Hacker News new | past | comments | ask | show | jobs | submit login
Square thinks I don’t exist (kevinchen.co)
567 points by kevinchen on Jan 28, 2014 | hide | past | favorite | 252 comments

To the OP:

If I were you, I would check your credit report IMMEDIATELY.

I'm in the same boat as you, except I'm in my 40s. Most companies use Experian or Equifax to do some sort of credit verification by asking these questions. However, about 5 years ago, the credit agencies merged my credit record with someone else with the same name, but entirely different birthday and location.

Evidently, they don't give a fuck because it took me years to get this wrong information off of my credit records. I don't understand how this isn't libel, since they are spreading false information about me, and that drastically affected my credit, and I had to jump through hoops to get everything corrected.

The thing that really sucks is that Experian STILL has the wrong information about me, so when I'm asked these credit questions, it's mixed with the other person's data, so I always fail the credit check. Despite having nearly perfect credit, I've failed the credit check numerous times, and like you, the decision has always been final, because no one appears to give a fuck.

The problem is I have no idea how to get Experian to refresh their data, even though it's several years old now.

It might be the case that the OP's credit history has been merged with someone else, and if this is the case, they need to fix it as soon as possible. Use the yearly free credit report to make sure there is no loans or credit cards associated with your name, and if so, you need to call every single credit agency and dispute it. It really sucks, and I don't understand how we let the credit agencies have this much power, where we the consumers have to suffer like this whenever THEY fuck up.

Regarding your libel question: The Fair Credit Reporting Act (FCRA) expressly pre-empted state defamation suits against credit reporting agencies. 15 U.S.C. 1681h(e).

> [N]o consumer may bring any action or proceeding in the nature of defamation, invasion of privacy, or negligence with respect to the reporting of information against any consumer reporting agency ...

Ich. Did we get something in return out of that act or was it a coup? Do they have any legal obligation to get this stuff right?

I have intimate personal experience with the FCRA. Sadly I don't have an hour to talk about it at the moment, but ping me any time. Short version: it's one of the most absurdly customer-friendly pieces of legislation in the US, assuming you know how to work it. There exist Internet communities where they basically do nothing but assist each other with using the FCRA to get legitimate debts removed from their credit report, which, when combined with the Fair Debt Collection Practices Act, means you can essentially unilaterally absolve yourself of many debts if the party currently owning it is not on the ball for compliance.

The brief version, with the exact search queries you'll want bracketed: you send a [debt validation letter] under the FCRA to the CRAs. This starts a 30 day clock, during which time they have to get to the reporter and receive evidence from the reporter that you actually own the debt. If that clock expires, the CRAs must remove that tradeline from your report and never reinstate it. Roughly simultaneously with that letter, you send the collection agency a [FDCPA dispute letter], and allege specifically that you have "No recollection of the particulars of the debt" (this stops short of saying "It isn't mine"), request documentation of it, and -- this is the magic part -- remind them that the FDCPA means they have to stop collection activities until they've produced docs for you. Collection activities include responding to inquiries from the CRAs. If the CRA comes back to you with a "We validated the debt with the reporter." prior to you hearing from the reporter directly, you've got documentary evidence of a per-se violation of the FDCPA, which you can use to get the debt discharged and statutory damages (if you sue) or just threaten to do that in return for the reporter agreeing to tell the CRA to delete the tradeline.

No response from the CRA? You watch your mail box like a hawk for the next 30 days. Odds are, you'll get nothing back from the reporter in that timeframe, because most debt collection agencies are poorly organized and can't find the original documentation for the debt in their files quickly enough. Many simply won't have original documentation -- they just have a CSV file from the original lender listing people and amounts.

If you get nothing back from the reporter in 30 days, game over, you win. The CRA is now legally required to delete the tradeline and never put it back. Sometimes you have to send a few pieces of mail to get this to stick. You will probably follow-up on this with a second letter to the reporter, asserting the FDCPA right to not receive any communication from them which is inconvenient, and you'll tell them that all communication is inconvenient. (This letter is sometimes referred to as a [FOAD letter], for eff-off-and-die.) The reporter's only possible choices at that point are to abandon collection attempts entirely or sue you. If they sue you prior to sending validation, that was a very bad move, because that is a per-se FDCPA violation and means your debt will be voided. (That assumes you owe it in the first place. Lots of the people doing these mechanics actually did owe the debt at one point, but are betting that it can't be conveniently demonstrated that they owe the debt.)

If the reporter sends a letter: "Uh, we have you in a CSV file." you wait patiently until day 31 then say "You've failed to produce documentary evidence of this debt under the FDCPA. Accordingly, you're barred from attempting to collect on it. If you dispute that this is how the FDCPA works, meet me in any court of competent jurisdiction because I have the certified mail return receipt from the letter I sent you and every judge in the United States can count to 30." and then you file that with the CRA alleging "This debt on my credit report is invalid." The CRA will get in touch with the debt collection company, have their attempt timeout, and nuke the trade line. You now still technically speaking owe money but you owe it to someone who can't collect on the debt, (licitly [+]) sell it, or report it against your credit.

I just outlined the semi-abusive use of those two laws, but the perfectly legitimate use (for resolving situations like mine, where my credit report was alleging that I owed $X00,000 in debts dating to before I was born) is structurally similar. My dropbox still has 30 PDFs for letters I sent to the 3 CRAs, several banks, and a few debt collection companies disputing the information on my report and taking polite professional notice that there was an easy way out of this predicament for them but that if they weren't willing to play ball on that I was well aware of the mechanics of the hard way.

[+] Owing more to disorganization and incompetence than malice, many debt collection companies will in fact sell debts which they're not longer legally entitled to. This happened to me twice. I sent out two "intent to sue" letters and they fixed the problem within a week.

[Edit: I last did this in 2006 and my recollection on some of the steps I took was faulty, so I've corrected them above and made it a little more flow-charty.]

Wow. Having tried to resolve in a friendly manner a bill in which Verizon charged me $150 for DSL service at an address to which they not only never provided service but at which they eventually noticed they can't provide service, period, due to its distance from their nearest central office -- and having had them respond by sending the bill to a collection agency -- this information will be of great use to me, and I thank you very kindly for it.

Absurdly interesting comment for those of us who aren't lawyers with this specialty. Thanks.

Please have a beer on me sometime. Bitcoin address?

I appreciate the sentiment. As an alternative, consider donating one beer extra on your next charitable donation and think of me when you do it. That accomplishes your objective and has a higher utility to me than either beer (which I don't drink) or bitcoin (which I would need to drink rather a lot to start using -- for my reasoning on this, see hnsearch for [patio11 bitcoin]).

Not saying that Patrick endorses this but just in case you need any inspiration I'm just going to leave this here...


I put in a $100 this morning, let's get little baby Mathayo's head fixed :)

In case you are not being sarcastic on purpose: Patrick despises crypto currencies and very probably has no *coin address.

You could always buy bingo card creator.

This is one of the times I wish HN had a "saved comments" feature.

Fascinating. Is there any equivalent process for the UK, or any good resources on it?

Ditto! I wonder is there any EU law on this...

Very informative post - even if you don't live in the states, you can learn a thing or two from this one.

Thank you for your time.

An epic comment from patio11, Well done.

I happen to know that in America there are collections agencies which peak at bulk debt purchases then contact the debtor trying to illegally collect a debt they don't own.

Eventually the bulk debt package gets sold and a rightful collections agency calls them up trying to legally collect a debt.

Overall it is a very sleazy business.

Interesting... Do you have links for the aforementioned internet communities?

creditboards.com is the one I had in mind when I wrote that particular bit. I also liked the Motley Fool Credit Cards and Consumer Debts board back in the day. Sentiment on that board is that people should pay their debts, which is closer to my personal feeling than creditboards' prevailing sentiment that getting advantage on a debt collector or creditor is always justified and praiseworthy.

I already wrote a longer response but think your sentiment also deserves a shorter one: The trade for the FCRA over state defamation suits is actually a net win for consumers.

To win a defamation suit, you have to prove (generally) a) you factually don't owe the debt and b) the CRA should have been aware that you factually don't own the debt. Those can be fairly difficult to demonstrate. (Quick, demonstrate that you don't owe $30,000 to Bank of America under account number #123456. Note you may be responding to a sworn deposition from a Bank of America representative which says "I have reviewed our firm's records, kept in the ordinary course of business, and they show that he does, indeed, owe us $30,000 on account #123456.")

To win a FCRA suit, all you need is a return receipt from a letter you sent and then observe "No return receipt for the letter they sent in response dated within 30 days? Then presumption is they didn't send one. Unless they can immediately produce documentary evidence to the contrary, they're facially non-compliant, and I win automatically. We never reach the question of whether I actually owe the debt at issue. It's irrelevant."

Not a lawyer, but I think they are also required to have a process for disputing inaccuracies. Also, there is the free annual credit report law.

Amazing that companies maintaining credit histories are relying on a person's name to map financial data to a 'person'.

Don't we have unique identifiers call Social Security Numbers?

Social security numbers are most emphatically not identification. The social security department tried for many years to get people to stop using your social as a form of identification, but companies (and sometimes even the government) still keep doing it. Social security cards printed before 1972 actually had a disclaimer printed on them that said "Not for identification purposes", but the message has since been removed. Although rare, there are actually duplicate social security numbers as well, and not everyone has a social security number. A number of religious groups, most notably some sects of Amish, refuse to get social security numbers and regularly fight legal cases to prevent having a social security number as a requirement for access to government services (although obviously not social security).

