Paypal Merchant DoS issues


ad...@reviews.wox.org

Feb 10, 2021, 9:27:32 PM
to 2600-australia

This falls under the ROFL category.

So someone I know recently got a paypal account suspension.  Out of curiosity I looked into what seems to be behind them.   The results are a major ROFL moment.

The great and powerful Paypal apparently has vulnerabilities relating to their /automated/ trust and anti-fraud system.  To make matters worse this same system has the power to suspend or terminate any paypal account without notice, and in some cases with little to no possibility of appeal, or oversight.  In some cases the Asian call centres working on their behalf have no capability to reverse such suspensions even should you contact them, and they discover that it should not have occurred to begin with.

Since it is virtually impossible to contact them about such things - and they would just direct you to a generic policy page if you did - I guess embarrassing them to fix it seems to be the way to go here.

Basically it all comes down to this.  Their suspension bot system seems to be cheap, nasty and lazy.  It does little more than compare IPs and strings in text, and look for keywords from a naughty list.  This is made worse, with this loose cannon of an effort, in that the same primitive script can also insta-ban accounts with no human interaction.  Basically they are using the "hello world" of fraud detection it seems - and the same system /appears/ to be tied into the appeals process.  "ban triggered on word.."  appeal,  "bot checks account, yup the word is still there, ban upheld"

This is rather ironic, since their other buyer protection systems actually are quite well made.  I can only assume this "hello world" bot is a legacy from their early days and nobody has got around to improving it yet.

Here are some more detailed examples I have found looking over people reporting issues with paypal bans.  Some of these are speculative, and some issues may have been resolved; some points are ones I've seen myself, but there are still a lot of people reporting stupid bans recently.  Reader, take the following with a grain of salt.

=======================
Paypal merchant DoS issues:
=======================

#1  Their "automatic" anti-fraud bot apparently isn't very intelligent.  It simply compares the text in the transaction description, types or notes from buyers against a list of naughty words.  If it finds any naughty words it does one of three things -

  1.  Suspends the account and freezes funds, pending communication from the account holder (typically requesting tax entity status, or other identification).  In this case paypal staff have the power to reinstate the account within a week.  To cause this to happen simply pay any paypal seller any amount of money and use the word "donation", "charity" etc. in the text.  Or if you want to really be fancy use the paypal button creator tool to create a "donation" button but substitute the victim's merchant email address - then use the button to pay them.  This really kills their account fast.  This address can be obtained by buying anything from the seller in the past and checking the transaction details.  The merchant will then need to supply charity status paperwork if they are based in the USA, or similar paperwork or an explanation for the payment.  ("uh, to allow generous players to help pay for the hosting costs of my game server I let them use for free?")  Annoyingly, even where an explanation is given, every subsequent attempt to donate will randomly have the chance to re-freeze the account unless you supply corporate not-for-profit or charity documents, requiring manual confirmation by paypal staff each time.  Ironically doing exactly the same thing but tagging the transaction as a "tip" will go through with no problem at all.  It literally came down to using the word "tip" or "donation".
  2.  Terminates the account and freezes funds for 180 days.  You can still log in, but the account is basically closed now.  This is where things get interesting.  To use the example at 1: because you triggered the "donation" and not the merchant - who actually had no legitimate reason to be accepting donations - it is possible they will have no acceptable explanation, paypal will assume scammer, and the account will now be permanently suspended, and any money in it frozen for 180 days.  On top of this they will be banned from ever creating another account using their financial details again.  The person who sent the money however will have no issue with their account!  Also paypal will not allow them to remove their financial details from the killed account.  Oops.  Keywords like "investment", "crypto" etc. can also likely trigger this under the right conditions as part of their "anti-ponzi" filter.  Crypto is an interesting edge case as this is a legacy of paypal's near-failed crypto currency payment platform "braintree": back in Feb 2014 paypal began banning merchants trading in crypto currency (such as webuydoge dot com) because paypal were launching an overpriced nightmare platform "braintree" which they only wanted people to use for bitcoin type transactions (can you say anti-trust?).  Initially it was promising, allowing support for any valid crypto - but like most exchanges at the time - soon devolved into a "top 10" system that meant you could trade btc, ltc, and the supernetcoins like eth or xmr but excluded anyone using anything else.  To rub salt in the wound they classified anyone not using braintree in the same anti-fraud category as the ponzi protection, so the bans were usually not possible to appeal.  "how dare you buy crypto without using us" bans.  "we don't care it was a crypto we don't support - all coins but ours are clearly scamcoins!"  Sucky.
  3.  Terminates the account and /permanently/ freezes all the funds.  In this case you may or may not be able to still log in, and all appeals will fail automatically.  Your money is now paypal's.  In some edge cases the refund button may still function however.  To trigger something like this, keywords as simple as "gun" "weapon" "drug" "cocaine" "crime" "heroin" "pills" "trump support" (that one is a joke btw, just making sure you are paying attention - although I would not be surprised if that worked too) etc.  The paypal system can be stupid enough that the phrase "druggery" or "shogun" or "to purchase the cocaine cd single by eric clapton" or "true crime book" can sometimes accidentally trigger such a ban - although presumably this particular scenario you would think has already been addressed - plus the staff probably have a "false positive" button.. assuming you can log in to contact them.  Sadly many staff are usually Asian/Indian with a limited grasp of English, and they likely get pay penalties if they hit this button and it might not be a false positive - so they usually won't.  Hard to confirm this one way or the other; they are under NDAs and their conversations are logged so they won't talk about it.

#2 Automated "event" bans.  If a particular account finds itself paying money between the same two accounts, and both accounts have details in common (name, address, last logged in IP etc.), this can trigger a type 2 ban above on one of the accounts.  This ban, I guess, makes sense in spirit, paypal would prefer you not to have two accounts - but it means I could make an account pretending to be someone else with their details, and have a 50/50 chance in the coin flip they decide to kill the legitimate account.  Likewise potentially in a large household more than one member may have their own account.  Same address - same BSB - clearly it must be an alias - ban.

#3 Automation "similarity" check screw-ups.  If someone sends an email or payment to an unregistered email address and a paypal user claims that payment, by making another paypal account or trying to link to their current one (it's easier to create a new one sadly), or where the sender or reply-to addresses or name string seem to look similar, they assume there is some sort of fraud involved.  This can trigger a type 2 or 3 ban.  Not as easy to trigger this on purpose, but if you make the name in your email the same name as the merchant and this email entered the paypal system as part of a transaction somehow, it would flag.  Or if you pay someone using an alt email you know they own but don't actually have linked to their paypal.  Potentially if you add the email address of the victim's paypal as a "secondary authorised user" to a bogus paypal account you created and then try to send funds to the real merchant, this can trigger a type 2 ban on the merchant and probably your bogus account.  This issue is not as serious - name discrepancies almost always are fraud.  But the pure stupid random chance of it triggering seems a little unfair.  People can legitimately screw up and use the wrong address or set their mailbox up incorrectly.  Also, with ISP-grade NAT, this and event bans become more and more likely as multiple paypal users could be logging in from the same public IP address with similar behaviour; some with similar sounding email addresses, but using different ebay accounts etc.  Which is logical as they are different people - and probably do live in the same area.

#4 Thought police bans.  If you sell items/pay money relating to traditional remedies, comfort devices, investment advice, medical consulting, traditional medicine books, payments to "deplatformed" groups or organisations, fortune telling items or services, non-politically-correct topics, Nazi artifacts etc., a type 2 ban can occur entirely at the random discretion of paypal.  The randomness of this blows my mind.  I can confirm this scenario - in my case I once bought a small bag of old Roman coins someone dug up in a field together and, after I cleaned them all up, noticed one was actually a WW2 era Nazi coin, and contacted the seller suggesting the Roman coins might have been something hidden by soldiers, maybe looted during WW2 - their ebay and paypal account was suspended within days.  Scary.

#5 Can't be f*cked with poor people bans.  If you get a payment from overseas, or a large payment in general - but this is not a regular thing, and you do not have a business grade account (higher fees, generally sucky) and only a personal account, and the payment is received as a "goods and service" type, paypal can at their own discretion decide to randomly give you a type 1 or 2 ban after a few transactions without telling you or offering any explanation.  Sometimes these can be reversed by talking to paypal - if you even manage to get through, in which case it is a type 1; in other cases they will simply ignore you, not give any explanation, and just send you an email saying something in the general spirit of "we reviewed your account activity and deemed you not worth bothering with 'cause you don't make us enough money - too bad you didn't have a business account - ha ha ha"

#6 Can't be f*cked looking into this bans.  If one or more keywords are triggered, or you get payment from another paypal user who may have in the past paid another merchant that was deemed fraudulent (yes, if a legitimate user who was themselves legitimately scammed in the past pays you, a non-scammer), particularly in the case of international payments, this can also erroneously trigger a type 2 or 3 ban on you.  Even if the other user had been flagged and cleared in the past, the stain remains on their transactions, and you, the poor person getting paid by them, become guilty by association.  Likewise if someone makes a complaint or challenges a transaction related to your account, OR to the account of someone YOU paid, your account can also be flagged as some sort of f*cked up anti-fraud anti-laundering misfire.

How can a system be this randomly bad?

Pretty f*cking poor paypal.  Sounds like the type of sh*t apple pulls with their rubbish pin/icloud/itunes login association for devices.

  (i.e. oh, you don't remember the itunes account you created 5 years ago when you got the device, but never needed again, and you no longer have access to your old ISP email address?  Clearly we must flag this device stolen, you are a dirty dirty criminal or a poor person (the same thing to apple) - I will just delete all your data, lock the device forever, not give you any way to contact us, and point out you are free to buy a new one kthanx  *smile smile smile* )


-- 
New and improved 2600... well..  ..we drew on some flames and polished it a bit..
--
Google - making sure, life is no more, than 1984...
--
Bill Gates: 640k is more than enough for anybody
PC guy down the road: You will never fill that 10mb Hard disk mate
Abbott/Turnbull: 25Mbps is "more than enough" for the average Australian household.
Turnbull: Actually 10MBs is enough for the average household really.
Abbott/Turnbull: It is cheaper to put in FTTN, you get up to 24mbs/down and 256k up..  we can upgrade it more later...
--
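Added example, not part of the post above and not PayPal's code (which is not public): a toy reconstruction of the kind of naughty-word filter the post describes in #1, with the false positives it lists ("shogun", "druggery", the Eric Clapton single, a true crime book) run through a plain substring match and a whole-word match side by side. The word list and the sample transaction notes are constructed for the example; the point is which class of false positive a word-boundary check removes and which it cannot, because a keyword hit carries no context.

```python
import re

# Constructed word list: a guess at the *kind* of list the post describes,
# not PayPal's actual list (which is not public).
NAUGHTY_WORDS = ["gun", "weapon", "drug", "cocaine", "crime", "heroin",
                 "pills", "donation", "charity"]


def naive_substring_filter(text, words=NAUGHTY_WORDS):
    """The 'hello world' filter: flag any listed word that appears anywhere
    in the text, even inside another word. This is what turns 'shogun' into
    a 'gun' hit and 'druggery' into a 'drug' hit."""
    lower = text.lower()
    return sorted(w for w in words if w in lower)


def word_boundary_filter(text, words=NAUGHTY_WORDS):
    """Whole-word variant: only flag a listed word when it stands on its own.
    Removes the 'shogun'/'druggery' class of false positive, but still flags
    'cocaine' in a record title or 'crime' in a book genre, because a keyword
    match knows nothing about what the note is actually describing."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, words)) + r")\b",
                         re.IGNORECASE)
    return sorted({m.lower() for m in pattern.findall(text)})


# Constructed transaction notes, built around the phrases quoted in the post.
SAMPLE_NOTES = [
    "shogun figurine, as listed",
    "druggery",
    "cocaine cd single by eric clapton",
    "true crime book, paperback",
    "tip for the free game server",
    "donation towards server hosting",
]


def compare_filters(notes=SAMPLE_NOTES):
    """Run both filters over each note.
    Returns a list of (note, substring_hits, whole_word_hits)."""
    return [(n, naive_substring_filter(n), word_boundary_filter(n))
            for n in notes]


def substring_only_false_positives(notes=SAMPLE_NOTES):
    """Notes the substring filter flags but the whole-word filter does not,
    i.e. the bans a one-line regex fix would have avoided."""
    return [n for n, naive, whole in compare_filters(notes)
            if naive and not whole]


if __name__ == "__main__":
    for note, naive, whole in compare_filters():
        print(f"{note!r:40} substring={naive} whole_word={whole}")
    print("fixed by word boundaries:", substring_only_false_positives())
```

Note what the second filter does not fix: "cocaine cd single" and "true crime book" are whole-word hits either way, and the "tip" versus "donation" distinction the post describes is just another entry in the list. Both filters are purely lexical, so the only way out of those cases is context (item category, seller history, a human looking at the note), which is exactly what the post says the bot lacks.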