

How PayPal and Apple’s Fraud Policies Punish the Honest User - MattRyanLG
http://www.lockergnome.com/osx/2012/02/28/paypal-apple-fraud-policies/
In mid-November last year, I woke up to the sound of my inbox suddenly being flooded with new messages. I have things set to alert me whenever PayPal, Wells Fargo, or iTunes emails me because I know that means that money is either being given to me or taken away. To my surprise, what I discovered that morning was incredibly concerning, and would result in what could be the most frustrating customer experience of my life.
======
patio11
Curious that Paypal is getting the hate in the comments here: when did they
threaten to permaban him from his software?

Anyhow, constructively, you want to escalate to paper on both your bank and
Apple (maybe Paypal as well, your call). Start getting an evidence trail
together with certified mail, return receipt requested. Apple will kvetch a
bit but they (and virtually every other large company) understand the
difference between that and a phone call, which you should stop doing
immediately, because the contents of them are known to be totally opaque to
judges.

You probably won't have to sue anyone, but the demonstrable capability of
suing will cause them to escalate this issue internally very, very rapidly.

~~~
jellicle
> You probably won't have to sue anyone, but the demonstrable capability of
> suing will cause them to escalate this issue internally very, very rapidly.

Not even slightly true. They don't care. The cost of the occasional lawsuit is
baked into the system cost already.

~~~
patio11
So my background in this is in consumer debt issues, largely dealing with
banks, CC companies, and debt collection agencies. In my pre-HN days, I spent
a lot of time hanging out on a message board for folks who had issues with
that, after having a credit report that got totally trashed because of a
poorly chosen hash function causing my identity to collide with someone
else's. Because I have really screwy hobbies I would write letters for folks
to send to their banks.

Add the two dozen letters I had to send for myself and I have personal
knowledge that this definitively resolved the issue in 40+ cases, in many
cases jumping over "our policy is to never...", "you can't do that", and
collections at fairly advanced stages.

It is entirely possible that Apple is a tougher nut to crack than BoA or
Capital One, but that is not the way that I would bet.

Edit: By the way, this is a catchphrase for me: bureaucracies are stage
machines which take paper as input and return outcomes you want. Hackers
should be comfortable with paper. Consider it an opportunity to demonstrate
your ability to hack non-technical systems.

~~~
blantonl
_after having a credit report that got totally trashed because of a poorly
chosen hash function causing my identity to collide with someone else's._

I would love to hear more about this. Do you have a blog post or other online
posting that describes what happened in this case?

~~~
patio11
I do, but given that I discussed my personal financial situation and other
thoughts pseudonymously a lot on that forum, I'm going to ask that you
respect my privacy and not dig for it.

The brief sketch: credit reporting agencies have Seriously Hard Problems (TM)
in determining which identity to associate with an incoming piece of data. For
example, suppose you have a file on a Patrick J. McKenzie who once lived in
Chicago. You get a report from a hospital that a P.J. MacKenzie in an
unspecified town in Illinois (not the actual guy) stiffed them on a $250
medical collection. They sold the debt to a debt collector who, having run a
skip trace, determined that I am probably him, and they've reported the debt
against my information directly. Do you merge those two identities? By the
way, he's also delinquent on $100,000 in other debts.

This sort of thing happens _all the time_ in credit reporting. See my blog
post regarding "names are hard."

------
spindritf
Why is PayPal even in the title? They seem to have handled the case fine.
Yeah, the additional freezes probably weren't necessary but it was Apple who
went completely crazy.

A user was hacked so they stop allowing him to update their software?! So that
it can more easily happen again?

And they will revoke his account (and license?) that allows him to use the
software he bought?! This is like a horror story written by Richard Stallman.

EDIT: On second thought, why do you even need an account to update the
software? When I'm updating my Ubuntu, it's the software that's signed so that
I can trust the repository. The user is not signed so that the repository can
trust them, you can stay completely anonymous. Hell, even Microsoft never
required me to jump through any sort of hoops to get updates. I once had to
verify my key, that's it. Does Android require a Google account to use the
market and get updates? Even if, you still can get an anonymous one.

Why would anyone need my name to update their own software? It happens to run
on my computer but that doesn't change anything.

~~~
shinratdr
> And they will revoke his account (and license?) that allows him to use the
> software he bought?! This is like a horror story written by Richard
> Stallman.

Hardly. Valve has been doing this with Steam for years. Microsoft does it with
Xbox Live. It's the main caveat of a managed environment, sometimes the
manager makes the wrong decisions.

This might be bad or distasteful, but it's not novel or unique. It's par for
the course when it comes to software distributed through a central DRM system.

> Does Android require a Google account to use the market and get updates?
> Even if, you still can get an anonymous one.

You can do that with iOS too. Likewise, if Google decides to revoke your
access to your Gmail account that all your Android purchases are associated
with because you violated Gmail policy perhaps, you would be in the same boat.

Once again, not unique to Apple. Par for the DRM course.

