Comment by terlisimo
8 years ago
I had a sort-of related experience with PayPal where the machine said "No."
I've been using it for at least 10 years at that point.
What I did was try to pay for some cheap VPS hosting in Italy. The transaction was denied. I thought there was some problem with my CC, so I immediately tried to do a $1 transaction with some other company and it went without a hitch.
So I contacted PayPal support about it and the next day I actually get a phone call from one of their support staff.
He says my transaction was flagged as "suspicious" by the fraud prevention system. So I asked, okay... but now a Human has looked at it, can you manually approve the transaction? The answer was "No, I am not allowed to tell you why".
I was incredulous, so I asked "Wait... you acknowledge that I'm not a scammer or a terrorist (since my PP account still worked and does to this day), and the party I'm trying to purchase from is obviously not either since they're still accepting PP, but The Machine thinks there is something fishy about us two specifically and there is no way for someone to manually approve this transaction?"
And he said something to the tune of "Yes. I'm sorry, but there is nothing I or anyone at PP can do about it, and for security reasons we're unable to offer further details."
So yeah. This was just a minor nuisance for me, I purchased similar services elsewhere. But the whole thing was a real eye-opener. That was the day I realized that there is no pleading or reasoning with The Machine.
> and for security reasons we're unable to offer further details
To give a little behind-the-scenes here, I worked for a bit for a web hosting company that had this as standard policy. This was because, before it was put in place, scammers would actually use coordinated campaigns of support calls with otherwise legitimate accounts in order to extract piecemeal details about how the company's fraud investigations worked, then reorganize their scamming to precisely evade the time periods and credit card checks used at the time.
This was how Simplii and BMO (two Canadian banks) were hacked earlier this year.
> The hackers explained that they were able to breach the banks’ sub-par security by using an algorithm to generate account numbers and then posing as customers who had forgotten their passwords.
“They were giving too much permission to half-authenticated account which enabled us to grab all these information,” the email said, adding that the system “was not checking if a password was valid until the security question were input correctly.”
Source: https://www.ccn.com/hackers-demand-1-million-in-xrp-after-br...
That part makes total sense. It doesn’t make sense that a human could not override.
At my company, there was a specially-trained fraud department that could handle cases like that, with specially arranged hoop-jumping to prevent social engineering for information. I would expect that Paypal has something similar, but maybe the phone drone in that case was too untrained or unmotivated to transfer things to them.
Financial fraud prevention gambits are complicated.
It may be possible that PP thought someone else was using your account.
What should happen in these scenarios is simply a validation of some kind ie payment only goes through if you click on the email your received.
I used to travel to SF from Canada a lot and my bank would block my Visa even though I told them not to.
In the US there's no password in Visas, i.e. no chip-and-pin, which is totally crazy = huge fraud.
It's funny to think in the Silicon Valley, top tech companies in the world ... everyone is still using that old mag stripe stuff when pretty much the rest of the world has moved on.
The US largely migrated to chip and signature in 2015. I think a large majority of credit card uses today are chip in the US because the issuers quickly sent out chip cards, most terminals got updated to use them, and swipe is rejected often if chip is available.
To be clear, this is chip (and sometimes signature for large purchases) but not chip-and-pin, so the original statement of no passwords generally holds true, but the mag stripes are generally not used anymore.
There are still idiot retailers that won't support the chip for debit transactions. Or even stupider, some let you choose between credit or a debit after inserting to the chip reader and reject you for choosing debit.
Mag strips are often used by ATMs and machines that you stuff cards into for tickets (train, museum etc).m I don’t know why but I’ve never encountered an ATM that uses the chip. I’m an MRI radiographer with expertise in the area of mag strip erasure. Chips are fine though and work after repeated exposure to 3T magnets.
4 replies →
> swipe is rejected often if chip is available.
It's the other way around. If you try the chip 3+ times, and it doesn't work, you can swipe the card, and the swipe transaction will work.
When the more secure method fails, it falls back to the less secure one. It's lunacy.
7 replies →
Put your chip card quickly in and out three times, next the machine will tell you to “swipe your card”.
3 replies →
I tried to delink my bank account from PayPal, so I could close it, and it refused cos I apparently owed $1.27 even tho my balance said $0. I tried to add a credit card but it was flagged as suspicious. Contacting PayPal they said I needed to go into the bank and put some money, my account so PayPal could take it. But I had already closed the bank account.
After PayPal refusing to help. I resolved it by opening a new PayPal account. Adding my credit card (not flagged suspicious) and transfer $2 to the account. Then I could delink the bank account and close it. Then I closed the new account I opened.
Curious, why did you care? I think I'd just leave the account open.
I never knew I had a negative balance. Until after 2 years of it using PayPal they sent me a random email to inform me I had 30 days before they would pass it to debt collectors. So I figured better to close the account. Never use PayPal anyway.
3 replies →
I've heard nothing but bad things about PayPal and how they often hold your own money hostage. Why don't people switch to alternatives? Are there no good ones?
