Reply to post: Security!=privacy

App makers, you're STILL doing security wrong

FF22

Security!=privacy

First of all, contrary to what the title says, this is not about security, but privacy. These two things are not only not interchangeable, but are - in some way - at opposite ends of the same spectrum: security almost always comes at the cost of privacy, and you can only increase one if you lower your requirements on the other. It's because of the simple fact that security depends on being able to identify the persons who are asking for access. So, you can only increase security at the cost of loosening privacy requirements, and vice versa (if privacy is a top factor, you can't really have good security).

And therein actually lies the culprit. Obviously the clueless "expert" doesn't get it, but all that information is collected by the PayPal app so it's easier for them to spot fraudulent transaction requests from unauthorized devices and unauthorized users. Because stealing a user's password might be rather easy (even using basic phishing techniques), but figuring out all the other data collected by the app, like device IDs, network IDs, etc., and duplicating them, is not so much (easy). When they do not match, PayPal can flag the transaction and possibly run extra checks on it - all in order to protect the legitimate user's money.

Also, the security "expert" worrying about PayPal knowing your device IDs is rather funny. Because you know, PayPal already knows who you are and what you're doing. Why? Because you registered your credit card and holder name with them, they also have your email address, and possibly your business name and real name. They also know what you bought and where you bought it (with your PayPal account). So by also knowing your SSID they can't "invade" your privacy any more than they could already.

So, all these privacy issues brought up by this "expert" are not actually privacy issues. They're rather issues of knowledge and of credibility, and they pinpoint a basic problem with today's tech journalism. Namely, why on Earth does a technology news site pick up a story or "analysis" from somebody so clueless about privacy and security implications, and re-publish it, without all the proper commentary and corrections?