~~~
JoshTriplett
I don't think you've actually disagreed with the original point in any way. :)

As you point out, Steam and Xbox Live have exactly the same disturbing
retroactive revocation property that Apple does; that doesn't make it any less
of a horror story, just more disturbing that people put up with it. (I suspect
people mostly just don't think about it, because it probably won't come up for
_them_.)

~~~
shinratdr
But so do Android Market purchases, and any other managed DRM system. You put
up with it just like everyone else. Where I disagree is my level of concern. I
have plenty of games on Steam and plenty of purchases on the iOS and Mac app
stores. It doesn't bother me because it's status quo. I got over it quite some
time ago.

~~~
JoshTriplett
No, I don't. :) And the ease with which this can become "status quo" makes it
that much more of a horror story.

~~~
shinratdr
Fair enough, I just assumed from the Android comment. IMO you're making your
own life harder for dubious benefit, but whatever floats your boat.

It's true that if you use no digital services and buy almost no mobile apps,
you can avoid this. That kind of blows, though.

~~~
JoshTriplett
I didn't comment on Android, though in the case of Android you can at least
bypass the Android market and install arbitrary apps without revocation. (I
don't have an Android device, though; still looking for a comparable
replacement for my n900, since it won't last forever.) I use quite a few
digital services, just not any that control my access to bits I've already
purchased. And I use a pile of mobile apps, all FOSS.

~~~
shinratdr
I wouldn't even consider the entirety of mobile apps ported to the N900 a
pile, but whatever. GP commented on Android and you followed up pretty
directly, so I just assumed.

True, I should have said the vast majority of popular digital services, not
ones targeted towards the kind of people that would use an N900 to make a
point.

~~~
JoshTriplett
At the time I wrote my comment, the original post hadn't actually mentioned
Android; that appeared in a later edit.

> True, I should have said the vast majority of popular digital services, not
> ones targeted towards the kind of people that would use an N900 to make a
> point.

<https://en.wikipedia.org/wiki/No_true_Scotsman> ? :)

I don't think services offering the not-quite-purchase of data represent "the
vast majority of popular digital services". Also, services like Netflix don't
have this problem, since they very clearly position themselves as analogous to
a rental, not a purchase. iTunes, the Android Market, Xbox Live, and Steam all
very much position themselves as purchasing mechanisms, which makes the
ability to retroactively revoke purchases unacceptable.

(And I don't use an N900 to make a point; I use it because it does the things
I want it to do better than anything else I've tried, and that includes
Android devices. I only mentioned it because you seemed to assume that since I
didn't use iTunes or Android I must not use mobile apps at all.)

~~~
shinratdr
> At the time I wrote my comment, the original post hadn't actually mentioned
> Android; that appeared in a later edit.

Ahh, makes sense.

> <https://en.wikipedia.org/wiki/No_true_Scotsman>

I'm looking at the truest scotsman in the world right now.

> I don't think services offering the not-quite-purchase of data represent
> "the vast majority of popular digital services".

I would, assuming you aren't counting rental services. Netflix isn't really
the same thing. I'm referring to purchasing digital goods tied to an account.

> And I don't use an N900 to make a point; I use it because it does the things
> I want it to do better than anything else I've tried

Right...

> and that includes Android devices. I only mentioned it because you seemed to
> assume that since I didn't use iTunes or Android I must not use mobile apps
> at all.

Nope, I assumed you use an N900 or something similar the moment you said you
didn't use an Android device. You seem like the type. I stand by my original
comment, there are very few mobile apps published for MeeGo. I didn't say you
utilized no mobile apps, I said a small handful. Still true. Hell, for MeeGo a
handful might even be overly generous.

~~~
shinratdr
Gotta love the "run through and downvote everything I said" response because I
was being honest. I guess a certain HN member is channeling reddit a little
today.

~~~
JoshTriplett
Certainly wasn't me; users don't even have the ability to downvote replies to
their own comments. I do find it surprising that someone would systematically
downvote everything you said (and AFAICT systematically upvote everything I
said in the process). I certainly don't think your comments need to disappear;
mostly I'd say "I resemble that remark". :) I've upvoted them to compensate.

~~~
shinratdr
I realized after I posted it that the "certain person" remark made it sound
like I was accusing you. I wasn't, I literally meant a certain person, as in
some random other user.

Either way it was a very nice gesture. Cheers.

