Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: How to prevent PayPal handing your email address to the merchant?
2 points by cantrevealname on Nov 2, 2014 | hide | past | favorite | 6 comments
I have a unique email address for PayPal--different from my normal email address--that I want to keep secret. The problem is that every time I make a purchase, the merchant gets this email address (in addition to the normal email address I gave to the merchant). I know that merchants get it because I get junk mail at my secret PayPal address from merchants I did business with.

Is there no way to make a PayPal payment without PayPal handing my email address over to the merchant?

As a related question, why do I have to trust the merchant to redirect me to PayPal's website to make the payment? There are many ways I can get fooled into entering my PayPal password directly into merchant's website. For example, the merchant opens the PayPal site in a frame or pop-up, so you can't verify that it's really PayPal. I know that I can right-click and check the certificate (assuming that right-link is not blocked). But isn't there a way I can open my own browser window, login to PayPal, and give some sort of invoice number to PayPal to direct payment to the merchant?




Paypal restricts iframe embedding. They have a method called Adaptive Payment[1], which enables you to pay directly on merchant's site via a mini browser window or lightbox, but this option requires you to be logged in to Paypal already. If you aren't already logged in, it opens a new window for you to log in.

Never, ever enter your Paypal password into the merchant's site.

I don't think it is possible to hide your paypal email address when doing payments.

[1]: https://developer.paypal.com/docs/classic/adaptive-payments/...


> I don't think it is possible to hide your paypal email address when doing payments.

OK, thank you.

Regarding the Adaptive Payment suggestion, it seems that it's still under control of the merchant, and if the merchant site was nefarious they could fake an Adaptive Payment for me to log into.

You're correct in saying that I should never enter my PayPal password into the merchant's site. I also don't want the merchant to re-direct me. I don't want the merchant to open an Adaptive Payment window for me. I want to open a completely separate browser window and login to PayPal myself, and then pay the merchant by looking up the merchant's ID or using an invoice number provided by the merchant. Is there no way to do that?


> Is there no way to do that?

Nope, there isn't a way to do that.

If you want this because you are concerned about the security, the current way it works is pretty secure.

Even if the merchant redirects you, it opens a new browser window/tab of Paypal's own web page. You can check the identity with https indicator in you browser bar. You enter your password there, logging in to Paypal yourself. Merchant redirecting you doesn't affect the security in any way.


Create an email address just for paypal transactions. There is no other way because PayPal will always send your email address so the merchant can update you about the purchase. This is a feature that makes sense to me.


It seems that you're saying that there's no way to do what I want. OK, thanks, but I'll clarify two points:

> Create an email address just for paypal transactions.

Yes, that's exactly what I have. I have an email address just for PayPal transactions. However, that same email is what allows me to login to PayPal. That's why I want to keep it secret for added security.

> so the merchant can update you about the purchase

I give my normal (non-PayPal) email address to the merchant on their order form. So they do have a way to contact me.


IIRC they also hand over your physical address, even in cases it's not even being used for shipping anything.

It's very unlikely that PayPal let's you change this dynamically or disable it. They probably consider it a feature.




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: