Hacker News new | past | comments | ask | show | jobs | submit login
Etsy sellers say their bank accounts were emptied in major billing snafu (boingboing.net)
182 points by mkeeter 35 days ago | hide | past | web | favorite | 103 comments

The fact that this happened on a Friday with a Monday holiday coming up smells extremely fishy to me.

Of course this is completely unfounded, but I have a gut feeling its a hack and we will be hearing more about it in the future. Most electronic heists happen at exactly these times because the banks will not reopen until following Tuesday at which time it can potentially be way too late.

One prominent example that I can think off the top of my head is the Bangladesh Bank Robbery [1], but I am sure there are more example to be found

[1] https://en.wikipedia.org/wiki/Bangladesh_Bank_robbery

Here's another example


>National Bank said the first breach began Saturday, May 28, 2016 and continued through the following Monday. Normally, the bank would be open on a Monday, but that particular Monday was Memorial Day, a federal holiday in the United States. The hackers used hundreds of ATMs across North America to dispense funds from customer accounts. All told, the perpetrators stole more than $569,000 in that incident.

An interesting data point is that Etsy made charges to cards, but then offered refunds to the bank account on file.

This tells me their merchant processing credentials may have been stolen, and since they didn't initiate the debit, they don't have the transaction IDs immediately available to refund/reverse them. (Obviously the processor would be able to provide these on Tuesday when they open back up)

Things like this are my problem with the pull style payment systems. It would be nice for online systems if you were given an invoice, and you had to tell your bank to push the money to the other party. (or confirm the pull). For recurring bills that are always under a certain amount, he was a customer can give a business some limited amount they are allowed to pull every month.

In a system where we turn over our payment information to all these companies and they can accidentally pull any kind of money from your account, it just leads to problems.

Once I have your bank account number and I tell the bank that I have permission, I can pull out any amount of money I want.

Only protection you can offer yourself as a business owner is having a separate account, keeping the absolute minimum required and sweeping balances off to another account as fast as you can. I feel for Etsy, as someone that has built a funding system, the thought of this type of event use to give me nightmares.

I only guarded by testing as if people's live depends on it, because it really does. Screwing up someone's account could mean them not being able to afford food, rent, could be the start of an eviction, job loss, losing their business, not paying employees, many other terrible events or worse taking their own life.

Circuit breakers are also important. If Etsy typically does 2,000 withdrawals on average, and one day their system has to do 50,000 ACH debits. The circuit breaker should kick off so someone can review and manually push it through if correct.

It's incredible to me that you can give your bank information away to a company and they can withdraw whatever they like.

There's a bunch of companies (utilities such as power companies, for example) that allow an individual to set up such direct withdrawals. They also seem to let you do this without any kind of special authorization from the bank -- I've done this many times and I've never been forced through any kind of bank login to authorize them to withdraw money.

In Norway, you have two systems ("avtalegiro" and "autogiro") for direct debit. You have to go through the bank to authorize the setup, and you have to specify a max amount. There's also a system called eFaktura where companies can send digital invoices to your bank account; paying them requires going into your bank's app and approving each one individually.

Anybody in the US can try and pull as much as they can. This is a very old system going back before electricity. Paper checks signed by pen sent by mail (horse back) to banks. They checked that the signature on the check matched the one on file and released the funds. This system worked in that era but now someone gets your bank account number and can use it online to pay for something without a signature and banks don't really verify anything.

Someone I know had checks stolen and the people used the info on the checks to pay their electricity bill. The police were notified and even though they new exactly where these people lived, did nothing. The only thing to do is close the account and open a new one. What a stupid system for the user, but the banks don't care enough to change it.

Business accounts can sign up for something called “positive pay.” You set a default rule (e.g. accept below a threshold amount and otherwise deny). You can review transactions on a daily basis and override the default. This works for both ACH and checks.

We currently use one account for everything, including Stripe deposits from SaaS applications. But as soon as practical, I intend to move to a model where there is a separate "staging" account for any kind of 3rd party interfaces.

That's exactly how it works where I live.

The businesses sends the invoices electronically, and I get an e-invoice in the bank and have to confirm it before it is being paid. Nobody has access to my account but me.

One can also set up auto-payments with limits per business, like one limit for the energy bill and another for rent.