------
dangrossman
So:

1) Someone steals his PayPal account and uses it to buy a bunch of stuff on
iTunes

2) He reports the fraud to PayPal, which refunds all of these payments to him

3) He reports to Wells Fargo that PayPal has engaged in fraud by taking these
payments to fund his PayPal account, which is a false claim -- the transfer to
PayPal was authorized as a funding source and PayPal was already handling the
refunds

4) Three months later, PayPal gets hit with a bunch of disputes from Wells
Fargo to take back money that's already been returned, double dipping and
creating major hassles for them. Wells Fargo is, essentially, stealing from
PayPal on the basis of this person's old false claim. PayPal flags the
account.

So PayPal did everything right: they were available for immediate contact,
were "courteous and helpful", promptly reversed the fraudulent payments to
iTunes, and his account was left in good standing while he was made
financially whole. What more could they have done?

~~~
kstenerud
"He reports to Wells Fargo that PayPal has engaged in fraud by taking these
payments to fund his PayPal account, which is a false claim"

No, he didn't. In his own words:

"I told the representative there that I had reported the claim through PayPal,
but wanted it noted that the charges made on my account that day were
fraudulent in nature. The representative appeared to understand, and helped me
make record of the incident."

The problem isn't with PayPal or his bank, as they'd eventually sort out the
ping-pong notifications. The real problem is with Apple's draconian policy of
taking all of a customer's purchases and data away from him if fraud reports
occur on three or more occasions, regardless of why they occur (such as in
this case with ping-ponging notifications between Wells Fargo and PayPal).

It's yet another reason to not trust your life to the cloud, and always
procure a separate, pirated copy of your purchased software so that nobody can
take it away from you.

~~~
MichaelApproved
> _and always procure a separate, pirated copy of your purchased software so
> that nobody can take it away from you._

Don't pirated copies of software usually come with all kinds of nasty spyware
and trojans?

~~~
slavak
No, but good job on buying the copyright lobby's threat-mongering.

~~~
MichaelApproved
I'm trying to remember where I heard this before. I can't say for sure but I
thought a few friends had this issue. It would seem to make sense though,
wouldn't it? It'd be easy to spread Trojans by adding them to pirated
software.

If it's not the case, what is it that keeps botnets from abusing file sharing?

------
droithomme
Amazing. I had no idea Apple could just arbitrarily (or even with great
reasons) decide to shut down your Apple ID, killing your software and disable
a lifetime of DRM protected music, ebook and application purchases. Reminds me
of how you now must show a passport to leave the US and being behind on your
child support is cause to prevent US citizens from leaving the country, just
as if they lived in East Germany. Starts out, oh sure, we need this system to
check to make sure you're not some kind of criminal. Then it is used for
arbitrary control and enforcement of the whims of a cold centralized
bureaucracy.

 _Cough cough Stallman was right cough cough_.

~~~
cageface
Still worse, if you're an indie iOS developer they can yank your entire living
out from under you without explanation. This happened to me this year, I
suspect because I made some app store purchases while traveling abroad. They
disabled my ID and refused to even tell me why and only reinstated it after a
long and arduous exchange with support.

I really enjoy developing for iOS but this was a sobering experience.

~~~
brown9-2
Is it common to use the same Apple ID for personal purchases and your business
app development?

~~~
aptwebapps
It sure seems like a bad idea now, doesn't it?

------
TomGullen
The Paypal dispute policy is broken in my opinion. Admittedly we've only had a
few disputes (in the region of ~10) but without failure the disputers ALWAYS
get their money back.

The worst case we had was when one customer made a payment to us, and we got
an email saying the payment was on hold whilst Paypal authorises and
investigates this payment.

A day or two later we got an email from Paypal saying their investigation is
complete, and we can ship the item. We sent our software license off to the
buyer and within a couple of hours they disputed it and won all their money
back the next day.

Paypal each time make us feel like there's nothing we can do, there's no
dialogue, there's no acknowledgements, it's extremely frustrating sometimes.

~~~
dangrossman
I've had the opposite experience. I also sell intangibles like software, and
win virtually all disputes. The PayPal _Buyer_ Protection Policy does not
cover services and virtual goods. Simply escalating to a claim and writing
"NON-TANGIBLE, SERVICES" in the tracking number box gets it closed in my favor
90% of the time when someone is lying to get the service or software for free.

<http://i.imgur.com/GEY70.png>

<http://i.imgur.com/IQlA9.png>

<http://i.imgur.com/vHAsP.png>

...etc. More transparency and human interaction would be nice, but I don't
think PayPal could do much better from a policy standpoint. They provide a
platform to self-mediate disputes, and they provide a system to resolve some
easy disputes over physical goods under policies that protect both sides. But
beyond that, what could they do? There's no simple way for them to decide
whether you scammed that buyer or they scammed you. If they don't give you the
money, they take themselves out of the equation and it's up to you to resolve
the dispute in small claims court, where it belongs -- in front of a judge,
not a 3rd party's customer service team.