The reason sellers don't go elsewhere is that buyers really like it, because it gives buyers a lot of power.
I've had them be annoying to me before. My favorite PP fact I found out the hard way: never put the string 'aleph' in the note field. Apparently that's flagged as a Terror-Word(tm), and it held up a transaction of mine for over a month.
I still use them, but only under modified-casino rules: never play with money you can't lose. Have a separate bank account just for them, so they can't get up to shenanigans with more than you intend; never depend on them for anything time sensitive; and never send money anyone depends on for anything important.
Never hold a PP balance. If you receive money into your PP account, treat it as unavailable unless you successfully spend it on goods or services. Never link your PP account to a bank account. Only fund your PP account with a credit card, so you have some protection when things go wrong.
The problem is that securily sending someone's money to someone else while avoiding fraud is hard. So you have a service that is difficult and expensive (for the merchant typically), or you have one that sucks for some users but good enough for most.
For what it's worth, I've never had a bad experience with PayPal. I've heard all the horror stories, but nothing has come close to that. I sold something on Ebay once and the buyer didn't receive the item, and did what he should and reported it to Ebay/PayPal. Paypal started the dispute resolution process, and I uploaded a receipt of me sending it. The dispute was resolved in my favour.
I started accepting donations from a community gaming website via PayPal and I was very hesitant about using it due to the bad stories I've heard. A couple of months and a couple of hundreds of dollars later, no problems yet.
The biggest 'problem' I've had with PayPal is moving to a new country. You can't add International cards to your account, and you can't change the country of your PayPal account. The only solution for me was to create a new account, which is fine I guess.
But then I guess you never have a bad experience until you do.
We had a problem where after about 10 years, PayPal suddenly decided that our account was in the wrong country, and the only solution was to close it. Kafkaesque.
I wrote about it here: https://www.cogini.com/blog/paypal-know-your-customer-failur...
> I sold something on Ebay once and the buyer didn't receive the item, and did what he should and reported it to Ebay/PayPal. Paypal started the dispute resolution process, and I uploaded a receipt of me sending it. The dispute was resolved in my favour.
How is that not a bad experience for a buyer who never got an item he paid for?
5 replies →
If you accept PayPal as a merchant, every dollar you have received is 100% at risk until you have a) received it in your bank account, and b) removed it from any account for which PayPal has the information necessary to perform ACH withdrawals. For merchants, PayPal is a nightmare.
As far as alternatives, customers seem to love PayPal, because they side with buyers effectively 100% of the time in any disputes. So even if there were a convenient PayPal clone (which there isn't, at least in the US), you still wouldn't match the conversion rate that PayPal has, as many people will only use PayPal.
So, you can either accept a lower conversion rate by going with something like Stripe (because users don't want to enter their CC information directly on small merchant sites), or you can accept PayPal and be essentially guaranteed that at some point your account will be closed and you'll be screwed out of a significant amount of revenue. Currently, these are the bad choices that merchants face.
"effectively 100%"... "essentially guaranteed"... Com'on, that's not true.
I've won disputes on PayPal as a seller.
Companies have been using PayPal for over a decade without their accounts being closed.
You're talking nonsense.
1 reply →
Suppose I sell things on my website, and you visit it and buy something. You pay with a credit card. Maybe I accept credit cards directly and you pay that way, or maybe I accept PayPal and you pay me that way, and pay PayPal with a credit card.
Now suppose it turns out I have misrepresented the items I sell. When your item arrives, you find that my site was pretty much fraud. You try to contact me to demand a refund...but no one answers the phone or responds to email. That's because I took all the money from you and the rest of the people I deceived and moved far away, to someplace safe from extradition to the US and that won't enforce US civil judgments.
So you call up your credit card company, tell them what happened, and they quickly refund your money. As do the credit card companies of all the other people I took advantage of.
Where does the credit card company get the money for all those refunds? They aren't going to get it from me. They certainly have no interest in eating those losses themselves.
What they do is require a business that accepts credit cards to have an account at a "merchant bank". When someone pays that business by credit card, the credit card company does not pay the business directly. They pay the merchant bank, which pays the business.
In order to be allowed to do this, the merchant bank has to enter into a contract with the credit card company that says that the merchant bank will pay the credit card company for all refunds and chargebacks. The merchant bank will try to get the refund money from the business, but if they fail they have to make up the difference.
The way merchant banks do this is they hold back some of the money they receive from the credit card company for the business, to build up a buffer to cover refunds and chargebacks. As the business establishes a track record and the merchant bank becomes more confident in its estimates of the refund/chargeback risk for the business, they will adjust the amount they hold in reserve.
I don't know exactly how it works when a buyer uses a credit card to pay PayPal, but somewhere between the credit card company and the seller there is an entity taking the role of the merchant bank and guaranteeing that the credit card company won't be left holding the bag if the seller can't cover refunds/chargebacks.
I suspect that the entity is PayPal itself, and most of the incidents you hear about of them holding some seller's money is them increasing the reserve because there was some change in his selling pattern that suggested the current reserve was no longer in line with their estimates of his refund/chargeback risk.
