

Ask HN: How to prevent PayPal handing your email address to the merchant? - cantrevealname

I have a unique email address for PayPal--different from my normal email address--that I want to keep secret. The problem is that every time I make a purchase, the merchant gets this email address (in addition to the normal email address I gave to the merchant). I know that merchants get it because I get junk mail at my secret PayPal address from merchants I did business with.<p>Is there no way to make a PayPal payment without PayPal handing my email address over to the merchant?<p>As a related question, why do I have to trust the merchant to redirect me to PayPal&#x27;s website to make the payment? There are many ways I can get fooled into entering my PayPal password directly into merchant&#x27;s website. For example, the merchant opens the PayPal site in a frame or pop-up, so you can&#x27;t verify that it&#x27;s really PayPal. I know that I can right-click and check the certificate (assuming that right-link is not blocked). But isn&#x27;t there a way I can open my <i>own</i> browser window, login to PayPal, and give some sort of invoice number to PayPal to direct payment to the merchant?
======
hakanderyal
Paypal restricts iframe embedding. They have a method called Adaptive
Payment[1], which enables you to pay directly on merchant's site via a mini
browser window or lightbox, but this option requires you to be logged in to
Paypal already. If you aren't already logged in, it opens a new window for you
to log in.

Never, ever enter your Paypal password into the merchant's site.

I don't think it is possible to hide your paypal email address when doing
payments.

[1]: [https://developer.paypal.com/docs/classic/adaptive-
payments/...](https://developer.paypal.com/docs/classic/adaptive-
payments/integration-guide/APIntro/)

~~~
cantrevealname
> I don't think it is possible to hide your paypal email address when doing
> payments.

OK, thank you.

Regarding the Adaptive Payment suggestion, it seems that it's still under
control of the merchant, and if the merchant site was nefarious they could
fake an Adaptive Payment for me to log into.

You're correct in saying that I should never enter my PayPal password into the
merchant's site. I also don't want the merchant to re-direct me. I don't want
the merchant to open an Adaptive Payment window for me. I want to open a
completely separate browser window and login to PayPal myself, and then pay
the merchant by looking up the merchant's ID or using an invoice number
provided by the merchant. Is there no way to do that?

~~~
hakanderyal
> Is there no way to do that?

Nope, there isn't a way to do that.

If you want this because you are concerned about the security, the current way
it works is pretty secure.

Even if the merchant redirects you, it opens a new browser window/tab of
Paypal's own web page. You can check the identity with https indicator in you
browser bar. You enter your password there, logging in to Paypal yourself.
Merchant redirecting you doesn't affect the security in any way.

------
chrisBob
Create an email address just for paypal transactions. There is no other way
because PayPal will always send your email address so the merchant can update
you about the purchase. This is a feature that makes sense to me.

~~~
cantrevealname
It seems that you're saying that there's no way to do what I want. OK, thanks,
but I'll clarify two points:

> Create an email address just for paypal transactions.

Yes, that's exactly what I have. I have an email address just for PayPal
transactions. However, that same email is what allows me to login to PayPal.
That's why I want to keep it secret for added security.

> so the merchant can update you about the purchase

I give my normal (non-PayPal) email address to the merchant on their order
form. So they do have a way to contact me.

------
staunch
IIRC they also hand over your physical address, even in cases it's not even
being used for shipping anything.

It's very unlikely that PayPal let's you change this dynamically or disable
it. They probably consider it a feature.