Popular misconception here: That disclaimer meant possession of the card is not identification, since it doesn't have any verification like a photo. The number does represent identification, as far back as 1943.

Source, the Straight Dope: http://www.straightdope.com/columns/read/141/why-does-my-old...

The SS card is a name-to-number mapping once the name is already identified by another document like a driver's license or passport.

The US seems to have this quite backwards. They should be identifiers NOT authentictors although it is always likely to be slightly messy as some people won't have one and others may end up with multiple but having multiple people with the same number sounds pretty wrong.

Well that's interesting... Thanks for debunking my notion of SSN as an identifier. Sounds like a problem that needs to be solved.

It could be solved as pretty much every other country on the planet does it, with a national ID number (& card). But the US population rises up in outrage every time this is suggested.

My country's government has done a lot of idiotic things, but I don't believe that instituting a national identification system is one of them.

Social Security numbers are not ID numbers, as other posters have written.

Other countries (including Israel, where I live) do have ID numbers, and they are used universally -- by governments, employers, credit-card companies, and the like. I actually very much like the convenience that this gives me. I have one number to remember, and I don't worry very much about it being taken or used by someone else.

No, Social Security Numbers are not unique.

Furthermore, many sources of credit information do not have access to your social security number to use as a key. Your phone company, cable company, oil company, and so on all may need to send your bills to collections and put a mark on your credit report, but they don't have access to your social security number (they may ask for it, but you aren't required to provide it).

There are cases of them being re-issued accidentally, but they're supposed to be unique, and we have massive data systems based on that premise. Texas has only just recently begun transitioning from using SSN as the primary key for their statewide student (and school staff) database.

when one credit agency merged me with another person, they put both our social security numbers on the credit report. I found it the weirdest thing in the world. They also combined our address records, so I had two different residences for my whole life, and residences for 15 years before I was born.

These documents often lack in consistency.

Thanks for the heads up! I actually tried to check all three before writing this post. One has the correct info, but it looks like the other two agencies are a bit slower. I have to do those by fax.

Did you try https://www.annualcreditreport.com/ ? Note: this the official website maintained by all three CRAs.

Yeah, the site couldn't find me for 2 of the 3 credit reporting companies.

Damn thinking about living under such a system makes me want to run off and live alone in the wood.

Using a non-common name heals all. We have too many David in the same office. It's appealing for people to remember so that it sounds nice. But it defeats the purpose for us to have a name. Name should make you unique.

He'll just pop back about eighteen years and ask his parents to pick a different one, then? Or spend a few hundred bucks, and a few days of hassle, to get it changed. Oh and plus ordering some new proofs of name change every now and then whenever he needs to submit a birth certificate to something. I'm sure he's got no sentimental attachment to his name either. I can't see your plan of "have a unique name" resulting in any problems for him.

(I have changed my name for very different reason, I know precisely how much hassle it causes in the US.)

In choosing egypturnash you achieved your objective.

I went through the name changing process too, although not for myself. I don't mean he needs to change his name to avoid this type of problem. But I raised a common problem for people to concern, especially for the next generation.

Our culture is encouraging more and more fast food and simple, short thinking. I don't quite value that value, especially from developer's point of view. As you can see, how complicated processes are involved in VLSI chip design and circuit design in iPhone. If people applied the same culture or manner or habit, we would not have those great products.

His problem is a dilemma because financial systems have to be that strict. There are just two many duplicated names even in one location. But I agree that simple name are more welcomed in the real life. So maybe our financial systems should be adjusted to use more field to uniquely identify a person.

What does the complexity of PCB design have to do with improving customer service?

I'm seeing things on both sides. They have bad customer service due to some reasons such as operational cost. But it's necessary for their business to disqualified you and they have the right to reject serving you since the service is free on your clients side. Please don't take it for granted that you must be served. That's why I suggest them if they cannot afford the customer support like other decent online financial systems, they may verify on large transactions only so that they may still get the chance to serve customers with small or medium transactions, while large transaction itself can cover the service cost.

On the other hand, did you see there is another post directly suggesting you to have your name changed with a middle initial. Don't think you are always 100% perfect and it's all other people's fault. This is another caveat in culture for the new generation. When conflict occurs, check on yourself side first. I gave you advice because I wish this type of thing would not happen to you again. If you don't learn the lesson, you may have more similar type of experience down the road. Didn't you see the other people's story with his credit record? Do you think it's fun?

You didn't get my point at all. Choosing simple name and always making job simple has the same culture background as fast food. I don't need to mention about the good or bad about it. Everybody can make his own choice. You may stick to your common name and have the other consequences. Other than you, yourself, who will care?

iPhone is not made with regular PCB design techniques, it's not that easy. VLSI design is not PCB design. With this type of attitude, you are not qualified for any of those professional work until you are trained or change your attitude. This is my point.

BTW, if you don't mind, can you please tell me how you down voted me? Is it done by complaining to the YC admin? I can have different opinion with you, but I'm helping you. I will not down vote you because I have different opinion with you. What a decent manner you have.

> On the other hand, did you see there is another post directly suggesting you to have your name changed with a middle initial.

Right, I responded saying that I already have a middle initial which uniquely identifies me in the US, but Square won't take it on the signup form.

> Don't think you are always 100% perfect and it's all other people's fault. […] When conflict occurs, check on yourself side first. I gave you advice because I wish this type of thing would not happen to you again.

You are correct. However, I believe I made a genuine effort to find out what's going on: I spend hours researching on Square's website, comparing policies with other payment companies and other companies that use knowledge-based verification, and trying to ask them to clarify things I didn't understand.

> If you don't learn the lesson, you may have more similar type of experience down the road. Didn't you see the other people's story with his credit record? Do you think it's fun?

The person shared a name with someone else, so the system decided to merge their credit histories after awhile. That is not the customer's fault if they make a wholehearted effort to fix things.

> You didn't get my point at all. Choosing simple name and always making job simple has the same culture background as fast food. I don't need to mention about the good or bad about it. Everybody can make his own choice.

I did not choose my own name.

> You may stick to your common name and have the other consequences. Other than you, yourself, who will care?

For me, there is no way to win this game. Yes, I could waste a ton of time and money changing my name, updating government records, convincing everyone I meet that I am not an identity thief, re-purchasing things like domain names, etc. On the other hand, I could waste a bunch of time getting mixed up with other people named Kevin Chen.

Philosophically, that's asking humans to change themselves for the machine's convenience. As an engineer, I think that's a backwards concept and it should be the other way around.

> iPhone is not made with regular PCB design techniques, it's not that easy. VLSI design is not PCB design. With this type of attitude, you are not qualified for any of those professional work until you are trained or change your attitude. This is my point.

My attitude (as seen in other comments and in my post) is that I try to understand the other side and expect people to treat each other with courtesy.

> BTW, if you don't mind, can you please tell me how you down voted me?

If you were downvoted, I didn't do it. I just wanted to get some clarification on a seemingly off-topic comment.

Thank you for your answer which clarified the misunderstandings. But your last post was not a clarification but raised a big question to me. It looks like I was talking nonsense about PCB design with customer service.

I never suggested you to change your name because I know it's your personal choice. Since I ran through it even with mistake and run a couple of rounds and waiting forever to get it done, name changing is still not a process with tons of time and effort. From this kind of experience, we learned that it is the government process. Because you haven't encountered too much hassle yet, you feel like this kind of tedious is not bearable. No, it's not. A lot of things are more tedious than that. That's why I took iphone design as an example. The same for software development and deployment. So much hassle.

Now I feel your attitude is a lot better. You did some research and try to understand their system. But still if you don't pay them a loyalty fee, you cannot argue. It's their choice and your choice is either go with it or take other action like changing your name.

The credit report example told us that it may occur at any time, and they are not going to change their process for the time being. I discuss this issue generally from the culture perspective because it's an alert to other people, not specifically go against you.

I feel sad for you to have this frustrated experiences. In the real world, we also have a lot of such experience. Again, think from the other side point of view, if they allow you which may take a risk for having a lot of free customers complaining against their customer support for real financial issues, what can they do? Then you may feel a lot easier to accept their decision.

Thank you for not down voting me. I took my time to make you understand.

How about 'Root Null'? With a name like that, their systems would tremble.

I guess eCommerce sites should know how to deal with online identity. Either verifying on transactions with large amount only or be really serious to come out with a paper process proven by the local financial institute. I recently encountered such case with US TreasuryDirect online. If they are not able to identify you, they have the paper process in place to you to follow.

well hello there little bobby tables!


I checked my credit history for the first time last year and discovered something similar with all three agencies. One of the bank accounts belonging to the other individual was actually older than me! I went through the online process with each agency and got it corrected. It took a little time but wasn't that hard. Don't have the exact link but if you poke around Experian's site you should find it pretty easily.

From the recent story - Square faces rancor from merchants over customer service:

"Barry said she grew so frustrated exchanging e-mails with customer service representatives that she drove two hours to the company's San Francisco headquarters to get some help in person.