USA NACHA system is old. It's fixed width files transmitted via SFTP or web portals and manually uploaded to other banks.

This sounds like a very weak excuse. Why can't the bank show the account owner the incoming pulls, and let the owner authorize them? (And then send the authorized ones out as proper push transfers in the next ACH batch.)

It's how banking works nearly everywhere outside of the US, that's why most brokers handle US money transfers on separate forms. PayPal was built on top of this banking insanity, in most other countries PayPal would solve a problem that doesn't exist.

Whole thing is kind of like the imperial vs metric system.

Which makes me wonder - which other countries have banking systems that routinely allow pull-based access to accounts?

In the UK, PayPal can take what they want from my bank account, BUT I can just say "Reverse that" and it is done instantly, no questions asked (I might still be on the hook for legitimate transactions, but I'm not responsible for fraudulent ones).

(Case in point - a company I'd never heard of set up a Direct Debit on my account, and I didn't notice for about 6 months. One call to my bank, and I had the money back immediately.)

It's part of the Direct Debit guarantee:

> If an error is made in the payment of your Direct Debit, by the organisation or your bank or building society, you are entitled to a full and immediate refund of the amount paid from your bank or building society

> If you receive a refund you are not entitled to, you must pay it back when the organisation asks you to


Germany has had direct debit since the 1950s, Britain since the 1970s, the difference being that as a consumer you can cancel the transaction within 8 weeks, no questions asked. Why the US can't follow suit is beyond me, instead people have to hack their own workarounds with prepaid credit cards.

Germany has had direct debit since the 1950s, Britain since the 1970s, the difference being that as a consumer you can cancel the transaction within 8 weeks, no questions asked. Why the US can't follow suit is beyond me

In the U.S. you can cancel a transaction that you don't believe is legitimate. I did it as recently as last week and as long ago as the 90's when State Farm's auto-debit pulled $2,500 out of my bank account instead of $250. It's nothing new.

privacy.com allows creating credit cards with preset spending limits, either one-time or recurring. I use it for subscription services. (No affiliation just a happy user.)

privacy.com would be really attractive to me, but it comes with a mandatory arbitration agreement, and I'm trying to limit the number of businesses I interact with that rely on one.

Certainly the combination of mandatory arbitration and "we have your banking info" is a no go for me. If you want access to my bank account, you need to have some liability.

At some point I'm probably going to need to bite the bullet and sign up for an actual bank account or credit card with someone who offers it under normal terms -- but even that's been kind of frustrating to find. Capital One requires a browser extension. A bunch of places require phone apps.

I just want a banking site that lets me go to a webpage and click a "generate" button.

I am pretty sure Bank of America has this. I use their generated cards for several subscriptions.

This sort of error, where they accidentally pull thousands of dollars out of your checking account, can happen with privacy.com because you give them access to your bank account to use it.

Mastercard has a service like this also, but I seem to recall that last time I tried it, it required to have Flash installed, so I didn't use it.

Yes it’s neat, but also involves giving privacy.com unfettered pull access to an account. Not to mention the data pipeline for profiling your use. Not a bad trade if it suits you, but things to be aware of, certainly.

Credit cards already have legal protections so worst case you can file a charge back and your money is safe. Etsy has access to bank accounts which don't even have the credit card protections.

Apparently Citi offers virtual credit cards to their users, I've been meaning to open an account for this feature alone.

Are there any fees associated with that privacy.com service?

None in my use of the service.

To my knowledge, they make money because they act like a credit card (they collect cc fee from the seller), but actually just proxy the charge to your bank account. You basically lose out on any your own cc rewards though since you can't proxy to another cc (then they would lose their profit margin paying your cc provider).

Personal example of when I found it useful: I used a burner card from them to buy a board game online, turns out the site was hacked, leaked the card info, additional charges were attempted but failed because the burner card settings only allowed the original charge through. Was really glad I didn't use my own cc.

Unfortunately if one must supply privacy.com with access to a bank account, it's not an improvement over Etsy in terms of exposure. And with Etsy you can directly supply a credit card, leaving your bank account isolated.

I use privacy.com with a completely separate bank account account with a limited amount of funds. I think that it works well enough.

I use separate bank accounts for various isolation purposes, but they generally have a monthly fee when below a substantial balance. Direct deposit accounts are the exception in my experience, and one doesn't generally have multiple direct deposit employment sources.

