

Ignoring the amount customers confirm is no security bug according to PayPal - david_b
http://seclists.org/bugtraq/2014/Jul/85

======
benmorris
I've implemented express checkout on a few carts I've written. It isn't
possible to calculate the shipping cost/method until the user gives at
minimum their zip code and country. So basically the flow of Express Checkout
doesn't allow this since that information is sent back once they authorize a
charge and return to your site. At that point the customer is prompted with an
order confirmation, final total and to select their shipping information. When
they click confirm the charge is actually made. Express Checkout is extremely
popular on all of the sites I've worked with and is probably the quickest payment
method people can use. In the 6+ years we've been using it we have not had one
single complaint about charging the wrong amount shown on the PayPal
confirmation page. Customers understand they must select their shipping method
and I would rather not have them enter duplicate information.

I am confused how this "bug" is any different than using something like the
payments pro API. Sure your cart page says you'll charge X amount, there is
NOTHING keeping you from charging some other arbitrary amount when they press
pay.

~~~
lawl
I wouldn't mind entering my ZIP to precalculate the shipping costs. But
seriously, shipping costs are a lame excuse. There is nothing that stops
paypal from calling back to the shop to get the shipping costs. Or just make a CORS
request from the browser itself and have the shop sign the shipping costs so
paypal knows.

> Sure your cart page says you'll charge X amount, there is NOTHING keeping
> you from charging some other arbitrary amount when they press pay.

Which is exactly why I only use shops with paypal where I see the amount
charged on paypal.com if I don't completely trust the shop. I was under the
impression that this was the value paypal provides. Apparently I was wrong.
Might as well get a prepaid credit card now.
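The Express Checkout flow benmorris describes (amount authorized on paypal.com first, shipping chosen after the buyer returns, final charge named by the shop) next to the "have the shop sign the shipping costs" policy lawl proposes, as an added Python model that is not PayPal's code or API. `SHOP_KEY`, the HMAC scheme, `charge_with_policy` and the order values are all constructed for this example; only `charge_as_described` reflects the behaviour the thread reports.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed shared secret for the demo; a real shop/processor pair would provision one.
SHOP_KEY = b"constructed-demo-shop-key"

@dataclass
class CheckoutSession:
    order_id: str
    authorized_cents: int      # total the buyer saw on paypal.com when authorizing
    shipping_cents: int = 0    # chosen only after the buyer returns with zip/country
    shipping_sig: str = ""     # shop's signature over the shipping quote (hypothetical)

def sign_shipping_quote(key: bytes, order_id: str, shipping_cents: int) -> str:
    """Shop signs the shipping cost it displayed on its own confirmation page."""
    msg = f"{order_id}:{shipping_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def charge_as_described(session: CheckoutSession, charge_cents: int) -> tuple:
    """Behaviour the thread describes: the final call may name any amount."""
    return True, f"charged {charge_cents} (authorized {session.authorized_cents})"

def charge_with_policy(session: CheckoutSession, charge_cents: int, key: bytes) -> tuple:
    """Hypothetical processor-side policy: the final charge may exceed the
    authorized total only by a shipping cost the shop has signed."""
    expected = sign_shipping_quote(key, session.order_id, session.shipping_cents)
    if not hmac.compare_digest(expected, session.shipping_sig):
        return False, "shipping quote is not signed by the shop"
    if charge_cents != session.authorized_cents + session.shipping_cents:
        return False, (f"charge {charge_cents} != authorized {session.authorized_cents}"
                       f" + shipping {session.shipping_cents}")
    return True, "ok"

def run_scenarios() -> dict:
    """Constructed order: 22.95 USD authorized, 4.99 USD shipping picked afterwards."""
    s = CheckoutSession("order-1", authorized_cents=2295, shipping_cents=499)
    s.shipping_sig = sign_shipping_quote(SHOP_KEY, s.order_id, s.shipping_cents)
    unsigned = CheckoutSession("order-2", authorized_cents=2295, shipping_cents=499)
    return {
        "as_described_any_amount": charge_as_described(s, 9999)[0],
        "policy_legit": charge_with_policy(s, 2295 + 499, SHOP_KEY)[0],
        "policy_overcharge": charge_with_policy(s, 9999, SHOP_KEY)[0],
        "policy_unsigned_shipping": charge_with_policy(unsigned, 2295 + 499, SHOP_KEY)[0],
    }
```

Calling `run_scenarios()` shows the as-described path accepting an arbitrary amount while the signed-quote policy accepts only the authorized total plus the shipping the shop actually quoted.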

------
beejiu
This is how it has always been; it's written in the documentation. I don't
personally consider this a bug, since a retailer could feasibly accept a
credit card and charge whatever they want to it. The fact that PayPal allows
the amount to be changed is not dangerous, because PayPal holds the liability
and any charges can be reversed. Furthermore, the business who charges
consumers without consent will be committing fraud.

~~~
Hermel
> any charges can be reversed

Good luck with that. It's very hard to get your money back when the merchant
knows how to answer Paypal's questions. I failed at doing so when a merchant
sold me something he could not deliver and then insisted on giving me a
voucher instead of returning my money.

~~~
MichaelApproved
This story is going to need more detail because one of the biggest complaints
merchants have is how PayPal will pretty much always side with the customer.

~~~
arkonaut
Agree here - That has always been one of the thorns in accepting PayPal on any
decent scale. At least with chargebacks, you can fight them and win about 50%
of the time with the right docs. PayPal barely entertains dialogue.

~~~
Hermel
What happened is that I wanted to register a domain using www.mediaon.com, but
that failed because someone else registered the same domain in the meantime
using another company. When I asked for my money back because they failed to
register the domain, they refused, saying that firstly it wasn't their fault
(which is technically true) and secondly that I would be free to use the paid
money to register another domain. That's in direct contradiction to their
"money-back guarantee". Anyway, Paypal sided with them. It seemed to me that
they knew exactly what to tell PayPal and PayPal does not seem to be very
consumer-friendly when it comes to digital products (the policy for physical
products differs).

------
bencoder
I recently integrated paypal. I did a test to see how much extra we could
charge if the customer chose an obscure shipping address and there didn't
appear to be any limits like I was expecting (I was expecting a percentage +/-
of the "confirmed" amount).

I asked paypal and they confirmed that there's no limit.

It is a little weird, but since paypal always sides with customers in
disputes, it's probably not so bad if you get hit with this.

------
mathias
I spotted this earlier this week when ordering a t-shirt through TeeSpring
using PayPal. I authorized a payment of 22.95 USD. Here’s a screenshot from
the payment confirmation email I received:
[http://i.imgur.com/BGjKcsW.png](http://i.imgur.com/BGjKcsW.png) The math
doesn’t quite add up.

------
splitbrain
This confuses the heck out of me every time I have to work with the Paypal
API. I never understood why they implemented it this way. It makes absolutely
no sense IMHO but has always been this way. I'm surprised that this isn't used
much more often for fraud.

~~~
beejiu
Some businesses store their delivery costs at PayPal (by country), rather than
on their own servers. Hence, they have to go to PayPal to determine these
costs. But then, that's just rather poor implementation on part of the
retailer.

------
habosa
Seems like the sort of trust system that is common in restaurants.

1) You get the check with a total of food and drink.

2) The waiter/waitress takes your card to the register for authorization.

3) You get your card back.

4) You hand-write the tip amount and total, then walk away. You trust the
merchant to charge the amount you wrote.

5) The restaurant charges the amount you wrote, but you don't know this for
sure until you check your statement.

~~~
kuschku
Here in Germany it works like this:

1) You get the check with a total.

2) The waiter hands you a mobile card terminal (like this:
[http://pay-tec.de/cms/paytec/wp-content/uploads/2014/04/1.jp...](http://pay-tec.de/cms/paytec/wp-content/uploads/2014/04/1.jpg) ).

3) You put your card in the terminal.

4) The waiter enters the amount to pay + what you said you'd tip.

5) You see the total, enter your PIN, press confirm.

6) The waiter hands you back your card.

~~~
alistairSH
The US lags behind in card payment systems. We usually hand the card over to
the wait staff, they carry it away to a remote terminal (and we trust that
they don't copy the card while in their possession), then we manually enter a
tip after the fact.

------
arrel
This is the magic of market dynamics. If a business fraudulently takes
advantage of this they will not build up a customer base, paypal will shut
down their account, and money will be refunded. PayPal is taking most of the
risk so that businesses can be flexible and provide a better experience.

It's not a bug, it's the way things should work with more services. PayPal's
product may be outdated in many ways, but this is not one of them.

------
jdong
This is hardly an issue with a system that by design allows payment reversals.
If you get defrauded, just chargeback.

~~~
arjie
Now I have to pay, then verify each payment manually. This is the job I
thought PayPal was doing for me. Instead they've created more work since now I
have to check two places to make sure charges are correct: my credit card
statement and PayPal.

------
LeicaLatte
They don't have David Marcus anymore to respond in these forums. Poor PayPal.

~~~
anujnayar
Hi - it's Anuj Nayar, senior director of global initiatives at PayPal. I have
been reading this string with interest. We offer both buyer and seller
protection to try and make sure we cover everyone. We do not always side with
the buyer. On the restaurant payment side, we have been rolling out mobile
payments solutions at places around the world that let you check out and pay
from your phone (inc tip). You are notified via text and email as soon as it
goes through.

~~~
LeicaLatte
👍