Instead, she cooled her heels in the lobby for a couple of hours. No one would speak to her, she said, and the security guards threatened to call the police. Then Square deactivated her account, saying "high-risk activity was detected."


Frankly, if someone came uninvited to my office to settle a dispute, I'd feel somewhat at risk, too.

That's not what "high-risk" means in this context.

Right, because normal, balanced people don't expect customer service anymore.

The response "I'm sorry our decision is final and we cannot communicate any further" that vendors give (Google, Square in this case, etc.) is nothing short of stomach-clenching maddening. Just reading it fires up rage inside me.

I understand why they do it -- it's pretty clearly related to their anti-fraud / anti-spam / security systems, and I understand that by giving any further information, they're exposing those prevention measures to weakness. And I'm sure in cases of real fraud / spam / security risk, this is the right approach.

But man, does it stink for everyone involved when there's a false positive (i.e. in this case). There's got to be a better way of handling this. Some sort of escalation / appeal process?

(And if there isn't -- hint hint, companies that haven't gotten big enough to be immobile on this issue: Implement one.)

There are two kinds of companies: companies that are big enough to be immobile on this issue, and companies that aren't big enough to take on fixing the US's consumer finance infrastructure.

I went through this almost two years ago, with the key difference being that I was able to sign up with Square and accept payments around four years ago (whenever they launched). I even interviewed there at one point, just like you.

After two months, they closed my account because I was living in Puerto Rico at that time and there are no partner banks in Puerto Rico. Once I moved to San Francisco and linked Square with my new California bank account, I was able to accept payments again.

Then one day I got a notification indicating that my account had been closed, and that the decision is final. I contacted Support, and they reiterated that their decision was final, and could not communicate with me any further.

It is the weirdest interaction I've ever had with a company. I still use them as a payment method and I'm a big fan of the company, but I feel disappointed whenever I log in and they remind me that my merchant account is disabled.

> I still use them as a payment method and I'm a big fan of the company

Why? If you had such a bad relationship with a company, why use them and why being such a fan? I genuinely don't understand, if I had an interaction like this, I would never recommend them.

They only banned me from accepting payments. I can still use them to pay at any establishment that uses Square, which, here in the Bay Area, is a very common sight.

Aside from the refusal to explain why I cannot accept payments, I haven't had any negative interaction with the company. They just seem unable to provide any further information, for either legal or policy reasons.

> They only banned me from accepting payments. I can still use them to pay at any establishment that uses Square

Other than that, Mrs. Lincoln, how did you enjoy the play?

I agree with the GP poster, I'm at a loss to comprehend why you continue to "enable" companies like this to continue bad business practices.

Unable to do something for policy reasons just means "we decided not to do it". It's their own policy, which they can change anytime, so they can hardly hide behind it.

Wow, amazing. I always thought Square was going to rise to top by being better than Paypal in the customer support corner. Guess I was way wrong.

So this is what millions of low income, undesirable customers face every day when they try to join the financial system by opening a checking account. What OP has experienced is the next iteration of that. What happens to society when the gatekeepers of our technologically enhanced future decide for some arbitrary, non-appealable reason that you are an undesirable and you may not participate. Everything from accepting payments via a dohickey on your iphone to even having an iphone. Or maybe the internet. Maybe you can't have the internet cause the we say so authority says they don't like the neighborhood you live in or something that was in your credit history.

I'm getting failed on a similar knowledge based identification on coinbase right now. Failed twice already. At least it's not a final decision, to their credit.

There needs to be laws against this almost certain dystopia. That's one reason why I support the EFF.

And people wonder why Walmart is so popular with the working poor. Bluebird credit cards (even takes direct deposit), prepay phones, low prices, and low friction. They were advertising health insurance last time I was in there. I do believe they had minute clinics at some places.

I'm having the same problem with Coinbase. And I'm not even under 21, like the author of the article. I'm 28 and have a credit history. But since my name is common enough, I get questions based on my own and others' histories. I even double checked my credit history to make sure there wasn't anything suspicious in there. Coinbase is simply pulling in other people's data.

I wonder if there's an identity theft vulnerability waiting to happen here. You're getting questions based on other people and you know one of the answers must be correct. I wonder if an automated system could use that to find the correct answers for a given name.

File a complaint with the:

(1) Consumer Financial Protection Bureau (CFPB): http://www.consumerfinance.gov/complaint/, and,

(2) New York State Department of Financial Services (DFS): http://www.dfs.ny.gov/consumer/fileacomplaint.htm.

This will make it more likely that you see a favourable resolution. Further, this assists due process in identifying and resolving problems in our financial system.

seems like it would be tough to file a complaint for them not letting you process. I would imagine that right (to deny your business) is spelled out in their TOS (something, which in my experience@wepay, is something that regulators fixate on).

if they were holding your money without a schedule of release, that would probably be a stronger ground for a complaint.

CFPB and DFS complaints open an officially mediated channel between you and the company. Regardless of what is in their ToS, there should be a good reason for denying services with no option for assistance than - this helps that reason get teased out and evaluated.

Further, when consumer finance issues come up in D.C. or Albany it is these complaints which inform the debate. Having no documentation means regulators flying blind.

Keep in mind that financial services are regulated, and they cannot simply TOS the regulations away. It may well turn out that there's grounds for action here, and the people who know the regulations are best-equipped to say if there is.

(3) Try Shopify's POS. I do not work for Shopify and have never used it so I cant speak for it beyond its advertised features. I have been comparing POS's lately and Shopify is cheaper and has an API to allow you to manage your inventory or allow others to make tools to help you.

(4) If you research any other POS's reply here so I can see. ;)

Thanks JumpCrisscross, I'll try that.

KBA (knowledge based authentication) is what that question-answer type of system is called. Typically companies don't implement it as the sole form of identification for the exact reasons that you mentioned.

I found it very surprising that Square doesn't provide an alternate method for identification, it's mind boggling even. Something like Instant Bank Verification (similar to what mint.com or venmo does) would be a good alternative and carries no additional overhead for Square.

If no response try the BBB and find one in your area to file a complaint so that their management has to answer you.

How the heck is the BBB supposed to force their management to answer? All they can really do is try to shake down Square for a fee.

If they don't respond, the case is marked as unresolved or something like that. Square's score will get dinged. So they have to say something (assuming they care about the BBB score).

They just have to pay the BBB tax to remove it.


That's the shakedown the GP was referring to. The BBB is a scam.

Personally, no business owner I know cares about BBB. BBB is more of a shakedown than yelp.

Just to add some context, this is a not unexpected consequence of Square's approach, which in many ways parallels what Paypal did in the ecommerce space.

Prior to Square the individual / very small business market was underserved (for real-world transactions). You had to go through a PITA application and due diligence process with a processor. And you typically had to pay significant up-front costs and ongoing fees to maintain your account.

There's a reason for that: the processor is financially liable for any fraudulent merchant charges. If a merchant signs up and puts through $10K of fraudulent charges and skips town with the money, it's the processor that pays.

So Square did two things. First it lowered the upfront costs by piggybacking mobile devices to turn them into low-cost swipers.

But the second very crucial thing they did is hidden on the back-end: they streamlined the signup process and support costs. They did that by doing exactly what you see here, using alternative ID and credit check methods. And making their customer support largely a self-service operation.

The good news is that the particular case you see here is probably fixable with continued improvement. But that's why it happened.. they are replacing an otherwise more costly and burdensome signup process with something largely automated. And there's a lot of money at stake if they screw it up and let fraudsters on board.

> The good news is that the particular case you see here is probably fixable with continued improvement.

Everything I've seen of Square suggests that they really are adopting the Paypal approach of "fuck you unless you're big enough or can rally someone big enough to make us care".

That is not fixable, really, without massive change. As much as I'm loathe to say this, I think the financial-services industry is in dire need of waves and waves and waves of frivolous litigation. If it were possible for cases like OP's to end up costing Square even a few hours of a corporate lawyer's time to get the complaint dismissed, that would be enough to tip the scale and make real customer service the cheaper option.

Really, everything? Do you have any examples to share? My impression is the vast majority of their sellers are small businesses.

Just search online. There are plenty of frustrated posts by Square users (some of them small-business owners) who've had their money held and been unable to get ahold of someone to resolve it.

I know how it used to work -- I've been following Square from the beginning. I just don't think it would cost that much to outsource verifying a DL and bank statement that I upload to their website.

"I am sorry, but our automated verification system cannot process your information, if you wish to continue, we would need to bill you a 25 dollar verification fee to cover additional information gathering."

Its certainly better than their response.

This does not solve the problem "Fraudsters will appeal their denial, happily pay the $25 fee using a stolen credit card, and then skip town with their first $X,000 in payments."

If the fee is to pay for better checking, then it's a fake $25 payment that results in a denial. And in this case square is still accepting them to make payments but not receive them, so there should be no problem with the $25 bouncing. In the general case perhaps they could demand cash for the verification fee.

You'll generally not find out that a credit card was used for a stolen payment until weeks after the payment goes through. At that point, it's too late for Square.

Sorry did a bit of editing as you replied. But I think you misunderstood the idea. The $25 is not to prove them trustworthy, it's to incentivize square to do a better investigation into whether someone is trustworthy.

It doesn't matter very much that someone could use a stolen credit card for that $25 payment, because square would deny such a person during their deeper investigation and lose less than $25 dollars total. And there is little reason for the criminal to do this because it will get one of their nice card numbers blocked faster.

Or ignore the second paragraph and charge cash for the service of doing a better investigation with responsive customer support.

Their response could be better, but you can bet that one would result in an HN post complaining about it too.

That sounds great. Bill, wait for money, and return it after the identity is verified?

Well, if their identity verification services are a sunk cost, then no, don't return the money.

If they verify the identity and know they are going to make it back in fees or however square does business, then sure.

$25 gets, what 1 or 3 hours of unskilled labour? How good investigating can that get you?

Again, fair argument, the 25 dollars was just me throwing out a number. If you want to get better identity checking the underlying idea is you can push the burden of cost onto the user and make them pay for it, because they are going to make money for themselves by using your service.

So what would be a fair cost? $1,000? Imagine what this blog post would be like with that 'cost': "Strip won't let me sign up unless I pony up a shake down fee of a grand!"

You can automate the DL verification process using Jumio. You hold your DL in front of your computer's camera, Jumio reads the info, and verifies the information. IIRC, Western Union uses Jumio for this very purpose.

...what? I as a consumer would not trust handing over any identifying information to some paid-by-hour/contracted schmuck in a internet cafe in Asia.

Of course not, but you might trust them to the same verification outsourcing companies that already handle your identifying information whenever you apply for a new job or sign a new apartment lease.

I am all for automation - but this is the same problem as Google has: there is no human intelligence available for the rare cases where the automation does not work.

The comparison to Paypal is funny. Paypal has decided that I don't exist, or, if I do, that I'm somehow ineligible to buy things through Paypal using my credit card.

Buy. Things.

If your site does payment processing through Paypal then, through some accident of account processing or technology or the history of my account, I can't use any of my 3 payment cards to buy what you're selling, because Paypal believes it needs to (for reasons passing understanding) link directly to my bank account before any card with my name on it can be used through Paypal.

You can purchase through Paypal without logging in, there's a little text link at the bottom of the purchase page under the "sign in" box. They'll also taunt you if you enter a [mandatory] email address that matches a known account, but this is also skippable.

Paypal demands a login when I use any of my cards. Then, when I log in, it demands that I verify my bank account.

It's a trick. The verbiage on the page strongly suggests you have to log in, but there is a little link or something to skip it. It has been a while since I bought through paypal, but I always skipped it because it was so much more of a hassle to log in.

No, I think this means PayPal recognizes tptacek's CCs and forces a log in. Even with a new card, perhaps they'll just base it on the name and refuse to process it without an account login.

Even with a new card? Are you sure? That'd be surprising, given the overwhelming duplication of first name/surname combinations.

I think you're referring more to the "jlee" and "rsmith" combos than the "tptacek" ones.

Paypal fairly recently switched from "login encouraged" to "login mandatory".

I bought something this morning without having to login..

If your credit card is in their system then the only option is to login.

Did you ever dispute a charge or have an incident with PayPal? They will block users forever (or a long time) I've seen the error code on the other side. Basically "PayPal doesn't like this guy due to a past issue so he's not getting through"

weird. PayPal actually suspended my account the first time I sold something, but I just called them and they fixed it. That's why I said PayPal > Square.

Oh hell, anything that gets in the way of swiping or typing a credit card loses sales. Also, it's really intrusive without much WIIFM.

I thought that what guest checkout is for, even though it's a per-merchant configurable option: https://www.paypal-community.com/t5/About-Business-Archive/G...

I am seeing some parallels between how Paypal operates and deals with their customers and how Square deals with their customers, you know the ones that make them profit from the fees they charge for using their service? Sadly, this is how big commerce works. You try and try to get a human response and you're met with the old favourite, "Our decision is final" nonsense.

I recently encountered this with Electronic Arts and their Battlefield 4 game. I forked out about $150 AUD for the base game and premium addition only to be informed my account has been permanently banned after coming back from a month in Europe on holiday because they said I was cheating. Well actually, they wouldn't give the exact reason, but that was essentially what their response implied. When I asked for whatever proof they had, they said our decision is final and we can't show you any proof.

I am in the process of getting a refund as I paid by credit card, but this is definitely a commonly recurring theme amongst larger companies who struggle to deal with their customers and ultimately retain them. What kind of business model punishes their customers?

Good luck, I think you have a real chance of getting some human response now that this is on the front page of Hacker News. My understanding is that this is how people get responses from people over at Paypal as well, create a loud enough noise for someone higher up to respond as to avoid a PR nightmare and get your problems resolved.

From the fine print on the linked Identity Verification Service page [1]:

>Due to the nature of the origin of public record information, the public records and commercially available data sources used in reports may contain errors. Source data is sometimes reported or entered inaccurately, processed poorly or incorrectly, and is generally not free from defect. This product or service aggregates and reports data, as provided by the public records and commercially available data sources, and is not the source of the data, nor is it a comprehensive compilation of the data. Before relying on any data, it should be independently verified.

I'd guess the failure rate of using this service was deemed an acceptable trade off to implementing an independently verified service.


That's true--every system will fail. I took issue with Square because the humans supposed to fix things when it fails are not allowed to do anything (company policy?). Amazon and PayPal people were helpful.

"Dorsey likes to make fun of PayPal, for people my age, Square’s user experience is usually orders of magnitude worse."

That will leave a mark.

TL;DR => go to the top.

First, I had worked for one of California State's departments as a contractor, but hadn't been paid in two months. I called my State Senator, said I had working for the California in his district without pay for two months, and that I needed his help. I got paid the next day.

Second, I had been wrongly charged over $10,000 USD at a city hospital, and hadn't been able to fix the situation. I contacted the Mayor, explained that I was being charged for a service I didn't receive, and asked for his help. The bill went away.

Last, American Express sent me to collections (related to the hospital bill above), and the collections agency was trying to con me into paying more than I owed. I called the office of American Express' Chairman of the Board, and asked if they could help me deal with the collection agency's shenanigans. They pulled my account of out collections, and started dealing with me directly.

Recommeneation => track down Jack Dorsey or someone on their board, and explain the situation. It just might work!

Getting a blog post on HN is the equivalent, no?

(Disclaimer: I write fraud detection algorithms for Eventbrite, and work closely with the team that built the fraud systems at PayPal.)

I'm sorry this happened to you. I personally believe the burden of proof should be on the company. However, that some choose to err on the side of caution is perfectly understandable.

The thing is that companies that handle credit card payments are very vulnerable to fraud because they are liable for consumer chargebacks [1], at least in the US. This is particularly unfortunate since US cards also happen to have pretty poor security (which also has probably something to do with the fact the merchants are liable, and not the banks). Stolen credit card numbers are extremely easy to obtain (cf. Target breach) [2], and once this is done fraudsters have basically two main ways to extract money out of it:

1) Use the card number to make purchases online, or better yet, find a self-service platform that lets you become a merchant then purchase your own offerings (eBay/PayPal, Eventbrite, etc.).

2) Duplicate the card (made much easier by the US' slowness in adopting chip-and-pin), and use it to pay for goods or to load the money on some account. Square is perfect for this since you own the card-reading device, which makes it much less risky than attempting to use a duplicated card at an ATM or at a retailer.

Now, the problem is that you potentially need a lot of cushioning to withstand fraud attacks: while the processor only makes profit from the transaction fee, they are liable for the entirety of the charge, so one single fraudulent transaction can wipe out the profit of thousands of good ones. Being attacked by a fraud ring for hundreds of thousands or even millions of dollars in a single day is not impossible (in fact we've seen this happen, and Eventbrite's transaction volume is much smaller than PayPal's or even Square's), so this is a lot of risk to take on for a company, especially a startup.

Regarding the bad customer service you've received, there is a specific reason why companies often decline to comment on fraud security checks: by allowing you a way of recourse, they would be disclosing information about how their system works, which makes it potentially vulnerable to attackers. For example, if they said "sure, just send us a copy of your driver's license and we'll lift the ban", this would be a signal for fraudsters to try to fake such documentation.

Overall, it's a complex issue and unfortunately frustration is part of the game (trust me, if PayPal could have found a way to make operations smoother and less frustrating, they'd have done it). At Eventbrite we've chosen to assume this risk and be more liberal with verification because we decided that providing a good user experience is worth losing some money over (and because we have faith in our ability to keep up with the fraudsters), but this is a decision every company that handles money has to make and it's not an easy one.

[1] http://en.wikipedia.org/wiki/Credit_card_fraud#Merchants

[2] fun fact: you'd be surprised to see how big this underground economy is; it's so well-oiled that some sellers even provide customer service on the credit card numbers they sold, and offer money back guarantees if the card has already been deactivated

It's attitudes like this that make life miserable for a minority of people.

Google: Our products work for most people. If they don't work for you, we won't support you. Good luck with our competitors.

Paypal, Square: our fraud prevention metrics are generally reliable. If you're a false positive, we won't serve you. Good luck getting your money.

Comcast, Time Warner Cable, etc: Our Internet services work pretty well for most people. If they don't work for you, enjoy spending an hour or more in customer support hell. They may solve your problem. If not, good luck getting home internet from our non-existent competitors.

Imagine if the rest of the world worked like this:

* People whose legs work can use the toilets here. In a wheelchair? Good luck finding somewhere else.