------
sauravc
It turns out the author of the article used to work at Apple in customer
service. (According to his Google+ page
<https://plus.google.com/112301869379652563135/about>)

But he makes no mention of this in an article that speaks largely about the
customer service of Apple and PayPal.

I find this pretty disingenuous, and regardless of whether his story was
factual or not, it takes the wind out of anything he's saying.

------
jobu
Here's a tip: Don't use PayPal unless you absolutely have to. PayPal has taken
to treating its customers as badly as many large banks.

Many credit card companies are very proactive about fraudulent purchases
online, and I even had Discover call me when they noticed a series of small
purchases on iTunes. It turned out it wasn't exactly fraud (my 5yo on a home
computer I hadn't signed out), but I was able to cut it off and I'm sure they
saved me a bundle of money.

~~~
gav
I've had experiences dealing with fraud from both PayPal and Bank of America
recently. BoA were easy to get on the phone and refunded my money instantly.
PayPal won't let you speak to a human, and after a week or so of going back
and forth determined that it was acceptable for me to be overcharged for an
item as long as I got the correct item in the mail.

Using a real credit card (not debit) gets you a great deal of protection and
is a better option than ever using PayPal.

~~~
dangrossman
> PayPal won't let you speak to a human

Really? I've spoken to humans at PayPal many times. When I call, I don't even
have to navigate a phone tree or wait on hold, someone just answers. The
people I talked to were helpful and knowledgeable about their service and
handling problems (which is what I called about, some weird customer that sent
a bunch of <10-cent payments to my account then disputed them, and more
recently with a question about the new IRS 1099-K form).

It wasn't hard to find the number to call either. You log in, click on Contact
Us, then Call Us. Two clicks and you have a phone number.

~~~
jmonegro
Same here. I've had problems with PayPal twice, and both times their support
has been very courteous, quick, and helpful.

------
leephillips
"I’d have to buy Mac OS X Lion again, Final Cut Pro, Compressor, hundreds of
dollars in iOS apps, and hundreds more in Mac software"

If you use commercial DRMed software you are asking for this. It is hard to
feel sympathetic with this part of the story.

~~~
antihero
Damn right, he's been digging his own grave, Apple just handed him the shovel.

------
theHeraldTV
I've been using PayPal for nearly ten years now and never had any issues with
the service. Now currently my bank account is overdrawn, and if I don't get it
out of the red soon I won't be able to use PayPal with my eBay account, etc.
That's not PayPal's fault -- it's my own for not managing my money better.

Apple Inc. prides itself on its customer service. When I went in for a group
interview to work at the local Apple Store that was the most important concept
they drilled into our heads. That said, it's one thing for a company to talk
the talk; it's quite another to walk the walk.

~~~
MattRyanLG
Having worked for Apple customer service myself, I couldn't agree more. Apple
does a lot to help the customers, but why iTunes doesn't have phone support is
beyond me.

~~~
Caballera
Apple has a lot of contact information that's easily available.
<http://www.apple.com/contact/>

Sounds like someone did a chargeback; if they didn't do it, one of the
financial institutions did one.

------
rickdale
This isn't a problem limited in scope to Apple and Paypal. If you get your
identity stolen in any way it can be a huge hassle and take over 12 months to
completely figure it all out and clear out your credit. Speaking from personal
experience, I had to call over 20 businesses, send each of them copies of the
police reports, and remind some of them, to clear their marks on my credit
report.

------
brown9-2
_The PayPal representative I spoke to was very courteous and helpful, though
he couldn’t confirm whether or not I would experience the dreaded PayPal
account freeze as a result. After all, all of my income comes to me via
PayPal._

Wouldn't it make sense then to use a separate PayPal account for your
self-employed business/income from what you use for personal purchases?

------
soult
What I am most curious about, and what has never been mentioned in the article
or in the comments here, is, how the account was hacked. If the author not
only has been hacked himself, but also knows other people who have been
hacked, it should be possible to find the common denominator between them.

~~~
MattRyanLG
That would be interesting to find out. It's hard to find a common ground
between them, since my sister-in-law has an incredibly different set of usage
habits than I do. Further to that, she doesn't have an iPad/iPhone.

------
joejohnson
_I spent over an hour on the phone with Mac support (remember, iTunes doesn’t
have a customer support line)_

That's because Mac support lines _are_ the iTunes support line. He obviously
figured this one out, yet he keeps claiming there's no number to call for
iTunes-related issues.

