I rarely use Paypal, but was forced to use it recently for something with no other payment option. Whilst there I decided to change my password, and was horrified to find that they limit passwords to 20 characters.
It got me thinking about the standard assumption that any system limiting chars in a password must be storing passwords in plaintext and not hashing them, else there would be no logical reason to do so (since hash length is constant regardless of input length) - with the only exception being placing a really large limit (say 1024 chars) just to avoid performance issues with hashing really massive passwords.
But... I refuse to accept that's what's happening here. It simply can't be the case that Paypal is storing plaintext passwords, can it? So there must be another explanation - but what is it?
The only thing I can think is that perhaps they are encrypting passwords, instead of hashing them, or started out doing this in the early days and have since switched to hashing passwords, but there were by then so many layers of validation cruft and/or dependent systems that somehow relied on the 20 char limit being enforced, that they were unable to remove the limit without breaking everything, and they've decided the tradeoff of just sticking with a 20 char limit is worth it.
Does anyone know of or can think of a better explanation for this?
I know the "logic" behind modern low password length limits for services like Paypal. Too many of their users are literally incapable of remembering their passwords and call/e-mail them bitching about how they're entering the right password and their account won't let them in and now they can't get to their money and bogus threats of legal action. So they encourage weak passwords and try to handle security on their side by flagging accounts for any reason and using 2FA. Recently they started requiring one number or special character in passwords, which puts them about 15 years behind the times when it comes to password policies.
PayPal allows directly adding totp now? When I added 2fa, I had to use a python script that emulates the stupid Symantec software they were using in order to get the secret; it instead gave you a code to give the Symantec app, which prevented you from using 3rd party apps.
Yes, I think it's somewhat recent. The previous time I checked it didn't let me, now it does. I found this from 6 months ago mentioning it might only be US accounts[1], and this from March[2].
If you forget your password then there is basically no way of contacting them. I lost my 2FA phone number, and wanted to know if there is anything I can do to get my account back? There is no contact form, no customer chat/phone number, and their issue tracker is only available if you log in. Finally, I found an email address on some other website, contacted them, then I got an email saying they answered my issue, and if I'm satisfied with their answer?
Of course, I never was able to see their answer because I cannot log in to open the issue tracker. So, in the end I just gave up.
Oh, I remember having that problem a long time ago! It's still like that? I'm pretty sure this was more than 10 years ago for me. I just abandoned that account.
There's basically a 0% chance that it is because they don't hash passwords and there's a limit on a table column or something. Paypal has faults, but they're not that incompetent. The more charitable logic for this policy goes like this:
1) for those who want security, 20 digits of random characters using a password manager is plenty
2) for those who actually remember and type a password (i.e., just a regular password), requiring them to keep it less than 20 characters increases the odds that they can actually type it in correctly (think elderly or more easily confused people here) and that reduces calls to customer service to complain that their password doesn't work.
A passphrase can easily exceed 20 characters and be memorable. They are usually considered a good security practice for people not familiar with (or not willing to use) password managers.
When I changed my password there, not too long ago, it was worse. The "change password" page (I later discovered) silently cropped the long random password I pasted, while the "log in" page required the saved (truncated) password exactly. I don't know how they expected anyone to figure that out.
I suspect the answer to your question is that what we know as "Paypal.com" is a collection of 57 different legacy systems that were hacked together over a period of 20 years. It's not that a designer sat down one day and spec'd out the design we see. It's more like it used to be much worse, and then they fixed 173 bugs (sometimes in an overly conservative way), and we're seeing the result of that.
Unless a software team is very careful, what the users see is software archaeology, not UX design.
>When I changed my password there, not too long ago, it was worse. The "change password" page (I later discovered) silently cropped the long random password I pasted, while the "log in" page required the saved (truncated) password exactly. I don't know how they expected anyone to figure that out
The British Airways site does exactly the same thing, took me about 5 attempts at resetting my password before I realised what was going on...
They've very slowly been getting better at various ridiculous UI issues. For example, they finally have a proper TOTP system (rather than their old security key that nobody used).
But yes 20 character password is infuriating. My guess is that, at some point, it's extremely hard to change the password character limit and make sure it's correctly updated everywhere at once. Passwords are used in several places and they're afraid of missing a few.
That's my most generous reading of the situation. I still think Paypal is pathetic. Their country locking is the most awful shit: you can't use a foreign phone number, it has to be one of the country you registered with Paypal. If you move country, tough fucking luck, you have to close your account and open a new one and that's "standard procedure".
My supermarket has different websites (for their card or online shopping), and one has an X-character limit while the other does not.
It has been a BIG hassle to get rid of all the problems I had (and still occasionally have some trouble).
So while having a password character limit makes customers angry, it is better than breaking everything.
bcrypt has long been regarded as the "best" secure hashing function, and it limits input passwords to 50-72 bytes. Assuming utf-8 input a character can plausibly be 4 bytes, which turns 72 bytes into 18 characters max.
It looks like Argon2 is newer and doesn't have a max length but still it's likely most sites are using bcrypt.
There's also a kind of handwavy "more than 20 characters is likely to be malicious input." Which is a little bit of a cop out but also probably true in general.
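The byte-versus-character arithmetic in the comment above is easy to get wrong, so here is an added example (not code from any commenter, and not any bcrypt library's own code) that models bcrypt's 72-byte input window in pure Python: it shows how many 4-byte UTF-8 characters fit under the limit, how two passwords that differ only after byte 72 become indistinguishable once truncated, and the usual defensive fix of pre-hashing with SHA-256 and base64-encoding the digest so the input handed to bcrypt is always 44 ASCII bytes. The 72-byte constant and the sample passwords are assumptions constructed for the example.

```python
import base64
import hashlib

# bcrypt only consumes the first 72 bytes of its input (the upper end of the
# range quoted in the thread). This constant models that window; nothing here
# calls a real bcrypt implementation.
BCRYPT_MAX_BYTES = 72


def bcrypt_effective_input(password: str) -> bytes:
    """Return the bytes bcrypt would actually hash: the UTF-8 encoding of the
    password, silently truncated to 72 bytes as C-style implementations do."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def max_chars_under_limit(sample_char: str) -> int:
    """How many copies of sample_char fit inside the 72-byte window.
    For a 4-byte UTF-8 character such as an emoji this is 18, for a 2-byte
    accented Latin letter 36, for plain ASCII 72."""
    return BCRYPT_MAX_BYTES // len(sample_char.encode("utf-8"))


def truncated_passwords_collide(a: str, b: str) -> bool:
    """True when two *different* passwords would verify against the same
    bcrypt hash because they only differ beyond byte 72."""
    return a != b and bcrypt_effective_input(a) == bcrypt_effective_input(b)


def prehash_for_bcrypt(password: str) -> bytes:
    """Defensive pattern: SHA-256 the password, then base64 the digest before
    passing it to bcrypt. The result is always 44 ASCII bytes, so nothing is
    truncated, and base64 keeps NUL bytes (which a C-style bcrypt would treat
    as end-of-string) out of the input."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest)


def prehashed_collide(a: str, b: str) -> bool:
    """Same check as truncated_passwords_collide, but after pre-hashing."""
    return a != b and prehash_for_bcrypt(a) == prehash_for_bcrypt(b)


if __name__ == "__main__":
    # Constructed sample: two passphrases identical for 72 bytes, then different.
    shared = "x" * 72
    pw_one, pw_two = shared + "one", shared + "two"
    print("emoji that fit in 72 bytes:", max_chars_under_limit("\U0001F600"))
    print("raw bcrypt collides:", truncated_passwords_collide(pw_one, pw_two))
    print("pre-hashed collides:", prehashed_collide(pw_one, pw_two))
```

The practical reading: a site on raw bcrypt that accepts more than 72 bytes is quietly ignoring the tail of long passphrases, which is exactly the silent-truncation behaviour other commenters describe, just moved from the form field into the hash. Pre-hashing removes the limit without changing the stored hash format.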
The reason for the limit is actually quite stupid. PayPal does store the hashed version of your password as is required of any user database that is part of a payment processing system. However, because PayPal has been around so long your password is transmitted to the server using a two-way encryption scheme so that the server side can consistently apply hashing without requiring client side code to do so which makes things much harder and requires more bandwidth to be delivered.
Bandwidth concerns finally brings us to the reason that paypal limits the password size to 20. PayPal uses an authentication scheme that stores the encrypted password client side and requires it to be resent with every request (or at least used to). Because the password isn't hashed before being transmitted, and is present with every request, they limited the size.
All of this was designed and implemented more than 10 years ago and even though both the bandwidth concerns and the need to send the password with every request are both outdated and paypal has likely updated to newer systems that remove these concerns entirely, companies rarely re-examine these kind of hard coded limitations unless they are legally required to.
I don't know where the low password limits come from, but everyone has some kind of limit. I guess people just choose a "nobody will use a password longer than X" number. This is completely unrelated to the backend storage and hashed passwords are commonly limited this way.
A limit as low as 20 absolutely has its roots in insecure prehistoric password storage policies, even if the implementation happens to have been updated at some point in the past two decades to no longer store passwords in plaintext. As you say, everybody has some kind of limit, if only to prevent DoS attacks, but that limit should be closer to 1000 bytes than 20 bytes.
Yep, just look at the CTA's Ventra system, which came online in 2013. 20 character password limit, but implemented in the worst possible way: only on the web UI, and they don't tell you about it.
Basically, I generated a 32 character password in my password manager, pasted it in, got no errors when I made my account, and could login in Chrome successfully. However, I couldn't login on the mobile app. I tried manually typing, copy/pasting, nothing worked (it doesn't even seem like they auto-lock accounts after 15 failed login attempts...). So I went to change my password on my desktop and noticed it stopped accepting anything after 20 characters. The field silently truncated my password. So I typed the first 20 into the mobile app, and was able to login.
The worst part about this system is that since the mobile app doesn't respect the limit (not sure if there is a limit in the app, I was able to do 64 characters successfully), you can make your account inaccessible from web browsers with a >20 character password (meaning it's not a DB restriction, it's just an arbitrary client-side restriction, and it's not even implemented consistently). I reported this bug last week and got a generic email response, so it probably still works for now.
The rules surrounding financial institutions (in the US, at least) are weird and some of their information "security" rules are laughably out of date/ineffectual.
I'm not particularly familiar with those security rules (even less with the rules of other countries) so I wouldn't be surprised if this isn't a rule in one of the countries PayPal operates in that they just decided to use everywhere to make it easier.
Some financial systems, a large number of which run on mainframes, have databases where all fields are fixed length. (A database with fixed-length records is trivial to access randomly.)
One of my credit cards lists my name as "Christophe" rather than "Christopher" as they have a fixed-length 10 character field for first names. Customer support said it was unfixable.
It only takes one such system, in a complex web, to impose that limit on all systems.
A similar thing happens to me when I fly. My boarding passes usually truncate the middle name field which in my case (typically) results in the name of a religious figure rather than an uncommon or obviously truncated name.
This has never been an actual issue (or even commented on), but another middle name discrepancy has. Back in high school, there were some issues with my name on my state ID not exactly matching the school's entry for me.
Think more along the lines of "they once had a mainframe in their infrastructure which stored passwords instead of hashes, which caused their requirements to limit the length of passwords to 20 characters, even if that system is no longer in use, or now uses hashes."
I expect a relatively small minority of the HN crowd have exposure to decades-old mainframe systems.
It seemed a plausible rationale, given the state of the world ~2000 when PayPal was ramping up was very different.
Especially in the financial sector, I can see partners and/or requisite systems to interface with being heavily mainframe-based.
And now, even if PayPal is following best practices, it's possible one of their counterparties is stuck in the 1980s. People forget that "building Fort Knox around a private line from X DC to Y DC" is sometimes cheaper than "rewrite COBOL system of record that no one alive worked on."
My experience with multiple identity systems matches the mainframe or mainframe era explanation. Old systems had to draw a line. So they did. And those lines still ripple like waves through modern systems even now.
"Mainframe" doesn't seem like an actual answer to me. Why can't mainframes handle passwords longer than 20 characters? Are mainframes incapable of doing password hashing? Can't modern databases have text fields with a max of 20 characters, why is that problem unique to mainframes?
Great analogy! Despite enjoying a long relationship, Paypal will very possibly stab you in the back and rob you blind in a blink of an eye then become incommunicado.
"Oh, yeah, don't worry, 3D secure can't be forced for all payments, but we got you, we'll enable it when we think it might be abuse. Also, our seller protection covers you."
All the time: "Here is a customer that made 12 purchases during the last 13 months. We took the money, but you have to prove that the card wasn't stolen and that the customer got what he paid for. We didn't enable 3D secure for this transaction, so please fix this for us and we'll give you your money back. Also, if you don't we'll take some more money from your account. Seller protection does not cover this as services are in a gray-zone."
240K frozen and taken since 2012 and still counting! At least I've started to win all the cases, but it takes a lot of time. Time to switch to stripe where I can force 3D secure...
I very rarely have to contact PayPal for anything, but I’ve had to talk to them a couple times. My experience is that they absolutely will not answer any question they don’t have a pre-written response for, instead choosing whatever they think is closest to what I am asking, even if it doesn’t answer the question. I’ve even had them send me the same response again when I explain that it didn’t answer my question the first time. If I need something specific like the fedwire tracking number for a transfer, I’m basically SOL because they don’t have a response for that, they just send me links on how to view my statement.
I don’t know why companies do this but I notice that companies that don’t compete with Amazon tend to have horrible customer support, but as soon as Amazon enters the market suddenly everyone picks up the phone second ring, has chat, and sends out hand written e-mails.
> they absolutely will not answer any question they don’t have a pre-written response for, instead choosing whatever they think is closest to what I am asking, even if it doesn’t answer the question
I got the exact same feeling when talking to them. It sounded like they understood my problem, but the proposed resolutions were obviously not a match. Reasoning about it with them got me nowhere, they clearly had no other options.
This is one experience. I have some exchanges with paypal and their answers were perfectly accurate and personalized. After many transactions, I have no reason to complain for now.
About the case of the OP, I once had 2000€ credited on my bank account for no reason. I knew it was an error and did not touch it. Several days after, the amount was silently debited. No message from the bank. This is not specific to Paypal.
>Several days after, the amount was silently debited. No message from the bank. This is not specific to Paypal.
Except if you asked the bank, they'd say there was a system error we had to correct, sorry for the inconvenience, please take our survey. PayPal will say you sent/refunded the money, we never touched these funds and can do no wrong, and if you can't produce documents that never existed related to this transaction that was entirely in error you can kiss your account goodbye.
This is not a customary experience - Pretty much any interaction with Paypal support that doesn't involve you losing hundreds or thousands of dollars is an uncommonly good experience.
Paypal is a well-oiled machine until you trigger some exception that creates a case with their legendarily incompetent support - at that point, the results will be essentially random and often apparently malicious, no matter the facts of the case.
Once I ordered some expensive gear from the UK and the only option to pay was PayPal. I ordered and paid for the goods, the order shipped and a few days later I got a mail from the selling company asking why I locked their account for fraud protection or some such. PayPal sent me the money back and I got the goods. Of course I didn't use PayPal again and sent them a normal bank transfer instead. Was also a better exchange rate than PayPal.
Whoa, I just got off of a call from PayPal as to why my account was banned.
Turns out, 15 years ago when I signed up, I was 15 (I am 30 now) and that is against their terms of service. So my account is permabanned and they said to make a new one with a different email.
I can understand they don't want people under 18 to sign up, but for fucks sakes, it was 15 years ago, this feels like a fairly stupid policy.
I would like to add that the customer service experience in this instance was pretty good - they had a queue system where you can leave your number and they call you back instead of keeping you on hold forever, and the representative was helpful and professional and told me straight up that I could make another account.
Tip: don't follow their advice. My friend had a similar situation (signed up while underage and was banned) and they have banned all subsequent accounts as well. If you are permabanned from PayPal, you are permabanned, as a person.
I've been fighting a similar issue. I woke up one morning to an email that my account was permanently suspended, along with several family members' accounts that don't live with me. All of our accounts were shut down at the same time, with no reason given. None of us had used Paypal in months, and I haven't received money on Paypal in years. We can't get a hold of anyone to find out what happened.
Probably because they can't legally hold the data of a minor (who wasn't able to consent to their data policy or whatever at the time) so they have to delete everything.
Nope. The account isn't deleted, it's locked. And if they did need to delete the data they could easily delete everything from when they were under age.
Eh, kinda. If they entered their name/address/phone when they were underage, it's still data collected from a minor (even if it hasn't changed). To cleanup PayPal would have to have them re-enter everything... which is basically the same thing as creating a new account.
I'm not saying they're right, but I can see why this is the easiest way for them to fix the legal situation.
Raises a question - if they've deleted _everything_, how would they know they are banned? Surely just keeping email address + "banned" (especially for a specific reason) is storing their data.
I recently had a similar experience with eBay, though it got resolved:
- I had an old eBay account that was closed through inactivity
- I wanted to buy some headphones so I decided to create a new account
- When I went to eBay it had already given me a username through some sort of linked google account feature that used the google account I was logged in to
- I tried to buy 2 $40 headphones and it wouldn't let me, saying I was over my temporary purchase limit
- I figured maybe you can only buy one item at a time as a new user so I tried to buy a single pair of $40 headphones and got the same response
- I thought it might be my VPN, but my VPN was off at the time.
- I created a normal account linking it to my normal email and everything seemed well. I purchased the headphones successfully
- A few minutes later, I got an email that the first account had been suspended for suspicious activity. I first thought this was fine, until I read that I was not allowed to use any other eBay account ever again in my entire life. There were no options listed for recourse. Reading internet threads suggested that they were serious about this and that even if my other account still worked, they would eventually find it and close it.
Eventually I called and got a rep. I got the feeling he didn't believe me, but he fixed the issue so now I can use eBay again without worry. The whole experience left me a bit shaken though that triggering some automated flag nearly resulted in being cut off from one of the largest marketplaces in the world for the rest of my life.
You are lucky. I had a very old account that got suspended. Any further account on the same address also got suspended. They blacklisted the address.
I called and spoke with them for an hour and they would not tell me why they suspended the account, other than "I have reviewed the information and have decided the suspension is correct. But cannot tell you why it is being suspended." They kept repeating that she personally reviewed it and therefore the suspension must be legitimate. I said to her that her review of the account sucks.
And I had my pitchfork out to sue because they should not be doing that.
Yeah, that's what I was afraid of and I think I got lucky. The big thing for me is that I don't use eBay much but I'm getting married soon and my fiancee is moving a very far distance and she will need eBay to get decorations and such to help make her feel at home. I hated the feeling of inconveniencing her over some weird glitch that I was powerless to fix.
Why did this shake you so bad? You talked to a rep and they fixed it. That's what customer reps are for. If you have humans combing through records for malicious activity and reading off a rubric, you probably would've had the same issue.
There's a few different reasons:
First, reading about similar experiences didn't make me optimistic. It seemed like 50/50 between getting someone who would help and someone who would tell you that the case is forever closed without recourse. I got the feeling that in weird cases like mine these techs didn't actually understand what was going on and it was just the luck of the draw of what tech you got.
Second, I realized how powerful these big platforms like eBay are. I looked around for alternatives in case I did get permanently banned and I sure didn't find much. What was particularly creepy to me was how being an undesirable to eBay could potentially spread: they track your account, name, address, credit card number, IP, and so on and seeing any one of these can lead to bans on other accounts. In a lot of ways this makes sense, but in theory, if I happened to log on to my banned account at my mom's, it could match my account with her IP and ban her account as well. I doubt this would happen in eBay's case as support reps would probably help her if that happened, but it definitely brought to mind the Chinese social credit system where linking to an undesirable can make you an undesirable yourself.
Third and most important was personal. I'm engaged to someone who is planning to use eBay. I wouldn't care too much about being banned off of eBay but I would hate to see her life become any harder just because of some weird glitch.
The irony of this whole thing being that people are constantly creating fake accounts to bid on items and not pay. I rarely sell stuff on eBay, but when I do, some 0 feedback buyer with a fake address wins my auction, then never pays, and will never get banned. I just have a hard time believing that they do a good job at account auditing at all with how often I get fucked on my sales.
I’m going against the consensus here, but why was this guy so concerned about the reversal of a transaction that never should have happened in the first place? It wasn’t his money. Someone at PayPal obviously manually reversed the transaction when they realized the mistake. These things happen.
I’ve been using PayPal personally for 10+ years without issue. I also own a company and have processed hundreds of transactions and withdrawals through a business account with them without a single problem. I’m not saying that dealing with PayPal is without risks, but it’s also possible that we’re hearing a vocal minority here.
You don't have a problem with money flowing in to and out of your account, so long as it all balances out in the end? Really?
Then you won't mind if I borrow the keys to your account. You'll never notice a thing.
Even if PP is just covering their embarrassment over a mistake, it is still nonsense on stilts that they stonewall and bullshit about transactions flowing through your account. Who knows if they're even legal transactions? Someone could be playing a game.
Before you assert the belief that Paypal would never risk laundering money, you maybe want to look at Wachovia, HSBC and Deutsche. And it doesn't have to be "Paypal" in some formal sense; it could be employees there.
It is incredibly naive to play "what, me worry?" about sketchy things going on in your accounts.
You would never notice a bank correcting its own error on your bank statement. They don't post it as a credit followed by a reversal - they remove the accidental credit. It just disappears from your statement.
It happens ALL the time, and you'd never notice or be notified.
This is such a weird comment, reversing of transactions happens for mistakes on checking accounts too, such as a deposit to the wrong account.
On top of that the vast majority of people don't get a notification every time a transaction happens on their checking account. Some banks are implementing a notification feature for some transactions nowadays, but it's rare, new, and opt-in. The general case is money just flows in and out without much fanfare.
Some banks show you transactions that are pending. If a transaction never goes from pending to settled then it literally just disappears without a trace. Standard behavior.
I think the more concern is that it was withdrawn without notice to the account holder while denying it was PP who authorized it. I don't think the post was really worried about keeping the money but more or less, what if PayPal decided randomly to deduct a ton of money with no reason and no notification to the account owner?
I'm guessing we have a failure in communication between the poster and ebay support.
Additionally, a seller on ebay probably fat fingered their ebay information, so when the item was sold, the seller accused the customer of fraud (I never got the money!) and the buyer thinks the seller is fraudulent (I sent the money!) and probably reported the "seller" which is actually the poster as fraudulent.
That, plus the increasingly irate phone calls from the poster and the refusal to ID themselves led PayPal to shut down the account.
Can’t this happen with regular bank accounts too? Cheques and transfers can be reversed or altered long after they’ve entered your account without any approval from you or even notification to you. Sure the PayPal support process here sucks, but I don’t think they did anything wrong by reversing the transaction.
The person writing about this isn't upset that the transaction was reversed. They're upset that the transaction was reversed without notification, and that PayPal is claiming that the transaction was reversed by the account holder and not by PayPal itself. If this happened to me, I would assume that my account had been hacked.
There's also the issue of this resulting in the account being suspended. If this was just a normal transaction reversal, they definitely did something wrong for it to result in account suspension.
For sure, but I've never seen a bank that notifies you when a transaction gets reversed, altered or canceled. It just happens invisibly. IIRC it's actually a feature, in that some companies will open a transaction against your account (for example - a deposit on a rental), and then cancel/alter it if the funds aren't needed. That part of the story is 100% normal for big financial institutions in my experience.
And yeah, PayPal support is legendary in just how incompetent it is - I won't deny that. But it seems like the author was originally upset about something that is a normal part of banking.
This feature doesn't really make sense if you combine it with PayPal's aggressive notifications about the original transaction. If I'm being notified about a relatively large transaction, I should also be notified if it's changed or canceled.
To me, how great a company is for a business is decided by how much they have your back when shit hits the fan, not when everything is working as intended.
You’d expect that Paypal would notify him of the reversed transaction. Or would at least be able to tell him it was reverted instead of accusing him of refunding it himself.
Ok, play devil's advocate, but someone could be laundering money through his account. The laws and penalties are extremely severe and being naive is no defense.
No, most people would not be this agitated about a mistaken transaction being silently refunded. At best they'd probably assume the notification went to spam or something and went on with their day.
My bank doesn't notify me about any transactions, I have to check my bank book manually. Once a mistaken transaction showed up and disappeared a few hours later, with no trace left behind at all. I just assumed it was a mistake and didn't bother getting angry.
You're not agitated by being called a liar, nor being implicitly accused of fraud?
It sounds like PayPal, or someone, made a mistake that PayPal then processed a fix on. When the guy called to say someone took money from his account with no notification, "what happened?", they said _he_ had actioned the refunding of the money. Which he hadn't.
They lied, purposefully and deliberately. But there's a good chance that the person on the phone wasn't lying IMO, instead someone altered his account in a way that didn't show [to their phone reps] in their system ... which is IMO much more messed up.
So PayPal lied to him.
Then they asked for details of the transaction that they said he had refunded and "blocked" his account for not providing them.
Government financial services should impose heavy fines on things like this, not informing a creditor when debits are made on their accounts. His PayPal account should have a user traceable error (with doubled entries in the other relevant account entries) -
money paid from $ACCNUM with $ACCID
money paid due to PayPal error and refunded to $ACCNUM
I mean come on, is basic accounting beyond them?
If they could do accounting properly then they wouldn't have to implicitly accuse him of fraud (demanding the transaction details).
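To make the "doubled entries" point concrete, here is an added example (written for this page, not any commenter's code, and not a description of PayPal's actual system, which nobody in the thread knows) of an append-only double-entry ledger in Python. A correction is posted as a new transaction that references the one it undoes, so the account holder's statement shows both the mistaken credit and its reversal, the account balances back to zero, and the ledger-wide invariant that every transaction nets to zero can be checked at any time. Account names, transaction ids and the 2000 amount are constructed sample values.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional


@dataclass(frozen=True)
class Entry:
    """One leg of a double-entry transaction. Entries are immutable and the
    ledger only appends, so a correction shows up as new lines rather than
    as a line that quietly vanished."""
    txn_id: str
    account: str
    amount: Decimal          # positive = money into this account, negative = out
    memo: str
    reverses: Optional[str]  # txn_id of the transaction this one undoes, if any


class Ledger:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def post(self, txn_id: str, src: str, dst: str, amount, memo: str,
             reverses: Optional[str] = None) -> None:
        """Move `amount` from `src` to `dst`, recording both legs together."""
        amount = Decimal(amount)
        if amount <= 0:
            raise ValueError("amount must be positive")
        if any(e.txn_id == txn_id for e in self.entries):
            raise ValueError(f"duplicate txn_id {txn_id}")
        self.entries.append(Entry(txn_id, src, -amount, memo, reverses))
        self.entries.append(Entry(txn_id, dst, amount, memo, reverses))

    def reverse(self, original_txn_id: str, new_txn_id: str, memo: str) -> None:
        """Undo a transaction by posting its mirror image, linked to the original.
        The original legs are never deleted or edited."""
        legs = [e for e in self.entries if e.txn_id == original_txn_id]
        if len(legs) != 2:
            raise KeyError(original_txn_id)
        if any(e.reverses == original_txn_id for e in self.entries):
            raise ValueError(f"{original_txn_id} already reversed")
        receiver = next(e.account for e in legs if e.amount > 0)
        payer = next(e.account for e in legs if e.amount < 0)
        self.post(new_txn_id, receiver, payer, abs(legs[0].amount), memo,
                  reverses=original_txn_id)

    def balance(self, account: str) -> Decimal:
        return sum((e.amount for e in self.entries if e.account == account), Decimal(0))

    def statement(self, account: str) -> List[str]:
        """User-visible history: every leg touching the account, reversals included."""
        lines = []
        for e in self.entries:
            if e.account == account:
                tag = f" (reverses {e.reverses})" if e.reverses else ""
                lines.append(f"{e.txn_id} {e.amount:+} {e.memo}{tag}")
        return lines

    def is_balanced(self) -> bool:
        """Double-entry invariant: all legs across all accounts sum to zero."""
        return sum((e.amount for e in self.entries), Decimal(0)) == 0


def mistaken_credit_scenario() -> Ledger:
    """Constructed scenario from the thread: 2000 credited to a user in error,
    then corrected. Both movements stay on the user's statement."""
    ledger = Ledger()
    ledger.post("T1", "paypal:clearing", "user:alice", "2000.00", "payment received")
    ledger.reverse("T1", "T2", "posted in error by PayPal; refunded")
    return ledger


if __name__ == "__main__":
    l = mistaken_credit_scenario()
    print("\n".join(l.statement("user:alice")))
    print("alice balance:", l.balance("user:alice"), "| ledger balanced:", l.is_balanced())
```

With this shape, a support agent looking at the same ledger cannot mistake the reversal for a user-initiated refund: the memo and the `reverses` link say who corrected what and why, and the balance never silently moves without a line explaining it.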
My experience of PayPal has in general been pretty good, but I did have a person pay for something from eBay, then when I was sending it - like just about to head to the post office - I realised I'd not checked the payment. On checking the transaction link in eBay the transaction didn't appear on PayPal .. uh oh, so I checked PayPal and I couldn't find a transaction for the amount in my account list. So I checked eBay and the buyer had asked to cancel the completed transaction ... so I said yes, very begrudgingly. Then a few days later the buyer asked for the money back, but I never had it, and they (assuming they weren't lying) had a transaction for paying me ... which should be impossible with proper accounting because that transaction should include an entry in my account ledger too: his payment and my receipt are one transaction.
My suspicion is that their database processing is lacking and their account ledgers as displayed to users don't properly demonstrate the status of accounts.
Lied perhaps ... or somebody made a mistake. Support rep might just not have understood the information they were seeing on their screen. Why immediately say THEY LIED rather than, they were mistaken. I find it more fruitful in life not to assume bad faith from the outset.
Fair point, PayPal were possibly mistaken because they've designed their system badly. They have it in their power to ensure they're not mistaken. Choosing to tell a falsehood as truth ... now, there's a name for that ...
I'm assuming good faith on behalf of the OP primarily because I've had a similar experience of missing transactions on PayPal.
PayPal exists, by design, in a legal gray area where they do almost everything that a bank does, but aren't legally a bank and thus avoid all the regulations and liabilities of the banking industry. Removing funds from your account sent in error (something normal banks do) and not telling you why is fully within the realm of a non-regulated money transfer service. Use Fed wire transfers next time. They're irreversible.
Once a mistaken transaction showed up and disappeared a few hours later, with no trace left behind at all. I just assumed it was a mistake and didn't bother getting angry.
I had an unexpected deposit show up in my bank account last year and then disappear a day later. The bank sent me a letter in the mail explaining what happened.
Years ago, when Wells Fargo first introduced the ability to deposit a check via their mobile app, there was apparently a bug that caused it to sometimes deposit the same check twice.
So, I deposited a $1000 paycheck (was working for a local guy, fixing computers) once and did NOT notice that I actually ended up with $2000 in my account. This went on for at least three months, when all of a sudden I lost $1000 from my account. Apparently Wells Fargo had figured out about the bug and found all the accounts that had gotten double deposits and 'fixed it'.
A friend of mine had declared bankruptcy, meaning he wasn't eligible for any kind of credit whatsoever, and his bank let a $10,000,000 withdrawal go through and put his account into overdraft. Naturally, this was on a Friday before a long weekend so he had to wait until Tuesday to get it corrected.
When the bank corrected it the transaction completely disappeared, apart from the screenshots he took there was no trace of it whatsoever.
> I just assumed it was a mistake and didn't bother getting angry.
No need to get angry, but you might need to get careful. It's a bit like seeing a single cockroach in a restaurant; you can't just kill and remove it then declare that everything's fine.
Contacting them and confirming that it was a mistake is basic CYA, it establishes with them that it's not your transaction and hopefully gets something on file.
(I've just got off the phone with EE after a mysterious charge appeared on my account. They couldn't tell me where it had come from or even when it was applied, so after putting me on hold for a while they agreed to just take it off again. But I only spotted it because I'm checking my bills carefully after a previous dispute ...)
Conversely, I'd be very annoyed if I didn't immediately get a notification from my bank about a decrease in my balance. However, I don't think either of us is qualified to speak for most people.
Receiving unintended funds can have all kinds of unintended consequences, including related to law enforcement.
In his case, he just got suspended and asked to provide documents he is physically unable to produce (contrary to presumption of innocence).
> the next day, and after almost two weeks since the refund took place (but only one day after the long phone discussion) my account was blocked as "suspicious" activity and in order to unblock it I will have to provide original product receipts of the product I was "selling", something that I do not have as I do not even know what I was selling!
Yeah but it didn't here. Any negative consequence this man experienced was due to his anger and outrage. Calmly handling this situation would have resulted in a completely different outcome.
Yet again, emotion and anger are now somehow the company's fault.
If the customer’s emotions are affecting their account status, then it is entirely the company’s fault. If a customer is upset, a federally regulated financial institution should never be able to just shut down their account without recourse. That’s why we have regulations and laws, so some random customer service rep (possibly from a country with far different rules and regulations) can’t power trip over a customer.
This is incorrect and not how paypal handles refunds.
This is merchant 101: always refund suspicious payments before your payment processor has to do it, it'd be really bizarre if Paypal was somehow the only exception in the industry.
FDSGSG is absolutely correct. He should have immediately processed a refund on the $600 as soon as he saw the transaction. By not doing so he risked getting a chargeback and losing not only the $600 but an additional $10 PayPal chargeback fee.
There is no risk of OP losing $1,200 to two refunds if he went through the proper refund procedure. A transfer can only ever be refunded once.
The only way I see this going wrong is if instead of doing a refund you create a new transfer to send the money back, but you obviously shouldn't do that.
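The double-entry ledger asked for a few comments up ("his payment and my receipt are one transaction") and the refund rule stated here ("a transfer can only ever be refunded once") are two sides of the same design, so here is one added, self-contained Python sketch of both. It is not PayPal's code or anything from the original thread; the account names, transaction ids and the $600 scenario are constructed to mirror the story. Every transfer posts a debit and a matching credit under one transaction id, the ledger is append-only so reversed entries stay visible in the account history, and a refund is keyed on the original transaction id so a second attempt is a no-op rather than a second payout.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Set


@dataclass(frozen=True)
class Entry:
    """One leg of a double-entry posting. Positive = credit to the account, negative = debit."""
    txn_id: str
    account: str
    amount: Decimal
    memo: str


class Ledger:
    """Append-only double-entry ledger: every transfer posts a debit and a matching credit."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []
        self._seen_txns: Set[str] = set()
        self._refunded: Set[str] = set()

    def transfer(self, txn_id: str, src: str, dst: str, amount: Decimal, memo: str) -> None:
        if amount <= 0:
            raise ValueError("amount must be positive")
        if txn_id in self._seen_txns:
            # Re-posting the same transaction id would double-credit the recipient.
            raise ValueError(f"duplicate transaction id {txn_id}")
        self.entries.append(Entry(txn_id, src, -amount, memo))
        self.entries.append(Entry(txn_id, dst, amount, memo))
        self._seen_txns.add(txn_id)

    def refund(self, original_txn_id: str) -> bool:
        """Reverse an earlier transfer exactly once. Returns False if it was already refunded."""
        if original_txn_id not in self._seen_txns:
            raise KeyError(f"unknown transaction {original_txn_id}")
        if original_txn_id in self._refunded:
            return False
        refund_id = f"refund:{original_txn_id}"
        originals = [e for e in self.entries if e.txn_id == original_txn_id]
        for e in originals:
            # Reversing entries reference the original id, so both show up in the account history.
            self.entries.append(Entry(refund_id, e.account, -e.amount, f"refund of {original_txn_id}"))
        self._refunded.add(original_txn_id)
        self._seen_txns.add(refund_id)
        return True

    def balance(self, account: str) -> Decimal:
        return sum((e.amount for e in self.entries if e.account == account), Decimal(0))

    def history(self, account: str) -> List[Entry]:
        return [e for e in self.entries if e.account == account]

    def is_balanced(self) -> bool:
        """Invariant: the sum over all accounts is zero, i.e. money is never created or lost."""
        return sum((e.amount for e in self.entries), Decimal(0)) == 0


def demo() -> dict:
    """Constructed scenario: a buyer pays a seller $600, the payment is refunded, then refunded again."""
    ledger = Ledger()
    ledger.transfer("txn-1", "buyer", "seller", Decimal("600.00"), "eBay item (constructed example)")
    first = ledger.refund("txn-1")
    second = ledger.refund("txn-1")  # second refund of the same transfer must be a no-op
    try:
        ledger.transfer("txn-1", "buyer", "seller", Decimal("600.00"), "replayed payment")
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    return {
        "first_refund": first,
        "second_refund": second,
        "duplicate_rejected": duplicate_rejected,
        "seller_balance": ledger.balance("seller"),
        "seller_history": [(e.txn_id, str(e.amount), e.memo) for e in ledger.history("seller")],
        "balanced": ledger.is_balanced(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of keeping the reversed entries rather than deleting them is exactly the complaint in the thread: a user looking at `history("seller")` sees both the payment and its refund, with the refund pointing at the transaction it reverses, instead of a balance that silently changed.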
I'd be pissed if a bank silently refunded money from my bank account without my say so; if money enters my account I want some input in it leaving.
I suppose the key is if Paypal put it in the wrong account then cleared up after themselves, I don't think that's a refund as such, you should be telling the account holder when they ask though. The other option is the payer paid money to the wrong account, in that situation this guy should be getting notified.
This isn't just an issue of 'not his money'. How are you supposed to know if your account is hacked, or some weird fraud is going on, or even just a straightforward case where he sold something and thought he got paid for it?
I don't even have to have my say, but I sure as hell would want to be notified with an explanation (i.e. refunded customer, money sent to incorrect account).
> Once a mistaken transaction showed up and disappeared a few hours later, with no trace left behind at all. I just assumed it was a mistake and didn't bother getting angry.
In many (all?) countries, your bank would've acted criminally. If money has been deposited to your account, only you or a court order can get it out again. If somebody "just does it", they are on a similar legal basis as somebody that forgot a jacket in your house and decides to break your lock and enter your house without your knowledge or authorization to get it back.
> A payor can attempt to reverse a payment made with an ACH credit only if the payor claims the beneficiary was already paid by a previous ACH credit entry, or the beneficiary was the wrong recipient of the funds, or the original ACH payment was in the wrong amount. Otherwise, the credit is considered final.
No clue how that works in different countries. Here it's pretty simple: once the money is in the account, you can't do anything. While the transaction isn't complete, you can cancel them obviously.
There's a good reason for that: nobody wants banks to take money out of accounts because they "feel that's the right thing to do".
There's one notable exception: SEPA direct debits getting reversed. Using DD requires a special agreement with your bank, however, and it won't happen that money ends up in your account without you requesting it - or if it does, you will get a phone call from your bank where somebody explains the situation, apologizes a dozen times and asks you to look into the matter and authorize a reversal. Acting on their own would be a criminal matter and likely be of interest to the regulators as well.
So if you decide not to reverse the mistake transaction you just get free money?
Unless it's a real lot of money, going through the courts to get reimbursed would be impractical, and if you transposed two numbers while typing an account number then you might not even know who the money went to.
> So if you decide not to reverse the mistake transaction you just get free money?
No, the law gets involved and at some point, a judge will decide whether you owe the sender the amount they mistakenly sent. It's basically the same for "I mistakenly sent you 100 that I meant to send to my friend" and "I mistakenly sent you 100 when I only meant to send you 50 that I owe".
And yeah, it's a hassle. At least you can generally find out which account the money went to, and with new IBANs, you need to mess up multiple digits, since they include a checksum. If the checksum doesn't match, the money bounces back into your account. Previously, some banks required that the account number and account holder match (within reasonable limits, misspelling the last name would work), but that changed with the IBAN system, only the account number matters now.
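The checksum mentioned above is the ISO 7064 mod-97-10 check built into every IBAN: move the country code and two check digits to the end, expand letters to two-digit numbers (A=10 ... Z=35), and the resulting number must leave remainder 1 when divided by 97. The following is an added Python example, not code from the thread or from any bank; the IBAN used is the commonly published sample value `GB82 WEST 1234 5698 7654 32`, not a real account. Beyond the single mistyped digit discussed above, it also checks an adjacent transposition and then goes through every possible single-digit substitution in the IBAN to show that all of them are caught.

```python
import re
from typing import Optional

# Country code, two check digits, then 11 to 30 alphanumeric BBAN characters.
IBAN_RE = re.compile(r"^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$")


def _normalise(iban: str) -> str:
    """Strip whitespace and upper-case, so 'gb82 west ...' and 'GB82WEST...' compare equal."""
    return re.sub(r"\s+", "", iban).upper()


def iban_mod97(iban: str) -> Optional[int]:
    """ISO 7064 mod-97-10 remainder of an IBAN, or None if the string is not IBAN-shaped."""
    s = _normalise(iban)
    if not IBAN_RE.match(s):
        return None
    # Country code and check digits go to the end; letters become 10..35.
    rearranged = s[4:] + s[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    # Running remainder: no need for a big-integer type, so this ports to any language.
    remainder = 0
    for ch in digits:
        remainder = (remainder * 10 + int(ch)) % 97
    return remainder


def is_valid_iban(iban: str) -> bool:
    return iban_mod97(iban) == 1


def compute_check_digits(country: str, bban: str) -> str:
    """Check digits are chosen so the full IBAN has remainder 1: 98 - mod97(country + '00' + bban)."""
    r = iban_mod97(f"{country}00{bban}")
    if r is None:
        raise ValueError("malformed country code or BBAN")
    return f"{98 - r:02d}"


def single_digit_errors_detected(iban: str) -> bool:
    """True if every single-digit substitution anywhere in a valid IBAN fails validation.

    Holds for any IBAN: a one-digit change alters the number by d * 10^k with 1 <= |d| <= 9,
    which 97 (a prime not dividing 10) can never divide.
    """
    s = _normalise(iban)
    if not is_valid_iban(s):
        raise ValueError("start from a valid IBAN")
    for i, ch in enumerate(s):
        if not ch.isdigit():
            continue
        for d in "0123456789":
            if d != ch and is_valid_iban(s[:i] + d + s[i + 1:]):
                return False
    return True


if __name__ == "__main__":
    sample = "GB82 WEST 1234 5698 7654 32"  # published sample IBAN, not a real account
    print("valid:", is_valid_iban(sample))
    print("one digit off:", is_valid_iban("GB82WEST12345698765433"))
    print("adjacent digits swapped:", is_valid_iban("GB82WEST12345698765423"))
    print("recomputed check digits:", compute_check_digits("GB", "WEST12345698765432"))
    print("all single-digit errors caught:", single_digit_errors_detected(sample))
```

Note what the check does and does not give you: it catches a mistyped or transposed digit before the payment leaves, which is why the money "bounces" in the comment above, but a well-formed IBAN belonging to the wrong person passes, so it says nothing about whether the account holder is who you think.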
You're simplifying matters. If money was clearly sent in error, the bank can protect it from being spent (and subsequently refund it), unless the recipient disputes it:
> When you notify your bank or building society that you have made an electronic payment to the wrong account, your bank will commence action on your behalf within a maximum of two working days.
> Where your bank finds clear evidence of a genuine mistake, they will contact the receiving bank on your behalf with a request to prevent the money being mistakenly spent. As long as the recipient does not dispute your claim, you will subsequently receive a refund of the protected funds within 20 working days from when you notified your bank.
Stripe. We moved most of our payment processing from Paypal to Stripe last year, they're unbelievably more competent (an extrapolation from the quality of the tooling and APIs) and actually respond with meaningful input when a problem arises.
I just got an invoice from Google Account. Basically, scammers send people invoices stating that they exceeded their 5GB and people have to pay $120 not to lose their Google account. I'm sure there are tons of rich idiots who will pay $120, but I wonder why:
- There was no merchant contact info. They managed to upload Google's logo and use Google Account as the merchant name. Isn't PayPal doing any basic blacklist check, etc., or checking against stock logos (there are tons of companies now which provide a logo for a given company name)?
- There's no way to report the invoice as a scam attempt - I can only "cancel" or "archive", which sends the "merchant" an email, and they can know that my email belongs to a valid PayPal account after that, as the email is sent by PayPal.
In general, after so many years in business, PayPal is a lazy, slow, and stupid company. I am sorry to say that, but it's the truth. Their developers are a bunch of old timers who have entrenched themselves in the company and there's no innovation going on. There are many, many, many complaints about PayPal which I could list here. Most of them are very simple to spot and fix by PayPal, but, no, they are untouched for years.
I feel like their dev team is maybe a dozen people who just do maintenance of critical issues and that's it. Their recent interface upgrade took years and it still sucks and feels like something from the dawn of the DotCom era. Compare PayPal to Stripe, let's say - there's no room for comparison! Stripe innovates at a huge pace, they provide a much better DX (Developer Experience), and are so much nicer to work with!
PayPal recently acquired Xoom - a very expensive and shady money transfer company. Compared to TransferWise, they are a total joke. In general, I think PayPal is managed by technological morons!
P.S. PayPal Here is also a disaster compared to the rest. I bought the device (as PayPal gives nonprofit discounts like Stripe but unlike Square) and many of our transactions failed, so, we switched back to Square. Now we're integrating with Stripe's reader, so, we'll get the best of both.
My guess regarding why PayPal does so badly with edge cases: they probably use very low wage "contractors" to run customer service and support.
Google, Facebook, PayPal all rely on their automated systems working perfectly and handling as much as possible. But there are always edge cases where things don't go as planned, and they require human intervention. But big tech wants max profits, so they try not to hire anyone, and those that they do hire are as poorly paid as they can get away with.
So you get very uninterested and unmotivated people handling customer support.
Similar to my experience, especially the ping-ponging between eBay and PayPal. In my case, I _did_ actually sell something, but then the buyer decided to return it. Somehow both my eBay and PayPal accounts got into a 'locked' state, with no way to resolve it other than contacting customer service. The experience with their CS department was beyond frustrating - they're happy to send 'red' letters demanding refunds and transaction fees despite cutting off all my ability to do anything about it.
Reading this post has given me the final nudge I need to look into closing both those accounts.
Is it too much to ask for regulations for payment transactions to step in, at least in EU? I know we're not too regulation-friendly here, and I haven't made up my mind yet, but I tend to think it's only consequential that digital payment transactions are considered a field where governments should exercise authority, on similar grounds that give (or doesn't give) government authority over establishing a currency in the first place.
Note this isn't a snark at paypal specifically. I'm just interested if anyone with an economic background has an opinion to share.
The EU has a lot of law about digital payments. In September this year, a new provision will come into force in the entire EEA that requires digital payments to be made with two-factor authentication, for example. I don't know whether or how that affects PayPal though.
Ugh, I'm really going to need virtual phone numbers for all these "second factors" (i.e. linkable identifiers), I'm just not sure where to get them. Twilio requires a credit card, and most other businesses that offer this look super shady.
I won't install an app on my phone. It probably won't work without Evilcorp Play Framework, it probably won't work with root, and even if neither of those are an issue, I still don't trust my device enough (I won't install banking, password managing, or pgp apps on there, it's too much of a play thing for that). My trusted things are computer-based, not a mobile device that goes everywhere and that I want to be able to use without having to unlock the screen with a complicated password every time.
So it'll probably be SMS, and otherwise they can ship me a second factor -- as the Rabobank already does for as long as I know: they basically send you a payment terminal that creates 0 cent transactions on your card, if I understand it correctly. While a bit annoying, it is safe and not too inconvenient.
That's great news. I hope it will finally result in international support for more secure internet payment. I can do so domestically, but as soon as a transaction is international, credit cards are basically the only thing that's accepted.
Given the expansion of "Faster Payments" and "open banking" (banks must support APIs!), I wouldn't be surprised to see the EU try to mandate a bank-to-bank ""federated"" payment system. Norway already has Vipps everywhere, although that's more like Venmo than Paypal.
Those are fairly small pitfalls. You can send money back without a refund button. Authentication is done through your bank; if your bank has 2FA, then you have 2FA for Interac. Not sure what you are referring to about the payment address, but declaring the email the unique ID seems to be a decent solution for me.
It’s difficult to understand why people are even using this service anymore. PayPal is not your ‘pal’ and to use them safely you need insurance and leverage all the way. The only reason I can imagine is that it works most of the time. But the times where it fails are invariably a disaster.
> PayPal survives because they keep end users happy, we (the people using PayPal to take payment or integrating it) aren't the end user.
I have no clue where you get that idea. PayPal has been freezing end-users' accounts, had bad support and very inconsistent refund limits since forever. Almost everyone I know who heavily used it had issues with it at some point in time.
Yeah, as long as you just use PayPal once a year to make some payment through your debit card it's okay, but any advanced user who uses it more often will eventually get in trouble.
PayPal generally these days doesn't get hacked. As an alternative to supplying credit card number to a random online merchant, it is infinitely more secure.
I have no doubts about security, and avoiding giving my card credentials to random merchants is exactly my use case for PayPal, but I still got my account randomly locked several times over 10 years.
What exactly caused it I have no idea, but it might be traveling or using a VPN. Once I tried to make a fairly big $2000 transaction to pay for my new laptop and spent a week re-verifying my identity with them.
There's really no good reason for anybody to be asking people for their credit card number any more. 3-D Secure exists and all the major schemes have implementations.
Given two merchants, I'll choose the one that uses a credit card over paypal every day. At least with a credit card I've my bank _and_ the scheme on my side. With paypal, it's me (and my bank) against the world ...
PayPal user since 2012, multiple monthly recurring transactions, about a dozen total transactions per month. Have cashed out bitcoin multiple times through Coinbase. Never had a problem.
Far fewer issues than I've had with my bank actually (random declines, locked out of my account due to a technical issue) in the same number of years.
Lucky you. Other people have had very different experiences.
These new-monopolies all seem to have the same features: robo-traps that trigger problems for users, robo-support (or support-by-script) that doesn't solve the problems, and no apparent motivation to actually solve problems when they happen.
Stronger regulation might fix some of this, but generally there should be some obligation to act ethically and responsibly.
(I know I'm dreaming, but consider how we got to the point where this requirement might as well be science fiction instead of a realistic consumer expectation.)
It's a two-sided market with one-sided dispute resolution, like eBay. Customers love it because it almost always finds in their favour. Sellers hate it because it almost always finds in favour of the customer. Neither side really wants to pay higher transaction fees in the hope of better justice from the dispute resolution.
Ultimately, if you get into a big enough dispute with Paypal you have to consider using the real courts.
I'm a seller and I actually like the buyer protection, because it emboldens people to buy a product from a small and relatively unknown seller. Customers also don't have to give me any of their personal or financial information except for where to mail their package.
Now, an aspect of running even a small business is that I have some cash on hand, and a profit margin to cover the cost of eating one or two disputes if necessary. If a $100 sale goes down the toilet, I don't lose $100, but only my original cost of goods.
Where I read about horror stories is individual sellers who are selling things like a second hand electric guitar. In those cases, the buyer and seller are probably both not swimming in cash, so having their money tied up in a dispute is in fact painful. And that entire economy is rife with fraud and outright theft. Also, electric guitars are a case where there is extensive room for dispute about the provenance and condition of each piece. This gives the buyer an easy way to claim "item not as described."
In my view the hot business model for using the small payment services is selling an inexpensive physical good with a generous mark-up.
I don't pay for labor. Amusingly, an MBA student interviewed me about my tiny business, and could not wrap his head around the fact that I don't count labor in my cost of goods. I do have a rough estimate of profit, and of how many hours I work. The closest thing I could offer him was a ratio of these numbers, which is typically around $100 per hour. I make my widgets in my basement, and am usually able to take care of everything in one evening per week. It's the closest thing to passive income that I've been able to come up with so far.
I follow a rule that's common among micro-businesses, which is to waste zero time on disputes. I always offer a full refund right away, along with a boilerplate list of troubleshooting suggestions. In virtually every case, the customer comes back in a few days and agrees that my product works. But because of this, I consider a dispute to be an immediate loss, and not a dollar amount hanging in limbo.
Because, as a business here in Europe, and potentially other parts of the world, I need to offer an instant payment method that doesn't expect customers to have a credit card since that's not a given at all. Paypal's ability to add your banking account as a source of funds has allowed customers to instantly pay for goods long before credit cards became more common here.
Paypal is used in about 40% of our sales and we didn't have any issues in about a decade. Even from personal experience as a buyer I can't report any major issues.
Is there insurance for when banks/payment processors do odd things? If there isn't, that seems like an interesting business opportunity. (I personally don't think it would be much fun to sort out PayPal's misdealings and customers trying to defraud the insurance company and/or PayPal, so count me out.)
I've been using PP for several years without a single incident. I use it because I don't have to write code or maintain a server to process payments. My business uses a passive web page. My online order form is written in plain HTML, in a text editor, and I was able to fully test it in a few minutes.
I keep my eye out for alternative services because like many others, I've heard horror stories, and would not mind having a backup. So far I haven't found anything.
A possible reason for my good luck is that I run an "analog" business. My product is a physical good that I make and ship, so the customer gets something tangible and that's the end of it.
I don't want to cast aspersions, but the horror stories I've read are either one-time incidents with eBay sellers, or complex digital services where the product is an intangible.
PayPal manipulating, removing, or holding hostage the balance of your account?
Yes that’s normal for PayPal.
Getting a the runaround about how and why it happened?
Yep, that’s expected too.
Actually getting a non-form letter response of any type?
That’s just lucky. We couldn’t get an account rep on the phone for almost 4 days when ~35k was suddenly deducted from the account. Nor when they accidentally cancelled all of our customers subscriptions while working an an unrelated fraud incident. Of course in both of these instances the customers blamed us for not being able to process refunds and being unable to reactivate their subscriptions.
P.s. never ever link any account with shared funds to PayPal. Business or otherwise, open a completely separate account for PayPal if you must use it.
Imagine having PayPal place a hold on the funds in your account to make sure refunds/fraud can be handled. Then when a customer does request a refund you’re literally unable to process the refund because it won’t take it from the funds you just received that are held. So now you automatically lose all disputes and they just start raiding your linked bank account. So why did they hold the funds in the first place?
Actually that doesn't even work. When they don't have a payment method on file that they can abuse, they'll be happy to send your PayPal account into overdraft and start threatening legal action to bully you into settling the balance.
Really the only thing to do, as soon as you see a "pay with paypal" screen is to go away screaming.
Here's the anecdote: I had had a company with a bank account and PayPal account, then dissolved the company and closed the bank account. Months after that, a former supplier of the now nonexistent company who had PayPal authorization deducted funds fraudulently from the PayPal account, claiming they had rendered services that were never rendered to a company that obviously and provably no longer existed.
PayPal sent the account into overdraft. When they couldn't deduct payment from the bank account that no longer existed, they started sending threatening communications to get me to settle the balance. I took things up with their fraud unit to get the transaction cancelled. Their fraud unit dismissed my case without looking into any particulars regarding the services that the vendor didn't render or the company that should have received services that no longer existed. To them the only thing that mattered was that, years ago, I was, in actual fact, stupid enough to click on "Pay with PayPal", the ramifications being that vendors are entirely within their right to use PayPal as an instrument of fraud and legal intimidation against me. It's your own damn fault, sir, for being so stupid and using PayPal.
Knowing that taking the legal route would have been way more costly than the amount of the transaction, and wanting to sleep soundly again against the backdrop of PayPal sending threatening communications, I wired money from my personal account to settle the balance and jumped through a shitload more hoops to make sure the PayPal account was properly closed and couldn't come to haunt me again in the future.
I think that's how they get away with it: Since the transactions they handle tend to be small, no one will take legal action.
I'm starting to notice a trend in PayPal fraud cases: a user has an issue with fraud. User contacts PP. PP's fraud department won't discuss the matter. PP does something oafish to lose a customer.
The critical point seems to be that fraud won't talk to customers.
It makes sense that PP moves quickly when fraud is suspected. What doesn't make sense is that they're so secretive about the events that take place on a user's account. For all we know, user's could be facing legitimate fraud issues that can be addressed with cooperation between PP and user. However, a user cannot cooperate when they have no idea what's going on.
If you can't discuss cases of fraud with your customers out of fear of revealing information to the defrauding party, you may need to do more in vetting the identity of users. I don't mean discussing the intricacies of fraud with customers, like patterns and markers for fraud. I mean getting to the bottom of the disputed transaction. You're shooting yourself in the foot in any other case. PayPal is concerned more with user count and transaction volume than individual account retention. You would think that you want your customers to be proactive in cases of potential fraud.
It seems like they never learned from their every-user-is-a-credit-card-holder days.
OP here. The fact that I am actively engaging in conversation with them, to resolve this, should bump me up a notch on their trust level (of course I could be playing an "iocane trick" [https://www.youtube.com/watch?v=U_eZmEiyTo0] but there is no way to honestly prove this).
Also the fact that they reply to my initial question about the refund with an absolutist "After investigating, YOU have logged in and YOU have initiated the refund", when I know I have done no such thing, immediately makes me think that I've been hacked or have somehow fallen victim to fraud.
Further inquiries to clarify the issue only lead to my account getting blocked/locked. I have no idea how this can be considered fraud protection from their side! And all this means that all in all I agree with you about the lack of competence of the fraud protection team...
I had an ebay transaction where I sold a piece of equipment, and the buyer was shopping around and didn't want to keep my product despite my listing it as "no refunds." The buyer claimed the product was defective and they allowed him to ship it back at my expense. I told ebay that I tried to help the buyer resolve any issues and they didn't even bother dealing with it and just closed the dispute. I called them and they claimed I agreed with and initiated the refund. I didn't. I called PayPal and they bluntly said that this is an ebay issue and that they're not involved. This is despite the fact that they froze the funds in my account. They straight up said they aren't involved. Both eBay and PayPal are complete shit and shouldn't be trusted. The fact that they cornered the market allows them to do this kind of crooked shit. It's absolutely ridiculous and I'm not paying the balance. They can close my accounts at this point. I don't give a shit.
> Really the only thing to do, as soon as you see a "pay with paypal" screen is to go away screaming.
I recently bought some piece of clothing and paid with paypal (had some money in it and I wanted to spend it before Paypal decides to close the account for whatever reason).
There was a panel saying "you allow the clothing company to ask for whatever amount of money there is in the account and if there isn't enough we will take it from the credit card linked to the account". That credit card is the one I used to put money in the account in the first place.
A few days ago I decided to give money to a charity a friend set up on facebook for his birthday. Had a choice between paypal and my credit card. Same kind of Paypal panel but I felt better giving facebook my credit card than linking Paypal and Facebook.
I am nervous and I am going to buy a pi or something and close the Paypal account forever.
My credit card is a "fill it to use it" kind. You need to put money on it from your bank account and then it acts as a real Mastercard. So there's always 0 euros on it except when transferring money from the bank account to buy something online. And I can put the money back from the cc to the bank account, no fees. With Paypal I can't, it's like I am forced to spend it now.
Do they use accounts linked for withdrawal to transfer money as well? I have an account linked so I can withdraw PayPal money to the bank, but I don't want them to get money from my bank account to PayPal.
The point I was trying to make that is actually more general than PayPal was: When you want to take back control over convoluted and untrustworthy systems that end up accessing your account in some way, you can't really do it at the level of the payment mechanism.
I've done this a fair amount in the past: When I would do business with a vendor that I don't trust all that much with the way they do their billing, I would give them a credit card number for a prepaid credit card with tightly controlled balances, instead of giving them anything that's linked to my main bank account.
But it doesn't really help. When the untrustworthy party wants to deduct a payment from the mechanism you've given them and it can't, then they will instead just turn to bullying and threatening legal action, and you end up paying them whatever is in dispute because you won't want to risk them taking legal action.
Another consideration that enters into this is the dark and murky territory of consumer credit rating. If there's an account that's in your name, regardless of whether it's PayPal, a prepaid credit card, a bank account or whatever, and there's a charge that hits the account and there's no balance, then this is an event that they'll collect data about, and that may be disseminated in ways that you may not realize, and it may come back to bite you in the ass when you want to apply for a mortgage or something. So it's best not to go that route.
At the end of the day, the only thing you can do is to not do business with certain kinds of entities at all. And PayPal is definitely on my list of entities not to do business with.
No, because of the same consideration: The amount at stake was just too small to justify a court battle.
But I really think that the banking regulator should take note of user stories such as the ones that are regularly all over HN and get to the bottom of it. After all PayPal, at least in Europe, is subject to the same regulation as other banks and payment processors. And if that's not the job of a banking regulator to take note when a financial institution has such shitty processes that consumers regularly suffer damages, then I don't know what is.
Also, maybe a private lawfirm should put together a class action or something on the basis of all those user stories. I realize that cases tend to be rather different to each other, but I'm finding it hard to believe that there aren't some things that happen so frequently and so systematically that it should be easy to take a stab at in court on behalf of a larger group of users who have suffered damages.
How much was in dispute and how much would it have cost? Most attorneys offer free initial consultations. Did you get a quote? For a lot of these kinds of disputes, you can do the paperwork yourself and not even involve court. For example, (if you're in the USA) many common disputes involving companies claiming you owe them money fall under the Fair Credit Reporting Act, which I've found to be very consumer-friendly and incompetence-unfriendly. Remember, your opponent generally also does not want to spend more money than they believe is owed in order to resolve the dispute.
It was something like €100, so really not something to bring in lawyers about.
But, standing on principle, I would have really liked to lodge a complaint with the regulator. Only problem: Since I was acting as a company (that now no longer even existed), it was never a consumer transaction, so consumer complaint wasn't a viable route, and you obviously hurt your case, even if it's just a complaint with a regulator, if you then settle the balance since they'd read that as you admitting guilt in some way.
Not settling the balance and lodging a complaint with the regulator could have had the side-effect of raising the stakes for them. So in a situation where they'd not normally take you to court, they might now actually do that since there would now be real money at stake, if the regulator launches into a full-scale audit into their processes & business practices. In such a case, winning a court case against me would have helped them in calling off the dogs if the regulator were to take an interest.
If you ask me, it should be the other way round: The banking regulator should play the role of public prosecution. When you complain against them with the regulator, then the regulator should either (a) tell you to bugger off without charging you for the privilege and allow it to end right there, or (b) take on your case in the sense of taking it to court on their own dime, and if it looks like it was processes & business practices that were at fault then they should come after the financial institution for that kind of a failure hard.
I got an eBay order and shipped it out, transferred the funds out of PayPal.
Buyer sends me an eBay message saying "OMG I'm so sorry but my eBay account was hacked." I believe them because when I googled the shipping address the package went to a foreign freight forwarder.
I don't worry because the address was "confirmed" in PayPal, so I'm protected from fraud. I always make sure to ship only to confirmed addresses.
eBay account owner initiates fraud investigation.
PayPal refunds buyer while the investigation is pending.
I have several linked bank accounts, they didn't touch them, my PayPal account just goes negative.
PayPal sends me an email telling me I can't have a negative balance and I need to fund my account to get my balance to zero, against their TOS to carry negative balance. No biggie, I fund it. I think I was even able to fund it with a credit card.
Fraud investigation proceeds. I have to provide a tracking number to verify I actually shipped the item.
A few days later PayPal decides it's fraudulent, but I'm covered under their seller protection.
PayPal refunds me the money, I transfer it back to my bank.
I'm perfectly happy with how it was handled.
I guess that doesn't make a good blog post though.
First, PayPal doesn't like it when your dispute ratio increases. The best way to handle disputes as a merchant is just to give the customer what they want. Most times this is a refund.
Second, when fraud occurs most PayPal users dispute any transactions as soon as they get their account back.
Third, you cannot refund a payment from a held or rolling hold balance. PayPal retroactively applied a rolling hold to our account of ~30% of our monthly gross transactions for a rolling 90 days. The way this works on PayPal, at least at that time, means that until your rolling hold balance is equal to 30% of your last 90 days' transactions, any funding of and payments into the account IMMEDIATELY get sucked into that rolling hold. We would auto flush the completed transaction account balance nightly. So now we're in a situation where trying to refund a customer wants you to add funds to your account, but as soon as the funds are added they are applied to the rolling hold. So, you click Refund on the dispute and you're unable to refund it. Eventually the dispute is automatically closed in their favor and the account balance goes negative. At that point you can fund the account and it'll apply to the negative balance first.
This was my experience at least, and trust me it was one of the most stressful events I ever encountered. Most of that stress was not knowing what was going on and why, and trying to get anything out of PayPal. Their processes are so opaque for merchants in many cases.
Do you have an alternative? Most of Paypal's conduct around these cases is defined by the regulations. If you think Paypal is bad, try Skrill (which I guess is the EU Paypal). And no, I don't mean actually try it; I still have $700 locked in there which I believe they're taxing for inactivity, because all they have for ID verification is an automated 3rd party system.
What I would love is for these services to require ID for opening an account, not after depositing over $250 (when you have skin in the game and have to verify your ID or lose the $). They won't though, because they would have a 95% churn rate on registration.
A _lot_ of banks allow you to generate 'virtual credit cards'. It's basically an auto generated valid credit card number.
You can use them for recurrent expenses or make them single use (the card is cancelled after first payment).
You can also max them to any arbitrary value. So if I need to buy 23.03 dollars of something online I can issue a card that maxes out at 24 dollars. So even if the details were stolen you could only take the remaining cents until it maxed.
None of this is new or innovative. I never really understood the need for PayPal in online shopping.
You say that but it's literally the only way to counter scamming sellers on the internet. PayPal needs to stay, at least until there are viable competitors.
How is it "literally the only way to counter scamming sellers"? There are so many competitors out there that offer better services... Stripe, Google Pay, Moneris, Braintree, Square, WePay, Authorize.net, the list goes on...
I'm talking about eBay and Craigslist sellers, not companies. Anything I buy from companies I can just put on a credit card and chargeback if scammed.
Edit: also googling around none of those seem to have the solid buyer protection that PayPal has. With PayPal I can just open a dispute with a picture of the error (color is off or whatever) and within a relatively short time period the seller is forced to reimburse me the full purchase cost, including shipping. That's very valuable as a customer.
Maybe in the US it's simpler, but recently I had to do a chargeback on my Polish credit card, and first of all I couldn't even initiate one until the transaction was fully processed (while it was only showing as "pending" on my account), so that took 3 days. Then I could file a chargeback by making a complaint about a transaction, which I was then told would be "reviewed in no more than 2 weeks", and that is genuinely what happened: the transaction was reversed and the money returned, but it took the full 2 weeks from the day I requested the chargeback.
Money Transmitters are a heavily regulated industry. I bet this way of operating is just standard procedure to save their own neck from heavy regulatory fines.
What would be an alternative solution in your opinion?
I hope Libra (the new currency from FB) will set a higher bar.
I can confirm that PayPal is horrible to legitimate merchants. One would expect better fraud protection given the high fees they charge. I never expected they would simply “freeze” our funds without explanation.
Maybe. But Paypal and all the other fintech are still based on traditional banking with all its regulations and inefficiencies.
I doubt Libra, if it's ever actually launched, will escape those.
A few years ago, I sent my youngest son to a well-known online retailer to buy some computer gear.
What he got was a counterfeit, a fake that was broken.
He started the refund process, but I was pretty miffed that my reputation with my kid got mixed up in these poor business practices. So I emailed management and asked that they apologize to the kid.
It took almost forever to get them to figure out that I was not asking for a refund. I was asking for somebody to explain what happened, apologize, and take steps for it not to happen again.
He finally got a refund, although whether it was from my actions or his nobody knows. He said it came in three chunks, as if various departments were each pitching in a bit.
I thought my point was pretty clear: as leadership, when you take your company and allow its reputation to suffer like that, this is something you are responsible for and need to take action to fix. The money has nothing to do with anything. But they only have certain predefined channels that they seem to be able to communicate through. Anything outside of those channels causes a weird org fault.
I've worked with call centers before, and it continues to amaze me the strange place we are putting humans. They're paid to answer the phone, but after that? They're basically little robots, paid to execute a predefined program, adding in a bit of human-sounding noises now and then to make things slightly more palatable to the person on the other end.
> Inappropriate automation and human/machine confusion bedevil call centres. If you could solve your problem by filling in a web form, you probably would have done. The fact you’re in the queue is evidence that your request is complicated, that something has gone wrong, or generally that human intervention is required.
> However, exactly this flexibility and devolution of authority is what call centres try to design out of their processes and impose on their employees. The product is not valued, therefore it is awful. The job is not valued by the employer, and therefore, it is awful. And, I would add, it is not valued by society at large and therefore, nobody cares.
> If you could solve your problem by filling in a web form, you probably would have done.
How true is this of the general population? I suspect that a significant fraction of call centre volume could be dealt with through a web form.
That said, the rest of the point is true: the lack of agency in call centre employees likely results in a huge amount of wasted time and frustration both for the customer and for the company.
Call centers, warehouses, and distribution centers; all places where people seem to be required yet their creativity and input isn't. For a large part, we treat them like they're just meat robots.
I remember the first time I saw the computer-controlled voice-directing picking. You wear the headset. The computer tells you what to do. I see this way of working eating up more and more workers.
One economist put it this way in a recent column I read: robots aren't taking your jobs. Robots are becoming your bosses.
>It took almost forever to get them to figure out that I was not asking for a refund. I was asking for somebody to explain what happened, apologize, and take steps for it not to happen again.
This is not the payment processor's job, this is the merchant's job. Instead of PayPal you could just as well have contacted Visa/MC/whoever or your issuing bank; they wouldn't have been able to do much for you either.
I processed a few hundred thousand in revenue through PayPal subscriptions starting around 2008. Everything went fine for a few years, then I moved to Stripe because of the horror stories that kept popping up about PayPal (frozen accounts for 6mo+ with no recourse, inability to contact anyone, etc.).
It just isn’t worth the risk, IMO. At least with Stripe I know I can talk to somebody if a problem arises.
Yeah, had this happen to me. Currently my account is limited, they want me to send proof that I have shipped things that do not exist. I am not a merchant or anything like this, I just sent money to my gf and she sends money to me. It's fucking stupid. These companies are absolute shit.
Paypal may, under good circumstances, fix problems they have themselves caused.
However, the concept of explaining to a customer why they did something is utterly alien to them. This just does not seem to be part of any process they have. It bewilders them to no end if you ask them for an explanation of anything.
Interesting that you are in the UK and still had trouble. Do you think that you got the money back because of the way they are regulated within Europe as a bank rather than the way that they are not regulated in the USA (which is where most of the horror stories I see seem to come from)?
Yes, my experience with PayPal has involved inconsistent UIs, bad UX, locked funds, and incompetent customer service. I only use paypal where absolutely necessary, such as for selling on ebay.
I avoid PayPal, but in the rare case where there is no other payment method possible and I really need something, I simply create an account, do the transaction, and immediately delete the PayPal account again.
I once closed my account only for it to be re-opened 4-5 months later by them with a debt balance assigned.
Long story short is that someone I'd previously transacted with owed them money so they determined that they would take it from my account and recover it from me.
I complained to the Financial Ombudsman in the UK. They agreed with my position that it was unreasonable for me to be held financially accountable for people I've transacted with indefinitely.
Paypal stuck to the line that "You cannot close your account in order to avoid a debt". Despite the fact that I had no debt, except the one they assigned me several months after account closure, out of nowhere.
I opened my PayPal account in Sep 2003, and deleted it in November 2013. Even though I didn't have to contact their "support team", it started to feel like a scammy site I couldn't trust by 2010 or so.
I've found a few sites over the years which only supported Paypal as an option, in every case I've chosen to buy elsewhere or not at all. Paypal is not a company I could support.
That sounds like normal procedure from a bank. If someone deposited a million to my account in error, the bank would (and should) most certainly just correct the error even if it means "decreasing the balance" on my account.
I expect them not to hide it though, i.e. I expect to see the transaction log to say "+1000 deposit -1000 correction", and I expect them to be open about the mistake IF I ask. I do not expect them to give me a call to explain what happened, however.
This is behavior I expect from any entity where I have an account with a balance, whether it's a commercial bank, PayPal, or anyone else.
The mistake of having a deposit in your account shouldn't be furthered by the bank, or other company, removing money from your account without notice. They don't have to do an in-person phone call; a text message/email/automated call would do.
There are many situations in which a person could receive money and genuinely think it was theirs to spend. Some of those situations could be ones in which the spending could be extremely detrimental.
And I'd bet their fraud detection machine learning bingo tool will learn "owner did not contact us after the ban" as a correct ban and continue to be more obnoxious to all the other customers.
Oh well, whoever are still using Paypal should know by now what they are risking.
You could read one of these stories and come away passionately more pro or more against chargebacks, but the real solution for both situations is just more transparency and communication.
In SG's case, if they're right that the money ended up at the right place, fine, just let everyone involved know what happened, how PP came to that conclusion, and what options there would be for the parties to appeal in the case of fraud or mistake. It sounds like in the PM story that that approach would have resolved everything faster there too.
Transparency isn't going to kill you in this situation. You may be worried about privacy risks, but just make a clear policy as to what you can and can't say during the initial phases of disputes.
Transparency will resolve the easy cases, but there are real dilemmas here between buyer and seller rights. I feel like some of the tech that is taking over the roles of payment systems are just pretending these dilemmas don't actually exist. eBay definitely stumbled through buyer vs seller rights for a while, maybe still doesn't have it right.
Cryptocurrency is an interesting spin. In some ways its stance is that chargebacks are so anathema that they will design them completely out of consideration.
Recently had a terrible experience with PP Dispute process.
1 - Bought tickets for a show via twickets.live
2 - Seller (supposedly) sent a transfer request to me via the ticketmaster portal.
3 - I received nothing, tried to contact seller, got no reply till after event.
4 - Open a dispute as I paid for something and received nothing.
5 - PP sides with the buyer citing ‘evidence’ the tickets were sent to me
6 - PP won't share 'evidence' with me, won't reopen my dispute, no option to create a new one.
Now I’m down a wad of cash, didn’t go to the show, and got no opportunity to do anything about it. Closed my account immediately afterwards.
PayPal is horrible, both as a merchant and a customer. In every single way possible. From APIs to service, to explanations to everything. It's time for someone else to take their place and everyone stop using PayPal.
I'm not surprised. I accidentally created a seller account trying to create a test account for a project I was working on. I never verified the account as I realised quite soon. I've never sent or received any money.
But can I close the account? Nope! I have to send official paperwork to prove it is a valid seller account before I can close it. The only reason I want to close it is so I can reuse the email address. But you can't even change the email address.
I still sometimes make the mistake of trying to login to paypal without a VPN. I once lived 50km westwards in another country and if I try to login to my account accidentally, it'll lock me out, also after I VPN back into the original country I still can't login. It is randomly resolved after a cool-off period.
When you call support, either in the original or the new country, they both offer the same thing:
- change your password (I know my password, and though they seem to understand, their script seems to tell them to offer this)
- close your account (what, after telling you my email address and the last 4 digits of my bank account (not even a credit card)? That's password-equivalent?!)
Support tells me it's not supported to login to your paypal account from another country. Don't thousands of people do this every day? On holiday, while traveling for work, or moving countries like me... doesn't this happen thousands of times a day? I live an hour driving from five different countries, it's not uncommon for anyone here to be somewhere in, y'know, the EU.
A few years ago I remember being locked out of a PayPal account (which I just forfeited) for not knowing my security questions. Like, duh, you think I answer truthfully what my favorite food is for a payment account after I (the 13 year old leet haxxor) 'hacked' a classmate's Hotmail by guessing a very common favorite food? They still use security questions, but these days I enter my current password there so I can at least answer when prompted.
> Support tells me it's not supported to login to your paypal account from another country. Don't thousands of people do this every day? On holiday, while traveling for work, or moving countries like me... doesn't this happen thousands of times a day? I live an hour driving from five different countries, it's not uncommon for anyone here to be somewhere in, y'know, the EU.
Yeah, exactly. I had the same thought when support told me to open a new Paypal account from the country I live in abroad and only use that account when I'm abroad.
Wait, what? Their official policy is to use a different account for N countries you spend any time in?
To link my new US bank account to my Paypal account, I ended up using a US VPN and then gave Paypal my friend's US telephone number so that he could feed me the security code.
It made me suddenly feel very precarious about how I currently use my Paypal account. I would've thought international-use was one of Paypal's main marketing bullet points.
Though, to keep things in perspective, Paypal does let me do things that my bank certainly doesn't, like send and receive money for free internationally and work remotely for anyone with a Paypal account. I can't complain too much and I'll give them the benefit of the doubt that they are hamstrung to some degree by psychopathic anti-laundering/KYC bullshit.
I hope Facebook's Libra will be more polished and be built on the expectation that people ever leave their country of origin.
Completely expected. As a developer that has been forced to integrate with PayPal numerous times I'm not surprised the customer service side is as abysmal as the developer side. Terrible service, run-arounds, just shitting all over the bed in general. Don't even get me started on their fraud resolution.
They are simply the biggest name in the business and have been around the longest. There is absolutely no other reason they deserve the market share they have.
I had a similar experience with Uber Eats. Though I despise PayPal, I think this problem is common to these large companies that outsource all customer support. There is no venue to actually reach someone who gives a damn and at the top, they like it that way because they don't care about anything except how much money they are making. It is deeply flawed. I wish there was a good alternative to PayPal.
PayPal is stuck between a rock and a hard place. At their scale they are are constantly targeted for all kinds of criminal activity and are under enormous pressure to follow rigorous laws pertaining to handling money.
They keep trying to balance this with good customer service, but I'm not sure you can do any better ... and I hope nobody thinks that cryptocurrencies are the answer.
Same thing happened to me. I got charged for a "refund" for a sale I never made. It took my account into the red and they demanded money and even more ID from me, so I closed it. Stuff like this is why I don't keep money in any place other than my bank acct. They also instantly and without warning locked my account after receiving 2000 dollars from a friend before that and demanded official documentation after I started investigating what happened, citing EU laws. I wouldn't have minded that since I'm not a criminal, but surely locking away someone's account without explanation is not a good way to take care of users. Especially if you're basically a bank.
Maybe I am in the wrong here, but my approach each and every time to a project where I deal with someone else's money is to try and figure out the most secure and most informative way to do everything; after all, it's one of the biggest responsibilities you can take on as an online service provider.
I have to say that I have been lucky with PayPal so far, and I have had a PayPal account for a long time. I only use it as a buyer though. I really like it when a website has a PayPal option so I don't have to give yet another site my card numbers, including the security number on the back. I think that maybe twice over the years I have needed to get a refund, and apart from the process being a bit drawn out I had no problem. But then the unhappy stories are usually from vendors, so maybe my experience is nothing special.
Just avoid PayPal. I've always had issues with them, from funds being blocked for no reason to my account being blocked; their support is an absolute nightmare. Also, my friend sold something on eBay; the buyer said she didn't get it, so PayPal took the money back from my friend. She sent it and it was signed for, but not at the address listed on PayPal, the address that had been given by the buyer, so it's not protected. Shady shady business.
I once got a mistaken transaction on PayPal; the "buyer" contacted me to ask me to refund their money because it was a mistake. I issued a refund and PayPal took 30 cents in fees because of the refund. I contacted PayPal to ask why I was charged for a mistaken transaction and they just told me this is how it works and there's no way to avoid that.
I once ordered a domino's pizza via paypal. The app did not complete the transaction. I did find however 20 transactions to dominos on my paypal account. I tried to reason with Paypal that I did not authorize 20 transactions (just one), but Paypal did not want to reason with me. In the end, Dominos refunded 20 transactions.
If you do a calculation of the number of Ebay purchases that are handled by PayPal, it's certainly in the millions, and probably hundreds of millions. The rate of outright fraud is unfortunately very high, and the average person is so prone to error that PayPal must employ many people to handle all the cases.
Once you have a very large organisation, consisting of many staff handling cases, all of whom need to be acting consistently, you face the real statistical likelihood of fraud within the company itself. Any sufficiently large company will have employees that try to defraud it.
The upshot of this is that large companies handling many transactions like this, especially ones that will often be disputed, must implement security not just to prevent fraud from outside the company, but also inside.
Such security measures are often very difficult to work around by employees trying to do the right thing by customers who are in the right, but where something unusual has happened that those security systems didn't anticipate. I can imagine this often frustrates the intention to have a smoothly working system.
You also can't easily make changes to accommodate such corner cases without opening other security holes, both within and without the company. And it takes a long time to formulate and disseminate new protocols that your employees should work to. And then you have to communicate any changes in the way you handle things to your customers.
Running a company like this must be an absolute nightmare of logistics. And it is surely made worse in that Ebay seems to have the ability to authorise chargebacks and refunds in disputed cases that can then be appealed to PayPal itself.
But the alternative is in my opinion worse. As a buyer, you must pay for an item before receiving it. I am aware of so many complaints online of fraudulent sellers making off with tens of thousands from fraudulent sales, and there being nothing anyone can do about it because of banking privacy laws. Having a service like PayPal seems essential to reducing fraud in such online transactions.
In summary, I can perfectly understand PayPal wanting to perform a security check for every long time customer for whom a flag was raised by some security protocol.
And naturally, there are going to be many false positives, and many unfair decisions taken at such scale.
Independent arbitration would indeed seem like a good idea. But who is going to pay for independent arbitration for potentially millions of disputed transactions? The reality is, almost every single transaction that has already been appealed to PayPal that can be appealed easily to an independent arbiter, will be. So you simply double the (already high) cost of such a service.
Paypal has taken thousands of dollars from me and won't let me access my account with a pre-paid phone. It's hard, but avoid them if you can. I inherently distrust Facebook's Libra project because of Paypal's involvement.
I guess someone inside PayPal is using random people’s accounts to launder money. Deposit dirty money into innocent account- let it sit for awhile then take fresh clean credits out. In Greece? My guess is that it’s an arms dealer
Paypal strategy to get the ID:
1. Ask the user to sign up.
2. Pretend everything is complete.
3. Wait for the user to get a payment or money.
4. Block the account and ask for the ID.
Like call the 800 number back? No. At the time I was making about $100/hr so the hassle wasn't really worth it. I figured if they send they check, great, if not I can just bitch about it from time to time on the Internet...
Very weird case. The person got angry even though it was not his money to begin with. Absolutely no harm was caused to him. The person demanded explanation why an erroneous amount of money visited his account. Yet it's none of his business. There was a moment in this incident where any reasonable person would have just moved on.
> Notification of deducted money is something that is quite reasonable to expect.
You choose to say it like that. "Notification of deducted money". The money was first added, then removed. It would have been different if it was first removed, then added. But it wasn't.
OP here. If you do NOT get a notification that some money was removed from your account you will NEVER know of the fact (unless you are logging in every day to check the balance and the account movements). My bone is NOT with the valid/legal refund, but with the fact that PayPal did NOT bother notifying me. If that refund was somehow invalid/illegal/callitwhatyouwill, I would never have found out for months. TOO late to do something about it by then.
You just decide to care about the notification. The money that was added on your account and subsequently removed was just bits on hard disc. Those bits didn't affect your life until you decided to demand Paypal to notify about it.
It is his business, it's his account. What if he'd had an auto-transfer setup to clear his account and it sucked up the money before the magical refund? Then he'd have PayPal up his ass about "hiding funds".
Would you let some 3rd party use your PO box or parcel locker as long as "it was none of your business"?
It's not his account. It's a service paypal offers. They own the service, the bits, everything. He owns the money. Paypal added some money that was not his, and then they took it away. Nothing of his was touched.
tl;dr:
1. Erroneous deposit appears in account
2. Soon after, the money is removed
3. Account holder makes a big fuss and falls out with paypal about it
Getting offended, emotional, indignant, and angry about any of this was completely uncalled for, and if this is how you go through life, you're going to continue to have these kinds of problems at a rate much higher than the average person has these kinds of problems.
Do you work for merchantinc.com? They seem to own and operate paypalsucks.org and have a history of advertising themselves with forum spam similar to your comment.
The same happened to me. 10 years ago my personal account was frozen. They requested additional verification. Getting any information on why my account was suddenly frozen led to nothing. Paypal was not able or willing to explain to me what caused this issue.
This was the moment I decided I did not want to do any further business with them.
As a buyer I would never want to use cryptocurrencies. There is absolutely zero customer protection without the cryptocurrencies going through a middleman, at which point it's nothing other than another version of PayPal.
This is the primary reason I, and I assume a lot of others, use PayPal - not because of their amazing customer support, but because of their customer protection, which works just fine in 99.9% of cases - which is still a lot better than 0 customer protection.
You never heard of bank transactions going sideways before? You should have opened the issue when you saw the funds, but you let your greed get the best of you and now you're pissed you lost... what exactly?