
PayPal does not know how to detect fraud - tooltrainer
http://tooltrainer.com/blog/paypal-does-not-know-how-to-detect-fraud/
======
jeffmould
There are so many red flags in this story, I have a hard time gaining even the
slightest sympathy for the OP. Yes, PayPal has currently, and always has had,
crappy practices when it comes to customer service and disputes. That's not
news in my books and comes as absolutely no surprise.

Where I got lost though is the selling of an extremely valuable asset such as
shop.com (a four-letter, dictionary, brandable, .com domain) at well under
value. The first lesson in fraud detection is that if it seems to good to be
true it probably is. A domain that probably has a value at close to a $1M
going for under $1000 would fit the definition of too good to be true. Yeah,
partners break up and can do some angry things, but selling an asset at such a
heavily discounted price would certainly be shocking to me. A little more due
diligence on buyer side would have prevented this. Otherwise I have a 100 foot
yacht and an ocean front property in Nevada for sale for $1000 if you are
interested. :) I mean even PayPal warns flat out warns about these types of
transactions ([https://www.paypal.com/eBay/cgi-
bin/webscr?cmd=p/gen/fraud-t...](https://www.paypal.com/eBay/cgi-
bin/webscr?cmd=p/gen/fraud-tips-buyers-outside))

To me this entire story is like saying I went to Walmart and parked my car.
They have security cameras in the parking lot and I asked an employee if those
cameras were monitored. The employee told me yes so I left the windows down in
my car with my laptop and a wallet full of cash on the seat. I was only going
in the store for a minute and I felt assured that if anyone stole them I could
easily identify them and get my stuff back. When I came out everything was
gone. When I asked the security guard to review the footage I could not see
who the people were and could not identify them. I am now going to complain
about Walmart's security practices because of this incident.

The good news for the OP is that at least he has ads on his site and I am sure
the traffic he is getting from this post he may make back a few of those lost
dollars in ad revenue :)

~~~
larrys
Just so you know the filter that people who own and trade domains is actually
much better than even what the OP (and you) are describing. It's actually more
like "a 3 letter .com being sold for $5,000" where the 3 letters aren't
particularly memorable and the domain might typically be worth $10k. You'd
have to be in the business to really know the risk involved.

With domains you have to make sure you know the history of the domain (which
takes a bit of research) and additionally most people in the domain business,
at least with valuable domains, tend to use escrow.com as an intermediary to
make sure there is recourse.

That said another thing to watch out for is buying a domain which has been
stolen from someone which does happen. In that case a domain is priced
attractively (not to cheap not to expensive) and unloaded quickly before the
real owner even knows what has happened. This can happen as a result of a
simple hijacking of an email address (of the rightful owner) or by social
engineering the registrar. As only two examples. That is much harder to detect
and even in the case of using escrow.com you would still be out of the domain
once it gets yanked back to the original registrant.

Source of the above: Me, I've been doing this for almost 20 years and get paid
to buy names as well as buy on my own account.

~~~
notahacker
It has to be said that "domain stolen from rights holder" is the only reason
why anyone actually having control over a highly-sought after term which is
the brand of an active commercial web property would want to sell it on a
standalone basis for $500.

------
alyandon
Glad to see that Paypal hasn't changed their ways in the past 6 years.

From another thread:

I once made a major purchase off eBay and received merchandise that was
substantially different than what I ordered.

It took 4 months, many exchanges with PayPal via their "dispute center" and
many phone calls to have my purchase refunded. They even closed my dispute at
one point claiming that I hadn't returned the merchandise because their
support staff was too incompetent to check the DHL tracking # on DHL's web
site to verify that I had indeed returned the merchandise (at my expense).

