Regarding "enable settings in PayPal to place payments on hold for manual review" - how to do that, because on paypal.com/cgi-bin/customerprofileweb?cmd=profile-pref it's not available such thing, maybe from elsewhere? PP account from European and EUR payments generally. http://i.imgur.com/JR0aQg3.jpg
Also Lastschrift is a German payment method made through PayPal again, so again EJ receive the IPN and so on. The general problem is that those users are mentioned into the PP transaction as "PayPal Unregistered" and no such option (tick on EJ) to block them, I mean to NOT send the code to them when they're unregistered on PP (having a Verified PP acc). Browse some more info on the net about this.
I have just checked the IPN history for a transaction like this ]Payment From:
Some Name (The sender of this payment is Non-U.S. - Unregistered)]. For "payer_status" says "payer_status=unverified", so definitely in EJ from somewhere need to be set a rule where to block sending the code to Unverified payers, right :)?
Also - could you get the IPN status from eBay transactions in order to match the address from eB and PP, and to put such tick on EJ. So if the address matches on both places, to send the code. And another tick for the name (if name matches, again to send the code, optional setting, because there're families that allow children to use their own name as PP or eB name).
Regarding the SMS verification, any info here? Manual review - even if I do that somehow - doesn't helps because in my niche there're 10+ Chinese/HKs sellers with 200k+ feedbacks, even natural Germans can't beat them or have competitors from Germany, so they send the code in 1-5 minutes, some sellers - up to 30. I don't have any people working for me, neither could be on the PC 24/7/365, so EJ sending the code in 30s is good but still - not possible to verify the other's party.
For example that "Invoice ID" from EJ that is sent to the buyer could be entered in some website linked with TeleSign. So the buyer to enter the that unique code in that website, where he enters his shipping address, name, phone and Invoice ID. He receives back to his phone and SMS code which he enters the page and passes to the unique code/key. But he won't receives and SMS or so if his cellphone location is not in the GeoIP (detected) area where is he from, so therefore - blocked sending the code and the script to automatically refund the transaction, because it's 90% sure that is fraudulent. Hijackers can enter name, address, etc., BUT they can't enter the phone. Why?
Because let's say the original owner of the PP/eB acc is in Berlin. The hijacker is from Hamburg. He enters his Hamburg's phone but the script says that his address is in Berlin street bla bla, so therefore won't receive the SMS Code or will be automaticallly blocked. Or such things, I'm sure that when many digital stores are using this TeleSign thing, then it should be working (don't have any in-depth details, tho). So that kind of option might be added as a separate application/module/script or whatever to EJ. And to be used from eBay digital code sellers.
About the "provider from which I obtain the codes i he could deactivate them" - no such option. They're scanned and writen in .txt from the Retail Game PC Boxes purchased in bulk or wholesale from big suppliers. No such option for reporting stolen or so, providers can't disable/ban/etc. them, neither to be "removed" from any user accounts that may have been applied to.