If I need to setup a separate account to isolate privacy.com's use, why wouldn't I just make it a Citi account and use their virtual cards instead of providing all my identifying information to yet another third party open to hacking and diminishing of corporate values?

Because I don't use a browser that supports flash.

Capital One also does but apparently it requires you install a browser extension that you give permission to spy on all webpages.

Are you sure that's not just an optional convenience thing?

The biggest issue is that the same info needed to push money into your account can be used to pull money out.

Why both actions require the same credentials is byond me.

The article is really poorly researched. They mentioned that Etsy decided “not to cancel the transactions”. What does that even mean? You can’t cancel a transaction where the money has already been taken out or the account and magically expect it to return. Etsy has to push the money back into the account via a refund.

And money refunded is never considered income, so the second part of the article is completely unfounded speculation. Unless Etsy issued 1099s it doesn’t matter how much money they push into the account, it doesn’t mean it will be considered income.

At least with Braintree (which my company uses), you can void a cc transaction any time until it settles at midnight, with the result that the money never actually leaves the account. A preauth of this magnitude could still cause big problems for a day or so, but it’d be better than locking the money away as a credit in a totally different account (which, among other problems, somehow smacks of money laundering).

The money moved so it already settled.

Yes, by the time they addressed it. Seems hard to imagine this was the sort of thing that didn’t hit their radar on the day of, though.

There is a sort of "cancel" for ACH transactions, and they were talking about both credit cards and ACH withdrawals.

I'd be concerned about the 1099 thing. They've already demonstrated some poor practice in that area, so it's reasonable to raise the issue before they calculate it wrong.

>Unless Etsy issued 1099s it doesn’t matter how much money they push into the account, it doesn’t mean it will be considered income.

Etsy does issue 1099s to sellers who meet certain criteria although who knows if this will be included.

It doesn't matter whether Etsy issues 1099s, as that's not what makes a payment income...

Generally reimbursements are not income.

The 1099 panic is just totally and completely uncalled for, there's no reason to think Etsy's systems would erroneously report reimbursements as income on 1099s. After all, my work issues me both paychecks and expense reimbursements and when I get my W-2 at the end of the year only the paychecks are listed as income, it doesn't include the reimbursements.

And even if your 1099 was incorrect, that doesn't mean you'd suddenly owe taxes on the incorrect amount, you'd just report the error to Etsy for them to fix.

This is the kind of mistake that potentially kills the company. Or would if it still would be a small artist umbrella but it's now only a small portion. Because after this, a lot of small artists will pull out for sure because as you very well know 40% of Americans can't cover a $400 emergency expense so they equally can't afford to hand their financial info to a company which might just trigger such an expense. This is a problem. I liked the small artist half of etsy. Where do you get your small artist stuff now?

In a way, Feltsewfantastic's Corgi felt keychain key ring / bag charm / ornament is my support animal... etsy has brought me a lot of joy.

I know that there has been a lot of internal handwringing at Etsy over changes in the culture and values of the company over the past few years.

I imagine this will be a good chance to see how much of the old Etsy still remains in the DNA and how much has gone CYA corporate.

Really hope everyone affected gets made whole. Unexpected large withdrawals that persist for days can be extremely stressful, and in some cases, affect lives for a long time afterwards.


(I once had a case where a store charged me a ridiculous amount of times, over 40-50 for the same transaction, and then I was charged tons overdraft fees for every duplicate transaction. The store refunded my money but refused to pay for the overdraft fees, the bank refused to refund the overdraft fees demanding the store would pay, and meanwhile I was a 19 year old out of somewhere near $2000 for months and stonewalled by CorpStore and CorpBank.

(They eventually each agreed to cover half, which was a bit of a coup for the bank I thought)

Mistakes happen, even terrible ones. They can be fixed though. The biggest issue is the fact that Etsy is stonewalling the issue and not willing to talk about it openly.

I don't think they're stonewalling the issue. They need to figure out what happened, they need to figure out who got affected, they need to figure out how to refund their money, with ACH it's slow. Friday is the worst day, banks are closed Sat, Sun and Mon (Banking holiday, President's day), their customer service lines, emails are probably flooded. Their legal team might have already taken a few calls, their PR department is working as hard as possible, their retention team is also trying hard to keep business. The dev team needs to also find a solution. They need to do all this, and their postmortem report probably needs to be reviewed by legal to reduce any future exposure.