I think people don't switch to alternatives because the alternatives, at least the ones that provide strong consumer protection, almost all have the same or similar mechanisms to try to make sure that if the seller is bad it is the seller who pays.
They could switch to alternatives that do pay the seller directly with no mechanism for a refund other than asking the seller, such as most cryptocurrencies, but then they would probably lose a lot of buyers unless they were very well established businesses with outstanding reputations. (But if that were the case, then they probably could accept credit cards without their merchant bank requiring a large reserve).
Taking money from paypal is a risk, as there's a period of time it's in paypal before you extract it Sending money to a store on paypal doesn't seem to be a problem
As I understand it, expensive processes required for compliance with financial system/anti-money laundering laws make a moat for most money transmitting businesses. That moat prevents upstarts from challenging incumbents effectively.
Presumably someday cryptocurrencies will be able to fill the PayPal niche, but that requires a more robust buyer-merchant ecosystem than exists at present.
Bitcoin was floated as a solution for people who were wronged by PayPal and the banks, before the speculators moved in.
Bitcoin shifts all the counterparty risk to the buyer. PayPal shifts most of the counterparty risk to the seller.
As a buyer, I don't care for that feature of Bitcoin.
3 replies →
If that was an aim it would be naive not to predict speculators would arrive, as they are there for everything else.
Using a bank and had similar experiences. BBVA flagged flights booked on Southwest as gambling. Nothing they could do about it.
Because there is a disconnect between reality and what you hear. PayPal is fantastic.
I purchased the board game "Cuba" from someone on gumtree (we're both Australian) and paid them with Paypal. For the transaction note I wrote "Cuba" and my (Australian) address.
This is what I received from Paypal:
To ensure that activity and transactions comply with current regulations, PayPal is requesting that you provide the following information via email to ComplianceTransactions@paypal.com
1. Purpose of payment XXXXXXXXXXXX attempted on 29 May 2016 in the amount of 53.00 AUD, including a complete and detailed explanation of the goods or services you intended to purchase. Please also explain the transaction message: "Cuba and postage to 4113. <my address>."
They obviously have a block on the word "Cuba" and there was some back and forth to let the transaction through.
> I realized that there is no pleading or reasoning with The Machine.
Weapons of Math Destruction was one of the most eye opening books I read recently. It's all about how Machines when set up with self-reinforcing models can become a real big problem.
And how the fact nobody quite understands how The Machine makes decisions isn't helping either.
Examples of these abound, from the article to the Ethereum DAO "hack" and too often (just look a bit lower in the comment section) the response is "The Machine is working as it should." I feel like automation is great but don't forget that people are still people and someone should be able to lift the lid and fix things themselves.
My solution would be to not rely too much on these systems, but at the very least, at least include escape hatches and big red emergency buttons. Engineers do, why can't hackers do this?
> Engineers do, why can't hackers do this?
That can be difficult if security features rely on humans not being able to subvert the process, I think. But for other processes, this should be the default!
I make and upload electronic music to SoundCloud. Once I sent a joke DM to my friend, another SoundCloud user, mimicking a typical spam post at the time. SoundCloud's spam filtration system autobanned and deleted my account. I had it back a couple days later but a bunch of stuff is still off with my account(fewer plays, likes, followers, etc).
That's just the thing.
Once we let the machines make the decisions, and rely on them to do a "better job" there will be cases like this where it's just cheaper and easier to just follow the program and explain what happened.
Actually we are building a zoo for ourselves where humans will make no decisions at all about anything of consequence!
Remember when the United Airlines system flagged specific passengers for removal? Throughout every step of the process employees were blocked or discouraged from exercising common sense to come up with a creative solution and bargain with passengers.
https://en.wikipedia.org/wiki/United_Express_Flight_3411_inc...
I'm incredibly sad at how much of my programming goes into monitoring the performance of my coworkers. The worst part is when I write a new tool and take a look at it before management does. Usually only 1 or 2 people are doing the tasks that management is asking everyone to do daily.
My former boss was once a programmer. Then he became a manager, so he wrote tools to help monitor his department. That went well for years. Then another manager was brought in to "help" him, and months later he was fired. I guess it was kind of obvious, but it still made an impression on me how cold blooded it was.
The metrics* gathered on us were pretty meaningless, and didn't meet the cardinal rule of being actionable, but we still had to go over them each and every week. And some of the actual work was producing reports on productivity for other parts of the company in different places.
*Despite the fact we were programmers and every person in the department had a different role, we were scored based on tickets done and tickets that failed qa.
I had a related experience wherein I asked Paypal for a debit card. They denied my request and locked my account (with money in it) until I provided a multitude of documents to verify my identity and ownership of my bank account.
Of course, they could provide no information about why this happened or how to avoid it. I became a lot more conservative about using Paypal again, and never did make another request for a debit card.
Actually the more i read about Paypal, the less I want to use it.
I try to pay with my prepaid card directly whenever I can.