sender Program." Gmail allows you to add labels to your actual email address, for instance "emailaddress+crap@gmail.com" or "emailaddress+registrationforcrap@gmail.com." I do this frequently when signing up for internet freebies using "emailaddress+crap@gmail.com".

Right now I'm in the process of updating all my online bank accounts to "emailaddress+registerbankingemail@gmail.com" and I will only use it for financial institutions. This way, if I get an email requesting bank information from anyone not using that address, I know it's phishing, and to be on the safe side I'll check out the ones that come to that address.

The only downside is some institutions recognize the + character as an invalid email address.


Along the same lines as paperbuyer, I have a personal domain that allows catch-all email, so each credit card, bank and brokerage account has a specific email address on that domain.

But most important, NEVER REPLY TO EMAIL FROM FINANCIAL INSTITUTIONS BY CLICKING LINKS.

Type in the known-good address of your institution. Anything they'd want you to do in an email, they'd want you to do during an independent login. But even then, question it.

Frankly, security on most financial websites is not ideal. One that is, is TradeKing. They have a picture that must match what you picked, and you type in your password by pressing keys on the screen with your mouse, not your keyboard. Plus they tag your computer, if you want, so that logging in from an untagged computer requires you to answer a security question.


Another good, free option is opendns.com You basically configure your router or computer to use their DNS services, and they have an extensive list of phishing and scam websites which are then blocked at the domain level.


@psyop63b: I verified when they sent me a letter in the mail and I logged in and entered the code.


This would be a great idea if i had a better bank.


In fact, I just got a phishing email purporting to be from Paypal a few days ago. It contained dire warnings about account security and had a link button to follow to 'fix' the errors.


Since it looked pretty fishy, I logged in on the normal Paypal site and found no such warnings. I looked under their FAQ about phishing/spoofing and saw that no email will ever come from them headed with 'Dear Paypal user" (which is what the email I received stated). So, I forwarded the email to their fraud account for them to investigate.


The troubling thing is that this was actually a very well-done phishing email. There were no grammatical or spelling mistakes, all of the icons and html looked proper and there was no suspicious alt-text on the links. I can only imagine how many people probably fell for it.


@Ronin-Democrat: This is similar to Bank of America's log-in security. There's a "sitekey" picture that lets you verify that you're on the BoA website before you punch in your password. Basically, if the sitekey doesn't match the picture you chose, it's a fake. BoA also has the computer tagging function as well.

However, for the password, you have to type it in. Is there really a benefit to pressing keys with your mouse? I can only see it protecting you if there's a keylogger on your computer.


@Ronin-Democrat:
This, a thousand times over.

Part of the problem is that when they draft e-mail, some institutions still have the links. I had an e-mail that my first response was "phish". It was the first time I had actually had something that matched an account I had. Three hours later with some serious internet digging, it really was real and not a phish.


@psyop63b: If you live in Canada or the US, you MUST link a bank account to your paypal to become fully verified, linking a credit card will verify your address, but not the account. Otherwise you have a spending limit imposed until you verify (this is not a per transaction limit, this is an account limit)


@PaperBuyer: Another downside is that scammers and spammers do recognize the + character (and the - character for other email servers). They know that by removing that character and what follows, they get your base email address. You can know it's phishing or spam, but you still get it.

Likewise, for people so infected, the infection code could auto-respond to these special email addresses behind the scenes.

This is still good to use, but everyone needs to understand the limitations. It's not perfect for all aspects of financial safety.
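The plus-addressing rule paperbuyer describes, together with the limitation Skaperen raises, can be tried out in a few lines. The script below is an added example (mine, not either commenter's): it reads constructed sample messages, reports whether each was addressed to the banking tag, and shows that stripping the tag (and, for Gmail, the dots) recovers the base mailbox, so a sender who never had the tag can still reach the inbox. The address alice+registerbankingemail@gmail.com, the sender domains and the sample headers are all invented for the example.

```python
import email
from email.utils import getaddresses

# Hypothetical tagged address given only to financial institutions.
# Constructed for this example; the post names no real mailbox.
BANK_TAG = "alice+registerbankingemail@gmail.com"


def canonical_gmail(addr: str) -> str:
    """Base mailbox a spammer recovers from a tagged address.

    Gmail delivers mail for any '+tag' and ignores dots in the local part,
    so stripping both still lands in the same inbox.  Other providers keep
    the dots, so only the '+tag' is removed for them.
    """
    addr = addr.strip().lower()
    local, _, domain = addr.rpartition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def recipients(raw: str) -> list[str]:
    """Every recipient address in To/Cc/Delivered-To, lower-cased."""
    msg = email.message_from_string(raw)
    pairs = []
    for hdr in ("To", "Cc", "Delivered-To"):
        pairs.extend(getaddresses(msg.get_all(hdr, [])))
    return [addr.lower() for _, addr in pairs if addr]


def classify(raw: str, tag: str = BANK_TAG) -> str:
    """Apply the commenter's rule to one message.

    'tagged'   -> addressed to the banking tag: worth reading, but still
                  log in by typing the bank's URL rather than clicking.
    'untagged' -> reached the same inbox via the base address or another
                  tag: treat any 'from your bank' content as phishing.
    'other'    -> not addressed to this mailbox at all.
    """
    rcpts = recipients(raw)
    if tag.lower() in rcpts:
        return "tagged"
    base = canonical_gmail(tag)
    if any(canonical_gmail(r) == base for r in rcpts):
        return "untagged"
    return "other"


# Constructed sample messages (not real mail); bodies omitted.
SAMPLES = {
    "bank_statement": (
        "From: alerts@examplebank.test\n"
        "To: alice+registerbankingemail@gmail.com\n"
        "Subject: Your statement is ready\n\n..."
    ),
    # Tag stripped and a dot inserted: still delivered to the same inbox.
    "phish_stripped_tag": (
        "From: security@examplebank.test\n"
        "To: Alice <a.lice@gmail.com>\n"
        "Subject: Urgent: verify your account\n\n..."
    ),
    # Sent to the freebies tag, which a bank would never have been given.
    "phish_other_tag": (
        "From: support@paypa1.test\n"
        "To: alice+crap@gmail.com\n"
        "Subject: Dear PayPal user\n\n..."
    ),
    "not_mine": (
        "From: x@y.test\nTo: bob@gmail.com\nSubject: hi\n\n..."
    ),
}


def triage(samples=SAMPLES) -> dict[str, str]:
    """Classify every sample; returns {name: verdict}."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    print("base mailbox behind the tag:", canonical_gmail(BANK_TAG))
    for name, verdict in triage().items():
        print(f"{name:20} {verdict}")
```

The rule only detects mail that was not sent to the tag; it says nothing about mail that was, since the tag leaks the moment one institution's mailing list is breached or sold. That is why the comment above still says to log in by typing the bank's address rather than following the link.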


@btrthnnothing: The sitekey picture is still no good for infected computers. Once a scammer is running your computer, you are no longer safe. They can let you access your bank, log in there, even if that login includes "please click on the picture of a member of your family" (from among 100 pictures), and still take money out of your account by doing behind-the-screen transactions while showing you the first numbers that were on your account when you logged in. No bank firewall will protect you.


I use San Diego County Credit Union and just asked them to open an extra checking account for me, which they were happy to do. You have your main umbrella account which contains various subaccounts like savings, checking, and home equity. So now I just have two checking subaccounts, one of which is named Online Payments.

I use that for dealing with useful scammers like Paypal who like to go in and just empty out accounts now and then. It's worked great so far - when I need to move money into the online checking account from the real checking account I can do that with SDCCU's web interface.


@boomerang86: My electric orange only shows a $165 overdraft protection.

Also can't you link paypal to a savings account? My ing savings accounts don't show any overdraft protection.


@PaperBuyer: It's safer to never click links in e-mail from companies you have accounts with.

When you get an e-mail, go to your browser and use a previously saved favorite that goes to the real bank. Login and see if what the note says is true.


@Skaperen: It's true that if our computer is infected or someone was able to somehow remote access my computer or leave a tracer or anything like that, nothing would stop them from getting our information if we have it on the computer.

The issue I was talking about is recognizing a phishing website, which is a website designed to trick someone into entering their sensitive information into a fake log-in. The sitekey is not designed for the bank to verify who we are, the sitekey is designed for ourselves to verify that we know that the website we're on is an official website. Most phishing schemes aren't "in your computer", rather just deceiving people into giving away their password. If someone were to actually hack into your computer, it is a completely different issue as that is now "hacking" instead of "phishing".


Before I even got PayPal I set up a new checking account at my bank just for online services like them. I keep very little money in that account, and if any money gets deposited I transfer it out the same day. I can transfer money in, too, of course. Sure, I could lose $20, but I can live with that.


We had this idea years ago, but we called it a "condom account" (you know, for protection when a sleazy business tries to fuck you). The idea is you have a small amount of money you keep in it. Then you can give that account to your gym, paypal, or other places that require direct access to an account.

If it's a checking account, you could do direct deposit into it of a small dollar amount (say, $50 per paycheck) and then write a check against it to transfer it to another account, or possibly through an online transaction, when it gets too much money built up. Or you can just add cash once in a while to make sure there's enough to cover whatever will be charged against it.

But we like the idea of going a step further and using an entirely different bank than the one we use for our "real" accounts.


I've been doing this for years to protect myself from ACH draft agreements that get out of control. Once you authorize a draft, the bank won't help you if the authorized party takes more than they're entitled to. I set up a secondary account for bank drafts for things like insurance and car payments; if I have problems with a vendor, I can just close the account.


I've had one of these for at least 9 years - I added a second checking account with no overdraft protection at one of my credit unions (at a company I left 7 years ago). Paypal has that account, and when I'm making purchases I go in via the CU web site, transfer money to the second account and make my purchase.

I've never even gotten checks for the account, though I did find out from them what the MICR line for checks would be.


@btrthnnothing: And the sitekey is vulnerable to man-in-the-middle attacks from phishing sites where they just transfer everything back and forth between you and the bank, and log everything they're interested in. They try to secure against this with the "secret" questions, but that has its hacks as well.

My solution is a separate computer on a separate router/subnet that I only do financials on. No email. No web browsing to any non-financial site or any financial site where I don't already have an account. There are still ways to get at me, but basic phishing and malware attacks won't work unless one of my financial providers gets hacked. Plus I run NoScript, so XSS (probably) won't work either.


@Kevinv: your ING overdraft LOC is based on your credit history and they can increase it if you ask.


I'm not understanding something - how do you defend your firewall/condom account from overdraft charges? Aren't you still saddled with those charges if mischief occurs?


This is the worst recommendation I've ever seen on this site.


I used to have my PayPal account linked to an empty bank account. One time a charge came through and I got hit with an NSF fee from my bank. They rejected the charge and PayPal retried it again the next day, causing another NSF fee.


I'm willing to bet that there is no bank on the planet that this would work with.


I do all my online shopping/banking/financial stuff on a separate computer running Linux. I don't do much else on it. And I don't do things like that on my main (Windows Vista) computer.


Okay, I'm going to go out on a limb here...

Is there anyone that would be sophisticated enough to set up a firewall checking account for Paypal - and yet be stupid enough to fall for a phishing e-mail?


I did something like this with PayPal after somehow my PayPal got hacked and the thief did 10 $20 withdrawals from my Regions Bank checking account. I had a BofA checking account I was going to close soon (opened it for a $75 opening bonus), so I linked PayPal to it, confirmed it, etc., removed the Regions Bank association in PayPal, then called up BofA and closed the checking account. So now there's no account that PayPal can withdraw from, and I always pay via PayPal with a credit card to get cashback points, so it didn't matter anyway.


I use a myriad of accounts for safety. I have my checking account with all my money in it. Then I have my ING Direct Savings account as a bridge to my PayPal account. I also have a PayPal Debit Card for when I need to use a CC in person.

I transfer money from my checking to savings to the PayPal account. The nice thing about the PayPal CC is it will simply decline if I go over what I have. No overdraft fees, which is the same way with the savings account.

The nice part about using the Paypal account to pay for things online is that you can just use a virtual one time use CC from Paypal.