Nothing will make the users happy till their money is refunded and that will not happen till Wednesday. Earliest day they can submit refunds will be Tuesday, it will show up on Wed. Same day ACH is not going into effect till Sep 2020.

The whole concept of a bank being "closed" and so you being unable to make a money transfer seems so quaint and last-millennium.

Exactly. This is one of the advantages that cryptocurrency has over banks.

The Etsy snafu will be repeated until people and businesses start to require crypto for business transactions.

> Exactly. This is one of the advantages that cryptocurrency has over banks.

If it were any sort of meaningful advantage you'd likely see banks adapting pretty rapidly. There's nothing inherently impossible about faster bank transfers - Europe already has 24/7 nearly-instant transfers via SEPA.

> The Etsy snafu will be repeated until people and businesses start to require crypto for business transactions.

I suspect for every one Etsy snafu there's a bunch of "thank goodness I could issue a chargeback" situations.

> Then there's a potential tax issue.

> Oh, and don't forget the credit score dings that people whose cards went over the limit could potentially suffer.

Getting charged $10,000 abusively can put people in a complicated financial situation.

And there is the issue of trust between the platform and sellers.

lawyers and liability -- unless there's something concrete to be gained from being open, being a good samaritan can get you into even hotter water.

Having people trust you is a concrete gain for being honest. Hiding the truth to avoid liability demonstrates that you're not trustworthy. To me, it's fundamentally unethical, though I know it's often promoted as "practical" in our culture.

They should be bending over backwards to try and restore their users' trust. It's insulting that they expect us to go by faith alone.

if you were in the shoes of an Etsy seller that lost 10000 even knowing you would probably get it back... Would you trust them ever again?

I'm someone that was impacted by this (had about $2700 put on my credit card), and yes I will trust them again.

Mistakes happen, and I think it's silly to overreact and completely cut ties with a company over a single mistake.

It does suck, and it was hilariously bad timing for us due to some personal stuff going on, but I trust that they will do a good job rectifying the issue.

I do have some issues with how they are handling this (I should have gotten an email when they found out this was a problem and not have had to find the forum post on my own), but at the end of the day it's a mistake and one I hope they will learn from.

It's strange how the US just can't seem to figure out sensible payment systems. Payment in the eurozone is not exactly perfect, banks being banks and all that, but this kind of thing is almost a non-problem: If there is a SEPA direct debit drawn from your account that you object you, you simply tell your bank (online banks tend to have the option in the online banking interface for every direct debit transaction) and the amount is immediately credited back to your account, with the same value date as the previous debit. It's then the problem for the payee and their bank to sort out.

It's already figured out, USA has the first mover's disadvantage, maintaining compatibility with an older system when you have many users.

So what? The SEPA shift was also a compat nightmare - even worse than in the US I'd say. 34 countries with each having their own system of bank and account IDs that all had to be rolled over into one common system, and banks now being allowed only one day of delay (which used to be up to a week for international).

The EEA covers over 500M people, way more than the US does, with way more languages. It's not impossible to do such a migration, the difference is that EU legislators were fed up with the brokenness and forced the migration via regulation while the US government believes that "the market will fix everything". No it will not, the market will only deliver what is the lowest acceptable effort.

This is just their billing system, not the way sellers are paid?

I was very active in the Etsy community back when they start planning to implement their own payment system. At the time, I perceived them to have a record of continual incompetence paired with insensitive or hostile customer service. I was very wary, along with friends of mine in the community, of something such as this occurring to me. I certainly have never trusted them with my money.

The response is typical of the vague, downplaying way I remember them handling problems way back in 2008.

“We're aware of a bill payment error affecting a small group of sellers which resulted in some cards being incorrectly charged. We don't expect this error to impact additional sellers going forward.”

"People who sell crafts and other goods on Etsy, an e-commerce site focused on handmade and small-batch products, say they woke up to a nasty surprise Friday morning when thousands of dollars were withdrawn from the bank accounts and credit cards sellers are required to have on file in order to have an Etsy storefront."

Why do sellers have to have credit cards on file?

Buyers I can understand, but sellers?

To pay the fees associated with selling.

why isn't the fee deducted from the selling price before money are wired from etsy to seller?

Traditionally buyers paid via PayPal directly to the seller's account without Etsy seeing the money. This is still a supported option for grandfathered sellers and for sellers in countries where Etsy Payments does not operate, it is called "standalone PayPal".

A couple of months ago, for those sellers that use Etsy Payments, Etsy actually switched to deducting the fees from the sales like you suggest. But that still doesn't cover the cases where buyers want a refund afterwards, or if the seller had no sales to cover the listing fees.

Some platforms work like this (Amazon) and some have fees you have to pay after the fact (eBay). Big reason why eBay works like this is it has listing fees for high volume sellers and they have to be paid even if the item doesn't sell. Also, in the early days payment wasn't handled by eBay itself, it was decided entirely between buyer and seller. eBay auto is still like this (as far as I know).

But even with Amazon you have to have a credit card on file and they'll charge it if your seller account goes negative. Your seller account can go negative if you have a return or if you paid for FBA shipping and haven't made sale since or paid for FBA removal.

You need to pay for listing as well, regardless if you sold or not.

b/c Etsy makes money in listing fees as well as transaction fees.

Because they have to pay for listings and other things from Etsy.

Why can't people just prepay a credit on the service, and the service provider could deduce fees from the credit? A lot of other services are doing that. It would solve all kind of associated issues with this these kinds of errors, like cancelled cards, overdraft fees, etc.

Why would you lend a company money, interest-free, when you could put it in a savings account, invest it, pay for something else, etc.?

Why not? I've decided to spend the money in the next few months on the service already, so the money is allocated anyway. I do it regularly. It also avoids paying the card companies' fees, because I can just wire the money.

A lot of serices are structured this way, anyway. Download services, hosting services, even marketplaces like Etsy. Really, Etsy's model sounds more like an exception from my POV. But I'm not in the US.

There's no reason that the company couldn't pay interest on the money you lent it.

Exactly why I never connect real bank accounts to Venmo or even paypal. I only trust credit card companies lol. My Venmo is built up from friends sending me when I paid for them in cash.

Also if I were to connect bank accounts, I have several buffer accounts which are low on purpose

Etsy's TOS requires mandatory arbitration, unsurprisingly, but I wonder what their reaction would be to thousands of arbitration claims over overdraft fees and other financial hardships.

This seems to be simple theft. Report it as a crime.

Mens rea - Latin for “guilty mind” - is the intention to commit a crime, and must be present for many types of prosecutions.


Etsy claims to be rapidly returning the taken funds and paying any penalties incurred by their customers. If they didn't, it could be taken as a signal that they intended to keep it, satisfying the requirement of criminal intent.

If, through an accident, you acquire the property of another, and don't give it back, that can be theft. This is called "theft by conversion."[1]

[1] https://www.newyorklitigator.com/conversion.html

I'm interested in how mens rea squares with the oft-cited "ignorance of the law is no excuse" (is there a Latin term for that?).

If you don't know you're breaking a law there can be no mens rea, can there?

Mens rea means you intended to do the criminal thing that you did, not necessarily that you knew it was criminal. Homicide is homicide because you intended to kill someone, even if you didn't know that was a crime; if you did not intend to kill someone, you lack the mens rea but may still be guilty of negligent homicide or some related crime.

Certain crimes do require knowledge of the law, like tax evasion: the tax code is assumed to be so complicated that to be guilty of criminal tax evasion it must be proven that you knew you were evading taxes. Wikipedia has a summary: https://en.wikipedia.org/wiki/Mens_rea#Ignorance_of_the_law_...

if you did not intend to kill someone, you lack the mens rea but may still be guilty of negligent homicide

The standard varies by jurisdiction, but it's quite common for "intended to cause non-lethal injury but accidentally killed the victim" to be treated as murder; this arises for example in the "eggshell skull rule".

Some states also have what is referred to as "constructive murder" whereby you can be convicted of murder if you commit a serious crime and someone dies, regardless of whether the possibility of a death was reasonably forseeable; in Canada this has been ruled unconstitutional on the grounds of lacking mens rea but in the USA courts generally accept that having the intent to commit a serious (but non-lethal) crime meets the requirement.

Constructive murder is also known as felony murder in the US: https://en.m.wikipedia.org/wiki/Felony_murder_rule. It can lead to some seemingly strange outcomes:

“For example, 20-year-old Florida resident Ryan Holle was convicted of first-degree murder for lending his car to a friend, who used the car in a burglary during which a murder was committed.”

The eggshell skull rule is from torts, not criminal law and it would be unconstitutional to apply it to criminal law. You're thinking of constructive murder, where the intent to commit a serious felony everyone to the intent to cause all foreseeable harms that the attempt could engender.

Different countries, different constitutions. In Canada, constructive murder was ruled unconstitutional; but if you intend to shoot someone in the leg (say, to stop them from pursuing you) the lack of intent to kill would not save you from a murder charge.

Even in these instances, however, intent to commit an unlawful act is still part of the burden of proof.

In addition to the comments about mens rea being an intention to do an act, not knowledge of the law, sometimes your knowledge (or lack thereof) is part of assessing your conduct. For instance, the Englad and Wales Theft Act:

> A person’s appropriation of property belonging to another is not to be regarded as dishonest if he appropriates the property in the belief that he has in law the right to deprive the other of it

An honest mistake as to the law would not be considered theft.

Intent to do an action is independent of knowing the legality of that action.

There's not such a thing as a mistake, only lessons. Lessons learned or otherwise.

I have 1 special account for these type of things, and I keep it empty or with just enough $ to cover what is rightfully owed.

I am no genius. I have learned my lessopn (from PayPal).

You'd still be liable for overdraft charges, wouldn't you?

You can decline overdraft "protection".

Not really. I have overdraft protection disabled on my Ally account. I get fees all the time when it is overdrafted anyway. I really do want to punch the person in charge of letting accounts go negative. I would rather get denied at the POS than overdraft and suffer fees.

In Germany, we have special automated loans ("Dispokredit") for this situation. These are expensive (14% p.a.!), but as they are meant to be used only in emergencies and for a short time only, such a situation as here would not incur fees above 1€, as the interest is most often calculated daily.

Some banks in the US have this, some charge a fee to use it. It's a niche product though.

Not all banks are this customer-hostile, luckily. But there may be undocumented ways to truly get this shut down. If not and if possible I’d recommend switching banks.

I can't recommend Simple enough. Been banking with them for years and it's been wonderful.


> ATM and everyday debit card transactions that would cause an overdraft may be declined at no cost to you.

Open a Fidelity Cash Management account - they do exactly that, deny the charge with absolutely no fee. I accidentally chose to pay with my bank account instead of my credit card on PayPal, the charge was denied with no fees. On top of that the account has no account fees, no minimum balance, free checks, and ATM reimbursements.

I’m a buyer and made a couple purchase last night on Etsy. All my credit card info was saved on checkout with no verification required to use the card. Surprised me in comparison to how Amazon or other retailers typically require the full card number be re-entered on checkout. I understand this is different but seems like a bad convenience trade off.

Amazon doesn’t require re-entry of any details on checkout, at least in the US. I can click a button and immediately purchase something with minimal confirmation.

I have never had to confirm any details with Amazon as far as I can remember.

If you change your shipping address, it will ask you to re-authenticate the credit card number.

I'm in Canada and I've had to confirm details on my card. I guess outside US thing.

In the US, you do have to confirm the details on your card when you change your shipping address in Amazon, or you need to make any updates to it (i.e. cvv / exiry date). Otherwise, not so much.

Edit: Oops, just noticed that point was also posted twice in sibling comments. Oh well, third time's the charm I guess?

I'm from Canada too. The only time I had to confirm my number / CVC was when I changed my delivery address.

You do have to enter additional information when signing in from a new browser.

Plenty of sites, including Amazon, do not require you to re-enter a saved card number.

Some sites only require re-entering the card when shipping to a new address.

> Some sites only require re-entering the card when shipping to a new address.

This is what Amazon does, in my experience.

Yah I think it's a good thing. I have a password manager so it's only a few clicks to paste the card number in. I'm guessing the majority of consumers are annoyed by it.

amazon has required me to re-enter card numbers when shipping to an address not associated with that card. I have bought on Amazon in the US, Spain and Mexico with this happening each time.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact