Wait what? They track an individual's payments based purely on TransactionID?

That seems like a recipe for disaster!!?! And it also prevents users from using RBF etc.

Many of the services I've used do this, and some of them are long-established companies. What I noticed is that those services either generate a new unique address for each new deposit or accept 0-confirmation transactions. I don't remember facing this problem when the deposit address is permanent.
In fact, it makes sense if they have tons of addresses to monitor and they consolidate their inputs regularly.
I'm not sure how that company survived when the malleability attack happened a few years ago.
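The failure mode discussed above, as an added example that is not part of this thread and not any real service's code: a simplified deposit watcher in Python on constructed data. `FirstSeenTxidTracker` binds a customer's deposit to the first txid seen paying the deposit address, which is the design the posts describe; when the customer fee-bumps with RBF (or the txid is malleated), the replacement confirms under a different txid and the deposit is stuck "pending" forever. `ConflictAwareTracker` is an assumed alternative that keys an unconfirmed deposit by the inputs it spends, so any replacement that conflicts on those inputs supersedes the earlier version, and credit is only given for the amount in the confirmed transaction. The transaction model, addresses and txids are hypothetical, and the tracker class names are my own.

```python
"""Constructed demo: tracking deposits by first-seen txid vs. by conflicting inputs.

Transactions are simplified to (txid, spent outpoints, outputs); no real
Bitcoin data is involved. Class and function names are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: Tuple[str, ...]                 # spent outpoints, "prevtxid:vout"
    outputs: Tuple[Tuple[str, int], ...]    # (address, satoshis)


def paid_to(tx: Tx, address: str) -> int:
    """Satoshis this transaction pays to the watched address."""
    return sum(amt for addr, amt in tx.outputs if addr == address)


class FirstSeenTxidTracker:
    """The fragile design from the thread: the first txid seen paying the
    deposit address is bound to the order; any other txid is ignored."""

    def __init__(self, deposit_address: str):
        self.address = deposit_address
        self.expected: Optional[Tuple[str, int]] = None   # (txid, amount) awaiting confirmation
        self.credited = []

    def see_unconfirmed(self, tx: Tx) -> None:
        amt = paid_to(tx, self.address)
        if amt and self.expected is None:
            self.expected = (tx.txid, amt)

    def see_confirmed(self, tx: Tx) -> None:
        # Only the remembered txid counts. An RBF replacement (or a malleated
        # copy) confirms under a different txid, so `expected` never clears.
        if self.expected and tx.txid == self.expected[0]:
            self.credited.append(self.expected)
            self.expected = None

    def summary(self) -> Tuple[int, int]:
        """(total credited, amount stuck as pending)."""
        return sum(a for _, a in self.credited), (self.expected[1] if self.expected else 0)


class ConflictAwareTracker:
    """Assumed robust alternative: an unconfirmed deposit is identified by the
    inputs it spends. Transactions spending overlapping inputs conflict, so a
    replacement supersedes the earlier version instead of becoming a new one."""

    def __init__(self, deposit_address: str):
        self.address = deposit_address
        self.pending = []    # entries of (inputs set, txid, amount)
        self.credited = []   # entries of (txid, amount)

    def _conflicts(self, tx: Tx) -> bool:
        return any(ins & set(tx.inputs) for ins, _, _ in self.pending)

    def see_unconfirmed(self, tx: Tx) -> None:
        amt = paid_to(tx, self.address)
        if not amt:
            return
        entry = (set(tx.inputs), tx.txid, amt)
        # Drop every pending version this one conflicts with, then record it;
        # the amount may differ from the first version, so the latest one wins.
        self.pending = [e for e in self.pending if not (e[0] & entry[0])]
        self.pending.append(entry)

    def see_confirmed(self, tx: Tx) -> None:
        amt = paid_to(tx, self.address)
        if not amt:
            return
        # A mined transaction invalidates all conflicting unconfirmed versions.
        self.pending = [e for e in self.pending if not (e[0] & set(tx.inputs))]
        # Credit the amount that actually confirmed, even if never seen unconfirmed.
        self.credited.append((tx.txid, amt))

    def summary(self) -> Tuple[int, int]:
        """(total credited, amount still pending)."""
        return sum(a for _, a in self.credited), sum(a for _, _, a in self.pending)


DEPOSIT = "deposit-address-constructed"
# Customer broadcasts a payment, then fee-bumps it with RBF: same input, same
# payment to us, smaller change output, and therefore a different txid.
FIRST = Tx("txid-a1", ("prev:0",), ((DEPOSIT, 100_000), ("change-addr", 49_000)))
REPLACEMENT = Tx("txid-a2", ("prev:0",), ((DEPOSIT, 100_000), ("change-addr", 47_000)))


def run_scenario(tracker_cls) -> Tuple[int, int]:
    """Feed both versions as unconfirmed, then confirm only the replacement."""
    tracker = tracker_cls(DEPOSIT)
    tracker.see_unconfirmed(FIRST)
    tracker.see_unconfirmed(REPLACEMENT)
    tracker.see_confirmed(REPLACEMENT)
    return tracker.summary()


if __name__ == "__main__":
    print("first-seen txid :", run_scenario(FirstSeenTxidTracker))   # (0, 100000): stuck
    print("conflict-aware  :", run_scenario(ConflictAwareTracker))   # (100000, 0): credited
```

The same scenario models a malleated transaction: a third party rewrites the signature encoding so the txid changes while inputs and outputs stay identical, and the first-seen tracker loses the deposit in exactly the same way, while the input-keyed tracker credits the confirmed version once.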

I don't think it's in the customer's interest to conduct a malleability attack when using a service which accepts only the first seen transaction ID as valid.