PayPal recently emailed me to say that my account password had been disabled as a “random” security precaution. To re-enable it, I would have to reconfirm my credit card details and then receive a snail-mail letter in order to verify my address, and of course pick a new password.
Now let’s just think about this. When a PayPal account is compromised by the Ukrainian mafia or whoever, we can assume that they make use of it very quickly. Probably within minutes, certainly in less than a day. Who knows when the victim is going to get suspicious and change their password or notify their bank? Sitting on a compromised account has no upside and potentially a large downside.
In order for a particular random cancellation to be effective, it would have to occur by chance at the exact moment the account was compromised. If it happened beforehand, it would have zero effect (the new password would be compromised rather than the old one). If it happened more than a few hours afterward, the account would already be drained and any protection would be useless. The odds of a particular random check providing any protection are astronomical.
Of course, maybe they’re just lying to me. That would be a whole lot better.