If PayPal wants to mitigate risky transactions, give us a good mechanism to report fraudulent ones. I reverse dozens of donations to my open source project every month that are obviously fraudulent (testing a stolen credit card to see if it works). I have no way to report it to Mastercard/VISA or the cardholder. I have to reverse it or I get hit with a $20 chargeback fee on that fraudulent $1 donation. And when I reverse it, PayPal keeps their fee, so that has to come out of our funds.
FYI, there is no mention of "risk" in the submitted article, it's purely about copyright policing. You appear to be responding to misinformation posted by some commenters here.
You might have to institute a minimum donation amount, and link to a page explaining why. And I honestly don't think it will matter much if the minimum donation has to be $3 instead of $1 due to fraudulent charges & fees.
Better yet - disable credit card donations and stick to just PayPal accounts. A set of people who are willing to donate, have a credit card, but not a PP account is vanishingly small.
The day would be rather bleak if PayPal had a monopoly on who can donate to whom. I would on principle never donate to such a project, and hope that they would at least consider opening up an alternative method like bank transfer or bitcoins.
I've had nothing but trouble with PayPal. I give them another shot every year or three, but invariably have to jump through piles of hoops to make a first payment, if I'm successful at all. So generally end up using a card directly. Because PayPal is terrible.
It's the price of operation on the internet. There are more avenues of abuse and so they have to be very strict. This resulted in a lot of frustrations from the users, but there is nobody doing better.
I'm not sure that is true. I suspect it has a lot to do with the market. Anywhere that eBay dominates the online auction / trading business - maybe. Elsewhere (such as NZ, where eBay use is dwarfed by Trade Me), PayPal account holders won't be nearly as common.
Paypal provide fraud management filters via the API. Payments can be flagged based on a variety of criteria and automatically rejected or held pending until they are manually reviewed. If you require more sophisticated fraud management tools, I would suggest using a payment gateway service.
> If you require more sophisticated fraud management tools, I would suggest using a payment gateway service.
PayPal is a payment gateway... In the case you mean payment processor... Stripe's antifraud is pathetic at best (sorry, love you guys). BrainTree isn't any better. Authorize.net is bottom-barrel. "Let's add MaxMind!" not helping, it's trivial to circumvent.
Nothing can defeat a human, and nobody can be 100% about detecting a fraudulent transaction. The things that kill you are the things that a payment gateway doesn't look at.
My history is littered with circumventing the rules, bending them and breaking them. I'm a "student of the game" if you will (well, not anymore, I now help prevent and detect), and there are things that I've developed/learned/executed/manipulated into getting a transaction through that was so stupid simple that I laughed when I saw the words "order confirmation."
Please, please don't trust your payment processor or gateway to be enough to prevent fraudulent transactions. They're good for the 90% of carders who are idiots. The remaining 9% are the ones that will hurt you, and that last 1% are the ones that will kill your business.
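A merchant-side screen layered on top of whatever the processor does, aimed at the card-testing pattern described at the top of the thread. This is an added example, not part of any comment and not PayPal's filter API; the thresholds, field names and sample records are constructed.

```python
"""Screen donation attempts for card testing (added example, constructed data)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    ts: int            # seconds since an arbitrary epoch
    source: str        # client IP or session id (hypothetical field)
    card: str          # opaque card token from the processor, never the card number
    amount_cents: int


class DonationScreen:
    """Decides accept / hold (manual review) / reject for each attempt.

    Assumes attempts arrive in time order.
    """

    def __init__(self, min_cents=300, window_s=3600, max_cards_per_source=2):
        self.min_cents = min_cents
        self.window_s = window_s
        self.max_cards = max_cards_per_source
        self._seen = defaultdict(deque)   # source -> deque of (ts, card)

    def decide(self, a: Attempt) -> str:
        history = self._seen[a.source]
        # Drop attempts that have aged out of the sliding window.
        while history and history[0][0] <= a.ts - self.window_s:
            history.popleft()
        # Record every attempt, including ones rejected below, so that
        # below-minimum probes still count towards the velocity rule.
        history.append((a.ts, a.card))

        if a.amount_cents < self.min_cents:
            return "reject"               # under the published minimum donation
        distinct_cards = {card for _, card in history}
        if len(distinct_cards) > self.max_cards:
            return "hold"                 # many different cards from one source
        return "accept"


# Constructed sample: one source cycling through cards, one repeat donor.
SAMPLE = [
    Attempt(0,    "198.51.100.7", "tok_a", 100),
    Attempt(60,   "198.51.100.7", "tok_b", 100),
    Attempt(120,  "198.51.100.7", "tok_c", 500),
    Attempt(130,  "203.0.113.20", "tok_z", 2000),
    Attempt(200,  "203.0.113.20", "tok_z", 2000),
    Attempt(4000, "198.51.100.7", "tok_d", 500),   # earlier attempts have expired
]


def screen(attempts, **kwargs):
    """Run a fresh DonationScreen over attempts and return the decisions."""
    s = DonationScreen(**kwargs)
    return [s.decide(a) for a in attempts]


if __name__ == "__main__":
    for attempt, decision in zip(SAMPLE, screen(SAMPLE)):
        print(attempt.ts, attempt.source, attempt.card, attempt.amount_cents, decision)
```

The third attempt clears the minimum but is held because the two rejected probes before it still count as distinct cards from the same source.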
Until quite recently, they offered the only way of accepting credit cards without a written application and a substantial security deposit. In many countries, they're still the only realistic option.
The "problematic behaviour" you describe is invariably related to the fraud prevention mechanisms required to offer their service. That's the deal - Paypal are incredibly liberal in opening accounts, but they reserve the right to freeze an account pending investigation if something looks sketchy.
Paypal still fills a very useful role. I've used their services to receive payments for over a decade without incident.
I run a small business in Canada, and a hundred times this. For a long time my options were: PayPal, or sign a contract with a bank to get a binder with some instructions to use a horrible API. There may have been some weird options like e-gold, but nothing I could pitch to a business user. PayPal was easy to set up, captured credit cards so I didn't need to think about PCI, and did a non-zero amount of work to block fraud. We've since migrated to start preferring Stripe over PayPal, but it was Paypal all the way for the first 5 years.
> They ignore all legislation. They are pretty much a bank for free.
They're more regulated than all but a handful of international banks, and it's not at all free.
PayPal is a licensed money transmitter in all 50 states, the District of Columbia, the US Virgin Islands and Puerto Rico. Most of those states have bond requirements for MTAs, typically six figure deposits. They're subject to 52 different regulatory agencies in the US, in addition to Regulation E consumer protections and the USA Patriot Act federally. Their US<->international transfers are overseen by the U.S. Department of the Treasury’s Office of Foreign Assets Control like any bank. They're not an ordinary bank in the US only because many years ago a judge ruled that they don't qualify to be one by the nature of their business; they tried unsuccessfully to be licensed as one in order to get FDIC insurance on deposits.
They are a licensed bank in all of the EU, with a bank charter in Luxembourg, regulated by the Commission de Surveillance du Secteur Financier. In Australia, they're licensed by the Australian Securities and Investments Commission as a financial product and by the Australian Prudential Regulation Authority as a purchased payment facility provider, which is a type of authorized depository institution (i.e. bank). In most of southeast Asia, they operate under their subsidiary PayPal Pte. Ltd. which is a licensed stored value facility regulated by the Monetary Authority of Singapore. They operate in 203 markets in total, most of which have separate financial regulations and regulatory bodies PayPal has to comply with.
I used 2checkout.com for years and years for a small business in Canada. Switched to Beanstream.com years ago (lower fees, but doesn't accept amex in usd).
I'd never use or recommend paypal for any business. Their history of seizing funds, freezing accounts, and pulling money from bank accounts is atrocious.
> but they reserve the right to freeze an account pending investigation
In reality their processes for investigating are often a neverending nightmare that punish innocent people, or in this case are hampering one of our only hopes for reasonably secure mobile communications:
http://neo900.org/news/paypal-trouble-delays-project
It seems like buyers prefer protection a lot more than sellers do. Or maybe sellers just don't have any power to decide, and have to go where the buyers are.
> It seems like buyers prefer protection a lot more than sellers do.
It's a consequence of the regulations on credit cards. The cardholder can reverse allegedly-fraudulent transactions. Paypal can't reasonably do something else while processing credit cards, so they don't.
It's quite stupid because you end up with customers who aren't even looking for credit, they're willing to prepay and are willing to trust the seller, they just want to transfer funds digitally. But they can't because the seller/card processor doesn't trust the buyer not to reverse the transaction and the regulations don't allow the buyer to abandon that right up front.
PayPal could at least offer the option for purchases funded entirely from existing funds in the buyer's account. That they don't suggests that protecting buyers is more valuable to them than protecting sellers.
Debit transactions have the same sort of protections.
The main difference between debit and credit is that if you're the victim of fraud with a debit card, money has been taken from your bank account and you have to fight to get it back. The fight is usually not very hard, but it takes some time. If it hits at the wrong moment you may have trouble buying food or paying rent on time, even though you'll get the money back before too long.
Or that the barrier to entry for competitors is too high. It's pretty difficult to replicate the synergy PayPal had with eBay, which drove the number of Paypal customers up so high, so quickly.
Like, they never blocked your account for logging in from abroad?
My first account is still in zombie state because it can't be closed without sending them scans of some papers I couldn't care less about sending (and didn't have them abroad). There was no money there so I simply opened another one, but still an annoyance.
PayPal is more relevant than ever. As simple as it seems, sending legitimate money from point A to point B could not possibly be any easier than with this service.
Their invoicing system is ridiculously simple, nearly everyone I'm working with keeps cash in there or connected to it (or very worst, a credit card attached), it hooks up easily with FreshBooks, contractors like it since PayPal handles the 1099-K themselves, and it just works.
I see no reason to change. I just don't keep an absurd amount of money in the account and I feel safe using it.
The poster above wasn't saying that the NEED for Paypal was no longer relevant, he/she was saying "here's a company with a lot of unhappy customers - why hasn't another company come along that solves the same problem with fewer complaints?"
(At least, that was how I read it).
As a consumer client, the only problem I've had from Paypal is the difficulty of changing my name.
One of the big problems with using bitcoin for something like this is you're not just sending money. You're converting to a different currency, sending money, and converting it back. It would be akin to me wanting to send money to my Dad by converting it to Euro first, sending it, and him converting it back to USD. Neither of us have any interest or use for money in Euro or bitcoin. We both have/need USD.
You also get the volatility of bitcoin. If I send $10 to my Dad in bitcoin, it might be $9 by the time he gets around to converting it to USD. Or $11. Bitcoin could plunge in value (for seemingly no reason that I can tell) and be worth $5. I have no way of knowing what the value of that will be for him when he gets it.
If I want to send my Dad $10 on PayPal, he gets $10. He gets it instantly in his PayPal account as $10. If he transfers it immediately to his bank, it'll be $10. If he transfers it next week, it'll still be $10. It's guaranteed in value.
Also, I don't know if this is still the case but dealing with bitcoin is a pain. If I want to buy bitcoin at Coinbase and I don't have a credit card linked to my account (until recently, you couldn't even use Mastercard), I have to wait a few days for my BTC to arrive, even though they are directly linked to my checking account. I have no idea what the value of my BTC will be when it finally arrives a few days later. I have to send it to my Dad, he has to sell it back to USD (at least at Coinbase, at a lesser rate than buying it). The value could change dramatically at any of those steps.
And if you want to add a card at Coinbase, yeah, that's fun. When I added my card, my bank immediately kicked the attempted authorization out for fraud reasons. 10 minutes later my bank called me about it and I approved it, but Coinbase told me I couldn't try again for a week. So I had to wait another week before trying to add my Mastercard again.
Bitcoin has a lot of usability issues for non-tech people. And using it for a simple USD->USD money transfer is like using a jackhammer when you need a scalpel.
You are describing the most convoluted way of using Bitcoin. You just don't do USD->USD transfers with BTC. Instead you hold an amount of BTC and you pay with BTC for services that accept BTC. Conversion USD->BTC and BTC->USD is hard simply because the banking system is trying to make it hard.
> If I send $10 to my Dad in bitcoin
Have you tried to use BTC to do business with Amish? Or any other made-up situations where you force BTC on people who don't know how it works or have no business using it?
But that's primarily what I use PayPal for: sending money to family and friends. Paying for my share of dinner, or concert tickets in a group buy, that kind of thing. I will occasionally buy things using PayPal (usually eBay stuff), but mostly, it's simply a money transfer mechanism.
For that, PayPal is perfect and BTC is overkill. Parent said "You obviously have never used Bitcoin." I have. For this, it's a pain whereas PayPal is flawless every time.
> Conversion USD->BTC and BTC->USD is hard simply because banking system is trying to make it hard.
But is it really that much harder than any other currency exchange? Off the top of my head, I don't even know how I would buy, sell or change Euro to USD without physically going to the bank.
> Have you tried to use BTC to do business with Amish? Or any other made-up situations where you force BTC on people who don't know how it works or have no business using it?
See, it's this type of attitude that makes people groan when talking to bitcoin advocates. You're calling a situation that I have personally encountered and provided a detailed accounting of to back up my assertion "made-up" and comparing me and my family to Amish?
> You're calling a situation that I have personally encountered and provided a detailed accounting of to back up my assertion "made-up" and comparing me and my family to Amish?
You've exposed your father to losses without explaining to him that BTC is in fact not USD and USD/BTC is a floating exchange rate. I don't see how this is a problem of BTC and not your own personal screw up.
> You've exposed your father to losses without explaining to him that BTC is in fact not USD and USD/BTC is a floating exchange rate.
You are assuming that both of us were not aware of that. We both were and were interested in trying something new. But it is still a reality of using Bitcoin when the entire transaction is not in bitcoin.
Anyway, the larger point remains: there are some transactions that bitcoin is ill-suited for and PayPal is great for. Sending money to people is one of the core features of PayPal that works like a breeze whereas buying and selling a different currency just to send money makes little sense.
"Situation is real, but the problem is made up". You did make up that point, after all.
Once again - if you are using other currency, be it BTC, CHF, EUR, RUB or CNY, you are exposing yourself and counterparty to exchange rate fluctuations. Difference is - with BTC you have some extra possibilities.
As for PayPal - yeah, it's a breeze until it's not. I.e. until they've blocked your account because reasons. With BTC I own my money. With PayPal, PayPal owns me.
For 99% of the population (which matters a great deal), Paypal is far easier, faster, and safer than bitcoin (which isn't even a single entity to deal with but rather computer science theory put into a proof of concept).
LOL. The other comments stand for themselves, but I'll add that not a single person operating in my industry uses bitcoin. This is delusional thinking once you get outside of the hardcore tech sector.
The businesses I deal with enjoy US dollars and simple tax situations. Not the opposite.
Honestly, when I'm dealing with a trusted merchant, Bitcoin is less painful than a credit card, especially if there's nothing to ship (e.g. with Namecheap and Prgmr). I have Mycelium on my phone - I scan the QR code, punch in my pin, and order completes a few seconds later.
And with an absolutely useless website. They have two UIs, like Windows 10, an old one and a new one, with the website randomly switching between the two and many options or data that are only visible in one but not the other.
I explained this in another post about paypal. Basically, paypal has a monopoly on international transactions for Americans. I ended up switching to Bitcoin, but not everyone is able to do that.
"It's an absolute egregious shame that PayPal, after more than a decade of problematic behavior, is still relevant."
What alternatives could you offer? I really don't feel like entering my Visa details in some random website and Bitcoin is still a mess to acquire and use. Yes, PayPal has its cons, but unless some other service arises that could offer comparable convenience (fast email & password checkout) and safety (no need to enter personal or financial information) I don't see how it can become irrelevant.
Within the last month, I've found that I can no longer access my bank's website over my VPN, and Netflix has started blocking access while using a VPN as well.
I can somewhat understand the bank's motivation, but offering two-factor authentication would be a much better way of boosting security than blocking VPN traffic.
As for Netflix, it's totally short-sighted. Netflix is literally unusable from my home connection without a VPN (thanks, Time Warner!). Now that they seem to be consistently blocking my ability to use the service, I'm planning on canceling.
In all fairness, that's probably not Netflix' decision, but a requirement of the content publishers and licensing deals.
Concerning the Time Warner issue - I can't say that I ever noticed being the victim of traffic shaping and throttling in similar fashion, but that's just outrageous; How can that be legal?
ISPs typically don't outright throttle Netflix traffic. Instead, they simply neglect to build out capacity to wherever Netflix traffic comes from. I recall one case where it was just a matter of running some more cables between two pieces of equipment in the same cabinet. And of course they'd be happy to build out that capacity if Netflix will foot the enormously inflated bill.
I don't watch Netflix, but I often have extremely poor speeds for YouTube videos at peak times on my FiOS connection. Of course Verizon says it's Google's fault for not paying for infrastructure upgrades, clearly not Verizon's responsibility to ensure I can actually get the 300Mbps they advertise.
For youtube on FiOS specifically, you can change your dns servers away from verizon's and it'll start going a lot faster. I can't find the link right now, but using their dns servers points you to cdn/caching nodes hosted by verizon, which are generally massively over saturated. If you switch to google's public dns or another public dns service (or run your own resolver if you're a masochist like me) you usually end up hitting edge nodes that aren't completely saturated and you get far far better speeds.
I think it's my ISP's job to provide the advertised bandwidth between me and exchange points which offer access on fair, reasonable and nondiscriminatory terms.
My nearest exchange point is probably London Internet Exchange. If an ISP advertises X Mbps, and Netflix can deliver X Mbps of data for me to the exchange point, it's my ISP's job to get that X Mbps of data to me.
It is Verizon's responsibility to make a reasonable effort to provide that 300 Mbps to the Internet that the customer paid for, especially as content providers are bending over backwards to give Verizon that capacity for free.
Yes, this is exactly what the issue is. (I have worked on these types of deals before).
All of these types of media deals stipulate that the licensee has to implement appropriate technologies (often spelled out in the contract) that support the licensing restrictions of the content (usually something like "commercially reasonable efforts", which gives Netflix some wiggle room over what measures are "reasonable").
Time Warner just needs to stop increasing capacity with whichever peer the Netflix traffic goes through. It's a wonderful way for them to avoid net neutrality under the protection of 'network congestion'.
ISP packet shaping. They do it even though they say they don't. When you go via VPN they don't know you're connecting to Netflix and don't mess with your traffic.
I am one of the network engineers for time warner cable and we don't do any throttling or traffic shaping on customer traffic. We have Netflix boxes colocated but they might possibly get overloaded at certain times because people are using Netflix at an increasing rate. Sorry you aren't having a good experience, if you want to tell me which part of the country you live in I will try and have someone look into it.
Nope. Your ISP just let their handoffs with whatever transit provider Netflix get overloaded which kills throughput. When Netflix pays the ransom to upgrade the links, your videos will stream nice again. Netflix paid ransom to the ISP I use, so my Netflix works well. It has nothing to do with active throttling.
I don't think there is any explicit shaping / throttling happening on US wireline networks these days. There was a huge blowback against Comcast for trying that ~10 years ago, using Sandvine gear to throttle bittorrent traffic at peak times.
There is still plenty of implicit throttling going on though, with broadband providers refusing to provision enough capacity between their networks and the content source networks. The existing links then become congested at peak times and performance is degraded for the customers trying to access that content.
VPNs may improve performance in this situation not because they are hiding or disguising the content, but simply because the traffic is "re-routed" around the congested links. Assuming that the links from content network -> VPN host and VPN host -> end user are not also congested.
This is correct. Sometimes the VPN connection will be bad, and I just change which host I connect to, the traffic is routed a different way and then it works fine.
It will be on the same list. If you are filtering VPNs and other "anonymizers" you usually end up blocking all IPs that are not assigned to commercial/residential ISPs.
IP blocks which belong to data centers, cloud providers, VPN providers etc. are quite well known and easily identifiable with a simple lookup.
So you can easily find some no-name VPS provider or get a VPS on AWS/DigitalOcean/Azure/Rackspace, but if the site is actively restricting access from VPNs/proxies it won't help you much in most cases.
Possibly, but I suspect that the address pools for many of the major players (Amazon, Rackspace, DigitalOcean, etc.) are also known and not getting smaller.
There might be options related to IPv6, but since Netflix has been supporting that for streaming since 2012 I suspect those are also covered.
What if I connect to your PC using a vpn so it looks like it's just you watching it? I tried connecting to the UK national lottery from abroad via a VPN to my home PC and they could tell.
This works well with Windows machines; however, beyond that it could be really, really flaky. Especially FreeBSD/Mac/Linux are mostly inaccurate.
PTRs are set on client machines as well, or in some newer IPv6-based networks you mostly get a PTR as well. Fingerprinting the TCP implementation can't work on network fragmentation and when you drop some packages through a firewall. Yes, this is mostly not in home networks and most home users won't use Linux at all; however, since Netflix and other streaming providers opened for Linux as well, they will actually just allow Linux users to use a VPN since they can't detect it safely without false positives like they could on Windows.
And MTU differs extremely between US and Europe (thanks to PPPoE and PPPoA).
PTR is wrong. My server is a home user and I'm a server?! Also this guy has a better database since he can detect Linux 3.11; however, on my home network I'm behind a proxy, and that's something he didn't detect.
Edit: Oh, and on IPv6-only networks with DNS64 and NAT64 you will get really awful results if you operate on an IPv4-based service (I'm looking at you, Netflix).
OK, this is what I was really wondering. So Netflix can tell that you are using a commercial connection to access the service? Can they also tell that you are forwarding in the case of a proxy or something?
That is what I don't get, because if I spin up a DigitalOcean server in London and put OpenVPN on it, they can probably tell the IP block belongs to a cloud services company. However, they can't just be running IPs against a list, right? So what is the workaround?
Any given IP is "owned" by an Autonomous System[1], so if you see a user whose IP is from AS14061[2], you know they're coming from DigitalOcean and you can say, "No content for you". They are basically checking your IP against a big list and seeing where you're coming from.
In some cases it is more ambiguous, say the IP belongs to Verizon but it happens to be one of the blocks Verizon provisions in the EU or as part of their PPI infrastructure. You only know this because someone has annotated this metadata (e.g. MaxMind). Or if it's a Comcast Business account IP, do you call that commercial and block it? It could be someone at home who forked out for the business class service. This is again where IP-surveillance companies come into play.
In even more ambiguous cases, the IP belongs to AS####A (a hosting company) but is announced by AS####B (a residential ISP), such that traffic to or from the IPs belonging to AS####A looks for all the world like it is really AS####B's traffic. Do you treat those users as residential because ISP-B is potentially renting that IP space, or do you call it commercial?
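The list check described in the comment above, including its two ambiguous cases, as an added example that is not part of the thread or any provider's code. Apart from AS14061, which the comment names, every prefix, ASN and annotation here is constructed from documentation ranges.

```python
"""Classify a client IP by origin AS (added example; routing data is constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import NamedTuple, Optional

# AS-level category. 14061 is the ASN the comment attributes to DigitalOcean;
# 64496 and 64497 are documentation ASNs standing in for other networks.
AS_KIND = {
    14061: "hosting",
    64496: "residential",   # hypothetical consumer ISP
    64497: "hosting",       # hypothetical hosting company
}


@dataclass(frozen=True)
class Route:
    prefix: str                        # CIDR block
    holder_asn: int                    # AS the address space belongs to
    origin_asn: int                    # AS that announces it
    annotation: Optional[str] = None   # per-prefix metadata from a data vendor


# Constructed table; the prefixes are documentation ranges, not real allocations.
ROUTES = [
    Route("192.0.2.0/24", 14061, 14061),
    Route("2001:db8:1::/48", 14061, 14061),
    Route("198.51.100.0/24", 64496, 64496),
    Route("198.51.100.128/25", 64496, 64496, annotation="business"),
    Route("203.0.113.0/24", 64497, 64496),   # hosting space announced by the ISP
]


class Verdict(NamedTuple):
    action: str   # "allow", "deny" or "review"
    reason: str


def lookup(ip: str, routes=ROUTES) -> Optional[Route]:
    """Longest-prefix match; raises ValueError on a malformed address."""
    addr = ipaddress.ip_address(ip)
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d; unwrap them.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route.prefix)
        if net.version == addr.version and addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def classify(ip: str, routes=ROUTES) -> Verdict:
    route = lookup(ip, routes)
    if route is None:
        return Verdict("review", "no routing data for this address")
    if route.holder_asn != route.origin_asn:
        return Verdict("review", f"space of AS{route.holder_asn} announced by "
                                 f"AS{route.origin_asn}")
    if route.annotation == "business":
        return Verdict("review", "business-class block inside a consumer ISP")
    kind = AS_KIND.get(route.origin_asn, "unknown")
    if kind == "hosting":
        return Verdict("deny", f"AS{route.origin_asn} is a hosting network")
    if kind == "residential":
        return Verdict("allow", f"AS{route.origin_asn} is a residential ISP")
    return Verdict("review", f"AS{route.origin_asn} is not categorised")


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.5", "198.51.100.200",
               "203.0.113.7", "::ffff:192.0.2.10", "10.0.0.1"):
        print(ip, classify(ip))
```

Only the unambiguous hosting case is denied outright; the annotated business block and the holder/announcer mismatch fall to review, which is where the comment says the per-prefix metadata has to decide.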
Huh, I don't get it, why are US corporations so eager to take on them the tasks that should be done by law enforcement? What does PayPal gain by playing police and taking on liability for checking the content of transactions? What kind of other petty crime are they going to start policing and can they be held liable if they fail to?
PayPal loses money on fraud (charge-back fraud mostly I assume). They had to pioneer fraud prediction/detection tech to even survive, let alone be profitable.
Actually after Peter Thiel left PayPal, he founded Palantir, which is strongly inspired by their fraud tech. Just more general.
Sure - in an ideal world the law enforcement would just catch all the bad guys and manage to get the money back. But when that doesn't happen a business has to account for it.
> Sure - in an ideal world the law enforcement would just catch all the bad guys and manage to get the money back. But when that doesn't happen a business has to account for it.
IMO, the resources aren't there...and it's not complicated...
Cyber crime, fraud, identity theft...the manpower is simply not there to keep up with it all...sometimes you're lucky if someone has the time to complete a ticket, or report...
It's very possible conditions could get much, much worse before/if they improve...
IMHO, at a business level all sorts of decisions are being made that aren't going to be popular with the public...
I would guess that the policy was originally written for shady piracy merchants that are at higher risk for fraudulent payments. Now that it's in place, it's easy for a copyright holder to come knocking who wants to license their content in Australia but can't because the Australians are already watching their content on Netflix, who only had the UK rights. It's too late for them to rewrite the policy just to pick up a few hundred dollars in VPN buyers' transaction fees without angering deep-pocketed opposition.
That seems like exactly the use case for bitcoin. It shouldn't have much impact on the people who actually strongly and immediately need a VPN - they were probably not using paypal anyway. But it's still a shame they are doing that, because it will make those services far less accessible to the normal people.
It's easy to understand: PayPal is mitigating risky transactions. It makes sense, is perfectly legal, and frankly... I applaud their continued efforts to combat fraud and other bad actors.
EDIT: Downvote all you want for disagreeing... but this (fraud and risk mitigation) is exactly why PayPal "won" the P2P payments space.
I'd have no problem if they just said, these products have an enormous rate of fraud, so we're dropping them.
But instead, their reason is that these products bypass copyright protections. No mention of fraud or anything related to the actual transactions they're processing, they just don't like the products.
Which, fine, PayPal can choose to support or not support whatever products they like, but I'm not going to applaud them for playing copyright police with products which have, as the Supreme Court would say, "significant noninfringing uses."
I'm guessing PayPal isn't blocking all VPN services, just those which are insufficiently subtle about their ability to use them to bypass Netflix's location restrictions. Maybe UnoTelly should rename to UnoDefinitelyNotForWatchingNetflix.
The Supreme Court argument is immaterial. The Supreme Court can and does deem a lot of things legal (eg free speech for hate groups), which are a legal necessity. I'm proud that our country embraces such freedoms, even if I personally don't always agree with the messages. For example, I wouldn't shop at any store that actively promotes hate speech, even though the speech is legal.
Maybe PayPal is getting flak from rights holders (even Netflix), which makes VPN traffic too risky right now. Maybe they're really dogmatic about the issue ("we hate VPNs and copyright pirates!") or maybe they really just don't want to get caught in the middle of a political battle that they don't care about.
Which is completely separate and different from your original comment. Gotta love it when people just decide to move the goalposts and pretend they didn't.
This comment was perfectly in line with my original comment. My original comment said: "PayPal is mitigating risky transactions." In this case, they stated that the risk is due to copyright infringement. For some unstated reason (eg. directly or via pressure via rights holders), PayPal has deemed that such website operators are "bad actors" and are an unnecessary risk.
EDIT: Instead of making a snarky, low-information comment, I suggest you actually refute what I said. That's considered good HN etiquette.
Maybe they have data that shows otherwise? Obviously there's no causality but it's feasible that there are high levels of correlation amongst users of their service. Or maybe not. I have no idea and neither does anyone else here, unfortunately. Everyone is just engaging in Kremlinology based on crumbs of information.
In the context of payment processors, "risky transaction" means fraud.
People are criticizing you because it looks like you wrote your first post without understanding the issue and now try to defend it by altering its meaning through redefinition of common terms.
This article is about Paypal banning VPN providers who are using Paypal to accept payment for providing VPN service. It has nothing to do with people trying to buy things with Paypal over a VPN where Paypal can't log a reasonably trustworthy IP address; in that situation, there's increased likelihood that the paypal account is compromised, but preventing a VPN provider from taking payment using Paypal has no effect on fraud committed via people using their VPN service. They are separate issues.
Maybe a few VPN providers are fraudulent, but the major ones aren't. You pay them, you get a VPN. You pay for SmartDNS, you get that service. It's what people do once they have those services that's considered bad by copyright holders, and so they're applying pressure to payment services like Paypal, to get them to stop processing payments for those services.
If you look into the campaigns copyright holders are waging, the major one is an attack at funding sources for all kinds of services: file hosting, VPNs, etc. They are attacking those services and their funding, because trying to go after people who use those services—for things copyright holders don't like—has proven largely futile.
Again, what this article is NOT about: If you try to pay for things offered on a completely legitimate website and you pay with a completely legitimate credit card, but you're browsing using a VPN, it's likely to get declined. Risk of payment fraud or goods purchased using compromised accounts—via VPN which makes fraud harder to trace—is an issue but it's separate from what the article is talking about, and it's distinct from what people in this thread are complaining about regarding the article. While some people might legitimately complain about bans on payment for services over a VPN (it makes it difficult, if you don't trust your ISP or wifi service, to go VPN-only if you can't buy most things), it's fairly clear that such payment-provider or retailer behavior is motivated by combating fraud.
The issue here is entirely about copyright holders being mad and threatening the payment processors of service providers, because service providers are doing things copyright holders don't like, not because the service providers have unacceptable payment-collection risk profiles.
Upvoted for taking the time to explain the nuance: blocking VPN providers vs. blocking payments occurring over VPN.
I suspect (without supporting evidence) that PayPal is only doing this in response to external pressure (eg. from Netflix, RIAA, MPAA) rather than making the decision unilaterally. I think it's unfortunate that PayPal has caved. But from a business perspective, I can understand why they've decided to cave: The transaction volume is small relative to the cost of fighting the rights holders (in legal costs, but potentially even in the political arena). Like all other banks dealing with cutting-edge issues (eg. weed legalization), they're being cautious; they have a lot to lose.
eBay had its own P2P payment system too. It lost to PayPal, because PayPal was superior at many things (eg. marketing), but also because they cracked the fraud problem (which was an existential crisis early on in their history). I recommend reading the book "PayPal Wars" for a better historical accounting.
True, but that was all very early. The Paypal acquisition happened in 2002. "Success" in the P2P space in the late 90's/early 2000's was at a much, much, smaller scale.
You said: "...Paypal being the default payment..." I'm saying: They didn't just get anointed as the default by eBay; they became the default (and survived this long!) by taking an aggressive stance on fraud and risk.
Also... the scale wasn't as small as you think. According to the numbers [1], PayPal was doing >$2B in transactions at the time of acquisition. For perspective, estimates from 2014 [2] put Stripe at $1.5B in transactions (and a company valuation of $1.75B). Paypal wasn't small, even in 2002.
Yes, a product that "just worked" for the largest emerging P2P market plus making money while doing so is the important part. Not accepting advance payments for shady cruise ship rentals or any of the other fringe stuff that leaks onto HN constantly didn't hurt. An important lesson for the startup crowd here.
They definitely do some dumb stuff but they also process five billion transactions per year and people need to take that into consideration. The scale of the fraud and the scope of worldwide regulations they deal with is way beyond anything you can imagine.
That does seem possible, but then I suspect that buyer protection is also one of the reasons why eBay "won" the online auction space, and has a strong position in general online retail.
People always act like Paypal can just do whatever they want - they lose tons of money to fraud and are heavily regulated. That drives a lot of the annoying things they do.
I am guessing more VPN accounts tend to be purchased using stolen credit card numbers than an average online transaction. As crackers use VPN services to render their own services.
The number of chargebacks or fraudulent transactions reported on your merchant account usually raises red flags and calls for account review. I am sure it's pretty easy for PayPal to identify such accounts with the data they have.
When carding, which means using stolen credit cards to buy things online, people usually use two layers of security: a VPN, then a SOCKS5 proxy. The latter is usually geographically located in the country/city your card is from to circumvent CC provider checks. Both components are commonly bought from traders who again use stolen CCs to buy/rent them.
The most basic anti-fraud check is comparing card issuing country against the IP location. If there's a mismatch, it's a first red flag. If you see someone popping up from a VPN or a Tor exit, it's largely the same thing.
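The country-versus-IP check described in the comment above, as an added Python sketch that is not part of the thread or any payment processor's code. The BIN table, the IP ranges (RFC 5737 documentation blocks), the anonymizer list and the name `fraud_flags` are all constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumptions, not real feeds).
# BIN prefixes are made up; IP ranges are RFC 5737 documentation blocks.
BIN_COUNTRY = {"400000": "US", "510000": "GB"}
IP_COUNTRY = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "GB"),
    (ipaddress.ip_network("203.0.113.0/24"), "NL"),
]
# Stand-in for a list of known VPN endpoints and Tor exits.
ANONYMIZER_NETS = [ipaddress.ip_network("203.0.113.128/25")]


def lookup_ip_country(addr):
    """Return the country of the most specific matching range, or None."""
    matches = [(net.prefixlen, cc) for net, cc in IP_COUNTRY if addr in net]
    return max(matches)[1] if matches else None


def fraud_flags(card_number, client_ip):
    """Return the red flags raised by one payment attempt.

    A flag is a reason for review, not proof of fraud; an empty list
    only means these particular checks passed.
    """
    addr = ipaddress.ip_address(client_ip)
    card_cc = BIN_COUNTRY.get(card_number[:6])  # issuer country from the BIN
    ip_cc = lookup_ip_country(addr)
    flags = []
    if any(addr in net for net in ANONYMIZER_NETS):
        flags.append("anonymizer")
    if card_cc is None:
        flags.append("unknown_bin")
    if ip_cc is None:
        flags.append("unknown_ip_location")
    if card_cc and ip_cc and card_cc != ip_cc:
        flags.append(f"country_mismatch:{card_cc}!={ip_cc}")
    return flags


if __name__ == "__main__":
    attempts = [  # constructed payment attempts
        ("4000000000000000", "192.0.2.10"),
        ("4000000000000000", "198.51.100.7"),
        ("5100000000000000", "203.0.113.200"),
    ]
    for card, ip in attempts:
        print(card[:6], ip, fraud_flags(card, ip) or "no flags")
```

An empty result is weak evidence on its own: as the earlier comment notes, a proxy located in the card's country passes this check, which is why it is only a first red flag.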
This is true but irrelevant to the situation at hand. This isn't about blocking transactions done over VPNs, but rather blocking purchases of VPN services.
If you were going to commit fraud, wouldn't you take steps to be anonymous? I'd guess PayPal has data that shows a significant number of fraudulent transactions happen through VPNs.
I don't follow the logic of this rebuttal. The parent comment's argument implies that VPNs are disproportionately likely to harbor fraud, which isn't true of (say) phones in general.
Some customer bases are just shady. If you don't mitigate fraud, it's not fair to push it uphill to your service providers. They will stop providing service when you're more trouble than the money you generate. Business 101, this is not a tech issue.
Look at a merchant account agreement sometime, there are all sorts of businesses deemed too risky for conventional payment processors. It's not unique to PayPal and you would be almost instantly in bankruptcy if you didn't set restrictions on the types of businesses you process for.
Restricted activities include some obvious sketchy areas (check cashing) and some less obvious sketchy areas (human hair, fake hair or hair-extensions).
Why? Any company is free to set their limits on who they want to work with.
When it comes to financial situations, it's all about risk. It's completely within their right to mitigate that risk based on the profiles of the industries they deal with and this is what keeps them in business.
I see this as a responsibility of a vendor and not PayPal. An example is an online store which only accepts payments from the UK so when I was on holiday I was unable to use that site. I had to use a VPN to be able to buy the product and deliver to my house in the UK.
I can understand a website blocking users from other locations or VPN users but for PayPal to do it seems unnecessary and a way to hurt genuine users.
Good. The more idiotic restrictions PayPal adds the more likely people will stop using it. I don't understand why the VPN service accepted PayPal to begin with.
Here's hoping this doesn't get buried, but this story isn't telling us anything, and PayPal still allows DNS and VPN services.
UNLESS they're advertised as tools for piracy/circumventing the law.
The services that got banned here were being too cheeky. They weren't advertising a VPN, they were advertising the facilitation of lawbreaking behavior.
If you advertise a high value item like an iphone on gumtree, almost immediately you will get several buyers offering to buy it right away using paypal. If you're unfortunate enough to accept, they receive item and then reverse payment.
Any person can buy bitcoin. You don't need an "account". It's not harder than setting up a proxy. Ransomware authors apparently have a pretty good set of tutorials.
If you use their service, you're subject to their rules. It doesn't matter that in enforcing their arbitrary rules they're killing your business or even stealing your assets. Big companies like Paypal and Amazon can do whatever they want, even break the law, with no repercussions. They can close your account for legit reasons, bullshit reasons, or no reason at all.
As a business, relying on such companies is one of the biggest risks you take. Use Paypal? Risk losing access to your funds. Use Amazon? Risk losing access to your computing resources, shopping platform, etc. You have no recourse if you anger the big gods of the Internet. Best not to depend on them at all or the smaller gods that also depend on them. Paypal's not taking payment from VPNs? Use Bitcoin and cancel that Netflix account. Why pay ten bucks a month to Netflix so they can pressure Paypal into shutting down legitimate businesses when you can pay it to a legitimate business (VPN) and watch whatever you want? Sure, torrenting is probably illegal, but one method shuts down small businesses and is immoral while the other one hurts no one ("losses" from piracy are not real). You may not agree with this conclusion, but there is no doubt that this is the direction of thought companies like Paypal, Netflix, and Amazon are steering their consumers in--on purpose.
Shame, sooner or later the VPN service I've been using for the past 6 years will get one of these notices as well [1]. I've been using them to get a dedicated IP and also tunnel all my public wi-fi traffic. It's legitimate use, however I can see how over the past years their website has evolved from business-oriented to be more towards geo-blocking circumvention and targeting the average Joe.
[1] They have other payment options, too, but all are worse than PayPal.
It's not against the law to bypass geoblocking in the US either, and in both AU and US, you can (and probably have) executed contracts that prohibit you from doing that regardless of local statutes.
What proof would you expect them to need other than your login associated with requests to their website or their content CDNs from IPs associated with VPNs?
It's not a court of law, it's terms of service. They can terminate your account without any recourse. That's how business works (unless you can prove they're discriminating against you based on a protected class).
"Another clause proposed by Australia, the US, Singapore, Peru and Mexico would also seek to prohibit circumvention of "technological measures" put in place by copyright holders over their works. The definition is broad and there are a number of exceptions still up for debate, but it could be seen to include the use of virtual private networks to access geoblocked content such as Netflix from outside the US. This comes despite the Australian negotiators seeking to raise the issue of geoblocking as a concern for Australian consumers as part of the negotiations."
US/AU: For purposes of greater certainty, no Party is required to impose liability under Articles 9 and 10 for actions taken by that Party or a third party acting with the authorization or consent of that Party. Negotiator's Note: CA seeks clarification of this footnote.
Technological protection measures are not measures to protect technology. They are measures made of technology to protect intellectual property.
Yes, implementing TPP would require that anyone who circumvents a TPM be liable to civil and criminal penalties. Yes, getting access to Netflix content that you are not authorized to get access to, by using a proxy or VPN or any other tool, would be circumventing and would expose you to those civil and criminal penalties.
Nothing in this Agreement prevents a Party from determining whether and under what conditions the exhaustion of intellectual property rights applies under its legal system [13].
Article QQ.G.10 has the following for Australians:
US/AU: For purposes of greater certainty, no Party is required to impose liability under Articles 9 and 10 for actions taken by that Party or a third party acting with the authorization or consent of that Party. Negotiator's Note: CA seeks clarification of this footnote.
---
Basically, most Australians have watched whilst they were considered second class citizens and price gouged by U.S. corporations who don't pay any tax in Australia, and in a rare moment of insight our government forced this through.
I'm not sure what sort of victory you are talking about. Yes, each country can determine the precise expiration dates of, say, copyrights... but the TPP obliges it to be at least 70 years. And yes, Australia can choose not to criminalize Australia itself deciding to violate TPMs, but they are obliged to criminalize Australian citizens violating TPMs.
So Australia can break TPMs itself, and Australia can wiggle a few days here or there in determining just how long copyright protection lasts. So what?
PayPal dropped support for a Canadian VPN provider. Will PayPal continue to support Australian VPN providers, since AU gov permits geoblocking, even against Netflix ToS and the wishes of content rightsholders?
While I don't know how they can prove that the traffic primarily through those VPNs was infringing on copyrighted material, it is easier to prove that traffic through a VPN is attacking Paypal accounts for user or transaction fraud.
Paypal is an absolutely worthless organization; the recent tie-up with the Uber and other companies to directly use their app for payment has resulted in money being used directly from my bank account over the credit cards that I have added, there is no way to set default payment method. I really do not know how a big company like that can operate on such shameless policies, too big to fail has hurt people more than anything else.
This will be painful for many people seeking privacy and security. But still, they would be better off if forced to use more private payment methods. For now, Bitcoin is commonly accepted, and not all that hard to use. And in many places, online payments can be funded through cash deposits at convenience stores etc. Such payment methods also reduce fraud exposure for providers.
PayPal isn't competitive on fees, never mind its other issues. Dwolla is a whole lot cheaper, although USA only. It was designed to bypass card fees. VPNs should accept cash by mail, too, or at least money orders.
If the subject of this policy is a service for people outside the US who want to pretend they're in the US ( to get Netflix etc), then your point is rather pointless.
General complaints about PayPal are landing all over this thread, and Dwolla answers many quite nicely; you're welcome.
As for the article, I would say: a pox on both houses. I endorse neither EULA violators nor PayPal as an Internet police force doing online civil forfeiture.
The way to handle Netflix/PayPal is by international treaty regulation for nondiscrimination and uniform product quality. Netflix/PayPal is likely in violation.
Overseas users are in luck: treaty actions will only work OUTSIDE the USA. Kickstart a trade lawsuit. Any lawyer will work on contingency against deep pockets. Kickstarter only need fund initial research.
Last time I tried using PayPal, it failed my transaction with a non-useful error message. I disabled my VPN to PrivateInternetAccess and then it went through.
Pretty annoying that they don't inform users of this guaranteed failure prior to attempting, but whatever, I already learned not to use PayPal unless required.