* Only people who can drive a car can get state-issued ID. Can't drive? Good luck not officially existing in the eyes of many.

* Only people without a history of chronic illness can get free health care. Pre-existing condition? Good luck with your third job to pay for your treatments.

It is absolutely Square's prerogative to determine who they will and will not serve. And if you choose not to serve someone because they are an inconvenient minority, it's your call. And it makes you kind of a jerk. Expect to be called out on it.

Square: you are PayPal. You are Comcast. You are the old and busted status quo that the new hotness will usurp one day. Don't like it? Prove it otherwise.

He did a pretty good job explaining the problem which seems quite complex. Cut the guy some slack, it doesn't sound like he is in a position to make necessary changes, such as making the banks liable for their own crappy security procedures.

There are two kinds of attitudes one can take:

1. It's a complicated problem. I will explain to you why it is complicated. Now it is your problem.

2. It's a complicated problem. I will own the problem. I will insulate you from the problem as much as possible.

It's not pyduan's fault, and I'm not asking him to own the problem. But explaining why the problem is complicated or excusing bad behavior because it stems from a complicated problem is an active barrier to actually fixing the problem. How many indignities do we suffer daily simply because complicated problems have entered the status quo and become our problems?

Hard problems should be challenges, not excuses.

I think you may have misinterpreted my comment (you know I don't work for Square right?).

> Hard problems should be challenges, not excuses.

Which is precisely why I mentioned in my original post that my preference (and Eventbrite's) goes towards doing the opposite and trying hard to give the user the benefit of the doubt. By doing this we expose ourselves to more risk because we want to transact with everyone -- without risking to disclose too much about our policies, you'll notice our system is very tolerant for mistakes and missing inputs, and in case something does go wrong we have a dedicated support team to deal with these issues. This makes building and training our algorithms that much more complicated if we want to keep our risk profile in check but it is a trade-off I'm happy to make, so I'd like to think I'm not guilty of what you're accusing me of.

Overall, my point was just to provide some context on where Square comes from since OP seemed confused about what they perceived as a ridiculous policy. The comparisons you picked (Comcast, Google) are a good example of why it's interesting to talk about fraud (which is a topic we rarely have in mind when building or using payment services): fraud is not a simple inconvenience for startups -- it's something that can potentially put the entire business at risk, so you have to have both the ability and the willingness to take on that risk. In the absence of controls I can think of many ways to defraud Square out of millions of dollars in the matter of hours. They're strong enough to take the hit it now, but one single such attack while they were younger could have put their success in considerable danger had they not taken some precautions.

Of course this is no excuse for not having a friendlier or more reactive support, but Square or not Square I just felt this is a topic worth bringing to the spotlight.

I realize you don't work for Square...

I took exception to your comment not because I thought you were representing Square but because it seemed like your comment was using "fraud prevention is hard" as an excuse to defend Square's treatment of OP.

> I just felt this is a topic worth bringing to the spotlight

It's always good to have an experienced, rational explanation of why a company might have engaged in some seemingly-ridiculous behavior. Thanks for providing that. Unfortunately, such an explanation often gets used as a crutch or an excuse for not aiming higher. How many years did individuals and small businesses have no recourse from PayPal before Stripe, Square, et al. came along? Do we really want to have that long of a gap again just because the new incumbents can hide behind the same "it's hard" mentality as the old?

So while I'm sorry that I interpreted your comment incorrectly as defending the "fraud prevention is hard so let's marginalize the minority" argument, I wanted to make sure that I expressed my dislike for that mindset before it took hold.

So while I'm sorry that I interpreted your comment incorrectly as defending the "fraud prevention is hard so let's marginalize the minority" argument, I wanted to make sure that I expressed my dislike for that mindset before it took hold.

So you're saying you were in too much of a hurry to jump on his back to read what he wrote? At least put the apology at the top of your comment rather than at the end of all the excuses.

>> Unfortunately, such an explanation often gets used as a crutch or an excuse for not aiming higher. How many years did individuals and small businesses have no recourse from PayPal before Stripe, Square, et al. came along? Do we really want to have that long of a gap again just because the new incumbents can hide behind the same "it's hard" mentality as the old?

What's the solution here? If I assume you aren't advocating legal requirements for how easy companies have to make verification (which, let's be honest, is a non-starter since laws generally make it harder to verify than easier), the only real solution is to call out companies that do this, which should in turn spur competition from those who think they can do better. It's unfortunate that it takes as long as it does, but I'm not sure if there is a better system.

That said, writing this post is exactly the type of response that should encourage improvement and competition.

I'm not sure, at an implementation level, what the solution is. But I know the only way to get there is to not view the problem of fraud prevention without alienating the minority to be an insoluble problem. And that's the response my comment was intended to provoke.

You seem to be demanding that someone somewhere make the problem go away. Personally I hope whatever grows out of bitcoin (maybe even bitcoin) makes it go away. It's a hard problem. It's not ideal for customers, merchants or payment processors.

The reality is that it's not solvable right now without compromises. Transaction fees are high until it get solved. It could take 5, 10, 20 years. We won't know until it gets solved. Big hairy problem. I don't think it's fair to get up and demand this be solved.

Who are you making this demand to?

I'm not making the demand that anyone solve the problem. I'm making the demand that we not view the problem as fundamentally insoluble.

There are several categories of service which are in this category where a private company's decision not to service certain customers amounts to a problematic (and sometimes arbitrary) discrimination. Credit cards & financial services, payment processing, insurance (auto, health, tradesman etc.), some rental markets. There are a bunch.

These tend to be oligopolistic or monopolistic markets where where decisions are made methodically by algorithms, actuarial & statistical analysis & such. Low margin industries.

The problem is that accessing health or financial services is something bordering on the realm of human right. I understand and sympathize with the objection to the proliferation of"positive" rights. The "right to housing" for example has been tried and (not everywhere) failed or at least caused a lot of collateral damage.

But, I also sympathize with the statement that access to (for example) financial services is pretty fundamental and needs to be accessible to everyone in order to maintain a base level of egality necessary for democracy. So if by whisky you refer to…..

It's a hairy problem. I think square & paypal should make it a priority to be fair in a common sense way, even if it raises costs somewhat. If not, they will eventually get stuck with ombudsmen or regulators.

> * People whose legs work can use the toilets here. In a wheelchair? Good luck finding somewhere else.

So you're saying a business discriminating based on credit rating is equivalent to discriminating against the disabled?

I think he's saying that businesses discriminating based on incorrect credit ratings when in fact the person is demonstrably credit-worthy, and it's the business who is at fault for not checking correctly, and not providing an alternative route to getting things checked, is somewhat analogous to discriminating against the disabled.

In each case it's not the customer's fault, and the customer should not be discriminated against. It's not an equivalence, it's an analogy. In each case the business is denying service for a reason that is not the customer's fault. There is an analogy to be drawn, even though it's not an equivalence.

I think here it's not a matter of "credit worthy", it is a matter of, "does this person exist?"

@ColinWright - From what I understand, Square's verification exists to make sure the person signing up is who they say they are. So if I find someone's social security card on the ground, or guess the SSN (not that hard in some cases), I can't sign up for Square pretending to be that person. I don't think they are running credit checks. Their provider simply scrapes credit reports as an additional source for questions ("Which of these banks do you have an account at?" or "What's the street number of your first mortgage?")

We're using the same terms in slightly different ways. You're talking about acknowledging that someone really is who they are, but being unwilling to extend them credit. I'm talking about not being willing to extend credit to the entity in question, whether they are who they say they are or not.

It's a genuine distinction, but perhaps it doesn't really matter. Perhaps it does, but regardless, we're not really disagreeing. Square is refusing to provide access to the individual because they claim it is risky to do so. They're saying it's because they can't confirm his identity, but it's still a refusal to extend "credit" to an "individual."

I'm pretty sure Square knows he exists, especially given that they allow him to accept cash payments. The title is (possibly justified) hyperbole. They know he exists, they just choose to ignore him having decided he's a bad risk for some of their services.

> People whose legs work can use the toilets here. In a wheelchair? Good luck finding somewhere else.

Sounds like a lot of Europe.

Which part of Europe have you been?

In the last 2 years? Holland, Germany, Austria, Spain, Portugal, Denmark, Poland, Czech Republic, Slovakia, Slovenia, Croatia, Hungary and Italy.

Or all of Asia

Which is precisely why things don't always "scale" elegantly. There's always someone, somewhere, some how having an exception to the rules of your system.

Everything you said was true, but that wasn't being debated.

The point was that Square has terrible customer service. The other payment co's mentioned actually support people with this problem.. they allow the user to mail proof of ID.

Square doesn't pay enough people to work support, instead opting to deliver an artisanally crafted, gorgeous "Fuck You".

The thing is, "but fraud and chargebacks" are not an excuse for treating people like shit. If you can't provide even the bare basic minimum of customer service, you deserve to be bankrupted by a competitor who will.

> ... To treat people like shit...

Don't you think it's an overstatement? At least They responded to his question and he did not lose any money.

He didn't say he was ignored, he said he was treated like shit. I would say his description is pretty accurate.

Actually he did say he was ignored. He said nothing about being treated like shit.

This makes sense. These policies are probably warranted for actual credit card companies. But, the OP's grievance was with Square, which isn't liable for fraud and probably doesn't need to use such excessive security.

Frankly, it often seems as though many consumer financial companies (like Mint and Square, etc.) go out of their way to make their service harder to use simply to increase their "legitimacy."

Sites like Mint refuse to remember login information and automatically log users out after a short period of time. As far as I'm aware actual bank account can't be accessed from Mint; data is only reported. In the grand scheme, this information is not particularly important.

It would be far more catastrophic for someone to gain access to my email account or social network profiles (where they could actually do damage) than it would be for them to learn what (little) I have in my bank account. Yet, we all survive using only standard security on most of our other accounts.

Moreover, there seems to be a huge disparity between credit card security in the real world and credit card security online anyway. In the real world, I hand my credit card to numerous people with whom I have no relationship and whom I can't trust at all, every single day. No one thinks twice. Yet, when someone wants to look at their bank statement, they need to bend over backwards. It just doesn't make sense.

Integral pieces of the financial apparatus might need to be totally secure, but consumer web apps that don't ever handle money don't, and should put user experience first.

>This makes sense. These policies are probably warranted for actual credit card companies. But, the OP's grievance was with Square, which isn't liable for fraud and probably doesn't need to use such excessive security.

I think the parent comment (which seemed fairly well informed) actually says the complete opposite of this, that is, not only is square liable, they are specially exposed.

Square is absolutely liable for any fraud. They are playing the role of the merchant in this chain. The cc companies will push any chargebacks to Square who, because they have decided to take away the security of a traditional merchant account, have little or no ability to reclaim funds from their merchants, especially fraudulent ones.

Additionally, if the fraud and charge back rates get too high, say over a few tenths of a percent (!), the cc companies will either cut them off or raise their interchange rate -- either one kills their business model.

>This is particularly unfortunate since US cards also happen to have pretty poor security...

I remember reading about someone (or some startup) trying to address this issue by using public key crypto to address the short-comings of credit cards in the states. The fees were supposed to be substantially lower and the major sources of fraud eliminated. But they kept hitting an invisible wall with every financial institution that was pitched the idea. It was a fascinating read (be sure to read all the parts).


Seriously: Why doesn't the US implement chip-and-pin?

> Why doesn't the US implement chip-and-pin?

The consumers don't implement chip-and-pin because they don't control ANYTHING.

The retailers don't implement chip-and-pin because they buy their point-of-sale terminals from some supplier and they choose the cheapest one, which only has a magstripe reader, not a chip-and-pin reader. They're not losing any business this way because everyone's card supports magstripe readers.

The card issuers are actually kind of interested in chip-and-pin, and have been for a couple of decades. But there are some serious problems. The cards cost more, and it's not fun to shoulder that expense without some benefit. Worse yet, the chip-and-pin cards are harder to use (you have to memorize a pin) and that loses customers. A couple of experiments with more advanced cards (notable the American Express Blue Card which had some SERIOUS advertising money behind it) have been abject failures.

But this is all about to change. The rate of credit-card fraud by organized crime has finally reached the point where the credit card companies realize that they MUST act. While some of the cost gets pushed onto merchants, the majority is absorbed by the credit card companies and that's cutting into their profits. They can start issuing chip-and-pin capable cards, but it won't help because there aren't any reader terminals in the US. So they've found a way to fix that problem: by pushing the cost onto someone else.

Starting in late 2015, any card-present transaction done with a chip-and-pin capable card (or chip-and-signature which will be used more heavily in the US because of that usability issue) which is found to be fraudulent will be the liability of the merchant, not the credit card issuer, if the merchant had a magstripe-only card reader. This, they hope, will finally change the US infrastructure, motivating major retailers and mom-and-pop small businesses throughout the country to spend collectively 100s of millions to billions of dollars on new card reader hardware.

SOURCE: I work for one of the top US credit card issuers.

I work as a retailer in Canada.

When the banks issued people chip and pin cards, we upgraded our terminals. We had to because people needed to use the chip and pin cards. We didn't have an option to resist it because all that does is harm our ability to take payment.

I also notice though that from consumers, interac debit seems to be more popular than credit cards for general purpose, and those have always required a pin.

Does the US consumer primarily use credit cards? Or do they at least use them more than Canadians (or maybe Europeans?).

I can see the difference in behavior between knowing a pin and not having to being a big difference in consumer adoption, moreso than retailers being willing to accept the cards. Like I said, when we had chip and pin introduced years ago, we just had to be able to support it whether we wanted to or not unless we wanted to start turning people away.

But if consumers have always used primarily credit cards or cash, I can understand them avoiding the move towards having to remember a pin.

The way that it was dealt with here is: If the merchant has a magstripe-only reader, my card will not be accepted. Everyone card is a chip and pin card, and people rarely carry cash. If you don't upgrade your hardware, it's not just a matter of being liable for fraud, it's simply that you can't continue to do business.

Hi, Canadian immigrant to the US. People in the US tend to use debit cards tied to their bank accounts which are also Visa / MasterCard cards. These cards can be swiped as either a debit card (requiring a PIN, similar to Interac) or a credit card (requiring only a signature, or nothing at all in some cases, like a gas pump). They don't force you to use it as a debit card because that would preempt certain transactions, like online ones. (My theory is that this is part of why the US has a far bigger online economy than Canada, beyond simple population density.)

Canada also has far stronger central controls on, for example, their banking system than does the US. In the US, such things would be considered onerous government regulation, even if the long term impact was positive.

Interac is a Canadian-only thing, BTW.

I believe other European countries have something similar to Interact (a universal terminal for debit cards from different banks)

What are the hardware costs per chip-and-pin reader?


It doesn't seem like such a big investment for a mom and pop. Wal-Mart/Target would have to buy 50-75 per store but the costs would be relatively the same.

Whether or not it is "a lot" depends on a lot of details like what price you're getting offered, how big your profit margin is, and how much you have to pay to the person who installs it, configures it, and trains you to use it. These costs may be much more than $500.

Empirically, I can say that despite the credit card industry asking nicely, almost no merchants anywhere in the US have installed pin-and-chip readers. (Of course, there has been essentially no benefit to them either.)

So, I guess as soon as the benefits outweigh the costs, just like any other business decision, retailers will be installing chip-and-pin readers here.

Exactly. That's why I think the threat of having to shoulder the fraud risk will encourage people to upgrade. Not only is it an additional cost, it's an UNKNOWN cost, which is quite scary.

> Seriously: Why doesn't the US implement chip-and-pin?

Chip and PIN was shown to be flawed in 2010 at CCC[0]. This isn't why the US doesn't use it, but it it's a bit of a disaster in its own right.


Interesting! I don't have a strong enough background to know if Ron Garret's suggested protocol is superior to chip-and-pin or falls to the same sort of attack mentioned in the link, but surely a strong and water-tight implementation is floating out there somewhere in the collective ether.

The problem is presumably getting everyone to agree and move at once. Same problem with all the early 90s Internet protocols. Chip n PIN really messed up though, it was a big opportunity for change.

Chip-and-pin is actually starting to roll out now, with a deadline for some types of transactions in October 2015: http://www.qsrmagazine.com/exclusives/are-you-ready-emv

That's annoying, now that it's been broken let's roll it out. Why not do the next big jump in payments, and just totally skip over chip and pin?

Thanks for the insight -- that makes a lot of sense. I guess you could forge a driver's license with a skilled Photoshopper on the team, since those are hard to validate. (as a consumer, it's still frustrating though.)

> by allowing you a way of recourse, they would be disclosing information about how their system works, which makes it potentially vulnerable to attackers.

Then companies, like the one you work for, need to band together and lobby for change. This is classic 'security through obscurity' bullshit and its hurting user experience.

I already know what fraud detection system paypal uses:


This kind of informed comment is why I love HN. Thanks.

As someone who has never used a credit card and never will due utter disgust in that they can't even get basic authentication right, here's a big fuck you. I am a constant victim of retarded sites that try to pin down some identity other than a password to users. Trying to identify people you don't know is plain bullshit, and the industry should stop. Why the fuck do I have to prove who I am to a computer? This is like trying to explain to a lemon what color is. The only thing all of this bullshit amounts to is that id fraud is incredibly easy, because nobody knows what information they are supposed to protect.

Stop fucking using IP addresses in conditionals. Same goes for anything else that is not a username+password or unguessable token. Period. If you're in a job that's prolonging this behavior, quit. There is an endless supply of places you can work at if you're a good developer.

I had a similar experience recently when I tried to get my free annual credit report. To verify my identity they asked me questions about my financial history, mainly about my credit history. Well, I haven't had a loan in many years, so they had to dig deep into the archives and asked me about the monthly payment amount on a car loan that my wife had over ten years ago. My financial records actually go back that far, but hers don't, so I was unable to "prove" that I am me (with "prove" in scare quote because IMO it's highly questionable whether getting the right answer on a multiple-choice quiz can possibly "prove" anything about anyone).

I also had a similar issue trying to set up a fedex account over the phone. I couldn't do it online because their site was down. I called over the phone and they made me answer a bunch of questions from over 10 years ago. Since I missed 2 questions they refused to set up an account for me, and refused to ask a new set of questions. It was infuriating.

