PayPal is currently blocking all transactions containing the word “tardigrade” (twitter.com/archiemcphee)
404 points by _Microft on Sept 12, 2020 | 208 comments

Per [0], a possible answer to this seems to be that an arms dealer had connections to a company called Tardigrade Ltd., and all transactions with firms like these are prohibited, which is why the word "Tardigrade" made it into PayPal's filter.

As long as companies like PayPal have issues like that, or with moderation in the case of YouTube, Twitter or Facebook, I'd claim neither of these companies has actually solved scale. If they cannot properly deal with the issues that arise from scale, they haven't solved it at all. They might be reaping the benefits and dumping the issues on others, but they haven't solved anything else at all.

[0] https://twitter.com/kenshirriff/status/1304564003859918849

[1] https://home.treasury.gov/news/press-releases/sm849

PayPal gets a list of banned strings from the Office of Foreign Assets Control.

If any match those strings it's flagged for a review.

This is more or less legally required for any company that moves money in the United States of America. You will probably find the same issues with the same terms at any other banking or financial body.

Technically, these aren't being blocked. They're being audited. The payments will still go through. The way this is taking place is following very specific legally "known good" pathways - so that when PayPal does accidentally let a payment through to a sanctioned entity they are able to argue that they took every available precaution and should not have to pay the $250k per transaction fine.

The last time PayPal had to pay these fines - for example - it was ~$7m. That's not including legal fees. https://fcpablog.com/2015/03/27/ofac-fines-paypal-77-million...

The payments won’t still go through - if you look at the links, PayPal is returning a big red error message to customers. It doesn’t look like PayPal is doing any kind of review, they are just blocking all transactions with Tardigrade in the associated text anywhere.

Tried this with my German PayPal account. Several 1-cent payments were flagged, reviewed and then accepted. One 2€ payment was reviewed, flagged and held back until I described the details of this transaction.

How do you think a review process works? It's not instant. When you try to process the payment, the OFAC check fails, and it's flagged for manual review. Only option is to show the user an error

As a retailer who has been stung by this bullshit with PayPal many times in the past, I can tell you with absolute certainty that the payment doesn't go through ever, at all.

It isn't flagged and reviewed, it's just outright rejected with a cryptic error message indicating that someone, somewhere breached PayPal's terms of service. No money leaves the customer's account, no money arrives in the vendor's account; the process simply fails.

What is “manual review” here? The reviewer doesn’t have the ability to send the transaction through. It went to the circular file.

I hope an arms dealer names themselves eBay Arms. I'm against arms dealers and PayPal and this would destroy PayPal.

FYI Paypal's been spun off from eBay since 2015 and its agreement to serve as eBay's default payment processor was set to expire this year.

Really! That is extremely interesting news. I’ll let the sentiment stand, but if you find an HN post about that or submit one, please link it here.

eBay is in the process of migrating sellers to use eBay's internal payment processing (beta users last year, others gradually - my eBay store moved to it in July)

Or PayPal Arms. Inception!

>This is more or less legally required for any company that moves money in the United States of America. You will probably find the same issues with the same terms on any other banking for financial body.

No you won't because names are not unique. Banks and credit unions tend to have sophisticated data analysis, unlike the knuckleheads at PayPal.

When I heard about this nonsense years ago, I put some of the banned words in the memo area of checks and transferred money between two credit union accounts. They went through. I did the same thing using electronic transfers between accounts. Again, they went through without any problem.
A person put the words "James Kang" in a donation to the Red Cross that stated he was testing these banned words and PayPal, in their infinite stupidity, froze the transaction.

It's very annoying. I worked at a shop that sold cigars online. No actual Cubans, but brands that used the name Cuba in them. Inadvertently, every time it would get flagged.

This seems like poor branding on the part of the cigar brands (at least for online sales).

When Castro took over, the owners of the brands fled and took the rights to the brands with them. At the same time the Cuban government kept making the cigars under the same name. So for every major brand you will find 2 in the world, one Cuban, one not.

Bacardi (Puerto Rico) has started copying the Cuban Havana Club rum as well.

[1]: https://www.washingtonpost.com/business/havana-club-v-havana...

Well there's legal arguments to be had here about ip.

One of the Bacardi family was locked up / exiled during the first Cuban revolution ironically.

And the non-Cuban ones are laughably awful. The unexpected benefit of the embargo is it forced them to maintain a super premium product. They've had some anecdotal quality issues since Castro died, but being shielded from US markets and globalization made for better products in that case.

I am not sure what you are talking about, but some of the best cigars in the world are not Cuban. Just look at the CA top 25 list over the last 10 years. The H. Upmann (non-Cuban) 175th Anniversary is an amazing stick. Cuban cigars have a unique flavor profile and can be amazing, but they have not evolved at all. Also they have had some major quality issues. If I go into any store in London to buy a box I am allowed to inspect each stick and build a box of good-quality ones from a set of boxes. To be fair, the quality issues have gotten better in the last few years.

If I'm buying Cuban singles, I get it cut in the shop at the counter and check the draw to see if it's plugged. There are great non-Cubans, just not the fake brand ones, imo. The Avo Domaine is one of my all time favourites, and any Ashton maduro is my go-to when I'm stateside. I haven't had a Davidoff that I remembered well enough to get another of, and for that price, it should have been more memorable. It's a very individual thing. Given how recklessly dangerous it is to smoke anything at all, I keep it to a few high end ones as an occasional treat, as if I'm going to be giving myself cancer, it had better be the fancy cancer.

Is "I Can't Believe It's Not Butter!" a bad brand for margarine? Imagine it getting flagged by the butter police.

The difference is that there are no butter police, while there are in fact Cuban embargo police that will cause much greater difficulties in selling anything with the word "Cuban" in it.

So, no, "I Can't Believe It's Not Butter!" is not a bad brand for margarine, but saying "Cuban" something in a cigar which causes all manner of embargo difficulties is bad branding.

Well, they have managed to generate a class-action lawsuit, although it's more over the zero-calorie claim:
>Technically, these aren't being blocked. They're being audited. The payments will still go through.

The buyers are literally getting a message saying "This transaction cannot be completed because it violates the PayPal User Agreement" [0]

[0] https://twitter.com/ArchieMcPhee/status/1304437732584771584

So the answer is this will never be fixed? Just a big RegExp, essentially, is the path to avoid $250k fines? A Persian friend was craving his mother's cooking, so we went to a restaurant which he Venmo'd me for, and we got a stupid flag because his note said "Iranian". That's borderline culturally inappropriate considering these companies have a long history of all our other good-standing transactions; they already have massive data from third parties they purchase from about our offline identities; they have our geolocations whether we like it or not. There is a vast asymmetry of information between these companies and the public they serve. They have the advantage, so why not apply that advantage to not flag a small-charge restaurant outing in one of the country's most well-educated neighborhoods, and use something more sophisticated than a silly string-dictionary lookup to determine when to flag.

OK, but so what? 'Be on the lookout for XYZ' is an understandable request, but what prevents PayPal rapidly distinguishing between credible and suspicious transactions - and more importantly, pre-emptively communicating with users about it, since they are going to find out the hard way?

Conversely, what stops bad actors just switching to doing transactions for t_rdigr_de, ta_dig_ade, or tar_igra_e and thumbing their nose at the filtering? (OK, realistically they would probably switch to some more obscure backup code but you get the idea.)

The basic problem here is that the burden of enforcement is being shifted by Paypal to innocent people with no warning, instead of being shouldered by the company, which is in a position to push back legally on unreasonable requests and plan ahead for reasonable ones.

> Conversely, what stops bad actors just switching to doing transactions for t_rdigr_de, ta_dig_ade, or tar_igra_e and thumbing their nose at the filtering? (OK, realistically they would probably switch to some more obscure backup code but you get the idea.)

This literally happened at HSBC. Employees entered transactions in exactly the way you're imagining.

(I didn't find a written source, but this is covered in Netflix's "Dirty Money", episode "Cartel Bank")

Just to be clear, OFAC does not give a list of "banned strings". It provides a list of individuals and entities that it is illegal to transact with. By which I mean, it's the entity that matters, not just the raw string.

It’s up to the payment processor to have a process that ensures they don’t send payments to a blocked entity.

You can search for them here: https://home.treasury.gov/policy-issues/office-of-foreign-as... and see the listing for the company in this notice: https://home.treasury.gov/policy-issues/financial-sanctions/...

Note that the standard practice for handling an OFAC hit (e.g. payment to O Bin Laden) is to disambiguate your payee from the blocked individual/entity. This can be easy or difficult depending on how much info you have on the payee; if you have an address and nationality already that don’t match the sanctioned entity then you’re generally ok; typically you would collect a photo of the payee’s ID and run a manual check if there was any doubt.

These “enhanced due diligence” processes can be quite time consuming in aggregate, and I’m not surprised that PayPal isn’t running a detailed EDD process on transactions that will probably net it a few cents of fees.

Having said that, given the structure of their business (online checkout) I'm surprised that they are considering the product (e.g. "tardigrade") as being relevant; they have account info on both the payor and payee, so they know the payment isn't going to the sanctioned Cyprus company from the OFAC list. This isn't a Venmo payment that says "pass this payment on to Tardigrade Inc", which you would want to block.

This seems like either a bug in their screening code or some very risk-averse logic (maybe to do with low-value transactions).
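The distinction drawn in this thread (screen the counterparty as an entity and disambiguate on jurisdiction, rather than keyword-match every free-text field) is easy to show in code. The following is an added example written for this discussion, not PayPal's code and not anything OFAC publishes. The list entry, the "ZZ" country code, the payee names and the memos are all constructed sample data; the only name taken from the thread is "Tardigrade Ltd". It contrasts a naive word-level screen over payee name, memo and item descriptions with an entity screen that compares only the normalised counterparty name and then uses the payee's country to resolve a name collision, as the comment above describes.

```python
"""Added example: naive keyword screening vs. entity-based sanctions screening.

Constructed sample data throughout; "ZZ" is a placeholder country code, not a
real jurisdiction, and the list below is not a real sanctions list.
"""
import re
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class ListedEntity:
    name: str
    aliases: tuple = ()
    country: str = ""  # "" means the listing carries no usable country


@dataclass(frozen=True)
class Payment:
    payee_name: str
    payee_country: str  # "" means unknown to the processor
    memo: str
    items: tuple = ()   # product descriptions attached to the checkout


# Suffixes that carry no identifying information and are dropped before comparing.
CORPORATE_SUFFIXES = {"LTD", "LIMITED", "INC", "LLC", "CO", "COMPANY", "CORP"}


def normalize(text):
    """Strip accents, drop punctuation, uppercase, and split into word tokens."""
    t = unicodedata.normalize("NFKD", text)
    t = "".join(c for c in t if not unicodedata.combining(c))
    t = re.sub(r"[^A-Za-z0-9]+", " ", t).upper()
    return t.split()


def core_name(name):
    """Normalised name tokens with corporate suffixes removed, as a tuple."""
    return tuple(tok for tok in normalize(name) if tok not in CORPORATE_SUFFIXES)


def naive_keyword_screen(payment, entities):
    """Blocks if any identifying token of a listed name appears in ANY text field.

    This reproduces the failure mode in the thread: a product description that
    happens to contain the word "tardigrade" is enough to block the payment.
    """
    words = set(normalize(" ".join([payment.payee_name, payment.memo, *payment.items])))
    hits = set()
    for e in entities:
        for listed in (e.name, *e.aliases):
            if set(core_name(listed)) & words:
                hits.add(e.name)
    return {"decision": "block" if hits else "clear", "matches": sorted(hits)}


def entity_screen(payment, entities):
    """Compares only the counterparty record against the list, then disambiguates.

    A full-name match where the payee's known country differs from the listing
    is treated as a name collision and cleared with a recorded reason; a match
    without disambiguating data is held for enhanced due diligence. Product
    descriptions are never consulted, since they do not identify the payee.
    """
    payee = core_name(payment.payee_name)
    for e in entities:
        for listed in (e.name, *e.aliases):
            if core_name(listed) != payee:
                continue
            if e.country and payment.payee_country and e.country != payment.payee_country:
                return {"decision": "clear", "matches": [e.name],
                        "reason": "name collision; payee jurisdiction differs from listing"}
            return {"decision": "hold_for_review", "matches": [e.name],
                    "reason": "counterparty name matches listing; enhanced due diligence"}
    return {"decision": "clear", "matches": [], "reason": "no counterparty match"}


# Constructed sample list: one entry, placeholder country.
SANCTIONS_LIST = (
    ListedEntity(name="Tardigrade Ltd", aliases=("Tardigrade Limited",), country="ZZ"),
)

# Constructed sample payments (hypothetical merchants, not real accounts).
SAMPLE_PAYMENTS = {
    "novelty_store": Payment("Example Novelty Store", "US", "order #1234",
                             items=("tardigrade plush toy",)),
    "listed_entity": Payment("Tardigrade Ltd.", "ZZ", "invoice 77"),
    "name_collision": Payment("Tardigrade Limited", "US", "consulting fee"),
}


def run_samples():
    """Returns {sample: (naive decision, entity decision)} for the constructed payments."""
    return {k: (naive_keyword_screen(p, SANCTIONS_LIST)["decision"],
                entity_screen(p, SANCTIONS_LIST)["decision"])
            for k, p in SAMPLE_PAYMENTS.items()}


if __name__ == "__main__":
    for name, (naive, entity) in run_samples().items():
        print(f"{name:15s} naive={naive:6s} entity={entity}")
```

The novelty-store checkout is blocked by the naive screen and cleared by the entity screen; a payment whose payee really is the listed name in the listed jurisdiction is held by both; a same-named payee in a different jurisdiction is cleared with a logged reason, which is the outcome the comment above calls "generally ok". A memo that names a third-party beneficiary (the "pass this on to Tardigrade Inc" case) would need the beneficiary extracted into a counterparty field first; this example deliberately leaves memo text out of the entity screen.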

In all software I've seen dealing with these issues (ofac, aml, Dow Jones listings, etc) the flagging should result in manual verification but you're able to configure risk allowances. They almost all certainly allow some bad transactions through accepting the potential risk/cost of actually hiring huge teams of manual auditors. Just being flagged does not always lead to audits.

And the strings from this list have to be matched indiscriminately against everything? Names of account holders, text in the reference field of a transaction (if such a thing exists in the US), whatever?

I’ve had an order of “Aleppo pepper” blocked from a small online retailer because it contained the word “Aleppo”.
Yep. I bought a used copy of Yakuza 0 online once and foolishly included the name of the game in the notes of the transaction. PayPal blocked the transfer of funds for over a week.

I haven't read the actual guidelines / rules / etc put out by OFAC in over a year but that was the gist of it from the legal team.

Yes, all text in a message scanned, matches made are for manual review. In the world of financial compliance false positives are in the majority. No company can afford to skip a true match for the sake of scalability based on current audit practices.

In finance, compliance is taken very seriously. Better to block 1000 transactions than miss 1.

PayPal compliance is a very different problem to social media moderation. Financial regulations require any transaction that is "suspicious" in any way of having links to terrorism financing or money laundering be reviewed, and there are large and personal penalties for not doing so. And a review is expected to be more like auditing your customers entire financial history than just asking what they meant by a word, so for a consumer service like PayPal the only real option is to block the transaction. In that climate there's no good reason not to massively over-filter, the risks of a false negative are way too high.

Well completing Know Your Customer checks and audits is sort of their job, isn’t it? They provide a service, saying that they will process payments unless the payment is prohibited by government sanctions. But instead of carrying out actual due diligence, they just block anything remotely related and put the onus and cost of doing their own job on their customers. At least they should have a better process to start proper diligence once a customer complains about overreach of their blacklist, to avoid improperly sanctioning innocent businesses.

What if an arms trader used the name “Tickets Limited”? Would they block all payments mentioning tickets? Surely not, as it would hurt their business, clearly illustrating that their conduct is not at all due to “compliance with mandatory laws and nothing we can do about it” but “we did the math and we feel we can screw you over in this case.”

You're right but I think you'd perhaps be surprised how international sanctions monitoring works.

Example, I know one of the largest banks in Europe used to have payments they sent to one of their South American branch offices blocked from time to time because their address in Brazil or Argentina or something was on a street called "Avenue de Cuba".

But PayPal specifically isn't under banking laws, which is how they cover their ass normally (like if you have money at PayPal and they terminate your account you never get your money, of which there are thousands and thousands of cases of PayPal doing, which would be illegal for an actual bank), so banking law has nothing to do with PayPal.

In the US, the PATRIOT act, and thus KYC laws, apply to money service businesses. This includes PayPal.

In the EU they are an actual bank based in Luxembourg.

Yes they would, the fines are up to 250,000 per incident. If you share a name with someone on the AML list, good luck opening up a financial account anywhere and if you do manage to get an account, being able to fund the account from another source.

You're not comparing like with like there. If you share a name with a suspicious group, yes, that's a hard problem to solve. That's not this. This is a _product_ with the same name as a suspicious group. It's categorically irrelevant.

No, aggressive filtering is the rational move here. The risks are highly asymmetric. A false positive gets you a frustrated customer that, as in this case, you can work with to modify the product description. Annoying.

A false negative can get you a fine of $250,000 and criminal penalties.

This isn't an issue of (or not just an issue of) "not solving scale". Even if filtering issues of this sort were 99.9999% solved, the risk asymmetry would still come down on taking an abundance of caution on nation-state levels of "oh crap" if you miss something.

There is precious little "working" with PayPal. We had an unauthorized transfer of $1000 out of our bank account by PayPal, and they have a completely useless circular IVR, their chat bot is nigh non-functional, and their support documentation is woefully out of date. We ended up detecting the odd activity early enough to redirect the funds before someone (who added an unknown number to the account) did anything with it, but we started a dispute and chargeback just-in-case. Further business being cut off be damned.

I've worked in fintech/self-banking institutions. PayPal is a mockery of the entire industry. The example of the literal worst implementation anyone can think of and which leaves everyone scratching their head at how they manage to get away with running as fast and loose as they do.

It doesn't matter. The searches are based on the same methodology: scanning fields for the banned entity or individual. Also if you spell it phonetically, it should get blocked as well. Even if you can raise it to the compliance officer, they aren't going to change it. There are also criminal penalties that enforce AML.

Is there any way to access this list so I don't end up naming any product, service or company with something on there?

I suspect there's a false positive rate on some teams's dashboard and it's kept at an acceptable level that won't require raising transaction fees or incurring too many more OFAC fines.

How would they know what transactions were true positives vs false positives? That would require them to know whether a transaction is bad or not, which as we know, is a hard problem

Random sampling, Monte Carlo methods, statistical inference, etc

>saying that they will process payments unless the payment is prohibited by government sanctions

If they say that they will process payments unless prohibited by government sanctions and then do not process payments that are not prohibited, I guess they would be getting sued for those payments.

Evidently not, given the downvotes, but then I don't understand: if their terms of service say we pay out unless the payment would be of type X, and then they keep from paying out on payments of type Y, they have violated their terms of service and thus would be open to being sued.

PayPal can pretty much always refuse to process any given transaction. They are not keeping anyone’s money, they are just refusing to accept a transaction request. There’s no money to “pay out.”

Of course, that makes sense, reading the parent comment I thought it implied that they were letting some money in and not letting it back out. In fact I could swear I've read about PayPal doing that - letting money in, not letting it out.

PayPal DOES do that frequently, mostly if you trigger some risk threshold on your account. But, then again, so do regular credit card processors.

>They are not keeping anyone’s money, they are just refusing to accept a transaction request.

Wrong. Assets under U.S. jurisdiction that are owned by or being transferred to persons or organizations on the Specially Designated Nationals and Blocked Persons List must be frozen. Furthermore, the Department of Treasury has a right to seize these funds without due process.

Please read the article. These are people trying to buy tardigrade-themed items from an online store. PayPal is not taking and then freezing their funds, they are just refusing to process the transaction.

This is the kind of thinking that led to the TSA putting infants, and even a US Senator, on the US no-fly list because their names matched those of "known terrorists."

The Washington concept of NATIONAL SECURITY<tm> is a brain-eating parasite that seemingly renders compliance managers unable to tell the difference between categorically different things, such as US Senators and IRA terrorists, or Serbian companies named Tardigrade and products, sold by companies completely unconnected with Serbia, with descriptions that contain the word tardigrade.

> […] because their names matched those of "known terrorists."

As Bruce Schneier (IIRC) observed: these people are 'too dangerous' to let fly, but not dangerous enough to arrest.

Safe enough for firearms as well:

> In a 2010 report, the Government Accountability Office noted that "Membership in a terrorist organization does not prohibit a person from possessing firearms or explosives under current federal law," and individuals on the No Fly List are not barred from purchasing guns.[25] According to GAO data, between 2004 and 2010, people on terrorism watch lists—including the No Fly List as well as other separate lists—attempted to buy guns and explosives more than 1,400 times, and succeeded 1,321 times (more than 90% of cases).[26]

* https://en.wikipedia.org/wiki/No_Fly_List

Stopping gun rights being taken away from No Fly people is the one time the NRA seems to potentially be of any use

I would think the weirdness is because there are constitutional Due Process requirements to being able to arrest somebody, charge them with a crime, or take away their gun rights. But the Feds can easily lean on the airlines to not let people they don't like board a commercial airliner. That'll maybe make us question a few things.

But then I think another part of the reason is that most of the international terrorist types that were originally expected to be blocked by the No Fly List were generally not in the US, and so not subject to US Gov charges or even gathering evidence.

> seemingly renders compliance managers unable to tell the difference between categorically different things

Because it renders them liable. The whole system will turn against you if you give it an opportunity to nail you for using discretion.

And this happens everywhere in society after a certain size is reached due to the need to hold people accountable without actually being able to fully evaluate who or what is to blame (due to the situation being too complex or not having all the facts/data). But politically, someone(s) has to go down.

Only if there was some sort of cohort of people who would be able to judge actions to see if they are liable.

Perhaps we aren't scaling the judiciary system properly & allowed it to become overly complex so that only a certain subset of the population can navigate it efficiently and an even smaller portion of that can litigate for others.

Perhaps. Maybe if the same cohort of people who practice said laws weren’t incentivized to challenge existing laws and to make more laws there would be more resources to help judge.

> Because it renders them liable.
This is how you tell the difference between financial crime that the authorities don't care about and financial crime they do.

Look for personal liability.

This would be a more compelling explanation if there seemed to be particularly high levels of holding people accountable.

It seems to me we build big opaque structures that prevent accountability. Your national internet provider rips you off? You'll probably be able to reverse the transaction, but good luck getting any information at all about what happened.

Or because a false positive doesn't render them liable, or if it does, the punishment isn't harsh enough.

Our six month old was on the list. It was a shock when we went to the airport, and they asked that he be taken aside for an interview with a TSA agent. We wrote a letter explaining the situation, and got a letter back acknowledging that our information had been received. They stopped asking 3-4 years later.

That they even requested that a 6 month old be taken aside is absolutely insane

Not only that insanity, but... you need a thing called "ID" these days. ID to fly.

If you can fake ID, and you're on some list, why on Earth would you use the same name? And if you can't fake ID, then it will be linked to, you know, ID numbers, birthdays, and more.

I can't even imagine how "just names" ended up on that list, as a match requirement. How many John Smiths are there?

Very, very strange. I don't get it.

But for regular banks, service to private citizens is also compulsory, so they can't just choose the easy path by blocking a transaction based on keyword filters; they must do the intended auditing. So for them there is a balance, for PayPal there isn't.

>But for regular banks service to private citizens is also compulsory

what country is that? AFAIK in the US most businesses can refuse to do business with you for any reason, except a very limited set of reasons related to discrimination[1].

[1] https://en.wikipedia.org/wiki/Protected_group

Whole EU, per directive 2014/92/EU

> 44) Consumers should be guaranteed access to a range of basic payment services. Services linked to payment accounts with basic features should include the facility to place funds and withdraw cash. Consumers should be able to undertake essential payment transactions such as receiving income or benefits, paying bills or taxes and purchasing goods and services, including via direct debit, credit transfer and the use of a payment card. Such services should allow the purchase of goods and services online and should give consumers the opportunity to initiate payment orders via the credit institution’s online facility, where available. However, a payment account with basic features should not be restricted to online usage as this would create an obstacle for consumers without internet access.

Better citation is “No Duty to Deal”

I would say it's not much different with regular banks in the US, as they can and do refuse service with no recourse if you do something they deem suspicious.

> But for regular banks service to private citizens is also compulsory, [...]

Depends very much on jurisdiction. PayPal is active in many jurisdictions, too.

> Financial regulations require any transaction that is "suspicious" in any way of having links to terrorism financing or money laundering be reviewed, and there are large and personal penalties for not doing so.

Unfortunately, PayPal's advanced KYC and AML verification process is hilariously incompetent and rigid.

Some months ago, they asked me to provide charity information for my personal account, and subsequently limited my receiving/sending privileges.

Phone calls to them trying to sort this out have always ended up at some call centre in the Philippines, where the agents can only tell their users that the account limitation is "for their safety".

That account of mine is still limited.

They've also limited the personal account of a friend of mine (who was interestingly enough ex-PayPal) before, also asking for charity information.

> And a review is expected to be more like auditing your customers entire financial history than just asking what they meant by a word

In the US, which is presumably where the sanctions trigger originates (the company is on OFAC's list), a review of a transaction is just that. Even opening an account doesn't require a review of your customer's entire financial history, merely that, for a business account, you understand the nature of your customer's business.

> In that climate there's no good reason not to massively over-filter, the risks of a false negative are way too high.

There is, however, good reason to do an actual review and not outright block transactions. The advice PayPal gave its customer, "change the wording on your website to prevent this from happening," is exactly what competent regulatory training tells you not to do. Changing the wording of a transaction to obviate the need for a review is in itself a red flag. PayPal is utterly incompetent.

The only company I've ever seen take these requirements seriously is Transferwise. I have a very common last name and a similarly common-ish business name, and they had to have me say I wasn't related to a bunch of politicians I'd never heard of nor associated with a bunch of similar companies.

This keyword stuff is no kind of protection for them, especially if their own reps are advising people to just circumvent the list, which itself probably is a TOS violation.

I don’t know if PayPal ever claimed otherwise, but I’ve suspected that much of the AI powered moderation online is simply advanced keyword matching.

We have to start accepting that either websites are unwilling to or unable to do moderation in any meaningful way, unless they hire human moderators at huge costs.

Hearing an interview with the country for Facebook on Danish radio just two weeks ago, it's pretty clear to me that it's not that Facebook aren't willing to implement the moderation politicians request; the problem is that they can't. And if Facebook can't implement moderation, there's no way PayPal is able to with a much smaller budget.

Politicians often ask for silly things in connection with technologies they don't really understand, to achieve goals they don't really expect to achieve, just in order to look good to a certain part of the electorate.

Consider an analogy between modern social media sites and something like a phone network or postal mail service. What would happen if a politician suggested that phone companies or their national postal service should be required to monitor all communications for some vaguely-defined concept of suspicious activity, and then when something was flagged, have it reviewed by a human and if deemed inappropriate cut off the spread within X hours? It would be considered an absurd suggestion by just about everyone, for being impractical, expensive, intrusive, unreliable and of questionable benefit.

And yet, politicians keep suggesting that social media companies should be able to do almost exactly that. There are demands that these companies magically detect any sort of inappropriate content on their systems, and then remove it quickly. Small details like subjectivity, privacy and practicality never seem to feature in the press conference, though.

That's a terrible analogy, for two reasons.

1. Post and phone have an expectation of privacy so the government can't review them (in the US, at least)

2. There is already a system in place to review all phone calls in real time. It's run by several Western intelligence agencies to get around the monitoring rules mentioned in #1.

1 is merely an accident of history and a subjective question of what you consider a reasonable expectation of privacy.

Even if 2 is true, I doubt that system is preventing people from discussing controversial subjects like, say, climate change or politics, even if what the speakers are saying is untrue.

Yet posters on HN are the first ones to want the government to regulate tech.

It’s funny to see.

“Snowden showed how corrupt the gov’t is and how our privacy is at risk!”

“We should have the gov’t regulate communication on the big social networks!”

I think the last good thing that the government ever did with regards to tech in the US is cell phone number portability.

And I agree with them. Tech is far too unregulated today, and this causes massive damage to our societies.

But regulations should always be reasonable and proportionate, and expecting a social network to police all human communication via their system for vaguely specified bad content does not seem to clear that bar.

Yet the representatives who are going to pass laws are the same people who grilled Zuckerberg for Twitter’s practices.

Do you really trust their competence? All the laws being passed and all we got was shitty pop ups on every website saying “we use cookies”. Of course we also got the DMCA....

The government system in the US is essentially dysfunctional, as far as I can tell from outside. Fortunately, not everywhere is like that. All politicians are politicians, but some are more politician than others.

Another example for keyword matching: I work on a German/Polish team. We sent money for a birthday present from Germany to Poland. Someone used the colleague's nickname "Kuba" in the subject line. The Paypal account of the Polish colleague was blocked afterwards. But he could resolve the issue via support afaik.

I'm guessing it's because of Cuba.

I'd wonder why the US is still embargoing Cuba after all these years. What's the endgame? What's the goal? The Cuban regime is still there and the Soviets are long gone. It seems petty and spiteful.

Florida is an important swing state, and it’s also the home to a lot of anti-Castro Cubans in exile, and their descendants. Politics.

Letting Cuba off the hook would require politicians to admit they are wrong and have been for decades. In contrast, keeping the sanctions up does not cost the government much and companies have long factored in the sanctions/compliance as cost of doing business, so there is no pressure on politics from that side.

Like most things in America it comes down to political pandering thanks to the two party system. You may have noticed a lot of progress or corruption on the Cuba front in recent memory based on your political affiliation. There is a large “Cuban” American population that primarily hates the regime in control of Cuba and will support the political opponent that is speaking tough on Cuba. Whether you care about Soviets or Communism or revenge is irrelevant because what you do care about is South Florida and South Florida still cares deeply.

And we have to care about South Florida because of the undemocratic system of the electoral college.

Just to augment the story: Kuba is not an internet nickname. It is a shorter form of given name Jakub (Jacob). I use Jakub only in documents and during formal events. For everyone else I'm Kuba.

I wonder if Cuba Gooding Jr. has issues any time he tries to do something online with PayPal or such

These kinds of problems are a product of scale.

For companies the size of Paypal, Google, or Twitter, the revenue from their operations is so great that leaving a few crumbs on the table by not handling corner cases is of no concern.

Smaller companies can't afford to lose (for example) 10% of their business to corner cases. For large monopolies, a 90% solution is more than good enough.

Yes, large companies have solved their own money-making problems of scale by becoming so large that problems that we find important as a society become ignorable for their bottom line.

That doesn't mean that they've solved the problems of scale that we care about as a society.

Google does care about 10%.

But problems that are absolutely pretty big, might still only be 0.01% for Google.

Are you telling me I can start a website called "ebay ltd" and get donations from paypal for hosting wikileaks and snowden leaks and paypal might block ebay transactions along with my ebay ltd?

No because Ebay is well known, but pick a name of a small to medium start up and yes you can probably kill their paypal account

PayPal seems to arbitrarily block transactions on eBay too. Happened to my friend and he called support and they told him there is nothing they can do. In disbelief he called again and got the same response.

Next time somebody here creates a shell company for very bad things, please try naming it YPal!

The first name and deity name Isis [1] got tarnished by ISIS (which later got renamed to IS).

PayPal is also just two words blended together. I'm not sure they're anyone's friend though.

[1] https://en.m.wikipedia.org/wiki/Isis

I feel like I'm missing some obvious link here. If changing the name on a legitimate transaction is enough to let it go through, what stops actual Evil Terrorists (tm) from just telling their financiers that their name has changed every three months to stay ahead of specific filters?

If I had infinite resources, IMO, the way to go with this sort of thing is to have no blocked transactions or obvious failures, and only relaying the suspicious transactions for law-enforcement to review. If there are crimes, actually get involved and prosecute them, don't just create weird financial black-holes for innocent people and behaviour. From the customer side, no more stupid disruptions. If there are actual bad actors at play, they don't get any immediate feedback they've been flagged and are less likely to change their strategies and cover their tracks.

If there are too many transactions getting flagged this way and law-enforcement ends up buried under dots to connect, then that's a signaling mechanism for them too-- they've obviously done a bad job of crafting their filters and need to adjust for signal/noise.

It makes the government officials and a certain percentage of ignorant public see how much busywork is done to stop the terrorists and feel good about it.

I bet a lot of malevolent transactions do slip through the cracks because of how laughably naive this system is.

What's your threshold though? I mean, it's easy to get in a raising-the-bar fallacy here. If this happens to only, say, 0.1% of PayPal transactions? Would that be good enough? Why that threshold? What about 1%? Or should it be 0.01%?

Keyword blocking is the dumbest thing ever. Arms dealers used it for some transactions, okay, they'll just use a different code word, but now people legitimately using tardigrade are boned.

When they ban the new code word, they'll just switch again, once again screwing over the legitimate users of that word.

It's whack-a-mole, only stupider, because at least whack-a-mole at the arcade gives you prize tickets.

From a 2019 Worldcheck copy, and OFAC SDN https://www.treasury.gov/ofac/downloads/sdnlist.txt

> TARDIGRADE LIMITED, Dimitriados 1, Limassol 4004, Cyprus; Registration Number C378737 (Cyprus) [GLOMAG] (Linked To: TESIC, Slobodan).

> TESIC, Slobodan (a.k.a. SLOBODAN, Tezic), Serbia; DOB 21 Dec 1958; POB Kiseljak, Bosnia and Herzegovina; nationality Serbia; citizen Serbia; Gender Male; Passport 009511357 (Serbia) expires 27 Oct 2020; alt. Passport 007671811 (Serbia) expires 05 Aug 2019 (individual) [GLOMAG].

> [GLOMAG]: Executive Order 13818 - Global Magnitsky;

You are misspelling TARĐIGRADE. That word is Serbian, not English. The Latin form of the language has the letters /d/ (upper "D" and lower "d") and /dz/ (upper "Đ" and lower "đ").

There is also a TARGET TRANSPORTATION LIMITED on the list. PayPal, in their infinite stupidity, would probably block transfers to the retailer Target.

I’m sure the PayPal CEO is deeply wounded by a HN commenter declaring that they haven’t “solved scale,” but perhaps he’s comforted by the tens of billions of dollars they make each year.

My guess is more simply that "tardigrade" contains the substring "tard", which is sometimes used as short for "retard" in their state of the art regexp filter.

Their filter is probably like /iran|tard|cuban|.../i (see also: https://www.insidehook.com/daily_brief/news-opinion/paypal-w... and https://news.ycombinator.com/item?id=24359821)
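To make the difference concrete between the grep-style filter speculated on above and the SDN entries quoted earlier in the thread, here is an added example (not PayPal's code, and not code from anyone in this thread) that screens a few constructed transactions two ways. The two entity names come from the SDN excerpt quoted above; the payee/memo pairs, the suffix alias table and the function names are all my own constructions. The naive screen treats any distinctive word of a listed name as a bare substring anywhere in the text and hard-blocks; the entity screen normalises corporate suffixes, requires the whole listed name as ordered whole words, looks only at the counterparty field rather than free-text memos, and returns a review decision instead of a block.

```python
"""Sanctions-list name screening: naive keyword substring vs. whole-entity match.

Added illustration, not production screening logic. SDN_ENTITIES are two names
quoted in the thread; everything else (transactions, alias table) is constructed.
"""
import re

# Names as they appear in the quoted SDN excerpt (addresses and IDs omitted).
SDN_ENTITIES = ["TARDIGRADE LIMITED", "TARGET TRANSPORTATION LIMITED"]

# Corporate suffixes normalised to one canonical spelling (constructed table).
SUFFIX_ALIASES = {
    "LTD": "LIMITED", "LIMITED": "LIMITED",
    "INC": "INCORPORATED", "INCORPORATED": "INCORPORATED",
    "CORP": "CORPORATION", "CORPORATION": "CORPORATION",
}
# Tokens that carry no identifying weight on their own.
GENERIC = {"LIMITED", "INCORPORATED", "CORPORATION", "LLC", "CO", "COMPANY"}

# Constructed sample transactions: (payee field, free-text memo).
TRANSACTIONS = [
    ("tinyornaments", "Tardigrade ornament, glow in the dark"),  # legitimate
    ("Target", "Gift card reimbursement"),                       # legitimate
    ("Tardigrade Inferno", "Merch order #12"),                   # legitimate (band)
    ("Tardigrade Ltd.", "Invoice 7, Limassol"),                  # listed entity
    ("TARGET TRANSPORTATION LIMITED", "Shipping"),               # listed entity
    ("Jakub K.", "Birthday present for Kuba"),                   # legitimate
]


def distinctive_tokens(name):
    """Words of a listed name that are not generic corporate suffixes."""
    return [t for t in name.upper().split() if t not in GENERIC]


def naive_keyword_screen(payee, memo, entities=SDN_ENTITIES):
    """The /tard|.../i style filter: any distinctive token of any listed name,
    found as a bare substring in payee or memo, hard-blocks the transaction."""
    text = f"{payee} {memo}".upper()
    hits = [e for e in entities
            if any(tok in text for tok in distinctive_tokens(e))]
    return ("BLOCK", hits) if hits else ("ALLOW", [])


def normalize(name):
    """Uppercase, drop punctuation, map suffix aliases to canonical form."""
    tokens = re.sub(r"[^\w\s]", " ", name.upper()).split()
    return " ".join(SUFFIX_ALIASES.get(t, t) for t in tokens)


def entity_screen(payee, entities=SDN_ENTITIES):
    """Whole-name match on the counterparty field only: every token of the
    listed name, in order, as whole words. A hit is routed to human review."""
    norm = normalize(payee)
    hits = []
    for e in entities:
        pattern = r"(?<![A-Z0-9])" + re.escape(normalize(e)) + r"(?![A-Z0-9])"
        if re.search(pattern, norm):
            hits.append(e)
    return ("REVIEW", hits) if hits else ("ALLOW", [])


def compare(transactions=TRANSACTIONS):
    """Side-by-side decisions for each constructed transaction."""
    return [(payee, naive_keyword_screen(payee, memo)[0], entity_screen(payee)[0])
            for payee, memo in transactions]


if __name__ == "__main__":
    for payee, naive, entity in compare():
        print(f"{payee:32} naive={naive:6} entity={entity}")
```

Run as a script, the naive column blocks four of the six (the ornament, the retailer, the band and the Cyprus company) while the entity column allows the three legitimate payees and sends only the two listed names to review. The substring approach also blocks any memo containing "transportation", which is the general form of the "Target" problem raised above.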

Same for the word "Bitcoin". If you try to send something with this word to somebody it will block their and your account. For me this is a (kamikaze) attack vector.

I mean, why stop at just "Bitcoin". Might as well put a bunch of the words in there to increase your chances (eg. iran, nuclear, uranium enrichment, north korea, isis etc.), kind of like https://www.google.com/search?client=firefox-b-1-e&q=tiananm...

Or just use "Cuba" somewhere. It will have more effect than the rest all combined.

I work at a Europe-based ecommerce company. PayPal was blocking orders for any product that had “cuba” as part of the name/description due to US Cuban sanctions. Although after talking with our account manager, they have removed this filter for us.

Based on my experiences helping a client with Paypal, even though we had written approval from one of their executives in Paypal risk management, we got shut down weeks later for violating the thing we explicitly got permission for.

If I were you, I would expect something to trigger a blockage again (and ultimately decide, like many companies, that Paypal just isn't reliable).

That’s proven by all the other problems we have working with them. But you cannot simply turn it off, since it has a huge payment share vs other payment methods.

Just curious, why is allowing cuba in the description so important to you?

Farther down the thread:

  A few people mentioned OFAC sanctions, so I investigated a bit more. In Dec 2019, US Dept of Treasury sanctioned companies linked to Serbian arms dealer Slobodan Tesic, including Cyprus-based Tardigrade Ltd. So PayPal flags tardigrade ornaments by mistake.

Part of this is no doubt Paypal's fault, but part of it is also the fault of the US's over-the-top trade sanctions laws. The penalties for getting it wrong are so severe, it creates a strong incentive for companies to err on the side of caution even when doing so produces idiotic outcomes like this one.

I don’t think it has to do with erring on the side of caution. I don’t think PayPal has the technology to implement better blocking.

The problem is that if you make a false negative error, there is the risk of severe legal sanctions, if you make a false positive error, there are zero negative legal consequences. Hence the law encourages everyone to prefer false positive errors to false negative errors, and this is the result. If the legal incentives were different, the outcome would be different.

The law could provide an efficient recourse in case of false positives – e.g. a legislated right to appeal, legislated SLAs for considering appeals (and penalties for failing to meet them), indemnification for the provider if they grant an appeal in good faith, an expedited process for judicial review of denied appeals, etc – but the law doesn't, and since there is no incentive for an efficient recourse, nobody provides one.

I understand the legal issue for PayPal, but then they got really lucky in this case. Tardigrade isn’t really a widely used word, so just blocking the word completely is “fine”, but what if the arms dealer in question operated under the name “Arts and crafts ltd”? Would PayPal have used another blocking system?

I don’t blame PayPal for their reaction, but I also doubt that they actually have better solutions than keyword blocking.

So, you think this is more of a prop 65 scenario?

Is it possible you could spell the word correctly? It is Serbian, not English.

I forgot what happened once to my PayPal account but I remember calling them because I knew the issue I had couldn’t be resolved over the phone. The person on the other end had a canned response to my problem that didn’t answer why my account was the way it was. I just remember saying that I wanted to buy things, I have money to spend, why do you not want me to spend money with your service. Brief pause and then she said my account would be active again in a few minutes.

Don’t even get me started on eBay. Support is non-existent for my issue so I had to lie in a different support request to get my issue looked at. Even then what they need me to verify transactions on my account is impossible.

The solution paypal gave, "don't use the word tardigrade", is wrong from a product point of view.

paypal considers that a better solution than the alternative one, "don't use paypal".

The obvious workaround is to move from edges to facets.

Instead of Tardigrade (A) shipping arms to $TERRORISTS (B) and (B) sending money to (A) by paypal in a bilateral pattern AB, they should move to the next topological level.

A ships arms to $EMBARGOED_PARTY (B), (B) sends money to $FREEDOM_FIGHTERS (C), and (C) sends drugs with street value to (A), making a triangular pattern ABC.

Extension to tetrahedral trade is left as an exercise for the reader.

Here's some context: https://www.vice.com/amp/en_us/article/n7wg3w/paypal-tardigr...

Likely not due to the Scunthorpe problem like one might expect, but due to an arms dealer having sold weapons through a shell company named Tardigrade.

What’s wrong with Vice?

There's many things wrong with Vice. In addition to the story in the sibling comment, they have a consistent track record of misrepresenting their reporting to sources, heavily editing interview responses to change the meaning of what the interviewee said, and in at least one case I directly witnessed inventing the entire content of an interview that never happened and publishing it. I would simply consider anything they write at least misrepresented and possibly entirely fictional.

what's the problematic substring of "Tardigrade"?

Probably not "grad", maybe "tard" ? ;p

Reminds me that around 2006 you couldn't say "Saturday" on runescape because it contains "turd"

You have to thank the OFAC regulations for that - they have created issues for both businesses and customers in the name of political goals that don't have any relation to them.

GDPR has a separate, less-known article that bans fully automated decision making without an appeals process: https://gdpr-info.eu/art-22-gdpr/

It's unlikely you'll be able to get Paypal to actually comply with it, but going through a path that will hit someone familiar with GDPR and mentioning this article, and escalating via the DPA, is probably the most promising option

Obviously doesn't help if you need something done quickly, because especially if you need to get the DPA involved, this process will take months.

That's actually a good (if slow) solution, given that payment processing is important enough to hit the filter (significant recourse or something).

Don't use Paypal, or you risk randomly losing your money.

Pretty much. I'll refer to something that happened to me a few years back: https://news.ycombinator.com/item?id=18783724

This must be rough for the band "Tardigrade Inferno"..

Thanks to PayPal I just learned a lot about Tardigrades. Interesting creatures.

Unpopular opinion but I think we have a civic responsibility to put them on probes and crash them into every planet in the solar system. Those cute little water bears are nature's survivors.

Why specifically a civic responsibility?

There's probably a better word but it resonates with some people.

The desire to preserve other planets for the remote chance that there's life there and we can study it before turning up anyway and ruining things is misguided. We are the only known life in the universe, it's incredibly irresponsible to not propagate such things (just in case)

Perhaps 'moral responsibility'?

Unless we end up killing life that already exists there.

The aliens can make a movie about it.

Based on my experience as a developer and user I can't understand how PayPal got so big and ubiquitous.

I had the worst experience ever in trying to set up our recurring billing system with them, wasting several days of work, to the point that I simply gave up, switched to Stripe, and got everything up and running, in production, in hours.

Even as a consumer I had a terrible experience when trying to send money abroad, for my rent, with Xoom, a PayPal service. They initially took the money from my PayPal account, told me that the money was on its way to the recipient, only to block it some days later for unspecified reasons (refunded to my account). On top of that, I lost the option to use my PayPal account to send money, for what appeared to be a technical issue. Even though the system appeared to give me the option to use my PayPal account as a source of funds, telling me that the accounts were indeed connected, when actually sending the money the option disappeared.

To solve the issue I called Xoom, they told me that there was no way of reconnecting my account and that I had to contact PayPal. So I did and they told me that they couldn't do anything and that I had to contact Xoom. After a few exchanges back and forth like these, I simply asked to close my Xoom account so I could open a new one and restore the link between my Xoom and PayPal accounts, but they told me that that was not possible and that to cancel Xoom I had to cancel PayPal as well.

So I gave up, used another service and got my money to my recipient.

I'm not from the US and to me PayPal was always only a way to avoid filling in credit cards details on (random) websites.

It always feels a bit weird to see people elsewhere rely on it for much more.

>I'm not from the US and to me PayPal was always only a way to avoid filling in credit cards details on (random) websites.

And this is the answer.

Paypal's existence comes down to the fact that they are the sole "legitimate" vector into the US financial system for a vast majority of the rest of the world. Because that's such a massive financial incentive, they can basically treat users however they wish and get away with it.

Brewing up space for that next startup who respects their users and works in the same marketplace ;)

Perhaps part of the reason was the ease of access for minors. I'm now over 18, but when PayPal got popular, my friends and I were under 18 so we weren't allowed to purchase stuff (like video games) online since we didn't have our own credit/debit cards. PayPal used to not verify your age so it was perfect for this type of stuff.

PayPal was the first free electronic way to send and receive money to people in the US, to my knowledge. Which is a sad indictment of the US’s infrastructure.

Even today, so many people use Venmo, which is still PayPal. Apple Cash seems to work well, but still involves an unnecessary middleman like PayPal.

Zelle is the only half decent solution that doesn’t involve third parties.

Zelle is also a third party, just well integrated into the banks' UIs. I had a Zelle payment blocked recently and ended up seeing a lot of stuff on the internet / reddit about Zelle doing similar stuff as the other companies when it comes to blocking payments as well as customer service & having money disappear in some cases.

Zelle is the brand name for Early Warning Services, which used to be called clearXchange, and is owned by the biggest banks themselves. When I write there is no middleman or third party, I mean that the money goes from the sender's account to the recipient's account. With PayPal/Venmo/Apple Cash/etc, the money goes from the sender's account, to Paypal/Venmo/Apple/etc's account, and then to the recipient.

Also, with Zelle, you never need to give anyone your bank account number, and you are never authorizing anyone to reach into your account and take money via ACH, like you are with Paypal/Venmo/Apple Cash/etc. It’s also instant.

>Early Warning Services, LLC, is a fintech company owned by seven of the country’s largest banks.

>Zelle is a United States–based digital payments network owned by Early Warning Services, a private financial services company owned by the banks Bank of America, BB&T, Capital One, JPMorgan Chase, PNC Bank, U.S. Bank and Wells Fargo.[1][2][3] The Zelle service enables individuals to electronically transfer money from their bank account to another registered user's bank account (within the United States) using a mobile device or the website of a participating banking institution.[1][3]

> Also, with Zelle, you never need to give anyone your bank account number

As a non-American, seeing this listed as a plus is always so strange.

It’s beyond ridiculous. The safe thing to do in the US is to have accounts whose info you don’t give to anyone. And then you set up ACH transfers from that account to a checking account you use for expenses, and only keep smaller amounts in the checking account, enough for money going out in the near future.

> PayPal was the first free electronic way [...]

What do you mean by 'free'? Didn't they always charge fees?

Not for sending money to friends - fees are charged when paying for goods & services

PayPal used to be great in its time. Leadership and ownership changed and now it's just there, and because everyone knows and trusts it, it still lives on.

Scale/brand effects.

PayPal has always sucked, at least to some level.

For example: paypalsucks.com was set up some time around 2001[0].

[0] This is the earliest snapshot the IA has of the site: https://web.archive.org/web/20010215013627/http://paypalsuck...

Ebay pushed it aggressively; IIRC you effectively couldn't use ebay (or lost critical aspects like fraud protection) if you didn't use PayPal.

Outside of the US, credit cards were far from ubiquitous (and they still aren't). PayPal was the one system that could handle international transfers reasonably.

Edit: Also, speed and payments to individuals. Back when eBay was an auction house for used goods sold by individuals, not a marketplace for commercial sellers, it was the one way to get someone money that was instant. No idea how that worked in the US, but in Germany the alternative was bank transfers which took 2-3 days back then.

Part of why PayPal got big is that at the time it was new the incumbent banks had transactions that tended to be slow and crappy and sometimes expensive on top of that. I remember when I was younger that there was this "mysterious" clearing time with my bank where you'd send money and the other party wouldn't get it for a number of days (and that number of days wasn't even reliable either). And with international transfers it was worse than the domestic ones.

Now that people have got used to better payment processing the banks have had to improve, I think it's easy to forget just how bad things used to be.

Very simple: they were the first to get there in the online payments space and delivered something that worked reliably without the time and $ cost of money orders or bank transfers.

So I guess it's nice to have an alternative payment method like cryptocurrency.

Such arbitrary prohibition is caused by "Know Your Customer" regulations. And it is anything but.

Clear indication for regulatory audit, since the methodology is at fault here.

The financial reforms following 9/11 introduced reporting requirements. This could be under this umbrella? One example is that suspicious deposits must be reported by those in the financial services industry to the federal government. Once reported, your broker is prohibited by law from informing you of the report. We lost a lot of financial freedom following 9/11. Paypal is just following US law.

Anyone care to guess as to why? At face value it seems like a very odd word to censor, I have absolutely no clue what the motivation might be.

There is a blockchain-related project called tardigrade. I guess they just have a big list of crypto-related terms.

Edited to add: or the arms dealer. Either seem likely.

"The sanctions also include two Cyprus-based companies and one Hong Kong-based company – Moonstorm Enterprises LTD, Tardigrade Limited, and Business Diversity Limited.The Department of the Treasury claimed that the companies are “owned or controlled by, or acting or purporting to act for or on behalf of, directly or indirectly, Tesic”." - https://balkaninsight.com/2019/12/10/us-expands-sanctions-ag...

Because it contains (starts with) "tard".

What would be wrong with 'tard'?

It's a shortened version of the slur "retard".

Poor little fellas.

I had a horrible experience with PayPal earlier this year. I needed to send $500 to an individual buying our house, they were paying cash and on such a tight timeline for closing that the closing docs were written up before they got back their inspection report and asked for an allowance.

Paypal kept blocking the transaction even though it was just a simple person to person transfer. I was on chat with their support for nearly an hour. The person kept describing some black box of a security system that, for security purposes, no one manages or can see why transactions get flagged. I asked multiple times to speak to a manager or someone on the security team and was told consistently that managers won't have more info and there literally isn't a security team...

Needless to say I haven't used them since and will do everything I can to avoid it. I have no problem if a flag is errantly raised on a normal transaction, but to say they literally don't have a security team is mind boggling.

There was a time I was excited to get a PayPal account owing to all the (perceived) hype around it.

I made one and linked my card but rarely used it. Once I had to pay to an online merchant and for some reason the card didn't work so I hooked up my savings account. Months go by and since I never came around to using the service again, I wanted the account closed.

But before that, as a personal preference, I wanted to manually remove the card and account link. The card worked fine but it wouldn't let me do it with the bank account. Took 3 separate chats over a week to get it done and I finally closed it to never look back. I have no idea if the dark patterns exist anymore.

Now I just use cashapp to send and receive money with my friends. Left such a salty taste in my mouth, I'll never give PayPal any business anymore, just seems sketch.

NO security team?!

So they literally admitted that they don't have anyone actively monitoring transactions? Working to watch for fraud? Theft? Hacking?

Wow, I may stop using them as well.

It was a lie, of course they have all that, they just never speak to people. When was the last time you spoke to google support or a manager? They collect notes and only when something escalates to a PR story or a high volume of complaints/failures/cancellations do they create some JIRA story and assign it to some engineer. A “business to consumer” internet giant will never let the consumers get past the call center to talk to engineers directly, and engineers don’t want that either. It’s as much of a rule as that a business must be profitable. On the other hand, competent support is supposed to have tools to fix most issues.

I also had a bad issue with some unauthorized withdrawal via eBay, from my paypal, in about 2004, and spent hours on the phone with no result. I wished I could boycott them after this, but no one cares. I just learned not to trust them because they are a terribly run company on the consumer support side. And I think it is because they deal so much with fraud. I don’t think we can do anything about it, except promote these stories.

They have a whole department called "risk management" that is responsible for combatting fraud. (I worked for PayPal under that department in a past life.)

I'm sure there's a "security team" somewhere that responds to attempts to directly breach PayPal's infrastructure, though I never interacted with them. (Paypal has quite a bit of on-campus physical security, and I did interact with them almost every week.)

Circling back to the discussion at hand: PayPal probably doesn't have any digital/financial security staff at their call centers (why would they?) so as far as the call center reps are concerned, there is no "security team".

All I can say, to all the comments, is "whoosh".

Communicating badly and then acting smug when you’re misunderstood is not cleverness.

Hey, great info. Unfortunately, you assert several things with your statement, which really are not true.

Try again? Do you have a better jab?

Maybe one that doesn't rely upon a comic, as your main argument?

There is no security team which you may speak to.

'this is an arbitrary + stupid mistake by a company known for drawing lines in the sand over stupid rules' is the less scary answer here

we know tardigrades can travel through space. what if the aliens are already here

tardigrades founded paypal to demoralize us with arbitrary + stupid rules, and their only weakness is the streisand effect

The only thing that would improve this comment is an embedded image of a tardigrade. Mods?

an upvote to you my good sir

So this "internal security system" takes over the company even if they don't want this. This is so wrong I don't even know where to start.

It's a trade sanctions issue. PayPal could end up in deep shit with the Treasury Department if they let their front-line support techs override an OFAC match.

There is almost certainly a way to handle this, but it involves talking to PayPal's legal department, and it will take time.

OFAC match? The entities aren't matching, just the product. It's like blocking someone from buying food at Joe's Cuban Restaurant in Miami. Not what OFAC actually requires.

Why are paypal and other payment processors getting caught out with this braindead text filter stuff? Slam a grep somewhere instead of real effort?

Wait until they ban you for life for a similarly random reason, then tell you “it cannot be appealed” lol.

I bet the folks at tardigrade.io are not happy.

I hope the EU will come up with a central bank backed alternative soon.

The whole problem with PayPal is exactly that it isn't a bank so they can get away with all kinds of stuff a bank cannot. I doubt a bank backed competitor could survive against a business that can just lock an account with money in it and never pay them back. Not really a level playing field.

It's really hard to identify sarcasm on the internet.

In the EU, (instant) IBAN transfers (which have been slowly rolling out for some years now) largely solve the problem. Here PayPal is used a lot but mostly with external credit cards (like Google Pay or Apple Pay).

Duplicate submission from several hours ago:


I check for popular sources (Quanta Magazine, Nautilus, Ars Technica, ...) but Twitter threads I usually just submit - if it's not someone super-duper well-known or popular here on HN. Foone's latest shenanigans would warrant a check for earlier submissions for example. My apologies.

With "tard" you can block any Spaniard or Latin American with any transaction setting the time after the afternoon...
