This morning I sent a gift via PayPal to a family member, one to whom I had never sent one in the past. The transaction was initiated using the PayPal iOS app. It included an out of band one time password and was from a device that PayPal recognized. Almost immediately, I got an e-mail confirming the transaction. About an hour later, I received an SMS message from PayPal asking me to confirm that I had initiated the transaction. When the charge hits my little four branch community bank, I will receive another e-mail and another SMS from them. Incidentally, I also got a "thank you" e-mail from the family member.
If I had used a new device to initiate my transaction, the web instead of the app, or changed my e-mail, cell number, or bank accounts, PayPal would have confirmed those activities. For changes to my e-mail or cell number in my PayPal profile, PayPal would confirm those changes to the other address and for the address changed to both the new and the old addresses. So will, for example, American Express, Fidelity, BoA, and Chase.
How much of this is by design, I do not know. What I do know is that, if my transaction was not properly authorized, PayPal, my bank, and I would have ample opportunity to learn about it on a timely basis.
Having two or more addresses for our customers, two ways to get a message to a device carried in one's hand, pocket, or purse, makes this control more effective than ever. The cheap and fast communication provided by the modern public networks makes them so efficient that it could be considered negligent, even reckless, not to use them.
What continues to concern me is that when I go to fraud conferences, I may be the only one to talk about "out of band confirmations," perhaps the single most powerful fraud detection mechanism that we have.
Please put this tool in your kit. Promote it every chance you get. Ensure that it is included in all your applications. Confirm all transactions and new or changed user profile data. Confirm to every address that you have. Confirm address changes, postal, e-mail, phone numbers, and device identities, to both the old and the new address.