About a year ago, I bought clothes online using PayPal for my mother (and shipped to her address). PayPal blocked the transaction and temporarily suspended my account until I could verify a detail. When I logged in to verify, it was asking for the recipient's (my mother's) birth date. I thought it odd that they would ask, and also know, the birth date of someone PayPal has no association with.
I called their support (finding a human to talk to was difficult) to ask for the reason why I would need to give out my mother's birth date. I was asking for other ways I could verify and that I shouldn't be asked to give out someone else's PII. The support person started to become defensive, sarcastically asking "you don't even know your mom's own birthday!?".
I could tell this person saw nothing wrong with the ask and thought I was being intentionally combative. I ended up conceding and giving the information. Since then, I've stopped using PayPal as a payment method.
I always thought this incident strange and have wondered about how their verification method works.
> You’ll need to answer some questions to verify your identity. These questions come from a public database dating back as far as 20 years. They may be about property, places, or people you know. We don’t save or store the questions or answers in our system.
> You’ll need to answer some questions to verify your identity. These questions come from a public database dating back as far as 20 years.
Wait, I need to verify my identity by regurgitating public information about me? However PayPal scraped up that information, an attacker could as well. This is absolutely security theater.
While I've seen these sorts of verification methods quite rarely, what's very frustrating about them is that in my experiences, the questions both make assumptions about what information is private for a person, and also come from rudimentary matching on public databases, which can easily result in questions you wouldn't be expected to know the answer to.
In one case, while, I think, signing up for something that should not have required strong security, I think an online account for a shipper, I was asked for the birth date of a 'relative who lived with me'. Only, she didn't live with me: she was my ex-aunt, who had not spoken to any of us since her divorce when I was around 8, and who had moved out of the house, and out of the state, around two decades before we moved into it. The matching appears to have been entirely based on two people with the same last name having been recorded at the same address at some points over the course of 20 years, with no cross-referencing of other data or whether the dates were at all near each other. And given how common my last name is, it would not have been too surprising to have simply been asked the birth date of a complete stranger.
I actually called the company to find out how to get an account without answering this rather infeasible question, and they pointed out that if I just tried creating an account again, it would ask me a different set of ridiculous questions. I did, and while I don't recall what the questions were, I do recall they were such that a basic search for my name online would have immediately answered them, providing no identity verification whatsoever.
> Interesting. This would mean that they actually have the data to confirm whether it is correct.
I don’t find that surprising. I’ve hired a private investigator in the past. The amount of data US consumer reporting agencies have goes back decades. They will happily sell it to you as long as you agree not to use data older than regulatory thresholds. Credit reporting tends to have 5-7 year thresholds, so many people think that’s all they have. They keep it for much longer, and just make you agree you won’t use data older than the applicable threshold.
The reports I've gotten from my PI have had biographical data going back to the late eighties. They’ve even provided SSNs and DOBs with nothing more than a name and general address match.
Is this database actually a thing? A private company asking these questions is already worrying on its own, but them already having the answer really feels like over-reaching. I'm pretty sure it's a US thing because there would be no way this would be legal in the EU, but I'm tempted to do a GDPR request to PayPal.
Do they even know your mom's birthdate? Can't you just give them a random date?
Also, if you bought something at a webshop, why does PayPal know who it's being sent to? They just need to know you and the webshop, don't they? Who the webshop sends it to is between you and the webshop.
Reminds me of when I went to pick up my first UK passport when I gained citizenship. The passport office had no interest in looking at my foreign passport to verify my identity. Instead they asked me a series of questions about my family, what profession they have, etc., that I know they couldn't have the answer to, unless they did some investigations that I think were highly unlikely given the volume of applications after the Brexit vote.
I think instead they were just checking if I looked like I was answering the question confidently or if I looked like I was trying to make things up.
That's a good point, I don't actually know. I just assumed yes because they would ask. I also didn't want to complicate the process of releasing the funds – perhaps that was naive.
I believe in this checkout flow, it kicked me over to PayPal where I could specify the shipping address there. PayPal probably relays the address back to the merchant, akin to checking out with Apple Pay where you specify a shipping address via the Wallet app.
Sometimes when a credit card payment is handled by PayPal they ask for my first name. I enter my initials, since that's what's actually on my credit card and is what I always use when making payments with it, but they don't accept it. Maybe somehow they know my actual first name, but I'm not going to give it to them so I then abort the payment.
> why does PayPal know who it's being sent to? They just need to know you and the webshop, don't they? Who the webshop sends it to is between you and the webshop.
No, it's not, because the buyer has chosen to use PayPal's services for protection, and in order for the merchant to fulfill their end of the deal and also receive PayPal's protection (against chargebacks, disputes, etc) the merchant is required to ship to the address on the order (which PayPal has a record of for verification).
If you offer PayPal as a checkout option, you are required to follow their rules for fulfillment, otherwise you risk losing a PayPal dispute if filed later on.
This sounds awful. I honestly don’t know my mom’s birthday and perhaps interestingly she doesn’t technically know it either. Papers lost (and probably made up) multiple times when her family fled her home and then country before ending up here.
And she definitely has a birthday on her driver’s license now, but I think she might have to look at it to make sure she got it right.
Sounds pretty certain that you would never be asked this question, since it is not a matter of public record (or at least, not the public records these systems tend to use)
One assumption could be that there are certain products/services that have age related regulations and Paypal needs to comply. Maybe, if your product or supplier wasn't on that list but you still got asked for a birthdate there was a misconfiguration in that regulation rule set...
One should assume that while they have your money they'll look for anything to use to keep it. Companies are literally legal devices for diffusing responsibility and hiding what the right hand knows from the left hand to remove the intent from what would be fraud.
They play all the games people here report - support reps who are nearly unreachable and who all refuse to read previous communication so everything starts from scratch, randomly just closing the case, etc.
It'd be hilarious if you could torture a paypal exec with their own company's treatment. Put a wheel lock on their car because you claim a similar looking car was stolen on the other side of the country. Refuse to take the lock off their car until they can explain the origin of the car's brandname. Relock the car immediately after unlocking it because they attempted to drive away too soon. Relock it the next time because they didn't drive away soon enough. Lock all of their cars because there's been "too much activity" on their vehicles.
Most likely all of it. It is usually laundered through startups and other types with little to lose or who put little effort into reading or complying with legal agreements. These companies then sell it to more legitimate companies who don't realize where the data comes from and it all just ends up in a bunch of big databases that sell access to whoever wants it.
Was PayPal trying to verify your identity or that you know your recipient's identity (who's coincidentally your mother)?
I'm surprised if PayPal expected you to know your recipient's birthday, but "What's your mother's birthday?" would be a common question to verify your identity. They should have moved on to another question if you had a moral objection.
On the other hand, scammers will often ship goods to a nearby address and pick them up off the porch, so verifying that you know your recipient might actually be a fraud countermeasure.
This is what likely triggered it. People that steal PayPal credentials change the shipping address to something other than the address on the PayPal account.
Reminds me of a property management company reaching out to verify some details from one of my guys, who had applied to rent one of their properties.
Did they call and ask to verify his listed employment? Naw. They sent me an email with a scan of his whole-ass rental application, complete with SSN and everything, unredacted.
I called them out on it and they completely brushed off my complaints.
I also got yelled at when trying to get a quote on auto insurance over the phone because I didn't know my dad's birthday. (Identity verification?) The man ardently supports <anti LGBT political party> and me and half my friends are LGBT, you think I buy him gifts?
I was "banned for life" about 4-6 weeks ago. No explanation given. No sketchy transactions on my record, just sending money back and forth between friends who (AFAIK) aren't up to anything suspicious. It was embarrassing having to explain to people that we'd have to figure out another way to transact going forward because I was no longer welcome with Paypal.
A week later I tried logging in again just to see what would happen, and everything was back to normal. I could once again send and receive money as if nothing had ever happened. Needless to say, I took the opportunity to transfer every last dime out of the account.
Same except I wasn't even sending money. Made an account years ago, never used it, got banned for life when I logged back in. Tried making a new account, but obviously they're able to detect that, so it wouldn't take any of my credit cards.
I opened a business PayPal account, and it was closed within the first 2 minutes of opening. There was no reason given, and I had provided all details necessary during sign-up. I still get promotional mails until now.
Same, I got the ban email before I was even done setting up the account:
> After a review, we decided to permanently limit your account as we found potential risk associated with it.
> You'll not be able to conduct any further business using PayPal.
> Based on this decision, if applicable, you are no longer eligible for PayPal Seller Protection as per our User Agreement. You'll also be charged a High Volume Dispute fee based on your activity for all existing and future cases you receive.
> Any bank or credit card information that's linked to your PayPal account cannot be removed nor can it be added to another account. You can still log in and see your account information but you can't send or receive money.
> If you have funds in your PayPal balance, we'll hold it for up to 180 days. After that period, we'll email you with information on how to access your funds.
> We regret any inconvenience this may cause.
No contact address, no escalation path, only vague rumors on internet forums of voodoo to get the ban lifted by the Paypal gods.
They continue to send me daily emails telling me to link my bank account. Okay!
And then a day or two later I get another email
> My name is YYYY and I work on the PayPal Business team. I am more than happy to assist you with your PayPal onboarding journey.
> So I understand the nature of your request. Could you please provide me with some additional insight to your business by answering the below questions.
And a bunch of generic business area questions (what do you sell, what's your volume, etc). Are you kidding? You open by telling a fellow to get stuffed, then talk about journeys and assisting them?
That's why I have no money in my PayPal account and the only payment method is a credit card which I get a notification for when it's charged.
I don't trust PayPal at all, but sadly, it's the least bad payment option in big parts of the european online shopping sector.
Yet another person finding out that Paypal is sh*t. What a world where you have to worry about four random letters in your messages that may just happen to coincidentally have terrorist connotations "Alep" ffs.
When I ran a company >10 years ago we swept our Paypal account daily to mitigate this risk.
This is not an option for the majority of businesses now as PayPal requires mandatory funds hold which may routinely be on the order of 90 days. So even if you sweep it daily, you still have 1-3 months of your MRR sitting in flight and at risk indefinitely.
I do all my business via PayPal, and have done so for 20 years. No mandatory funds hold. My account is cleared monthly, but I could have chosen daily (that screws with my own personal accounting). $200k/year transaction volume.
Too many people generalize specific stories or their own PP experience to all of PP.
I'm pretty sure that seizing customer funds is part of their profit model. They've been doing it for a very long time, and well beyond anything that could reasonably be explained via regulatory or card scheme requirements.
> PayPal has restricted our business account because we have invoiced a license key containing the random letter sequence “ALEP”.
This makes me wonder: what's the best way to generate "safe" license keys? Binary feels like an obvious solution (binary keys surely get through virtually all blacklists?) but at the same time: binary license keys would be very long and very atypical, so maybe fraud detection systems mark them as suspicious anyway.
Maybe just generate random alphanum license keys and run them through some open source blacklists yourself? I doubt "ALEP" is in those lists though.
> what's the best way to generate "safe" license keys?
In the library (like the kind with books) field where I work, one identifier standard was devised that intentionally has alternating letters and digits, with never more than two letters in a row. Explicitly for the intention of avoiding the possibility of any meaningful words (that might end up being offensive or just off-putting in an undesirable way.)
It does make the identifiers longer for the same entropy/byte width, compared to a more normal BASE-X with an alphabet. Which mattered to me when they were going to be used in a URL, although probably doesn't for a license key. I personally in my projects stopped using this system for a more straightforward "Ascii-85" like encoding (which can contain coincidental meaningful words), because it was more convenient.
The particular system the library community was using [https://n2t.net/e/noid.html] was, I still think, over-complicated for at least my needs, but the alternating letter/number schema seems attractive to me now and perhaps worth slightly more characters in identifiers and slightly more complex algorithm for creation than a simple base-x encoding.
It sounds good, but of course for "security" it might not be enough. 626f6d62 is alternating letters and digits, with never more than two letters in a row. And it spells "bomb" when converted from hex to ascii.
Some security scanners do check for this kind of thing.
edit: Tbh. The more I think about it, maybe it is not such a far-fetched idea after all, with the assumption that the keys are temporary.
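An added sketch (not from the thread or from any project mentioned in it) of the two ideas discussed above: generating keys in which letters never run past two characters, then screening each candidate against a blocklist both directly and after hex-to-ASCII decoding, the case the `626f6d62` comment raises. The blocklist contents, the alphabet, and all function names are assumptions made for illustration.

```python
import re
import secrets

# Constructed sample blocklist: only the two strings mentioned in the thread.
# A real deployment would load whichever lists it wants to screen against.
BLOCKLIST = ("alep", "bomb")

# Assumption: consonants only (no vowels, no L), so letter pairs rarely read as words.
LETTERS = "BCDFGHJKMNPQRSTVWXZ"
DIGITS = "0123456789"


def flatten(key):
    """Lower-case the key and drop separators so screening sees one string."""
    return re.sub(r"[^0-9a-z]", "", key.lower())


def max_letter_run(key):
    """Length of the longest run of consecutive letters, ignoring separators."""
    runs = re.findall(r"[a-z]+", flatten(key))
    return max((len(r) for r in runs), default=0)


def generate_key(groups=4, group_len=5):
    """Random key such as 'B7K2D-9QX4M-...' with at most two letters in a row.

    The run counter spans group boundaries, so the rule still holds after
    the dashes are stripped.
    """
    chars, run = [], 0
    for _ in range(groups * group_len):
        pool = DIGITS if run >= 2 else LETTERS + DIGITS
        c = secrets.choice(pool)
        run = run + 1 if c in LETTERS else 0
        chars.append(c)
    flat = "".join(chars)
    return "-".join(flat[i:i + group_len] for i in range(0, len(flat), group_len))


def hex_decodings(flat):
    """Yield the text hidden in runs of hex digits, at both byte alignments."""
    for run in re.findall(r"[0-9a-f]{2,}", flat):
        for offset in (0, 1):
            chunk = run[offset:]
            chunk = chunk[:len(chunk) - len(chunk) % 2]  # whole bytes only
            if chunk:
                yield bytes.fromhex(chunk).decode("latin-1").lower()


def screen(key, blocklist=BLOCKLIST):
    """Return the reasons a key would be rejected; an empty list means clean."""
    flat = flatten(key)
    reasons = []
    for term in blocklist:
        if term in flat:
            reasons.append(f"contains '{term}'")
    for text in hex_decodings(flat):
        for term in blocklist:
            reason = f"hex-decodes to '{term}'"
            if term in text and reason not in reasons:
                reasons.append(reason)
    if max_letter_run(flat) > 2:
        reasons.append("letter run longer than 2")
    return reasons


def safe_key(max_tries=100):
    """Generate candidates until one passes every screen."""
    for _ in range(max_tries):
        key = generate_key()
        if not screen(key):
            return key
    raise RuntimeError("no clean key found; blocklist may be too broad")


if __name__ == "__main__":
    print(safe_key())
    print(screen("XK4-ALEP-99"))   # constructed sample key
    print(screen("626f6d62"))      # the hex string quoted in the thread
```

The alternating pattern alone does not catch `626f6d62`, since `B`, `D` and `F` are both consonants and hex digits; only the decoding pass flags it. As the later comments point out, a key that is clean today can still match a term added to a list afterwards.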
Eh. Coming from that environment, it would not be that easy for a reason that has nothing to do with technology. The lists that financial companies use are largely known ( some published by US Treasury for everyone to use ) and you can reasonably estimate a threshold most institutions will find acceptable.
However, the issue is political and not technical. OFAC itself has grown its SDN list[1] to 6300 names and that is just one list and the tool has been already severely overutilized ( in my opinion anyway, so take that with a grain of salt ), but if the trend and current geopolitical situation is any guide, this number will only increase.
What I am saying is that you have a big and very variable base to build a key from ( edit: come to think of it - not from:P ) and there is no guarantee an old key won't suddenly become 'hot'.
Here, the answer to the problem is actually political. Affected businesses have to start really complaining, if they are affected by the requirements. I have no evidence suggesting that is the case ( based on what I saw maybe 20% of transactions face that kind of scrutiny and an even smaller percentage is questioned the way the OP is ). Naturally, it does not help that this process is not standardized so every single financial institution does their own thing.
I am almost certain they violated their own policies for telling you which word triggered their filters.
Regular KYC procedure usually involves using a blacklist of disallowed words, and then if anyone triggers the filter, you block them, and ask them to submit any and all documentation they have for all recent transactions (but importantly, you don't tell them the transaction or word that triggered the check). Someone then reviews the documentation, and unless it explains the blacklisted word, the account ban stands.
And in the US that should be unconstitutional, if we had a court system that actually upheld the constitution.
If the Government is creating a list of no-no words (which in itself is violative of the constitution) it should be required to publish them, as "Secret Laws" are de facto unconstitutional.
Further, the government having a list of words I am not allowed to use, AND not allowed to know I am not allowed to use, should be abhorrent to anyone who values freedom.
The government hasn't created a list of no-no words, they've created a list of entities with whom US Persons cannot conduct financial transactions. I don't know what "ALEP" is but you can be sure it refers to some organization designated by the Office of Foreign Asset Control. PayPal's crappy system is PayPal's crappy system; their implementation wasn't directed by USG.
Wait a moment. While I agree that the government should be transparent generally about its law enforcement, you can't suggest that there are absolutely no secrets that should be kept confidential to enable reasonable law enforcement to occur?
If the government or some agency published all the indicators of fraud that it used to check that people were filing their taxes legitimately (and catch crooks), how would you ever conduct anti-fraud operations? Every criminal would have the manual on how to circumvent the detection mechanisms and move to techniques that the IRS doesn't know how to detect.
Should the government equally publish its root passwords because that's within your right to be able to know how the government operates also? That would be ridiculous.
That's interesting. Venmo (ik still PayPal-owned but somehow not trash (edit: yet)) seems to protect you from this by rejecting your payments early if they contain bad words. I found this out when trying to pay for a Cuban sandwich.
Interesting, on Venmo I go out of my way to put obscene and offensive descriptions since I am viscerally opposed to their stupid social network feed insanity, and I have never had a payment rejected.
>Proven to be scalable to visor applications, the laser protective filter in the Gentex spectacles utilize the latest, most advanced laser eye protection materials developed for and tested by both the NAVAIR and USAF/AFRL advanced technology development and demonstrator programs.
Quite. OP seems to have done nothing wrong but whoever at PayPal sent that message about ‘ALEP’ is skating on exceptionally thin ice with respect to sanctions laws and tipping off.
Regulatory supervisors I’ve worked with would have outright said this was a criminal offence, and I’d expect their German counterparts would take a similar view.
This is an asinine policy. Put yourself in the position of the counterparty, how is anyone supposed to resolve a disagreement using such a kafkaesque approach?
When my wife sent me a message saying, "pick up some sea weed," T-Mobile was blocking it. Fortunately, we transitioned to using iMessages, which resolved that problem.
However, I continue to receive various spam and scam messages - but T-Mobile is not blocking them.
I was surprised the first time that I visited the States as an adult - I picked up a SIM for the week I was there, and discovered that I couldn't visit Oglaf on mobile data.
It's quite fascinating, because I come from a country with an actual official government censor's office. But I've never been blocked from accessing a smutty joke comic here. Yet in the US a major mobile provider takes it upon themselves to do so!
I'm pretty sure the reason "verification code" is blocked is because people will buy a bunch of retail prepaid unlimited plan sim cards and use them to send A2P messages like verification codes instead of paying Twilio or someone like that. Carriers don't like this because they charge more for A2P SMS than P2P.
So if I send a message like "did you finish the essay about weed use?" or "what about going to Amsterdam next month so we can smoke weed" (which are perfectly legal) they will block it?
Good that no one uses those crappy SMS services and feed those crap carriers more data.
SMS is federally regulated, so while it might be legal where you live, there are a ton of roadblocks on the SMS side. Had to deal with this via Twilio in the past - and you can't get a list of the banned terms, just notices that messages were sent using them (including CBD which happens to also stand for Central Business District for some people). But yeah, you can have this issue on any SMS message sent in the US.
Facebook also blocks private chat messages with links to some cannabis-related websites (and presumably other things; it doesn't really explain what happens, you just suddenly get an error message).
My wife likes seaweed. I texted her the same text you used. She got the message no issues on her phone. SMS is not a guaranteed delivery service. Perhaps the message simply didn't go through? I see later in the comments you paraphrase something you said you were told by a T-Mobile representative. Perhaps the representative didn't even know if something was blocked but felt they were on the defensive?
At least they were given the reason and a chance to respond. I'm just an infrequent, individual user and one day I got an email from Paypal that I was banned for life with my account closed and the same would happen if I tried opening any new accounts. It also banned my Zelle account for life.
Thank god I never left any money in there or it would have been stolen. And to this day I still get emails from them as if my account isn't banned, but logging in just takes me straight to the ban notice and I can't actually close it or opt-out of emails.
If you can't unsubscribe and they're marketing emails take them to small claims in violation of the CAN-SPAM Act [0] if you're in the US. Liabilities are over $50k so you can easily max out the $10k limit in court with no representation. In this way it forces them to come to you and they will almost surely lose or settle before the court date.
It is because it's in their T&C's. And they fought tooth and nail for years to avoid being classified as a bank so the normal bank regulations and customer protections don't apply to them.
It is typical for large corporations to have a bunch of legal fine print. This effectively allows them to do just about anything, as long as they have a "reason".
They nominally don't do just anything (like take your money), because they want people to use their service, and if they cheated everyone all the time, you'd hope that people would catch on and stop using their service.
Having said all that, dealing with illegal transactions, fraud and scammers is tough. The corporations will, honestly, make mistakes, and having enough customer service to deal with it all properly is expensive. Hence automated bans. Often there is no recourse except moving towards a lawsuit, which may be unreasonably expensive for most cases, as compared to the money that has been lost.
> And to this day I still get emails from them as if my account isn't banned
Marketing people please take note of this. It is particularly galling to be continually pestered to buy things from a company that has refused to do business with you. An Intuit company tried to sell me a home mortgage, and I applied, only to be refused because my home was manufactured off-site. OK, I moved on. But they continued to plaster me with offers for that same product almost daily for years, and now my relationship with all Intuit products is as distant as I can manage.
Is it possible your account was compromised and they closed it after someone abused it? I mean I don't know about you, but my password security wasn't exactly up to standards when I opened up my paypal account...
Companies are allowed to keep data necessary for their other statutory obligations, like taxes or KYC. Otherwise it'd be a get out of jail free card for fraudsters and sanction evaders.
Yeah mess with your email provider by sending false reports, I'm sure they'll appreciate that (sometimes I wonder if spam is such a big issue in part because users report anything they don't want in their inbox, like a newsletter they previously signed up for, as spam or similar)
Either you're at a small ISP and paypal doesn't care about a handful of customers that need to dig an email out of the spam folder, or you're at a large one and it won't have an effect because nobody else is reporting it
This doesn't hurt paypal but might annoy a small email hoster that might have to clean up your mess.
People use Paypal because they can't get around it. If you want to hurt them, help reduce their market share. Complain to the support of the service where you needed paypal, asking for better payment options (cite articles like this or whatever). That's what I do anyway, and doubly so when I know the owner. That they need to also offer paypal to get more customers, sure that's their risk (I make sure they're aware of it), but at least offer legit payment options as well
Horribly applied logic. While mistakes will happen, PayPal for individuals and businesses are apples and oranges because that’s how the banks work. This is a business account. This comment adds nothing to the convo. Little Snitch is amazing btw
> Thank god I never left any money in there or it would have been stolen.
That's not true. They banned my account when I was below 18 because it's forbidden to have an account for minors, but there was absolutely no problem retrieving the $1000+ that I had.
Even if the account is banned they let you link a bank account and withdraw.
> You’ll need to answer some questions to verify your identity. These questions come from a public database dating back as far as 20 years. They may be about property, places, or people you know. We don’t save or store the questions or answers in our system.
https://www.paypal.com/us/cshelp/article/why-do-i-have-to-co...
Interesting. This would mean that they actually have the data to confirm whether it is correct.
They ask about information related to your identity.
In this case "someone else's" PII is on your birth certificate.
Did they call and ask to verify his listed employment? Naw. They sent me an email with a scan of his whole-ass rental application, complete with SSN and everything, unredacted.
I called them out on it and they completely brushed off my complaints.
A week later I tried logging in again just to see what would happen, and everything was back to normal. I could once again send and receive money as if nothing had ever happened. Needless to say, I took the opportunity to transfer every last dime out of the account.
I don't get how people use this thing.
> After a review, we decided to permanently limit your account as we found potential risk associated with it.
> You'll not be able to conduct any further business using PayPal.
> Based on this decision, if applicable, you are no longer eligible for PayPal Seller Protection as per our User Agreement. You'll also be charged a High Volume Dispute fee based on your activity for all existing and future cases you receive.
> Any bank or credit card information that's linked to your PayPal account cannot be removed nor can it be added to another account. You can still log in and see your account information but you can't send or receive money.
> If you have funds in your PayPal balance, we'll hold it for up to 180 days. After that period, we'll email you with information on how to access your funds.
> We regret any inconvenience this may cause.
No contact address, no escalation path, only vague rumors on internet forums of voodoo to get the ban lifted by the Paypal gods.
They continue to send me daily emails telling me to link my bank account. Okay!
And then a day or two later I get another email
> My name is YYYY and I work on the PayPal Business team. I am more than happy to assist you with your PayPal onboarding journey.
> So I understand the nature of your request. Could you please provide me with some additional insight to your business by answering the below questions.
And a bunch of generic business area questions (what do you sell, what's your volume, etc). Are you kidding? You open by telling a fellow to get stuffed, then talk about journeys and assisting them?
Just forward them to phishing@paypal.com
Too many people generalize specific stories or their own PP experience to all of PP.
...so, is there a list of forbidden character combinations one should scan for somewhere? That sounds like a super useful thing to have.
This makes me wonder: what's the best way to generate "safe" license keys? Binary feels like an obvious solution (binary keys surely get through virtually all blacklists?) but at the same time: binary license keys would be very long and very atypical, so maybe fraud detection systems mark them as suspicious anyway.
Maybe just generate random alphanum license keys and run them through some open source blacklists yourself? I doubt "ALEP" is in those lists though.
In the library (like the kind with books) field where I work, one identifier standard was devised that intentionally has alternating letters and digits, with never more than two letters in a row. Explicitly for the intention of avoiding the possibility of any meaningful words (that might end up being offensive or just off-putting in an undesirable way.)
It does make the identifiers longer for the same entropy/byte width, compared to a more normal BASE-X with an alphabet. Which mattered to me when they were going to be used in a URL, although probably doesn't for a license key. I personally in my projects stopped using this system for a more straightforward "Ascii-85" like encoding (which can contain coincidental meaningful words), because it was more convenient.
The particular system the library community was using [https://n2t.net/e/noid.html] was, I still think, over-complicated for at least my needs, but the alternating letter/number schema seems attractive to me now and perhaps worth slightly more characters in identifiers and slightly more complex algorithm for creation than a simple base-x encoding.
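The trade-off raised in the comments above (screening random keys against a word list versus an alternating letter/digit layout), as an added Python example that is not code from any commenter or from the NOID project. The alphabets, the strict one-letter alternation, the function names and the two-entry blocklist are assumptions made for illustration.

```python
import math
import secrets

# Assumed alphabets (not from the thread): drop look-alikes I/O and 0/1.
LETTERS = "ABCDEFGHJKLMNPQRSTUVWXYZ"   # 24 symbols
DIGITS = "23456789"                    # 8 symbols
# Constructed stand-in blocklist; "ALEP" is the string discussed in the thread.
BLOCKLIST = ("ALEP", "BADWORD")

def normalize(key):
    """Uppercase and drop separators, so a word spanning a dash is still seen."""
    return "".join(ch for ch in key.upper() if ch.isalnum())

def contains_blocked(key, blocklist=BLOCKLIST):
    """True if any listed word occurs anywhere in the normalized key."""
    flat = normalize(key)
    return any(word in flat for word in blocklist)

def max_letter_run(key):
    """Longest run of consecutive letters after normalization."""
    longest = run = 0
    for ch in normalize(key):
        run = run + 1 if ch.isalpha() else 0
        longest = max(longest, run)
    return longest

def alternating_key(pairs=8, group=4):
    """Letter, digit, letter, digit ...: no two letters are ever adjacent."""
    body = "".join(secrets.choice(LETTERS) + secrets.choice(DIGITS)
                   for _ in range(pairs))
    return "-".join(body[i:i + group] for i in range(0, len(body), group))

def screened_key(length=16, group=4, blocklist=BLOCKLIST):
    """Free mix of letters and digits, redrawn until no listed word appears."""
    while True:
        body = "".join(secrets.choice(LETTERS + DIGITS) for _ in range(length))
        if not contains_blocked(body, blocklist):
            return "-".join(body[i:i + group] for i in range(0, length, group))

def entropy_bits(length=16, alternating=True):
    """Entropy of a key body; the free-mix figure is the bound before screening."""
    if alternating:
        return (length // 2) * math.log2(len(LETTERS) * len(DIGITS))
    return length * math.log2(len(LETTERS) + len(DIGITS))
```

For 16 characters the alternating layout carries about 60.7 bits against 80 for the free mix, which is the length cost the comment describes. The alternating guarantee only covers list entries made of two or more consecutive letters, and the screened key is only as clean as the list it was checked against on the day it was issued.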
Some security scanners do check for this kind of thing.
I know you should never underestimate human stupidity but even taking that into account this still feels like security theatre on the part of PayPal.
Eh. Coming from that environment, it would not be that easy for a reason that has nothing to do with technology. The lists that financial companies use are largely known ( some published by US Treasury for everyone to use ) and you can reasonably estimate a threshold most institutions will find acceptable.
However, the issue is political and not technical. OFAC itself has grown its SDN list[1] to 6300 names and that is just one list and the tool has been already severely overutilized ( in my opinion anyway, so take that with a grain of salt ), but if the trend and current geopolitical situation is any guide, this number will only increase.
What I am saying is that you have a big and very variable base to build a key from ( edit: come to think of it - not from :P ) and there is no guarantee an old key won't suddenly become 'hot'.
Here, the answer to the problem is actually political. Affected businesses have to start really complaining, if they are affected by the requirements. I have no evidence suggesting that is the case ( based on what I saw maybe 20% of transactions face that kind of scrutiny and even smaller percentage is questioned the way the OP is ). Naturally, it does not help that this process is not standardized so every single financial institution does their own thing.
[1] https://home.treasury.gov/policy-issues/financial-sanctions/...
Regular KYC procedure usually involves using a blacklist of disallowed words, and then if anyone triggers the filter, you block them, and ask them to submit any and all documentation they have for all recent transactions (but importantly, you don't tell them the transaction or word that triggered the check). Someone then reviews the documentation, and unless it explains the blacklisted word, the account ban stands.
If the Government is creating a list of no-no words (which in itself is violative of the constitution) it should be required to publish them, as "Secret Laws" are de facto unconstitutional.
Further, the government having a list of words I am not allowed to use, AND not allowed to know I am not allowed to use, should be abhorrent to anyone who values freedom.
If the government or some agency published all the indicators of fraud that it used to check that people were filing their taxes legitimately (and catch crooks), how would you ever conduct anti-fraud operations? Every criminal would have the manual on how to circumvent the detection mechanisms and move to techniques that the IRS doesn't know how to detect.
Should the government equally publish its root passwords because that's within your right to be able to know how the government operates also? That would be ridiculous.
>Proven to be scalable to visor applications, the laser protective filter in the Gentex spectacles utilize the latest, most advanced laser eye protection materials developed for and tested by both the NAVAIR and USAF/AFRL advanced technology development and demonstrator programs.
When my wife sent me a message saying, "pick up some sea weed," T-Mobile was blocking it. Fortunately, we transitioned to using iMessages, which resolved that problem.
However, I continue to receive various spam and scam messages - but T-Mobile is not blocking them.
[0] https://www.reddit.com/r/tmobile/comments/h8cotr/tmobile_sil...
[1] https://www.reddit.com/r/tmobile/comments/i1fk1z/tmobile_are...
It's quite fascinating, because I come from a country with an actual official government censor's office. But I've never been blocked from accessing a smutty joke comic here. Yet in the US a major mobile provider takes it upon themselves to do so!
Good that no one uses those crappy SMS services and feeds those crap carriers more data.
More info from Twilio: https://support.twilio.com/hc/en-us/articles/360045004974-Fo...
Thank god I never left any money in there or it would have been stolen. And to this day I still get emails from them as if my account isn't banned, but logging in just takes me straight to the ban notice and I can't actually close it or opt-out of emails.
[0] https://www.ftc.gov/business-guidance/resources/can-spam-act...
They nominally don't do just anything (like take your money), because they want people to use their service, and if they cheated everyone all the time, you'd hope that people would catch on and stop using their service.
Having said all that, dealing with illegal transactions, fraud and scammers is tough. The corporations will, honestly, make mistakes, and having enough customer service to deal with it all properly is expensive. Hence automated bans. Often there is no recourse except moving towards a lawsuit, which may be unreasonably expensive for most cases, as compared to the money that has been lost.
Marketing people please take note of this. It is particularly galling to be continually pestered to buy things from a company that has refused to do business with you. An Intuit company tried to sell me a home mortgage, and I applied, only to be refused because my home was manufactured off-site. OK, I moved on. But they continued to plaster me with offers for that same product almost daily for years, and now my relationship with all Intuit products is as distant as I can manage.
Considering that Zelle is focused on traditional bank-to-bank transfers, probably something pretty sketchy to be banned.
If they fail, you get paid the fine (not the state)
Source for this?
In my experience, there is actually quite a barrier to this, meaning most situations where you see a GDPR violation are not easy to escalate.
Either you're at a small ISP and paypal doesn't care about a handful of customers that need to dig an email out of the spam folder, or you're at a large one and it won't have an effect because nobody else is reporting it
This doesn't hurt paypal but might annoy a small email hoster that might have to clean up your mess.
People use Paypal because they can't get around it. If you want to hurt them, help reduce their market share. Complain to the support of the service where you needed paypal, asking for better payment options (cite articles like this or whatever). That's what I do anyway, and doubly so when I know the owner. That they need to also offer paypal to get more customers, sure that's their risk (I make sure they're aware of it), but at least offer legit payment options as well
That's not true. They banned my account when I was below 18 because it's forbidden to have an account for minors, but there was absolutely no problem retrieving the $1000+ that I had.
Even if the account is banned they let you link a bank account and withdraw.
https://alep-ev.de/
A registered association:
"ALEP e. V. works in the field of youth welfare, especially with disadvantaged, at-risk children, young people and their families."
So maybe PayPal should adjust their block lists.
Do it for the children.
Can an accidental space get you banned for "pago por anal isis"?
https://en.m.wikipedia.org/wiki/Royal_Air_Force
https://en.m.wikipedia.org/wiki/Red_Army_Faction