

Innovation Nation: WePay is the anti-PayPal - pg
http://money.cnn.com/2010/10/12/technology/wepay/index.htm

======
dbul
Someone I know recently told me about her nightmare when she was collecting
money for a class reunion via PayPal last month: she had to register as a non-
profit, and PayPal wanted her water bill to prove that they were indeed a non-
profit despite being recognized by the government as one. So much hassle; I
wish I had known she was going to do that so I could have told her about
WePay, especially with this kind of customer service:

    
    
      A call to WePay's customer service department quickly
      sorted out the problem. Plus, the company gave him $20
      for the inconvenience.

------
wccrawford
This is not an 'anti-PayPal' in any way, shape or form.

They offer a service that PayPal doesn't yet. It is not opposed to PayPal and
it doesn't replace PayPal's services at all.

~~~
pg
Presumably the author means anti- in the sense it's used in anti-matter, not
the sense it's used in anti-globalization.

~~~
triii
When WePay & PayPal touch they'll annihilate each other with a huge burst of
energy? :)

Too bad headlines need to be clickable rather than accurate.

~~~
pg
Obviously I mean in the sense of a complement. And it is an accurate use of
the word in that sense. WePay is the other half of online payments: PayPal is
for businesses, and WePay is for people who need to collect money but aren't
businesses.

------
taelor_rb
Question:

So my adult (beer league) hockey team is trying to start a slush fund so that
we can pay for things like new jerseys, water bottles, shared resources type
stuff. We are looking at trying to get a group account for this, and WePay
looks like it's exactly what we need.

But the accounts we talk to say that we would have to pay taxes on this
account, if it's in a bank account. Would WePay be a way to get around paying
these taxes? Does anyone else have any insight to how we could set this up?

Is this question way too off topic for Hacker News?

------
jfager
I have long wondered why Facebook doesn't do this. Group birthday gifts,
wedding registries, basically any social scenario where money needs to change
hands, it seems like FB would be so well positioned to take an honest buck
from.

~~~
iamdave
No.

Do you know why? Facebook acts as if it were completely incapable of knowing
when far is too far. Whenever something new rolls out, it always comes off
like outsourced peer-pressure. 'HEY LOOK AT WHAT EVERYONE ELSE IS DOING BUT
YOU!!'

No thank you, sir.

~~~
jfager
The question of whether FB as it exists now would abuse such a system (yes, of
course they would, they're awful) is separate from the question of whether or
not said system would make business sense for a gigantic social network.

If FB were the kind of company that could figure out how to make money without
ads or taxing 3rd party devs, maybe they'd also be the kind of company that
would treat its users as customers rather than products. Hypotheticals all
around.

~~~
iamdave
You've actually got an excellent point to this.

------
jscore
Sounds like a play from the book REWORK: Mobilize against an enemy (or
something like that).

It's just words; WePay is not another competing product, it's basically a
bunch of features that PayPal can implement and with >80M accounts, they can
easily kill it.

Say what you want about PayPal, but each one of you should read PayPal Wars to
learn the inside story of how PayPal worked and competed. They basically
pioneered the person-to-person payment service and faced a myriad of issues
before eventually selling to eBay.

------
jscore
Homepage is too busy. Simplify it a bit.

------
pinksoda
I really hope WePay destroys PayPal. They have screwed myself and my friends
too many times.

The homepage layout is all wrong though. Poor element placement, messy
typography, and the color scheme is off. It looks amateur and unpolished. All
those SEO'd subpages are worthless if they don't convert.

Also:

- Upgrade to Nginx 0.7.67, there were a lot of bug fixes in 0.7.65 and 0.7.66.

- Limit the number of login attempts to prevent brute forcing.

- Don't show "That email address was not found" when someone tries to recover
a password. You are giving out too much info, which can be used maliciously.

- Block scraper/vuln scanner/curl scripts by user-agent to keep away the
script kiddies and botnets.

- Don't host your Javascript on Google. This gives hackers another possible
point of entry. It's probably safe, but you're better off limiting points of
entry.

- Use mod_rewrite as an additional layer of security. You'll need to slightly
modify it to make it work with Nginx.

- Remove "access info anytime" and "post to my wall anytime" when signing up
with Facebook.

- Limit SSH access by IP address.

Feel free to contact me if you need help.
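
Added example, not part of the comment above and not WePay's code: a minimal sketch of two items from the list, limiting login attempts per account and per client IP, and answering password-recovery requests identically whether or not the address exists. The user store, limits, messages and function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time
from collections import defaultdict, deque

MAX_FAILURES, WINDOW_SECONDS = 5, 300          # assumed policy: 5 failures per 5 minutes
GENERIC_LOGIN_ERROR = "Invalid email or password."
GENERIC_RESET_REPLY = "If that address has an account, a reset link is on its way."

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"                     # constructed sample data, one salt for brevity
USERS = {"alice@example.com": _hash("correct horse", _SALT)}
_DUMMY = _hash("dummy", _SALT)                  # compared against when the account is unknown
failures = defaultdict(deque)                   # key -> timestamps of recent failed logins
outbox = []                                     # stands in for the mail queue

def _locked(key, now):
    """Expire old failures for this key, then report whether it is over the limit."""
    q = failures[key]
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    return len(q) >= MAX_FAILURES

def login(email, password, client_ip, now=None):
    now = time.time() if now is None else now
    keys = [("account", email.lower()), ("ip", client_ip)]
    if any([_locked(k, now) for k in keys]):    # checked before the password is looked at
        return "Too many attempts. Try again later."
    stored = USERS.get(email.lower(), _DUMMY)   # same work whether or not the user exists
    ok = hmac.compare_digest(stored, _hash(password, _SALT)) and email.lower() in USERS
    if ok:
        failures.pop(keys[0], None)             # a success clears the account counter only
        return "ok"
    for k in keys:
        failures[k].append(now)
    return GENERIC_LOGIN_ERROR

def request_password_reset(email):
    """Same reply for known and unknown addresses; mail is sent only to real accounts."""
    if email.lower() in USERS:
        outbox.append((email.lower(), secrets.token_urlsafe(32)))
    return GENERIC_RESET_REPLY
```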

~~~
seiji
Wow, "ssh wepay.com" works. Turn that off.

Once again, "cloud" doesn't mean "lol, we don't need to know about servers!"

~~~
ez77
I must admit I didn't know the big domains disabled ssh. Naive/beginner's
question: how do programmers work remotely at these companies (if it's allowed
at all)? Do they ssh into other (safe) servers, from which a safe transfer is
eventually made into the production servers?

~~~
Firehed
It's a matter of setting up VPNs and IP-restricting where you can SSH in from.
You can also set up port knocking and other SSH-related security measures. It
depends how much convenience you're willing to trade for security.

~~~
nwmcsween
Practicality trumps everything, after 10+ years of using ssh and trying port
knocking and everything else none of it works when you're 4000km away in
another country with only a handheld to access the servers.

~~~
poet
I think it should probably be company policy at a financial institution not to
allow someone in a different control on a handheld device to access the
servers.

~~~
nwmcsween
I use layered security (in the sense of servers) with a password lifetime of
10 days. I deal with servers daily and the issue of compromise has been twice
in on firewall containers/servers which was fine as the systems in place found
it, found the issue with the net facing software and I fixed it. Practicality
doesn't mean no security.

~~~
count
If you're using SSH, you should be using keys, and not passwords.

~~~
nwmcsween
Those aren't mutually exclusive

~~~
count
Can you require keys AND passwords? I haven't been able to figure out how to
get that to function - if passwords are allowed, it lets you in with or
without a key, from what I can tell. I'd be happy to be wrong though!
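
Added example, not part of the thread: OpenSSH 6.2 and later has an `AuthenticationMethods` keyword that can demand a key and then a password, and `AllowUsers` accepts `USER@HOST` patterns for the IP restriction mentioned earlier. The sketch below audits two constructed sshd_config fragments for both properties; the `deploy` user, the 203.0.113.0/24 range and the function names are placeholders.

```python
import ipaddress

# Constructed sshd_config fragments; "deploy" and 203.0.113.0/24 are placeholders.
KEY_OR_PASSWORD = """\
PubkeyAuthentication yes
PasswordAuthentication yes
"""
KEY_AND_PASSWORD = """\
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
AllowUsers deploy@203.0.113.0/24
"""

def parse_global(text):
    """Collect keyword -> [values] from the global section (parsing stops at the first Match)."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break
        opts.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return opts

def source_restricted(entry):
    """True when an AllowUsers entry is USER@HOST and HOST is not a match-everything pattern."""
    host = entry.partition("@")[2]
    if host in ("", "*"):
        return False
    try:
        return ipaddress.ip_network(host, strict=False).prefixlen > 0
    except ValueError:
        return True        # hostname or wildcard pattern such as 203.0.113.*

def audit(text):
    opts, findings = parse_global(text), []
    # sshd uses the first value of a keyword; each space-separated list is one accepted
    # route in, and the comma-separated methods inside a list must all succeed.
    routes = opts.get("authenticationmethods", ["any"])[0].split()
    if not all("publickey" in r.split(",") and len(r.split(",")) > 1 for r in routes):
        findings.append("one factor alone (key or password) is enough to log in")
    allowed = " ".join(opts.get("allowusers", [])).split()
    if not allowed or not all(source_restricted(e) for e in allowed):
        findings.append("logins are accepted from any source address")
    return findings
```

`PasswordAuthentication` has to stay enabled in the second fragment, because a method named in `AuthenticationMethods` must itself be turned on.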

------
clistctrl
The CEO was a speaker at this year's startup bootcamp, it was an interesting
talk.
[http://blog.wepay.com/2010/10/wepay-ceo-bill-clerico-at-star...](http://blog.wepay.com/2010/10/wepay-ceo-bill-clerico-at-startup-bootcamp/)

~~~
bmac
I second watching the WePay talk.

One of the best pieces of advice I heard at Startup bootcamp came from Bill
Clerico (WePay CEO) when he described building software as a community
process. It seemed like an elegant way to say users are what really matter and
it applies equally well to commercial, open source and personal projects.