I was asked about the term for a car loan I had and I had absolutely no idea what it was. I never knew because it wasn't important to me, I had no desire to pay the loan for the duration of the loan - so I just went for the lowest interest rate I could find and no early penalty. I had my own payment plan that was a year long that I planned for and followed.

And don't be forgetful or old... I'm way over 60 and since I cannot remember names and places I lived 30 or 40 years ago, I am constantly locked out.

So if they have the data, why couldn't a pirate, NSA officer or errant banker?

Perhaps a better test is what I choose to forget.

I really dislike these ID verification services. I had my identity stolen about a decade ago; worked it out with the police and credit bureau. To this day, I still get verification questions related to the fraudulent credit card account. Do I answer truthfully and not get verified, or play the game and choose the "correct" yet wrong answer? (answer: play the game.)

So could I potentially vex an enemy by trying to sign up for Square in his name, and blowing the questions, so that he gets banned from Square?

(I realize I could possibly answer this experimentally, but I'd rather keep this theoretical)

You could even automate it using the white pages I guess.

The whole "Prove you are who you say you are by answering questions a fuzzy computer system says you should know" seems very Kafkaesque.

It's sort of funny, that all three verification questions listed would be answerable by an attacker, but at least two would be easy for normal people to get wrong.

would they be correct by an attacker?

If she knows anything about the target (glossing over the fact that the actual target is square), an attacker could get correct answers with high probability. Twitter, FB, LI, etc. provide people the target is likely to know. In many locales you wouldn't even need an exact address to know which streets cross which other ones (although frankly how hard is it to know someone's address?). And of course there is a direct mapping from social security numbers to states, so asking the SS question in that fashion adds no security.

All of this ignores the fact that these are multiple choice questions. Attackers don't have to win every time. 1/64 of targets would be vulnerable given no knowledge whatsoever. This is just an upper bound on how useful this set of questions is for Square, while the rest of TFA constitutes a convincing lower bound on how harmful they are to those who would legitimately use Square.

I like how I had no problem, when I was sixteen, setting up Paypal so that I could buy some random components for some old PDA's from china on ebay.

But this is seriously upsetting, the tone of this writing wants to rip my heart out for the author. I can only wish that this gets resolved decently.

His comparison also reminds me how Amazon's customer service is absent as much as possible. Automation and all that. Yet on that topic, it seems people don't mention Google as much. (I wonder if they filter that out in their results..)

Amazon customer service absent? They have some of the greatest customer service I've ever seen. If I need help with my Kindle, I can click a button to get a human to call me immediately, so I don't even have to pay for an international phone call. The one time Amazon sent me an incorrect parcel, I got connected to a real human who initiated an immediate & instant refund while I was talking to them and let me keep and/or sell all the items I'd received mistakenly. For such a large company, Amazon's customer service is really good. (I agree that Google's is nowhere near as good, though.)

If you're flagged by them as an unfit marketplace seller (weird that this can happen when you've never sold a thing on their marketplace before) then their support is horrendous. They get a person to explain politely that there's no appeal, they won't say what the matter is, and they just don't care if you're now tainted for life by the last person who lived in your apartment who apparently was shady.

Ahh I see, I wasn't thinking from the perspective of a marketplace seller on Amazon.

I do know that in fraud prevention it's common to not explain what the problem is, because it tells fraudsters which filter they've tripped (and potentially how to evade it on their next attempt), but it certainly doesn't help genuine people caught in a false positive.

As a customer, yes, they can be (are) great. I have close to 1,000 orders in seven years, tens of thousands of dollars.

Yet I sold a camera lens on Marketplace. Perhaps the tenth thing I'd sold. I was willing to be patient to get a better price. Nine items sold, no problem.

This one arrived three days after the "expected delivery date". The buyer complained, and my Marketplace account was canceled. I could appeal. I pointed to history, inclement weather. Said I'd be willing to be flagged "Fulfilled By Amazon-only", if that was possible.

"After review, our decision stands and you will remain permanently disqualified from using Amazon Marketplace."

I ran into a similar issue trying to get verified by Coinbase. I answered all of the questions truthfully, but still failed. After 2-3 times I just began to brute force it. It turned out that one question in regards to a duration of time was completely wrong. Luckily Coinbase let's you do it as many times as you please, just with a 24 hour pause between each try. Come to think of it, they should probably send you an e-mail whenever an attempt it started.

I enjoyed reading all the explanations for why this is a hard problem to solve but it really boils down to a simple problem: customer support.

Any decent support operation would actually talk to this guy, provide workarounds for their broken system (which is clearly broken for this particular occurrence), apologize and promise to improve things.

The fact they they provided a shitty service would be the top on my root causes list.

There are also lots of reports online regarding Square holding payments to sellers, without much info why. Plus they have no phone support, only an email address.

This was much more frustrating than I might have expected when it happened to me on Amazon marketplace. My girlfriend listed some books for sale and was a model citizen of the ecosystem, but they killed her account and held her money for 90 days after the first book sold. When I went to sell some things a few months later, my account was closed minutes after opening it. I have a stellar rating on ebay with 15 years' experience, excellent credit, and a long history as an Amazon customer.

After living in that apartment a bit longer we got some mail for old tenants that seemed to indicate some sketchy activity. I believe they may have been fraudsters. However, despite several emails and calls to Amazon I am told there is no appeal whatsoever any reason, and that's that. The callous disregard for customers is breathtaking.

Needless to say I use DigitalOcean, ebay (that a company can be more user-hostile than ebay is shocking) and avoid Amazon whenever possible.

And people keep asking what the advantages of BitCoin are over Paypal/Square/Credit Cards/you name it.

At the cost of removing any buyer protection whatsoever.

A lot of that buyer protection is only needed because of a system that is prone to fraud because of bad design. ie: your employee can steal your customers credit card information and sell it. That kind of fraud is _not_ possible with Bitcoin. So the one thing that is left is the case where a company is dishonest and doesn't provide the product or refund. There is no reason that the dispute mechanism has to be linked to the payment that problem can be solved over time for those who want it.

While agreeing this is a useful feature, it can be offered by marketplaces just as good, if not better. For example, Silk Road (where everyone was necessarily anonymous) had an escrow service which worked just fine.

At least from the scuttlebutt I heard, almost all sellers on Silk Road required new buyers to release the money from escrow before they'd ship anything, and some of them were taking advantage of this to selectively rip off new buyers.

As a long term employee at PayPal, it has always amazed me how much of the bad rep we carry is because of the abstractions we bottle and sell as a company. Money, banks, credit, identity, regulation, fraud, cash, etc. are all loaded, fragile and complicated systems on top of which online payments is built and it is a very different problem as compared to sending and receiving e-mail. Money itself is thousands of years old and is not an invention of the internet. It is done differently everywhere and the sheer number of middle men involved is expected but still mind blowing.

A good payment system has to fix the leaky abstractions below it someday somehow, to be really great.

Well crap. I have social data for millions of people. I could put togeather a backup version of this easily. Does anyone have a use?

Square is just another PayPal and I don't understand why people can't see that.

Because it has a pretty icon.

You have to be 18 to sign up because you need to be able to sign a legal contract.

I would just work with Braintree.

I was implementing payment system for https://appenlight.com from paypal to some other solution that would not require paypal account. We've evaluated Braintree and Paymill - as App Enlight is european company, so our options were limited. Before Paymill took its time to reply to me (~22 days), I already managed to validate, sign all the papers and actually implement Braintree solution to our application.

One more thing at first Braintree support told me they might not be able to work with us because of some restrictions on company legal form by processor bank, but after I have sent them all the documents, everything went fine and got approved. Maybe you can try with them.

You mentioned that your name is common, and reminded me reading about the frequency of certain Chinese surnames. So I looked up this:


I'm making an assumption that your ancestry is Chinese, I believe it is even more popular in Taiwan.

Apparently, according to a summary of the 2007 census there were 7 surnames which were shared by over 20 million people, of which one of them was "Chen".

For a comparison, the article also mentions that the most common surname in the USA, "Smith", is occupied by 2.4 million people.

Let's look at some population estimates:


China is estimated to have 1,360,720,000 people, whereas the USA is estimated to have 317,559,000. The first article states that the frequency of "Smith" is about 0.84%. A quick calculation on the old python interpreter gave the frequency of "Chen" as roughly 1.47%.

What surprised me reading those two articles is that the USA is the third largest country by population.

I though I'd look to see if my surname, "Tucker" (no prizes for guessing which expletive it rhymes with) was popular in the UK. I first looked at this:


... Listing the 50 most popular surnames. I didn't find it, but the list has a column titled "Associated Town" (I was not aware of this convention). At the bottom of the list is "Davis", which is associated with the town of Gloucester, my home town. I'll have to look a bit harder for its actual frequency, it is also used as a first name for both boys and girls. My first name is "Robert", which can also be used as a surname if appended with an 's'. I could have been called "Robert Roberts", or "Tucker Tucker". Reminds me of Rik Mayall's character "Richard Richard" off that vile comedy "Bottom", while co-star Ade Edmonson's character had the charming name of "Eddie Hitler".

Come to think of it, what's the etymology and frequency of "Hitler"? ....

"The surname Hitler is a variation of Hiedler, a surname applied to those who resided near a Hiedl ('subterranean river')."