I will never make a major purchase with PayPal again.

~~~
foldor
I had an experience once with PayPal and Dell Canada.

I bought a couple of monitors off the website, and apparently there was an
issue with the calculation of taxes (which wasn't noticed) resulting in a
pretty decent discount. Well, I paid for the monitors through PayPal and
authorized a charge of ~$600. A few days later I check up on the status of my
order and it states that I was charged ~$800 due to an "Additional
authorization" charge. This was because Dell noticed their mistake and instead
of communicating it to me, just decided to sneak it in there, which was only
noticed by me after checking up on it, no notification was sent out about
this.

So apparently, PayPal allows a company to charge a customer more than they
have authorized a payment for, and don't even bother to send a courtesy
notification about this.

Buyer beware.

------
joesmo
"Pull up a chair, grab the popcorn, and settle in. You’re not gonna believe
this…"

Actually, I'm not surprised. Paypal has no incentive to resolve disputes or
stop fraud. Every company has a limit over which they will intentionally try
not to honor any fraud protections. With Paypal it's just zero. For example,
American Express is usually good at resolving disputes, but a dispute that a
few thousand dollars will not be resolved in your favor even if you can prove
that what you got was not what you paid for I paid for an air-conditioned
Marriott room and got 6 rooms (one at a time) in two different Marriotts, none
with AC that worked over a period of three weeks. (Apparently, Marriotts in
Cancun advertise AC but don't let you use it, a problem that I've ran into at
one other major hotel as well, though only for one night.) Amex, at least is a
reputable company. Paypal on the other hand is a company that knowingly signed
up many people for credit cards without their knowledge. I would not expect
anything from Paypal and I would only use a credit card and make purchases up
to an amount I know I can dispute with the CC and win. If you're using Paypal
any other way, chances are you will get fucked.

------
gotrythis
I find it really disturbing how many people are busy attacking the author
because he should have known better, or they think he's going to use the
domain in a way that doesn't add value. The domain and use of the domain in
question is irrelevant.

The takeaway is that PayPal has a ludicrous policy of accepting easily faked
screenshots as indisputable truth that a domain has been transferred, as the
OP demonstrates here: [http://tooltrainer.com/blog/watch-me-hack-and-own-
paypal-com...](http://tooltrainer.com/blog/watch-me-hack-and-own-paypal-com-
in-seconds)

Reminds me of the the people saying it was okay that Ashley Madison got
hacked, because we don't like cheaters and therefore they deserve whatever
they get. And while we're busy feeling morally superior, the real bad guys
continue to scam and harm more people.

~~~
happywolf
I find it equally disturbing to push all responsibilities to PayPal for one's
greed and 'naivety' (for lack of better words).

------
corobo
> Partners split up, and maybe out of anger or spite one of them sells a
> valuable asset way below market value

By selling shop.com for $500? A 4 letter, dictionary word, extremely
brandable, .com?

> Has nobody even bothered to do a whois lookup on shop.com?

No, not even you apparently. Well done. This was a lesson valued at $500, be
glad it wasn't more.

~~~
vtlynch
Your argument is pointless. Assume that someone who was not aware that
shop.com should never be available for $500 made the purchase. They deserve to
be scammed? No.

The entire reason Paypal exists as a Third-Party payment processor is to
ensure fairness on both sides. They failed.

~~~
larrys
Your point about paypal is of course correct.

Importantly though in this case the buyer knew the price was to good to be
true and his greed got the best of him. Plus the thing to keep in mind is the
level to which a company like paypal can protect against fraud. Might be
similar to expecting that a dry cleaner should detect a forged clothing ticket
perhaps. Or a restaurant should detect that another diner is using your
reservation. Doesn't scale very well.

~~~
tooltrainer
Why is it greed and not merely taking advantage of a potential opportunity?
Sheesh the morality police are really out in force today.

~~~
larrys
Perhaps greed is the wrong word here. (By the way I am definitely not the
morality police that is for sure..I have no problem with people making money
practically any way they can)

I think your good judgement was clouded by what you though was an opportunity
to make a large sum of money. As such you let your guard down. And ignored
common sense.

For example, let's say you are on assignment for the US Government and you
have a bunch of secrets in your briefcase. (Or you work for Google, whatever).
You go to a bar and a super attractive hot woman (or man) strikes up a
conversation with you. You are nowhere near attractive or rich or smart enough
to have this women she is a 12 and you can only score 5's and that's if the
woman is drunk. (let's hypothesize). So your brain should be saying "danger
Will Robinson" [1] but instead it thinks "wow she likes me I'm surprised but
hey anything can happen!!!". And the next thing you know she has walked off
with your suitcase of secrets. What do they call that? A Honey Pot? Whatever.
My point is perhaps greed is the wrong word so what is the word to describe
what I am talking about here? After all you knew this was to good to be true
and almost certainly not true however you did it anyway.

By the way I don't buy into that whole "to good to be true probably is" line
it all depends on the circumstances. However what you did here was clearly
someone outsmarted you, they knew paypal better than you did.

[1]
[https://en.wikipedia.org/wiki/Danger,_Will_Robinson](https://en.wikipedia.org/wiki/Danger,_Will_Robinson)

------
Sleaker
I'm not sure why the article posters thinks paypal disputes are ever
favorable. There's been articles all over the internet on how horrible their
CS is and pretty blatantly discribes their bad practices and how they haven't
gotten any better. I'm just surprised people refuse to use alternatives for
online payments. Even if paypal says you're protected, if you didn't use a
Credit Card through their service to make the purchase it's kind of the
author's fault for trusting Paypal to be competent at being able to resolve
this issue even after it was blatantly going to be a scam.

tldr; I find it pretty hard to feel compassion for the author here.

~~~
irq-1
People use PayPal for the same reason banks use email, not because either is
secure or reliable, but simply because people make decisions by following the
crowd. As long as people think PayPal (or Yelp) has a big crowd of users,
they'll use it's popularity as a substitute for critical selection, and
consider it a "legitimate" choice.

------
e28eta
You might replicate the fraudulent screenshots with the PayPal.com domain, see
if that gets their attention.

That said, isn't the real story that domain escrow services exist for a
reason?

~~~
Implicated
> That said, isn't the real story that domain escrow services exist for a
> reason?

No, story is that Paypal has been a haven for scammers and crooks since it
started.

The lesson of the story is that they shouldn't be buying domains for any non-
trivial amount of money without utilizing an escrow service.

~~~
jonknee
> No, story is that Paypal has been a haven for spammers and crooks since it
> started.

The story is that every financial exchange has been a haven for spammers and
crooks since they started.

------
breul99
"... way to get really cheap domains that I can turn a very generous profit on
via domain parking"

Lost all respect for the author once I read that. Squatting on domains and
making people who want to legitimately use the domains pay far above market
rate is ridiculously scummy.

~~~
vixen99
So don't buy anything cheap and then sell it later at a higher price because
that's scummy or does this only apply to domains; if so, why? Your respect for
traders is presumably zero.

~~~
iterati
Yes, my level of respect for traders is exactly zero. There's a difference
between investing and trying to make a profit off short-term trades,
arbitrage, and other forms of financial practices that offer dubious value to
anyone other than the trader.

~~~
harryh
When you buy stock as an investor who do you think you're buying it from? A
trader.

~~~
kedean
The respectable case is traders who transfer good between supplier and buyer
because there is no smooth transfer path or when there is significant risk in
communicating directly with the selling, such as stocks, grocery stores, and
realtors. The non-respectable case is when the trader exists purely to hold
onto then profit on the product. This includes domain squatters, ticket
scalpers, and those people who buy things from one thrift store to sell back
to another thrift store at a higher price. It's the same reason why patent
trolls are so disliked.

~~~
harryh
Without ticket scalpers I couldn't decide to go to a sold out show or ballgame
at the last minute. They provide a valuable service to me.

------
paulcole
Sounds like the author doesn't know how to detect fraud. Shop.com for $500 is
insane and he knew it. He thought he was free-rolling. Either he'd take
advantage of someone selling a domain at well below market or he'd be covered
by PayPal's fraud protection.

Lesson learned for him, I guess.

~~~
ceejayoz
"You should have known better" is _not_ fraud protection. PayPal is entirely
in the wrong here.

~~~
zamalek
> PayPal is entirely in the wrong here.

Exactly, the only way to find out if PayPal is on the ball _is_ to make a
mistake, I can't understand why there are so many comments harping on about
this blatantly obvious point.

Otherwise what would the author (or any journalist) do? Fake a fraudulent sale
(which would still be fraud)? Or intentionally find a fraudulent seller? "Hey
PayPal, I purposefully went and found a fraudulent sale, can I have my money
back?"

~~~
notahacker
This isn't journalism though. This is someone buying something they think is
almost certainly a scam with the assumption that either PayPal will underwrite
the loss or they'll be a millionaire. What should the author have done? Not
buy it, obviously.

Frankly, given that a thorough fraud investigation would have revealed two
separate attempts to gauge eBay/PayPal's refund policy followed by the
purchase of an asset, followed by the claim, he's lucky he hasn't been accused
of being complicit in the scam. A more on-the-ball protection team certainly
would have raised that possibility and escalated it.

~~~
vitd
"with the assumption that either PayPal will underwrite the loss"

No. He called and spoke to both eBay (who said they would not) and to PayPal
and they assured him they would underwrite it. Per his article:

"The very helpful gentleman I spoke to informed me that ever since the
eBay/Paypal split recently, _domains are actually covered by their buyer
protection now!_ " (Emphasis in the original)

~~~
notahacker
They did not assure him they would underwrite the specific loss, they merely
pointed out that domains were covered by a buyer protection policy which
allowed Paypal to make a decision _at their discretion_.

Frankly, I can't recall ever seeing any complainant _more_ deserving of being
on the wrong side of Paypal's discretion than this one.

------
istvan__
I found entire criminal networks operating on PayPal and Ebay, when I reported
the case to them they refused to deal with the situation. Basically the
criminals were selling software that appeared to be legal but the serial keys
were stolen from the vendors. When somebody realized what is going on they
sent an email saying if you rate us on Ebay 5 star we give you back the money.

Ebay was more than happy to let these guys operate on their platform, I have
supplied them all the evidence but nothing happened.

------
jamiesonbecker
> PayPal does not know how to detect fraud.

s/PayPal/Author/

------
esMazer
someone should sell 'paypal.com' and then after being scammed try to get the
money back from paypal. That will be a fun conversation! "I have proff that
the domain was transferred to you, I can see right here the domain payp.....
yes is yours, this can't be faked!"

~~~
tooltrainer
LOL!! Brilliant!! I should totally provide them screenshots showing that I
just sold their domain out from under them. ROFL.

~~~
steego
It would be hilarious until Paypal decides to file fraud charges to make an
example of you to send a clear message to anybody who thinks it's fun to
embarrass them.

~~~
esMazer
this is why you'd be the person scammed and would want the refund.. the other
scamming party is the one that sends the screenshots, this is the party that
paypal would go after

~~~
steego
...but you need someone to play the role of the scammer. That's what the
parent was offering:

"I should totally provide them screenshots showing that I just sold their
domain out from under them."

------
Justin_K
Always clear your funds from paypal and make payments via credit card. You
have no ability to dispute otherwise. That and don't be a fool. There wasn't
one single thing about this sale that smelled clean.

------
happywolf
Technical this isn't fraud from the perspective of PayPal.

Let me elaborate, if your account is taken over and used, or your credit card
is fraudulently associated with a PayPal account, then this is fraud (as per
PayPal). However in this case, you were willingly using the account to pay
someone and entered into the transaction willingly. Even though the outcome
was not favourable to you, but PayPal doesn't have the information needed to
mediate.

In fact to PayPal it doesn't have the necessary information to judge who is
telling the truth: it is as easy to fabricate a GoDaddy letter or whatever
documentations you provided, and there is no easy way to tell (yes, PayPal can
call one by one to verify, but this isn't scalable and very expensive). That
is one of the reasons why eBay doesn't offer buyer protection.

I doubt you will get better protection with other alternatives like credit
cards or bank transfers.

~~~
hannibalhorn
You definitely get better protection if you use your credit card. Maybe it
depends on the bank, as I've only had to do it 3 or 4 times in my life, but
they've always stood by me, even in less obvious situations than the linked
post.

~~~
happywolf
You are right, it depends on the card issuer. My friend was forced to pay a
large sum at knife point in China a few years ago with his CC, later the CC
company told him there was nothing they could do since he personally signed it
already.

~~~
tomtang0514
I have to say it's really not the CC company's problem. Your friend should
call the police and ask for the proof document from the police to argue with
CC company

------
mttp
A somewhat similar situation happened to me a couple years back. I was put in
contact with an individual through a mutual contact about purchasing two
phones from me. I was located in the US and he was in the UK. All of it seemed
good, no worries with the sale, he sent the payment and covered shipping.

A couple days after delivery I get a PayPal dispute saying he filed a fraud
charge with his CC company for the $1100. It was basically a no questions
asked refund to him in the full amount which left me with a $-1100 balance on
my PayPal account. So not only did he receive the products, he got all of his
money returned to him and I had no way of contacting him due to him living in
the UK. I was only racking up my cell phone bill trying to reach him
internationally all with no answer.

The only thing PayPal had to offer me in terms of why this happened was "he
filed a claim with his credit card company".

------
BogusIKnow
As www.shop.com is obviously running a website, the domain would have been
stolen to be sold on eBay.

So the author was fine taking part in a crime.

"No Mr. Judge, I did not know that large diamond could not cost $10."

~~~
genericuser
Yeah I feel like if he actually cared about things being fair and honest he
would of become upset when he saw this obvious scam taking place, which he
more or less recognizes as such.

However all he does is attempt to confirm is that he won't be the party to
lose money in this scam. He does it thinking well either he will get shop.com
and win (at the cost of the owners of shop.com), or it will be a scam and he
will get his money back from Paypal and Paypal may or may not get the money
back from the seller, in which case either Paypal loses money or everything is
back where it began.

He try's to find a no-lose position in someone else's scam, basically trying
to scam a scammer. You know what I could respect that, but whining about how
you failed to scam the scammer is just annoying.

------
steve-howard
I guess when an opportunity comes up that makes me think "there's no way this
can be for real, but there seems to be no risk involved," I lean towards the
assumption that the scammers have also thought of this and are confident that
they won't have to give the money back. It's a shame PayPal is this oblivious,
but the scammers knew this in advance and took advantage.

------
resonanttoe
Apart from the obvious jumping clearly in to a scam part which we can ignore,
this lacks a distinct amount of that-there evidence.

I'd very much be interested to see the listing, the comms, and the comms with
Paypal/ebay.

It's also curious that someone who is posting all of this opted to call
support agents all the way instead of having something on record.

Of course none of this proves anything but still these are curiosities.

------
fixxer
Tl;Dr Author entered into an obviously fraudulent transaction and was
defrauded.

------
tooltrainer
To add to this...

[http://tooltrainer.com/blog/watch-me-hack-and-own-paypal-
com...](http://tooltrainer.com/blog/watch-me-hack-and-own-paypal-com-in-
seconds/)

------
g42gregory
I personally never ever use PayPal for payment, always a credit card. My wife
paid $700 to the vendor who closed shop right before the wedding (but after
taking the money!). She called PayPal and they came up with an excuse why this
wasn't covered (something along the lines that she paid in one payment and not
in installments, I don't remember exactly anymore). Luckily we discovered that
it was paid "through PayPal" on the credit card. Credit card promptly refunded
the money. I will never use PayPal after this again.

------
linuxlizard
Why anyone trusts any PayPal transaction with >$100 is beyond me.

------
ikeboy
This reminds me of when I would buy fake memory on eBay and dispute it to get
free stuff. They would label 4gb micro SD cards as 64gb (and hack the
controller to say the same).

I always got back my money, but I guess it was riskier than I had thought. I
was getting it from eBay, though, and usually the seller would refund to avoid
bad feedback anyway.

------
x3n0ph3n3
Caveat emptor. You seemed to know what you were getting into and proceeded
with a risky bet. Sometimes you lose those bets.

------
sakopov
I'm sorry, but this had red flags all over it but apparently author's greed
ruled over rational thought process.

------
mendelk
At one point, I discovered a feature (forgot the name) that isn't accessible
in the web UI (at least that I was able to find at the time) and needed to be
requested via email, namely, auto-withdrawal of PayPal funds to my bank
account once a night.

Personally, I sleep better knowing my funds are in my bank, and you can, too!
:)

------
kalleboo
So. Say you wanted to put PayPal out of business with better service.

I guess for this specific instance, they can conference call GoDaddy and have
the third party vouch for things.

But how do you rule in a he-said-she-said situation? If a customer says they
received a ceiling tile instead of an iPad? For other digital goods like in-
game characters?

~~~
notahacker
Frankly, if you don't want to put yourself out of business, you don't refund
your client in situations where the client cannot reasonably argue they didn't
expect the listing to be fraudulent, especially not assuming the money isn't
sitting in an account at the other end waiting to be transferred back. You
probably don't want your disputes department providing an adequately detailed
explanation of the reasons they reached a particular decision either.

------
oneJob
If one browses on over to shop.com, at the bottom of the page you'll find:

© 1997-2015 SHOP MA, INC. All other designated trademarks, copyrights, and
brands are the property of their respective owners. (prdmf002)

Doesn't really look like a shop that's ready to turn out the lights.

------
tooltrainer
Hot damn, Paypal has reversed their decision!

[http://tooltrainer.com/blog/paypal-executive-escalations-
del...](http://tooltrainer.com/blog/paypal-executive-escalations-delivers/)

------
BogusIKnow
Funny, shop.com says at the top:

"Shop Now, Pay Later With PayPal Credit – Learn More"

------
nkozyra
> Has nobody even bothered to do a whois lookup on shop.com?

Trying to bite my tongue here, but ... did you? Not saying this would tell you
whether the domain was actually for sale or not, but it might offer some clues
and/or at least a contact point (if not shop.com itself, which is totally
active).

There wasn't much due diligence here, and it seems like OP was relying on
Ebay's protection to secure a lazy gamble.

~~~
zamalek
The point of the article is that PayPal accept screenshots as proof. You can
point out that the author made a mistake until you are blue in the face; it
won't change that PayPal's policy is ludicrous.

------
totony
If paypal won't cancel it, can't he just do a chargeback on his credit card?

------
hiphopyo
Anybody know why they use their own fictional currency rates?

~~~
alvarosm
To rob you. Just like their fees, which should be used to compensate
fraudulent transactions and go to their profit instead.

