It got me thinking about the standard assumption that any system limiting chars in a password must be storing passwords in plaintext and not hashing them, else there would be no logical reason to do so (since hash length is constant regardless of input length) - with the only exception being placing a really large limit (say 1024 chars) just to avoid performance issues with hashing really massive passwords.
But... I refuse to accept that's what's happening here. It simply can't be the case that Paypal is storing plaintext passwords, can it? So there must be another explanation - but what is it?
The only thing I can think is that perhaps they are encrypting passwords, instead of hashing them, or started out doing this in the early days and have since switched to hashing passwords, but there were by then so many layers of validation cruft and/or dependent systems that somehow relied on the 20 char limit being enforced, that they were unable to remove the limit without breaking everything, and they've decided the tradeoff of just sticking with a 20 char limit is worth it.
Does anyone know of or can think of a better explanation for this?
Of course, I never was able to see their answer because I cannot log in to open the issue tracker. So, in the end I just gave up.
1) for those who want security, 20 digits of random characters using a password manager is plenty
2) for those who actually remember and type a password (i.e., just a regular password), requiring them to keep it less than 20 characters increases the odds that they can actually type it in correctly (think elderly or more easily confused people here) and that reduces calls to customer service to complain that their password doesn't work.
Reason #442 to use a password manager.
I suspect the answer to your question is that what we know as "Paypal.com" is a collection of 57 different legacy systems that were hacked together over a period of 20 years. It's not that a designer sat down one day and spec'd out the design we see. It's more like it used to be much worse, and then they fixed 173 bugs (sometimes in an overly conservative way), and we're seeing the result of that.
Unless a software team is very careful, what the users see is software archaeology, not UX design.
The British Airways site does exactly the same thing, took me about 5 attempts at resetting my password before I realised what was going on...
But yes 20 character password is infuriating. My guess is that, at some point, it's extremely hard to change the password character limit and make sure it's correctly updated everywhere at once. Passwords are used in several places and they're afraid of missing a few.
That's my most generous reading of the situation. I still think Paypal is pathetic. Their country locking is the most awful shit: you can't use a foreign phone number, it has to be one of the country you registered with Paypal. If you move country, tough fucking luck, you have to close your account and open a new one and that's "standard procedure".
My supermarket has different websites (for their card or online shopping), and one has a X-characters limit while the other does not.
It has been a BIG hassle to get rid of all the problems I had (and still occasionally have some trouble).
So while having a password character limit makes customers angry, it is better than breaking everything.
It looks like Argon2 is newer and doesn't have a max length but still it's likely most sites are using bcrypt.
There's also a kind of handwavy "more than 20 characters is likely to be malicious input." Which is a little bit of a cop out but also probably true in general.
Bandwidth concerns finally bring us to the reason that paypal limits the password size to 20. PayPal uses an authentication scheme that stores the encrypted password client side and requires it to be resent with every request (or at least used to). Because the password isn't hashed before being transmitted, and is present with every request, they limited the size.
All of this was designed and implemented more than 10 years ago and even though both the bandwidth concerns and the need to send the password with every request are outdated and paypal has likely updated to newer systems that remove these concerns entirely, companies rarely re-examine these kinds of hard coded limitations unless they are legally required to.
Google "(framework) signup form" and you'll find lots of examples. Third link for rails: https://stackoverflow.com/questions/31105996/ruby-on-rails-w... - written in 2015, has artificial limit 8-20 characters without any technical reason.
Basically, I generated a 32 character password in my password manager, pasted it in, got no errors when I made my account, and could log in in Chrome successfully. However, I couldn't log in on the mobile app. I tried manually typing, copy/pasting, nothing worked (it doesn't even seem like they auto-lock accounts after 15 failed login attempts...). So I went to change my password on my desktop and noticed it stopped accepting anything after 20 characters. The field silently truncated my password. So I typed the first 20 into the mobile app, and was able to log in.
The worst part about this system is that since the mobile app doesn't respect the limit (not sure if there is a limit in the app, I was able to do 64 characters successfully), you can make your account inaccessible from web browsers with a >20 character password (meaning it's not a DB restriction, it's just an arbitrary client-side restriction, and it's not even implemented consistently). I reported this bug last week and got a generic email response, so it probably still works for now.
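The lockout described in this post (a web form that silently truncates to 20 characters while the mobile app sends the full password) and the point made at the top of the thread (a hash is the same length whatever the input, so a cap only needs to bound hashing cost) as an added example; this is not code from PayPal or from anyone in the thread. It assumes the standard-library scrypt as a stand-in for bcrypt/Argon2 and a constructed 1024-byte server-side cap.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed values for the example: a generous server-side cap that bounds
# hashing cost, and the 20-character client-side truncation from the post.
MAX_PASSWORD_BYTES = 1024
WEB_FORM_MAXLENGTH = 20

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # ~16 MiB per hash


def validate_password(password: str) -> None:
    """Reject over-long input with an explicit error; never truncate it."""
    if not password:
        raise ValueError("password must not be empty")
    if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
        raise ValueError(f"password longer than {MAX_PASSWORD_BYTES} bytes")


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || digest. Output length is fixed regardless of input length."""
    validate_password(password)
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt + digest


def verify_password(password: str, record: bytes) -> bool:
    """Constant-time comparison against a stored salt || digest record."""
    try:
        validate_password(password)
    except ValueError:
        return False
    salt, digest = record[:16], record[16:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


def web_form_submit(password: str) -> str:
    """Models the buggy web client: drops everything past 20 characters."""
    return password[:WEB_FORM_MAXLENGTH]


def mobile_app_submit(password: str) -> str:
    """Models the mobile client: sends the password untouched."""
    return password


def record_length(password: str) -> int:
    """Stored record size for any password: always 16 + 32 bytes."""
    return len(hash_password(password))


def reproduce_lockout(password: str) -> dict:
    """Enroll through one client and log in through the other, as in the post."""
    stored_via_web = hash_password(web_form_submit(password))   # truncated at enroll
    stored_via_app = hash_password(mobile_app_submit(password))  # full length at enroll
    return {
        # Enrolled on the web, full password typed into the app: fails.
        "web_enroll_app_login": verify_password(mobile_app_submit(password), stored_via_web),
        # Enrolled on the web, logging in on the web: the truncation cancels out.
        "web_enroll_web_login": verify_password(web_form_submit(password), stored_via_web),
        # The workaround from the post: type only the first 20 into the app.
        "web_enroll_first20_in_app": verify_password(password[:20], stored_via_web),
        # Enrolled in the app with >20 chars, then the web form truncates: locked out.
        "app_enroll_web_login": verify_password(web_form_submit(password), stored_via_app),
    }


if __name__ == "__main__":
    print(record_length("a"), record_length("b" * 500))
    print(reproduce_lockout("correct horse battery staple 12345"))
```

Inconsistent client-side limits are caught by putting the single length check on the server and returning an error the clients must surface, rather than letting each client trim input on its own.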
I'm not particularly familiar with those security rules (even less with the rules of other countries) so I wouldn't be surprised if this isn't a rule in one of the countries PayPal operates in that they just decided to use everywhere to make it easier.
One of my credit cards lists my name as "Christophe" rather than "Christopher" as they have a fixed-length 10 character field for first names. Customer support said it was unfixable.
It only takes one such system, in a complex web, to impose that limit on all systems.
This has never been an actual issue (or even commented on), but another middle name discrepancy has. Back in high school, there were some issues with my name on my state ID not exactly matching the school's entry for me.
I expect a relatively small minority of the HN crowd have exposure to decades-old mainframe systems.
It seemed a plausible rationale, given the state of the world ~2000 when PayPal was ramping up was very different.
Especially in the financial sector, I can see partners and/or requisite systems to interface with being heavily mainframe-based.
And now, even if PayPal is following best practices, it's possible one of their counterparties is stuck in the 1980s. People forget that "building Fort Knox around a private line from X DC to Y DC" is sometimes cheaper than "rewrite COBOL system of record that no one alive worked on."
It's like living with a drug addict. They may be family but you sure as hell don't leave cash or valuables laying about...
Great analogy! Despite enjoying a long relationship, Paypal will very possibly stab you in the back and rob you blind in a blink of an eye then become incommunicado.
"Oh, yeah, don't worry, 3D secure can't be forced for all payments, but we got you, we'll enable it when we think it might be abuse. Also, our seller protection covers you."
All the time: "Here is a customer that made 12 purchases during the last 13 months. We took the money, but you have to prove that the card wasn't stolen and that the customer got what he paid for. We didn't enable 3D secure for this transaction, so please fix this for us and we'll give you your money back. Also, if you don't we'll take some more money from your account. Seller protection does not cover this as services are in a gray-zone."
240K frozen and taken since 2012 and still counting! At least I've started to win all the cases, but it takes a lot of time. Time to switch to stripe where I can force 3D secure...
PayPal is a joke. A bad joke.
I don’t know why companies do this but I notice that companies that don’t compete with Amazon tend to have horrible customer support, but as soon as Amazon enters the market suddenly everyone picks up the phone second ring, has chat, and sends out hand written e-mails.
I got the exact same feeling when talking to them. It sounded like they understood my problem, but the proposed resolutions were obviously not a match. Reasoning about it with them got me nowhere, they clearly had no other options.
Except if you asked the bank, they'd say there was a system error we had to correct, sorry for the inconvenience, please take our survey. PayPal will say you sent/refunded the money, we never touched these funds and can do no wrong, and if you can't produce documents that never existed related to this transaction that was entirely in error you can kiss your account goodbye.
Paypal is a well-oiled machine until you trigger some exception that creates a case with their legendarily incompetent support - at that point, the results will be essentially random and often apparently malicious, no matter the facts of the case.
Turns out, 15 years ago when I signed up, I was 15 (I am 30 now) and that is against their terms of service. So my account is permabanned and they said to make a new one with a different email.
I can understand they don't want people under 18 to sign up, but for fucks sakes, it was 15 years ago, this feels like a fairly stupid policy.
I would like to add that the customer service experience in this instance was pretty good - they had a queue system where you can leave your number and they call you back instead of keeping you on hold forever, and the representative was helpful and professional and told me straight up that I could make another account.
I've been fighting a similar issue. I woke up one morning to an email that my account was permanently suspended, along with several family members' accounts that don't live with me. All of our accounts were shut down at the same time, with no reason given. None of us had used Paypal in months, and I haven't received money on Paypal in years. We can't get a hold of anyone to find out what happened.
I'm not saying they're right, but I can see why this is the easiest way for them to fix the legal situation.
How come most of these stories seem to involve obviously incompetent merchants?
- I had an old eBay account that was closed through inactivity
- I wanted to buy some headphones so I decided to create a new account
- When I went to eBay it had already given me a username through some sort of linked google account feature that used the google account I was logged in to
- I tried to buy 2 $40 headphones and it wouldn't let me, saying I was over my temporary purchase limit
- I figured maybe you can only buy one item at a time as a new user so I tried to buy a single pair of $40 headphones and got the same response
- I thought it might be my VPN, but my VPN was off at the time.
- I created a normal account linking it to my normal email and everything seemed well. I purchased the headphones successfully
- A few minutes later, I got an email that the first account had been suspended for suspicious activity. I first thought this was fine, until I read that I was not allowed to use any other eBay account ever again in my entire life. There were no options listed for recourse. Reading internet threads suggested that they were serious about this and that even if my other account still worked, they would eventually find it and close it.
Eventually I called and got a rep. I got the feeling he didn't believe me, but he fixed the issue so now I can use eBay again without worry. The whole experience left me a bit shaken though that triggering some automated flag nearly resulted in being cut off from one of the largest marketplaces in the world for the rest of my life.
I called and spoke with them for an hour and they would not tell me why they suspended the account, other than "I have reviewed the information and have decided the suspension is correct. But cannot tell you why it is being suspended." they kept repeating that she personally reviewed and therefore suspension must be legitimate. I said to her that her review of the account sucks.
And I had my pitchfork out to sue because they should not be doing that.
Second, I realized how powerful these big platforms like eBay are. I looked around for alternatives in case I did get permanently banned and I sure didn't find much. What was particularly creepy to me was how being an undesirable to eBay could potentially spread: they track your account, name, address, credit card number, IP, and so on and seeing any one of these can lead to bans on other accounts. In a lot of ways this makes sense, but in theory, if I happened to log on to my banned account at my mom's, it could match my account with her IP and ban her account as well. I doubt this would happen in eBay's case as support reps would probably help her if that happened, but it definitely brought to mind the Chinese social credit system where linking to an undesirable can make you an undesirable yourself.
Third and most important was personal. I'm engaged to someone who is planning to use eBay. I wouldn't care too much about being banned off of eBay but I would hate to see her life become any harder just because of some weird glitch.
I’ve been using PayPal personally for 10+ years without issue. I also own a company and have processed hundreds of transactions and withdrawals through a business account with them without a single problem. I’m not saying that dealing with PayPal is without risks, but it’s also possible that we’re hearing a vocal minority here.
Then you won't mind if I borrow the keys to your account. You'll never notice a thing.
Even if PP is just covering their embarrassment over a mistake, it is still nonsense on stilts that they stonewall and bullshit about transactions flowing through your account. Who knows if they're even legal transactions? Someone could be playing a game.
Before you assert the belief that Paypal would never risk laundering money, you maybe want to look at Wachovia, HSBC and Deutsche. And it doesn't have to be "Paypal" in some formal sense; it could be employees there.
It is incredibly naive to play "what, me worry?" about sketchy things going on in your accounts.
It happens ALL the time, and you'd never notice or be notified.
On top of that the vast majority of people don't get a notification every time a transaction happens on their checking account. Some banks are implementing a notification feature for some transactions nowadays, but it's rare, new, and opt-in. The general case is money just flows in and out without much fanfare.
Some banks show you transactions that are pending. If a transaction never goes from pending to settled then it literally just disappears without a trace. Standard behavior.
Additionally, a seller on ebay probably fat fingered their ebay information, so when the item was sold, the seller accused the customer of fraud (I never got the money!) and the buyer thinks the seller is fraudulent (I sent the money!) and probably reported the "seller", which is actually the poster, as fraudulent.
That, plus the increasingly irate phone calls from the poster and the refusal to ID themselves led PayPal to shut down the account.
Your bank could do the same thing, I don't get notified when an ACH transaction or check clears.
There's also the issue of this resulting in the account being suspended. If this was just a normal transaction reversal, they definitely did something wrong for it to result in account suspension.
And yeah, PayPal support is legendary in just how incompetent it is - I won't deny that. But it seems like the author was originally upset about something that is a normal part of banking.
You’d expect that Paypal would notify him of the reversed transaction. Or would at least be able to tell him it was reverted instead of accusing him of refunding it himself.
My bank doesn't notify me about any transactions, I have to check my bank book manually. Once a mistaken transaction showed up and disappeared a few hours later, with no trace left behind at all. I just assumed it was a mistake and didn't bother getting angry.
It sounds like PayPal, or someone, made a mistake that PayPal then processed a fix on. When the guy called to say someone took money from his account with no notification, "what happened?", they said _he_ had actioned the refunding of the money. Which he hadn't.
They lied, purposefully and deliberately. But there's a good chance that the person on the phone wasn't lying IMO, instead someone altered his account in a way that didn't show [to their phone reps] in their system ... which is IMO much more messed up.
So PayPal lied to him.
Then they asked for details of the transaction that they said he had refunded and "blocked" his account for not providing them.
Government financial services should impose heavy fines on things like this, not informing a creditor when debits are made on their accounts. His PayPal account should have a user traceable error (with doubled entries in the other relevant account entries) -
money paid from $ACCNUM with $ACCID
money paid due to PayPal error and refunded to $ACCNUM
If they could do accounting properly then they wouldn't have to implicitly accuse him of fraud (demanding the transaction details).
My experience of PayPal has in general been pretty good, but I did have a person pay for something from eBay, then when I was sending it - like just about to head to the post office - I realised I'd not checked the payment. On checking the transaction link in eBay the transaction didn't appear on PayPal .. uh oh, so I checked PayPal and I couldn't find a transaction for the amount in my account list. So I checked eBay and the buyer had asked to cancel the completed transaction ... so I said yes, very begrudgingly. Then a few days later the buyer asked for the money back, but I never had it, and they (assuming they weren't lying) had a transaction for paying me ... which should be impossible with proper accounting because that transaction should include an entry in my account ledger too: his payment and my receipt are one transaction.
My suspicion is that their database processing is lacking and their account ledgers as displayed to users don't properly demonstrate the status of accounts.
I'm assuming good faith on behalf of the OP primarily because I've had a similar experience of missing transactions on PayPal.
I had an unexpected deposit show up in my bank account last year and then disappear a day later. The bank sent me a letter in the mail explaining what happened.
Maybe you need a better bank.
So, I deposited a $1000 paycheck (was working for a local guy, fixing computers) once and did NOT notice that I actually ended up with $2000 in my account. This went on for at least three months, when all of a sudden I lose $1000 from my account. Apparently Wells Fargo had figured out about the bug and found all the accounts that had gotten double deposits and 'fixed it'.
All without notifying me.
...I don't bank with Wells Fargo any more.
When the bank corrected it the transaction completely disappeared, apart from the screenshots he took there was no trace of it whatsoever.
No need to get angry, but you might need to get careful. It's a bit like seeing a single cockroach in a restaurant; you can't just kill and remove it then declare that everything's fine.
Contacting them and confirming that it was a mistake is basic CYA, it establishes with them that it's not your transaction and hopefully gets something on file.
(I've just got off the phone with EE after a mysterious charge appeared on my account. They couldn't tell me where it had come from or even when it was applied, so after putting me on hold for a while they agreed to just take it off again. But I only spotted it because I'm checking my bills carefully after a previous dispute ...)
In his case, he just got suspended and asked to provide documents he is physically unable to produce (contrary to presumption of innocence).
The next day, and after almost two weeks since the refund took place (but only one day after the long phone discussion), my account was blocked as "suspicious" activity and in order to unblock it I will have to provide original product receipts of the product I was "selling", something that I do not have as I do not even know what I was selling!
Yet again, emotion and anger are now somehow the company's fault.
This is merchant 101: always refund suspicious payments before your payment processor has to do it, it'd be really bizarre if Paypal was somehow the only exception in the industry.
There is no risk of OP losing $1,200 to two refunds if he went through the proper refund procedure. A transfer can only ever be refunded once.
The only way I see this going wrong is if instead of doing a refund you create a new transfer to send the money back, but you obviously shouldn't do that.
I suppose the key is if Paypal put it in the wrong account then cleared up after themselves, I don't think that's a refund as such, you should be telling the account holder when they ask though. The other option is the payer paid money to the wrong account, in that situation this guy should be getting notified.
This isn't just an issue of 'not his money'. How are you supposed to know if your account is hacked, or some weird fraud is going on, or even just a straight forward, he sold something and thought he got paid for it.
In many (all?) countries, your bank would've acted criminally. If money has been deposited to your account, only you or a court order can get it out again. If somebody "just does it", they are on a similar legal basis as somebody that forgot a jacket in your house and decides to break your lock and enter your house without your knowledge or authorization to get it back.
Requiring a court order to correct simple bank errors is entirely infeasible and, frankly, pretty silly.
>A payor can attempt to reverse a payment made with an ACH credit only if the payor claims the beneficiary was already paid by a previous ACH credit entry, or the beneficiary was the wrong recipient of the funds, or the original ACH payment was in the wrong amount. Otherwise, the credit is considered final.
There's a good reason for that: nobody wants banks to take money out of accounts because they "feel that's the right thing to do".
There's one notable exception: SEPA direct debits getting reversed. Using DD requires a special agreement with your bank, however, and it won't happen that money ends up in your account without you requesting it - or if it does, you will get a phone call from your bank where somebody explains the situation, apologizes a dozen times and asks you to look into the matter and authorize a reversal. Acting on their own would be a criminal matter and likely be of interest to the regulators as well.
Unless it's a real lot of money, going through the courts to get reimbursed would be impractical, and if you transposed two numbers while typing an account number then you might not even know who the money went to.
No, the law gets involved and at some point, a judge will decide whether you owe the sender the amount they mistakenly sent. It's basically the same for "I mistakenly sent you 100 that I meant to send to my friend" and "I mistakenly sent you 100 when I only meant to send you 50 that I owe".
And yeah, it's a hassle. At least you can generally find out which account the money went to, and with new IBANs, you need to mess up multiple digits, since they include a checksum. If the checksum doesn't match, the money bounces back into your account. Previously, some banks required that the account number and account holder match (within reasonable limits, misspelling the last name would work), but that changed with the IBAN system, only the account number matters now.
> When you notify your bank or building society that you have made an electronic payment to the wrong account, your bank will commence action on your behalf within a maximum of two working days.
> Where your bank finds clear evidence of a genuine mistake, they will contact the receiving bank on your behalf with a request to prevent the money being mistakenly spent. As long as the recipient does not dispute your claim, you will subsequently receive a refund of the protected funds within 20 working days from when you notified your bank.
Well, you clearly aren’t a lawyer (anywhere).
- There was no merchant contact info. They managed to upload Google's logo and use Google Account as the merchant name. Isn't PayPal doing any basic blacklist check, etc. or check against stock logos (there are tons of companies now which provide a logo for a given company name)?
- There's no way to report the invoice as a scam attempt - I can only "cancel" or "archive", which sends the "merchant" an email and they can know that my email belongs to a valid PayPal account after that as the email is sent by PayPal.
In general, after so many in business, PayPal is a lazy, slow, and stupid company. I am sorry to say that, but it's the truth. Their developers are a bunch of old timers, who have entrenched into the company and there's no innovation going on. There are many, many, many complaints about PayPal, which I can list here. Most of them are very simple to spot and fix by PayPal, but, no, they are untouched for years.
I feel like their dev team is maybe a dozen people who just do maintenance of critical issues and that's it. Their recent interface upgrade took years and it still sucks and feels like in the dawn of DotCom. Compare PayPal to Stripe, let's say - there's no room for comparison! Stripe innovates at a huge pace, they provide a much better DX (Developer Experience), and are so much nicer to work with!
PayPal recently acquired Xoom - a very expensive and shady money transfer company. Compared to TransferWise, they are a total joke. In general, I think PayPal is managed by technological morons!
P.S. PayPal Here is also a disaster compared to the rest. I bought the device (as PayPal gives nonprofit discounts like Stripe but unlike Square) and many of our transactions failed, so, we switched back to Square. Now we're integrating with Stripe's reader, so, we'll get the best of both.
Google, Facebook, PayPal all rely on their automated systems working perfectly and handling as much as possible. But there's always edge cases where things don't go as planned, and they require human intervention. But big tech wants max profits, so they try not to hire anyone, and those that they do hire are as poorly paid as they can get away with.
So you get very uninterested and unmotivated people handling customer support.
Nah it's still not done. There are nooks and crannies of the site where the early 2000s theme is still around.
Reading this post has given me the final nudge I need to look into closing both those accounts.
Note this isn't a snark at paypal specifically. I'm just interested if anyone with an economic background has an opinion to share.
So it'll probably be SMS, and otherwise they can ship me a second factor -- as the Rabobank already does for as long as I know: they basically send you a payment terminal that creates 0 cent transactions on your card, if I understand it correctly. While a bit annoying, it is safe and not too inconvenient.
- Inability to issue refunds
- Lack of 2 factor authentication
- Non-unique payment addresses (receiving emails are not bound to one account or even one person)
Proof a ruthless focus in the right place can overcome almost anything.
They've been shit forever.
> PayPal survives because they keep end users happy, we (the people using PayPal to take payment or integrating it) aren't the end user.
Yeah as long as you just use PayPal once a year to make some payment through your debit card it's okay, but any advanced user who use it more often will eventually get in trouble.
What exactly caused it I have no idea, but it might be traveling or using a VPN. Once I tried to make a fairly big $2000 transaction to pay for my new laptop and spent a week re-verifying my identity with them.
Given two merchants, I'll choose the one that uses a credit card over paypal every day. At least with a credit card I've my bank _and_ the scheme on my side. With paypal, it's me (and my bank) against the world ...
Far fewer issues than I’ve had with my bank actually (random declines, locked out of my account due to technical issue) in the same number of years.
These new-monopolies all seem to have the same features: robo-traps that trigger problems for users, robo-support (or support-by-script) that doesn't solve the problems, and no apparent motivation to actually solve problems when they happen.
Stronger regulation might fix some of this, but generally there should be some obligation to act ethically and responsibly.
(I know I'm dreaming, but consider how we got to the point where this requirement might as well be science fiction instead of a realistic consumer expectation.)
Ultimately if you get into a big enough dispute with Paypal you have to consider using the real courts.
Now, an aspect of running even a small business is that I have some cash on hand, and a profit margin to cover the cost of eating one or two disputes if necessary. If a $100 sale goes down the toilet, I don't lose $100, but only my original cost of goods.
Where I read about horror stories is individual sellers who are selling things like a second hand electric guitar. In those cases, the buyer and seller are probably both not swimming in cash, so having their money tied up in a dispute is in fact painful. And that entire economy is rife with fraud and outright theft. Also, electric guitars are a case where there is extensive room for dispute about the provenance and condition of each piece. This gives the buyer an easy way to claim "item not as described."
In my view the hot business model for using the small payment services is selling an inexpensive physical good with a generous mark-up.
If you shipped the product, you most certainly lost $100, plus whatever additional labor costs were involved in attempting resolution.
There's also the opportunity cost of having that cash illiquid, even if you do win the dispute in the end. Money's time is worth money.
I follow a rule that's common among micro-businesses, which is to waste zero time on disputes. I always offer a full refund right away, along with a boilerplate list of troubleshooting suggestions. In virtually every case, the customer comes back in a few days and agrees that my product works. But because of this, I consider a dispute to be an immediate loss, and not a dollar amount hanging in limbo.
I think this is almost exclusively small, inexperienced merchants.
Paypal is used in about 40% of our sales and we didn’t have any issues in about a decade. Even from personal experience as a buyer I can't report any major issues.
I keep my eye out for alternative services because like many others, I've heard horror stories, and would not mind having a backup. So far I haven't found anything.
A possible reason for my good luck is that I run an "analog" business. My product is a physical good that I make and ship, so the customer gets something tangible and that's the end of it.
I don't want to cast aspersions, but the horror stories I've read are either one-time incidents with eBay sellers, or complex digital services where the product is an intangible.
Yes that’s normal for PayPal.
Getting the runaround about how and why it happened?
Yep, that’s expected too.
Actually getting a non-form letter response of any type?
That’s just lucky. We couldn’t get an account rep on the phone for almost 4 days when ~35k was suddenly deducted from the account. Nor when they accidentally cancelled all of our customers' subscriptions while working on an unrelated fraud incident. Of course in both of these instances the customers blamed us for not being able to process refunds and being unable to reactivate their subscriptions.
PayPal, working as intended.
Imagine having PayPal place a hold on the funds in your account to make sure refunds/fraud can be handled. Then when a customer does request a refund you’re literally unable to process the refund because it won’t take it from the funds you just received that are held. So now you automatically lose all disputes and they just start raiding your linked bank account. So why did they hold the funds in the first place?
PayPal needs to end IMO.
Really the only thing to do, as soon as you see a "pay with paypal" screen is to go away screaming.
Here's the anecdote: I had had a company with a bank account and PayPal account, then dissolved the company and closed the bank account. Months after that, a former supplier of the now nonexistent company who had PayPal authorization deducted funds fraudulently from the PayPal account, claiming they had rendered services that were never rendered to a company that obviously and provably no longer existed.
PayPal sent the account into overdraft. When they couldn't deduct payment from the bank account that no longer existed, they started sending threatening communications to get me to settle the balance. I took things up with their fraud unit to get the transaction cancelled. Their fraud unit dismissed my case without looking into any particulars regarding the services that the vendor didn't render or the company that should have received services that no longer existed. To them the only thing that mattered was that, years ago, I was, in actual fact, stupid enough to click on "Pay with PayPal", the ramifications being that vendors are entirely within their right to use PayPal as an instrument of fraud and legal intimidation against me. It's your own damn fault, sir, for being so stupid and using PayPal.
Knowing that taking the legal route would have been way more costly than the amount of the transaction, and wanting to sleep soundly again against the backdrop of PayPal sending threatening communications, I wired money from my personal account to settle the balance and jumped through a shitload more hoops to make sure the PayPal account was properly closed and couldn't come to haunt me again in the future.
I think that's how they get away with it: Since the transactions they handle tend to be small, no one will take legal action.
The critical point seems to be that fraud won't talk to customers.
It makes sense that PP moves quickly when fraud is suspected. What doesn't make sense is that they're so secretive about the events that take place on a user's account. For all we know, users could be facing legitimate fraud issues that can be addressed with cooperation between PP and user. However, a user cannot cooperate when they have no idea what's going on.
If you can't discuss cases of fraud with your customers out of fear of revealing information to the defrauding party, you may need to do more in vetting the identity of users. I don't mean the intricacies of fraud with customers like patterns and markers for fraud. I mean getting to the bottom of the disputed transaction. You're shooting yourself in the foot in any other case. PayPal is concerned more with user count and transaction volume than individual account retention. You would think that you want your customers to be proactive in cases of potential fraud.
It seems like they never learned from their every-user-is-a-credit-card-holder days.
Also the fact that they reply to my initial question about the refund with an absolutist "After investigating, YOU have logged in and YOU have initiated the refund", when I know I have done no such thing, immediately makes me think that I've been hacked or have somehow fallen victim to fraud.
Further inquiries to clarify the issue only lead to my account getting blocked/locked. I have no idea how this can be considered fraud protection from their side! And all this means that, all in all, I agree with you about the lack of competence of the fraud protection team...
I recently bought some clothing and paid with paypal (had some money in it and I wanted to spend it before Paypal decides to close the account for whatever reason).
There was a panel saying "you allow the clothing company to ask for whatever amount of money there is in the account and if there isn't enough we will take it from the credit card linked to the account". That credit card is the one I used to put money in the account in the first place.
A few days ago I decided to give money to a charity a friend set up on facebook for his birthday. Had a choice between paypal and my credit card. Same kind of Paypal panel but I felt better giving facebook my credit card than linking Paypal and Facebook.
I am nervous and I am going to buy a pi or something and close the Paypal account forever.
My credit card is a "fill it to use it" kind. You need to put money on it from your bank account and then it acts as a real Mastercard. So there's always 0 euros on it except when transferring money from the bank account to buy something online. And I can put the money back from the cc to the bank account, no fees. With Paypal I can't, it's like I am forced to spend it now.
Does anyone know how I can avoid that happening?
I've done this a fair amount in the past: When I would do business with a vendor that I don't trust all that much with the way they do their billing, I would give them a credit card number for a prepaid credit card with tightly controlled balances, instead of giving them anything that's linked to my main bank account.
But it doesn't really help. When the untrustworthy party wants to deduct a payment from the mechanism you've given them and it can't, then they will instead just turn to bullying and threatening legal action, and you end up paying them whatever is in dispute because you won't want to risk them taking legal action.
Another consideration that enters into this is the dark and murky territory of consumer credit rating. If there's an account that's in your name, regardless of whether it's PayPal, a prepaid credit card, a bank account or whatever, and there's a charge that hits the account and there's no balance, then this is an event that they'll collect data about, and that may be disseminated in ways that you may not realize, and it may come back to bite you in the ass when you want to apply for a mortgage or something. So it's best not to go that route.
At the end of the day, the only thing you can do is to not do business with certain kinds of entities at all. And PayPal is definitely on my list of entities not to do business with.
But I really think that the banking regulator should take note of user stories such as the ones that are regularly all over HN and get to the bottom of it. After all PayPal, at least in Europe, is subject to the same regulation as other banks and payment processors. And if that's not the job of a banking regulator to take note when a financial institution has such shitty processes that consumers regularly suffer damages, then I don't know what is.
Also, maybe a private lawfirm should put together a class action or something on the basis of all those user stories. I realize that cases tend to be rather different to each other, but I'm finding it hard to believe that there aren't some things that happen so frequently and so systematically that it should be easy to take a stab at in court on behalf of a larger group of users who have suffered damages.
But, standing on principle, I would have really liked to lodge a complaint with the regulator. Only problem: Since I was acting as a company (that now no longer even existed), it was never a consumer transaction, so consumer complaint wasn't a viable route, and you obviously hurt your case, even if it's just a complaint with a regulator, if you then settle the balance since they'd read that as you admitting guilt in some way.
Not settling the balance and lodging a complaint with the regulator could have had the side-effect of raising the stakes for them. So in a situation where they'd not normally take you to court, they might now actually do that since there would now be real money at stake, if the regulator launches into a full-scale audit into their processes & business practices. In such a case, winning a court case against me would have helped them in calling off the dogs if the regulator were to take an interest.
If you ask me, it should be the other way round: The banking regulator should play the role of public prosecution. When you complain against them with the regulator, then the regulator should either (a) tell you to bugger off without charging you for the privilege and allow it to end right there (b) take on your case in the sense of taking it to court on their own dime and if it looks like it was processes & business practices that were at fault then they should come after the financial institution for that kind of a failure hard.
That reads like a "no" to me.
This is what happened to me:
I got an eBay order and shipped it out, transferred the funds out of PayPal.
Buyer sends me an eBay message saying "OMG I'm so sorry but my eBay account was hacked." I believe them because when I googled the shipping address the package went to a foreign freight forwarder.
I don't worry because the address was "confirmed" in PayPal, so I'm protected from fraud. I always make sure to ship only to confirmed addresses.
eBay account owner initiates fraud investigation.
PayPal refunds buyer while the investigation is pending.
I have several linked bank accounts; they didn't touch them, my PayPal account just goes negative.
PayPal sends me an email telling me I can't have a negative balance and I need to fund my account to get my balance to zero, against their TOS to carry negative balance. No biggie, I fund it. I think I was even able to fund it with a credit card.
Fraud investigation proceeds. I have to provide a tracking number to verify I actually shipped the item.
A few days later PayPal decides it's fraudulent, but I'm covered under their seller protection.
PayPal refunds me the money, I transfer it back to my bank.
I'm perfectly happy with how it was handled.
I guess that doesn't make a good blog post though.
First, PayPal doesn't like it when your dispute ratio increases. The best way to handle disputes as a merchant is just to give the customer what they want. Most times this is a refund.
Second, when fraud occurs most PayPal users dispute any transactions as soon as they get their account back.
Third, you cannot refund a payment from a held or rolling hold balance. PayPal retroactively applied a rolling hold to our account of ~30% of our monthly gross transactions for a rolling 90 days. The way this works on PayPal, at least at that time, means that until your rolling hold balance is equal to 30% of your last 90 days' transactions, any funding of and payments into the account IMMEDIATELY get sucked into that rolling hold. We would auto flush the completed transaction account balance nightly. So now we're in a situation where trying to refund a customer wants you to add funds to your account, but as soon as the funds are added they are applied to the rolling hold. So, you click Refund on the dispute and you're unable to refund it. Eventually the dispute is automatically closed in their favor and the account balance goes negative. At that point you can fund the account and it'll apply to the negative balance first.
This was my experience at least, and trust me it was one of the most stressful events I ever encountered. Most of that stress was not knowing what was going on and why, and trying to get anything out of PayPal. Their processes are so opaque for merchants in many cases.
What I would love is for these services to require ID for opening an account, not after depositing over $250 (when you have skin in the game and have to verify your id or lose the $). They won't though, because they would have a 95% churn rate on registration.
You can use them for recurrent expenses or make them single use (the card is cancelled after first payment).
You can also max them to any arbitrary value. So if I need to buy 23.03 dollars of something online I can issue a card that maxes out at 24 dollars. So even if the details were stolen you could only take the remaining cents until it maxed.
None of this is new or innovative. I never really understood the need for paypal in online shopping.
You say that but it's literally the only way to counter scamming sellers on the internet. PayPal needs to stay, at least until there are viable competitors.
Edit: also googling around none of those seem to have the solid buyer protection that PayPal has. With PayPal I can just open a dispute with a picture of the error (color is off or whatever) and within a relatively short time period the seller is forced to reimburse me the full purchase cost, including shipping. That's very valuable as a customer.
Never had an issue with PayPal debiting funds though, in 10+ years using them.
What would be an alternative solution in your opinion?
I never got actual confirmation that paypal is really as bad as some people casually mentioned.
I can confirm that PayPal is horrible to legitimate merchants. One would expect better fraud protection given the high fees they charge. I never expected they would simply “freeze” our funds without explanation.
What he got was a counterfeit, a fake that was broken.
He started the refund process, but I was pretty miffed that my reputation with my kid got mixed up in these poor business practices. So I emailed management and asked that they apologize to the kid.
It took almost forever to get them to figure out that I was not asking for a refund. I was asking for somebody to explain what happened, apologize, and take steps for it not to happen again.
He finally got a refund, although whether it was from my actions or his nobody knows. He said it came in three chunks, as if various departments were each pitching in a bit.
I thought my point was pretty clear: as leadership, when you take your company and allow its reputation to suffer like that, this is something you are responsible for and need to take action to fix. The money has nothing to do with anything. But they only have certain predefined channels that they seem to be able to communicate through. Anything outside of those channels causes a weird org fault.
I've worked with call centers before, and it continues to amaze me the strange place we are putting humans. They're paid to answer the phone, but after that? They're basically little robots, paid to execute a predefined program, adding in a bit of human-sounding noises now and then to make things slightly more palatable to the person on the other end.
> Inappropriate automation and human/machine confusion bedevil call centres. If you could solve your problem by filling in a web form, you probably would have done. The fact you’re in the queue is evidence that your request is complicated, that something has gone wrong, or generally that human intervention is required.
> However, exactly this flexibility and devolution of authority is what call centres try to design out of their processes and impose on their employees. The product is not valued, therefore it is awful. The job is not valued by the employer, and therefore, it is awful. And, I would add, it is not valued by society at large and therefore, nobody cares.
How true is this of the general population? I suspect that a significant fraction of call centre volume could be dealt with through a web form.
That said, the rest of the point is true: the lack of agency in call centre employees likely results in a huge amount of wasted time and frustration both for the customer and for the company.
I remember the first time I saw the computer-controlled voice-directing picking. You wear the headset. The computer tells you what to do. I see this way of working eating up more and more workers.
One economist put it this way in a recent column I read: robots aren't taking your jobs. Robots are becoming your bosses.
This is not the payment processor's job, this is the merchant's job. Instead of PayPal you could just as well have contacted Visa/MC/Whoever or your issuing bank; they wouldn't have been able to do much for you either.
E: Yeah, I guess I misinterpreted the parent.
It just isn’t worth the risk, IMO. At least with Stripe I know I can talk to somebody if a problem arises.
However, the concept of explaining to a customer why they did something is utterly alien to them. This just does not seem to be part of any process they have. It bewilders them to no end if you ask them for an explanation of anything.
PayPal charged me £400 which I was lucky I spotted. Eventually after a week got the money back.
I never got an explanation why it happened or how I or they would prevent it in future. I prevented it by leaving eBay and Paypal.
I find this the best way to deal with them :)
Long story short is that someone I'd previously transacted with owed them money so they determined that they would take it from my account and recover it from me.
I complained to the Financial Ombudsman in the UK. They agreed with my position that it was unreasonable for me to be held financially accountable for people I've transacted with indefinitely.
Paypal stuck to the line that "You cannot close your account in order to avoid a debt". Despite the fact that I had no debt, except the one they assigned me several months after account closure, out of nowhere.
I've found a few sites over the years which only supported Paypal as an option, in every case I've chosen to buy elsewhere or not at all. Paypal is not a company I could support.
I expect them not to hide it though, i.e. I expect to see the transaction log to say "+1000 deposit -1000 correction", and I expect them to be open about the mistake IF I ask. I do not expect them to give me a call to explain what happened, however.
This is behavior I expect from any entity where I have an account with a balance, whether it's a commercial bank, PayPal, or anyone else.
There are many situations in which a person could receive money and genuinely think it was theirs to spend. Some of those situations could be ones in which the spending could be extremely detrimental.
Other than that I agree.
So I end up opening a new Paypal account -- which must use a new email address, and can't have my old credit cards added to it.
Now I'm stuck in a situation where my newest account doesn't accept the credit card from my local bank because
This card is linked to another PayPal account.
Please remove the card from the other account
or try a different payment method.
Oh well, whoever is still using Paypal should know by now what they are risking.
Planet Money just had a story from the other side, one of the producers made a payment on another service in error, and tried to get it refunded.
You could read one of these stories and come away passionately more pro or more against chargebacks, but the real solution for both situations is just more transparency and communication.
In SG's case, if they're right that the money ended up at the right place, fine, just let everyone involved know what happened, how PP came to that conclusion, and what options there would be for the parties to appeal in the case of fraud or mistake. It sounds like in the PM story that that approach would have resolved everything faster there too.
Transparency isn't going to kill you in this situation. You may be worried about privacy risks, but just make a clear policy as to what you can and can't say during the initial phases of disputes.
Transparency will resolve the easy cases, but there are real dilemmas here between buyer and seller rights. I feel like some of the tech that is taking over the roles of payment systems is just pretending these dilemmas don't actually exist. eBay definitely stumbled through buyer vs seller rights for a while, maybe still doesn't have it right.
Cryptocurrency is an interesting spin. In some ways its stance is that chargebacks are so anathema that they will design them completely out of consideration.
1 - Bought tickets for a show via twickets.live
2 - Seller (supposedly) sent a transfer request to me via the ticketmaster portal.
3 - I received nothing, tried to contact seller, got no reply till after event.
4 - Open a dispute as I paid for something and received nothing.
5 - PP sides with the buyer citing ‘evidence’ the tickets were sent to me
6 - PP won’t share ‘evidence’ with me, won’t reopen my dispute, no option to create a new one.
Now I’m down a wad of cash, didn’t go to the show, and got no opportunity to do anything about it. Closed my account immediately afterwards.
When you call support, either in the original or the new country, they both offer the same thing:
- change your password (I know my password, and though they seem to understand, their script seems to tell them to offer this)
- close your account (what, after telling you my email address and the last 4 digits of my bank account (not even a credit card)? That's password-equivalent?!)
Support tells me it's not supported to log in to your paypal account from another country. Don't thousands of people do this every day? On holiday, while traveling for work, or moving countries like me... doesn't this happen thousands of times a day? I live an hour's drive from five different countries; it's not uncommon for anyone here to be somewhere in, y'know, the EU.
A few years ago I remember being locked out of a PayPal account (which I just forfeited) for not knowing my security questions. Like, duh, you think I answer truthfully what my favorite food is for a payment account after I (the 13 year old leet haxxor) 'hacked' a classmate's Hotmail by guessing a very common favorite food? They still use security questions, but these days I enter my current password there so I can at least answer when prompted.
Yeah, exactly. I had the same thought when support told me to open a new Paypal account from the country I live in abroad and only use that account when I'm abroad.
Wait, what? Their official policy is to use a different account for N countries you spend any time in?
To link my new US bank account to my Paypal account, I ended up using a US VPN and then gave Paypal my friend's US telephone number so that he could feed me the security code.
It made me suddenly feel very precarious about how I currently use my Paypal account. I would've thought international-use was one of Paypal's main marketing bullet points.
Though, to keep things in perspective, Paypal does let me do things that my bank certainly doesn't, like send and receive money for free internationally and work remotely for anyone with a Paypal account. I can't complain too much and I'll give them the benefit of the doubt that they are hamstrung to some degree by psychopathic anti-laundering/KYC bullshit.
I hope Facebook's Libra will be more polished and be built on the expectation that people ever leave their country of origin.
But can I close the account? Nope! I have to send official paperwork to prove it is a valid seller account before I can close it. The only reason I want to close it is so I can reuse the email address. But you can't even change the email address.
Their process is flawed and lacks common sense.
They are simply the biggest name in the business and have been around the longest. There is absolutely no other reason they deserve the market share they have.
Maybe I am in the wrong here but my approach each and every time to a project where I deal with someone else's money is to try and figure out the most secure and most informative way to do everything; after all, it's one of the biggest responsibilities you can take on as an online service provider.
They keep trying to balance this with good customer service, but I'm not sure you can do any better ... and I hope nobody thinks that cryptocurrencies are the answer.
And sellers on larger sites like eBay can't easily use a competitor. It's a classic anti-trust pattern and should be treated as such.
That is the story of the whole western world at the moment…
I now pay with credit card.
Once you have a very large organisation, consisting of many staff handling cases, all of whom need to be acting consistently, you face the real statistical likelihood of fraud within the company itself. Any sufficiently large company will have employees that try to defraud it.
The upshot of this is that large companies handling many transactions like this, especially ones that will often be disputed, must implement security not just to prevent fraud from outside the company, but also inside.
Such security measures are often very difficult to work around by employees trying to do the right thing by customers who are in the right, but where something unusual has happened that those security systems didn't anticipate. I can imagine this often frustrates the intention to have a smoothly working system.
You also can't easily make changes to accommodate such corner cases without opening other security holes, both within and without the company. And it takes a long time to formulate and disseminate new protocols that your employees should work to. And then you have to communicate any changes in the way you handle things to your customers.
Running a company like this must be an absolute nightmare of logistics. And it is surely made worse in that eBay seems to have the ability to authorise chargebacks and refunds in disputed cases that can then be appealed to PayPal itself.
But the alternative is in my opinion worse. As a buyer, you must pay for an item before receiving it. I am aware of so many complaints online of fraudulent sellers making off with tens of thousands from fraudulent sales, and there being nothing anyone can do about it because of banking privacy laws. Having a service like PayPal seems essential to reducing fraud in such online transactions.
In summary, I can perfectly understand PayPal wanting to perform a security check for every long-time customer for whom a flag was raised by some security protocol.
And naturally, there are going to be many false positives, and many unfair decisions taken at such scale.
Independent arbitration would indeed seem like a good idea. But who is going to pay for independent arbitration for potentially millions of disputed transactions? The reality is, almost every single transaction that has already been appealed to PayPal that can be appealed easily to an independent arbiter, will be. So you simply double the (already high) cost of such a service.
Paypal makes it very easy for subscription services to keep sneaking those charges in.
Closing my Paypal made it very easy to stop that nonsense.
It's comforting to know that other people feel the same way.