Cheers, I had a look and I found this, very interesting:


It's trying to be a non-repudiation system based on something only you and they know. Unfortunately, without a credit history or paying utility bills, credit sources alone aren't enough. So why not use other facts such as partial DoB, partial SSN, parent/s SSN, etc. only when no other details are available? It's not ideal, but it's better than either losing business or falling back on something much less secure eg facts that are in the public record.

I always seem to fail these kind of identity verification systems. It has made it a pain to get a bank account online and to get a credit report.

It's time for us to understand that Square is the bare-bones bottom-of-the-market provider. Just because they seem slick and high-tech doesn't mean they're Apple. They want to be the Wal-Mart of payments, driving down their costs at every turn. There's nothing wrong with that, but it's something that we, as potential customers, have to be clear about.

Walmart understands that being on the low end requires an attention to the realities of the low end, Square doesn't seem to get that.

This is another problem with payments that rely on the Credit Card rail. I hate the credit card rail. The CC rail doesn't know who you are, it doesn't know anything, isn't convenient online, and charges merchants insane fees. Forget it, unless you want to pay with money you don't have (aka credit, aka how only 30% of consumers use CC's)

I know that names are somewhat holy to some, but your legal name is another matter. User Kevin Chen, but change your legal name to include a middle name. Preferably something unusual but fluent.


Legally, I do have a middle name, and in the United States, it narrows things down to just me. But Square does not take it in their signup form.

I'm in my 40's and have this problem with any system that attempts to use this method to identify me. My father has the same name as me. (I'm a II not a JR)This seems to be too much for these systems to handle. I've never managed to authenticate successfully with this sort of system.

This is the same kind of issue I've run into with T-Mobile and their adult content filter. I can't turn it off because they use financial data to find out if your 18. So because I didn't have student loans or a credit card I can't disable it without going into a store.

If you visited and interviewed there, I'm assuming you tried emailing one of your contacts?

Welcome to the world of financial services. They're not designed to help you.

I want to quickly chime in as well. I don't want to defend Square, but they are simply using a service and are relying on its information. It sucks that your account didn't get approved, but I do not agree with your final statement: "Design is how it works, not how it looks.". Square uses a third party service, and I actually know which one it is. They regularly update their information, yet there are still issues with identities, as it is not a perfect "science". Square definitely did the best to their ability, but due to the fact that they rely on someone else, it won't be perfect. I have worked with the provider in question myself, and I know of the pitfalls. I believe Square definitely solved the issue as best as they could considering the limitations.

How is refusing to offer any other way to verify identity solving the problem well? The poster was able to fax identification to PayPal and other companies to be able to sign up.

Taking the decision of a data set that is known to have flawed data on at least a small percentage of the population as final, and having no way to appeal is pretty terrible really.

"I believe Square definitely solved the issue as best as they could considering the limitations."

Considering the limitations they allow for to keep costs and risk down, at the expense of decent customers being caught in the net.

Same exact thing happened with Dwolla. Couldn't figure out if the identity verification service used my old address, current address, or my parents' address. I'm still locked out...

Sounds really silly and backwards. Why they simply don't use strong online identity detection? Should be simple and secure.

identity verification of small merchants is a really hard problem to solve with 100% accuracy. (or even 90% accuracy) At WePay, we use Facebook identity to help supplement KBA. It's not 100%, but does dramatically increase success rate.

I have the same problem with raise.com - they refuse to sell me anything.

> Design is how it works, not how it looks.


Does Bitcoin think you exist?

How's that relevant? The problem that the op is presumably attempting to solve is: "I want customers to pay me using a credit card".

It's very relevant. Square is just another broken implementation of a broken system.

Until we accept that centralized payment systems only benefits the central entities, we're going to be stuck with these problems.

"Build a new financial system" is not a relevant answer to "How can I accept payments from the majority of Americans?".

No need to build a new financial system, the new financial system is already in place. It needs wider adoption.

In the time it took him to write the post complaining about Square, OP could have integrated BTC payments via Coinbase. He could even offer a BTC discount, since he's saving 2-3% on processing fees. If his product is in demand, customers will find a way to pay for it, even if they haven't used Bitcoin before.

There's no bitcoin equivalent for the experience of being able to have someone physically swipe their credit/debit card in your phone for point of sale payment. Bitcoin cannot replace all point of sale transactions that Square enables.

NFC via bitcoin wallet apps.

And once more the crowd asks, "who's going to use it?".

There is a very, very tiny competitive advantage to supporting Bitcoin. There is a catastrophic competitive disadvantage to not supporting the basic method of Internet transactions.

Who says you have to stop taking cards? But physically, there's very little difference between an NFC swipe and a card swipe.

The entire context of this discussion is regarding a person who cannot accept cards. It is pointing out that Bitcoin is a non-solution because the user base is so small and most people pay with credit cards. You need to keep in mind the context in which you are responding.

The guy can't take cards and this thread is nattering on about how Bitcoin is the answer and you're asking that question when I point out that Bitcoin NFC apps don't replace that he can't take cards?

QR code payments phone to phone are even easier. I'm seeing street fair vendors who started taking square last year taking bitcoin now with QR codes on phones without much resistance. I don't know what their volumes are like.

Or someone will recreate it, support credit cards, and eat his lunch because that someone can actually do business with people who don't know what SHA1 is.

> Until we accept that centralized payment systems only benefits the central entities, we're going to be stuck with these problems.

That's beyond ridiculous. The main reason here is that they are trying to prevent their service from being used for fraudulent purposes. How would Bitcoin change that? Realistically, there would still need to be some form of identity verification. The actual problem here is that it's really hard to verify a person's identity over the Internet. The questions in the article can be answered by a determined attacker, so it's clearly the verification system that's broken.

I don't know about that, chargebacks are a pretty nice thing.

@nathancahill http://xkcd.com/325/

The ending says that "any recipient" can initiate a payment, but of course that's not true; see OP's complaint.

Why do you need them? With Bitcoin, your credit card can't be skimmed or stolen, you can't be charged twice or for more than you authorized.

As far as not shipping a product you paid for, economics takes care of that. Not delivering purchases is a bad business model.

Are you sure about that? If you get 1000 people to pay $100 for your "product" that you don't ship to them, that's a pretty good profit. You can just walk away with the money, never to be seen again (under that name at least). How the economics would take care of that is anyone's guess.

And precisely because of this the we have chargebacks.

As a merchant it would be lovely to accept payments only via bitcoins. As a customer I'll avoid purchasing anything if I cannot issue a chargeback. So the only way to get me to actually buy anything via bitcoins is to remove all alternatives.

> Not delivering purchases is a bad business model.

Even if this were true, there are still X number of people who got ripped off with no recourse.

> With Bitcoin, your credit card can't be skimmed or stolen

No, but your private key can be stolen/lost, and in that event, you don't have the benefit of fraud protection.

If your private key is lost or stolen, you have bigger problems.

Correct. However stolen credit card numbers are a much smaller problem than that.

...only benefit the central entities...

The "central entities", whatever they may be, are certainly not the only parties that benefit. To be successful, we must broaden the appeal of the changes we hope to see.

I'm sure your comment will get bashed plenty...

But, I'll admit to thinking the exact same thing. 2-3% transaction fees and the BS admin overhead that comes with accepting CC payments is ridiculous.

Oh yea, and merchants are (usually) liable if they accept a stolen credit card. What a crappy system...

Bitcoin is only "no or low fees" because it has no regulations and protections. It'll need those to get broad government, consumer and merchant adoption. And then it won't be fee free.

it's also free because the payment processors, the "miners", are payed by freshly-made bitcoins. once we hit the max number of bitcoins, they'll charge fees to run the "mines".

Why would it need regulations and protections?

OK, I'll bite.

In your opinion, what regulations/protections are required that don't currently exist?

For me to start using a mechanism to pay on the internet, there would need to be a way I can get a refund if it doesn't arrive, or is broken, or the company goes out of business, or if my computer was hacked to make the payment. I would have to be confident that I could call up and get a refund even without having kept careful documentation of the interaction. And there would have to be history/legal precedent backing that up.

> When they can’t find you in their database, they pull irrelevant questions associated with somebody else’s dossier — especially if you have a common name like I do.

How is this not an information leak? If I know there is only one other person with my name within the area, then I can obtain information from him this way. (Since there will be multiple choices about that person suggested in that questionare)

Ironically, when I opened this page it showed me this:


This story loaded right above https://news.ycombinator.com/item?id=7131231 (the Bitcoin exchange arrests). Kind of ironic.

The way I see it, this is the same as trying to check into a hotel without a valid ID or credit card. If they can't verify to a reasonable extent who you are, the hotel will just refuse doing business with you. Is that discrimination? No, they would be certain to lose money overall if they didn't do that, even if you in particular are a nice person and intended to pay cash on checkout.

As long as Stripe made clear what their position was, as to not waste this person's time or money, I don't see a problem here. It can be a business decision to flip a coin and permanently turn away all the customers that get the wrong side, if doing that magically increases profits. You can't even call it bad customer service since they are not a customer and will never be one.

Square, not Stripe. i just signed up and got my Stripe account approved for live transactions, and they didn't need any of this fishy stuff. just "normal" things like a bank account.

Indeed, I meant Square, thanks for catching that.

Funny name confusion, they're both payment processors, one deals with magnetic stripes and the other one is named Stripe.

Applications are open for YC Summer 2021

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact