Slashdot Mirror

NBow I have to explain to her that 'S does not stand for Secure

Of course it stands for "secure". You can rest assured in the comfort that when you type your Paypal password in at https://www.payypall.com/ I or anyone else other than the operators of the scam site are unable to see your password.

Validation of companies was not part of getting an SSL certificate, not until 2005 anyway when the EV certificate was introduced. And it wasn't long after that browsers started displaying EV details differently which is why when I go to https://www.payypall.com/ I see a green lock, but when I go to https://www.paypal.com/ I see "Paypal Inc, [US]" written in the address bar.

Another issue is how do I pay my neighbor kid to mow my lawn with a credit card?

Paypal?

That won't work. From the PayPal TOS: "For an individual to open a U.S. PayPal account and use the PayPal services, you must be a resident of the United States or one of its territories and at least 18 years old, or the age of majority in your state of residence."

Gift cards?

But how would a child make change for an unopened $50 gift card, or even quickly verify that a particular gift card contains the balance the buyer claims it to contain?

Let's say, you entered paypal in Google and miraculously the second link leads to paypall.com

Wait.... Google lists a Fake website as Hit #2 in a search result, and people are ragging on LetsEncrypt? Clearly, the Search Engine is to blame here.

The way you safely access PayPal is DONT SEARCH FOR IT. you type http://www.paypal.com/ into your Browser address bar, AND you check the typing carefully before pressing enter.

Also, if you typo'd the website name, your browser should show an error page. And if you've ever visited www.paypal.com it should warn you that maybe you made a typo, before proceeding to access the different site.

The problem is very few people are aware of the correct URLs, and simply put "paypal" into google and follow the first result that comes up, or click the paypal link on ebay or that arrives in an email for example... They never directly enter https://www.paypal.com/ into their browser address bar.

Normal people have no idea what https://paypal.com/ is. For them https://paypal.co/ looks perfectly fine (PayPal might have bought all second level domains but I highly doubt that). Normal people have no idea what "com" means, what domains levels are, what's the meaning of dot in the domain name. What's the meaning of HTTP or HTTPS whereas the former is now hidden by all major web browsers. I'm an IT pro and I've no idea why there are these three letters "://" after the protocol name. Why not "::" or "->" or any other arbitrary combination?

Normal people may want to visit paypal for the first time ever which means no AutoFill data or any indication they've arrived at the website they can really trust.

Idiots who say you should trust a website based on its name think too much of people. The Internet was designed for geeks and remains so, no matter what geeks say. And it wasn't designed with security/privacy/encryption/simplicity in mind - to the contrary, the first major protocols had nothing to do with encryption or remote party identification.

Here's an example from real life: my ISP transparently replaces IP records for DNS queries for forbidden websites (it's a usual practice even in the USA) - how on Earth you could trust a domain name, when your ISP can reroute your traffic at will? And no! I'm not using my ISP's DNS resolver - I have a recursive DNS server on my PC - which means they transparently replace my UDP traffic. The only way to be sure that my connection attempt is not spoofed is what? VPN? No, you cannot trust it either. DNSSEC hasn't really taken off and then you cannot really trust CAs nowadays.

Sorry, I've never seen so many idiots at /. simultaneously.

I want DRM'd money to spend on DRM products.

That already exists. Credit card payments are subject to chargeback, and PayPal payments are subject to PayPal's purchase protection policy. Both give the buyer several months to report a seller who refuses to correct issues with a product that is not as described.

The chargeback penalty fee? PayPal, for example, will charge the merchant $20 per chargeback.

How would you make an urgent purchase by phone? More than once, I've purchased an airline ticket over the phone while I was literally in a cab on my way to the airport, I'd be pretty pissed if my bank would not allow that.

The problem is the same feature that enables you to buy a plane ticket over the phone with a "card not present" type of transaction, would enable absolutely any fraudster to impersonate you and empty you account / buy up to the card's limit simply by using some number printed on the face of your card that the fraudster could even have just glanced over.
(Yes, there are insurances against that, but still somebody is going to need to pay the cost. In the end this cost is passed to the customer as transaction fees and/or monthly fee).

The way I've seen "card not present" type of transaction handled here in around Europe, is out of band confirmation.

- A few years ago, I've got contacted by SMS by my bank asking to confirm directly to them the transaction.
(This part I haven't encountered for the last few years, so I don't know if it still exists.
Though I doubt that it is still in use, because back then the standard identification protocol was answering a couple of question that any one can quickly answer by searching modern social networks)

- Nearly every single transaction of the "card not present" type nowadays happens *on-line*. So still likely to happen over the phone, except using the "smart" part of the functionality of the phone.
A very huge proportion of online transaction I've seen use 3-D Secure system, which is basically also an out-of-band confirmation: a new intermediate page (in the purchase flow) or a new tab is opened asking you to log-in and confirm the transaction.
This confirmation is NOT served by the web merchant (or the plane company in your case) server, but by the bank's webserver. (Clearly indicated in the URL, all transaction authenticated using an up-to-date https).
Only once you confirm on the bank's website does the transaction goes through at the merchant.
(A fraudster would not only need the numbers visible on your card, but would also need to be able to log into your bank's 3dsecure page).
All the plan ticket I've bought online have gone through a 3d secure confirmation (EasyJet, StarAlliance, a few others...). Though I didn't by them while in the cab, but well in advance.

It's not that dissimilar from the way PayPal is handled by merchant: at some point the webshop redirect to page hosted on https://paypal.com/ that asks you to log-in to confirm the transaction.

And let's be serious for a minute:
you're speaking about airlines. with the present security circus, you're at least in for 60 to 90 minutes of queue in front of the security check. It's not that you're going to miss your plane if you take 5 minute more to buy the ticket before getting into the cab.
And there's still plenty of time to purchase your plane ticket at the airport using proper on-line identification while waiting on the queue.

Since I don't have a chip reader in my phone, I don't see how I'd be able to make a mobile web purchase either.

Actually, you do.

Phones' NFC, and card reader/credit card's RFID can talk to each other.

Some european bank do use as a 2-factor to authenticate your online session: stick your RFID card to your phone's NFC antena (example)

There's no *technological* limitation to your smartphone acting as a payment terminal using a simple app, though the only example I've seen use a bluetooth enabled contact-chip reader instead of directly accessing the card over NFC.
(I suspect current certifications won't allow a smartphone app to input a pin and sign a transaction)

but one day you could probably pay simply by sticking your RFID card against the phone's NFC antena.

Remember, this is the same company that excludes its users from commerce in legal but politically incorrect products & services.

https://www.paypal.com/ca/weba...

And the same company that has its regional operating headquarters in Singapore where gay sex is punishable with a prison term.

PayPal seems to have no trouble doing business there. What are Saudi Arabian bathroom policies like? How are LGBT rights doing there?

Remember, this is the same company that excludes its users from commerce in legal but politically incorrect products & services.

https://www.paypal.com/ca/weba...

... web site with information on where to direct the money ...

Encryption aside, Isn't this what the PayPal system does? The POLi payments system is also similar to what you ask.

Like this one

https://trac.ffmpeg.org/ticket...

Blue Iris Video Security Software

  Perspective Software

No indication of GPL use. Claims work as his own.

From the download package, BlueIris.exe is UPX compressed. Decompress, then investigate 22 MB file with strings.exe.

libswresample license: GPL version 2 or later

  libswscale license: GPL version 2 or later

  libavcodec license: GPL version 2 or later

  libavformat license: GPL version 2 or later

  libavutil license: GPL version 2 or later

Compile strings discovered:

--enable-gpl --cpu=i686 --prefix=/c/msys/1.0/ffmpeg/build --enable-libx264

Here's something fun to do. Tell PayPal that BlueIris is violating term 9c of the user agreement (since they take PayPal for their registration fee):

PayPal User Agreement

Note: I run a nonprofit organization and have a different perspective (+ bias!) about donations.

[1] Generally, I think it's best to begin as you already have by identifying those causes which are most important to you.

[2] Next, ask yourself if you're interested in pursuing a global / regional / local approach? The local org might focus on issues which matter to you - and it might be directly related to issues in your neighborhood. On the other hand "big" issues like constitutional rights might only be addressed at the national level.

Also, are you looking for a large well-established nonprofit or a small up-start where your money will have a more significant impact? For example a donation of $1,000 to the Red Cross will certainly be welcomed but likely not celebrated. If instead you made that $1,000 donation to a nonprofit running on a shoestring budget of $20,000 a year then you've just increased their budget by 5% - which is definitely cause for celebration!

[3] By now you should have at least a handful of charities which meet your criteria and can begin validating their effectiveness, transparency, and legal status.

A good place to start is GuideStar ( http://guidestar.org/ ). You will get information on IRS status, financials, mission statements as well as reviews. CharityNavigator ( http://charitynavigator.org/ ) is another great resource and they provide independent ratings of charities. One important distinction though is that CharityNavigator focuses on larger nonprofits (total revenue must be > $1million in the previous fiscal year).

My nonprofit has a listing with CharityNavigator but no rating because we are (much much much) too small. On the other hand at GuideStar we have a "Gold" rating based on the amount of information which we have shared with them. So either of these are great resources but my bias is showing when I lean toward GuideStar.

If for some reason you'd rather not use either of these sites I would suggest that at a minimum that you verify that the nonprofit has a 501(c)(3) status with the IRS and that it has not been revoked. You can search for orgs by name or EIN here: http://apps.irs.gov/app/eos/

For more on charity scams here's some helpful info from the FTC: https://www.consumer.ftc.gov/a...

[4] Once you have narrowed your list down to 1 or 2 then you can decide if there's a specific funding mechanism which appeals most to you (e.g. PayPal, cash, check, bitcoin). Some donation methods can take 5% (or more!) of the donation off the top before the nonprofit gets the donation.

For example, PayPal charges nonprofits a reduced fee of 2.2% + $0.30 per transaction (details here: https://www.paypal.com/webapps...). Also, BitPay does not charge us anything for bitcoin donations through our site.

Hopefully by going through this you will wind up with at least one charity which meets all of your criteria and can then just confirm their status in the future without going through all of these steps every time. Thank you on behalf of nonprofit organizations everywhere for supporting their efforts!

Shameless Plug
Of course I have to say something about my nonprofit's work: Jennifer Ann's Group is a nonprofit charity preventing teen dating violence. Our most successful program is producing video games to help young people, parents, and educators learn more about this issue and how to seek help if needed. We have produced 20+ video games through an annual video g

Except you know they do lend.

If it was just a money transfer they might have a case they are not a bank, but even then there are regulations on money transfer systems that PayPal tried to say didn't apply to them.

https://www.paypal.com/webapps... You can have the best of both worlds. "One M-54 with 20 ton yield please, and Charge It!"

Nope, at least not with any Paypal labels I've printed.

I've shipped countless packages a day late BTW, and never, ever had one returned.

In the eBay shipping center, next to the selector for Shipping Date is a link to More Info that states:

Mailing Date

The Mailing Date you select determines the date when your postage label is valid. An electronic record is generated on that date indicating that your package has been mailed. When creating an online label, you are responsible for providing accurate information when selecting the mailing date. You will have the option to select a mailing date up to 3 days in the future. Please note that the Mailing Date is formatted in Eastern Standard Time.

This is corroborated by the USPS notice posted earlier, though from your experience the notice should say "may be returned" rather than "will be returned." You are being given a grace period by the post office that accepts your package; others report their packages being returned, so late mailing is not something that can be counted upon systemwide.

Nope, at least not with any Paypal labels I've printed.

I've shipped countless packages a day late BTW, and never, ever had one returned.

In the eBay shipping center, next to the selector for Shipping Date is a link to More Info that states:

Mailing Date

The Mailing Date you select determines the date when your postage label is valid. An electronic record is generated on that date indicating that your package has been mailed. When creating an online label, you are responsible for providing accurate information when selecting the mailing date. You will have the option to select a mailing date up to 3 days in the future. Please note that the Mailing Date is formatted in Eastern Standard Time.

This is corroborated by the USPS notice posted earlier, though from your experience the notice should say "may be returned" rather than "will be returned." You are being given a grace period by the post office that accepts your package; others report their packages being returned, so late mailing is not something that can be counted upon systemwide.

https://www.paypal.com/us/cgi-...

Clear form, quick payment w/o entering lots of credit card details, every non-international USPS option, no need to mess with the weird postal service website.

If you log in here: https://www.paypal.com/cgi-bin... (Make sure you check it's https://www.paypal.com/ !! ) Does it work? The eBay account that is used in the 'exploit' does NOT have to be associated with the Paypal account. Any eBay account can be used. You can even create a new one, with a completly random email.

If you log in here: https://www.paypal.com/cgi-bin... (Make sure you check it's https://www.paypal.com/ !! ) Does it work? The eBay account that is used in the 'exploit' does NOT have to be associated with the Paypal account. Any eBay account can be used. You can even create a new one, with a completly random email.

https://www.paypal.com/us/cgi-...

Thank you.

https://www.paypal.com/us/cgi-...

Paypal is a bank... but actually, according to their website, don't qualify for deposit protection anyway,

The link says:
Since the service provided by PayPal Europe is limited to E-money, which does not qualify as a deposit or an investment service in the sense of the Law, customers of PayPal Europe are not protected by the Luxembourg deposit guarantee schemes

What is "e-money"? My employer does a wire transfer to deposit my salary on my account in the bank. Is that not e-money?

It sounds like you don't want regulation of Bitcoin per se, but instead regulation of exchanges. Or, more generally, you want regulation of anybody to which you give money with the expectation of getting it back. I'd expect that legislation to exist already, because the concept of "a company which holds on to your money for a bit" is one that's existed for a long time before Bitcoin.

As an aside: as far as I'm aware, Paypal does not come with this protection in the US. They can take your money, and there's sod all you can do about it. In Europe, Paypal is a bank... but actually, according to their website, don't qualify for deposit protection anyway, so they can happily go bust and your deposits won't be covered.

It's notable that people still use Paypal.

Doesn't service provider like PayPal take care of these/tax related issues with Finnish Central Bank?
https://www.paypal.com/us/weba...

The market that's more curious to me is the "card not present" market...payment processors for websites. Stripe seems to be the darling of the Slashdot crowd, but their pricing is horrible. They offer 2.9% + $0.30 per transaction, and won't offer to discount it until you're doing $1M+ per year. Contrast with Paypal's Payment Pro which drops down first to 2.5%+$0.30 once you hit $3k/month, then down to 2.2%+$0.30 once you hit $10k/month. Stripe has a few features that PPP doesn't, but they would need to be real important to you to pay that much more.

But wait, there's more! An actual bank will probably charge you 2.0%+$0.30 for virtually zero volume (I'm on 2.2%+$0.50 NZD so about $0.40 USD but we're known for being more expensive). Plus, an actual bank will offer you the benefit of the 3DS liability shift (which PayPal/Stripe will not).

So why does anyone use these services again?

This shouldn't be a big surprise...the flat rate plan was clearly a loss-leader meant to gain marketshare.

Most of the fee you pay to companies like Square doesn't go to them. It goes towards the "Interchange Fee" charged by Visa, MasterCard, and AMEX. These interchange fees vary based on card type (for example, fees are higher on "reward cards"...that's what funds the "reward"), and transaction type ("card not present", for example, has a higher rate). Check over the interchange fees for Visa and MasterCard, and you'll see that Square doesn't have a lot of room to move below 2.75% and still make money.

The three big players in this "mobile payments" space are Paypal Here (2.7%), Intuit's GoPayment (2.75% flat, or $12.95/M + 1.75%) or, the aforementioned Square (2.75%). At the moment, if you're swiping more than $1295/M, Intuit's $12.95+1.75% would be the best choice...unclear though, how long that plan will be around since it's a loss-leader as well.

The market that's more curious to me is the "card not present" market...payment processors for websites. Stripe seems to be the darling of the Slashdot crowd, but their pricing is horrible. They offer 2.9% + $0.30 per transaction, and won't offer to discount it until you're doing $1M+ per year. Contrast with Paypal's Payment Pro which drops down first to 2.5%+$0.30 once you hit $3k/month, then down to 2.2%+$0.30 once you hit $10k/month. Stripe has a few features that PPP doesn't, but they would need to be real important to you to pay that much more.

This shouldn't be a big surprise...the flat rate plan was clearly a loss-leader meant to gain marketshare.

Most of the fee you pay to companies like Square doesn't go to them. It goes towards the "Interchange Fee" charged by Visa, MasterCard, and AMEX. These interchange fees vary based on card type (for example, fees are higher on "reward cards"...that's what funds the "reward"), and transaction type ("card not present", for example, has a higher rate). Check over the interchange fees for Visa and MasterCard, and you'll see that Square doesn't have a lot of room to move below 2.75% and still make money.

The three big players in this "mobile payments" space are Paypal Here (2.7%), Intuit's GoPayment (2.75% flat, or $12.95/M + 1.75%) or, the aforementioned Square (2.75%). At the moment, if you're swiping more than $1295/M, Intuit's $12.95+1.75% would be the best choice...unclear though, how long that plan will be around since it's a loss-leader as well.

The market that's more curious to me is the "card not present" market...payment processors for websites. Stripe seems to be the darling of the Slashdot crowd, but their pricing is horrible. They offer 2.9% + $0.30 per transaction, and won't offer to discount it until you're doing $1M+ per year. Contrast with Paypal's Payment Pro which drops down first to 2.5%+$0.30 once you hit $3k/month, then down to 2.2%+$0.30 once you hit $10k/month. Stripe has a few features that PPP doesn't, but they would need to be real important to you to pay that much more.

https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=7BCR4A5W9PNN4

Care, no...

Actually I do. I could care less about the project, who gives a fuck. Another bleeding heart FOSS is your friend bullshit waste of time and money.

But clearly since PayPal provides a crowdfunding platform they have a right to ask for LEGITIMATE reason to continue to fund a project if there is some question to how the money is being used, or no real information about the progress of a project.

I am tired of people rising to the defense of open source and crowdfunded projects without thinking. There is no reason to assume that you can be handed thousands of investor's money and then have no real business strategy, budget, or timeframe to deliver on your goals. If your investor asks for progress, you fucking provide it. If your investor is calling you out, you better cover your ass with legitimate paperwork.

So suck it up MailPile. You thought you could create some crowdfunded bullshit project, take the money from tens of thousands of people that will just throw anything at FOSS out of some vapid belief it matters and then provide what; a reskin of some existing open source mail program and call it a day?

Hey, if MailPile is legitimate and well organized that information should be trivial and readily obtained so feed it to PayPal and tell them to shut the fuck up. But if its a bunch of stoners thinking they got away with ripping off a bunch of retards through PayPal, they should guess again.

I think PayPal is clearly in the right here to ask for some information about how the money is being spent considering they offered the opportunity to have this project funded through their organization.

Bam

https://developer.paypal.com/webapps/developer/docs/classic/lifecycle/crowdfunding/

Time to RTF-Guidlines

Probably something in those terms of service people don't read.

Does paying a minor, even for such a voluntary action, require parental approval?

According to the terms of the program, yes.

"Payment is paid out through a verified PayPal account, once the bug is fixed."

A minor can't have a PayPal account. As well, there's a "Terms for participation" which implies a contract to submit the bug. If a minor can't enter a contract, they can't agree to the terms.

At first, I didn't feel sorry at all. Usually, the guidelines specifically point out you must be 18+, and you agree to this upon submission. But then, I couldn't find anything about age restrictions. However, it does say "The bug bounty program is subject to change or to cancellation at any point without notice." and a bunch of other "Hey, we can screw you over if we want, and you agree to this upon submission." Therefore, I feel a little sorry for the guy because there is NO indication of an age restriction, but it's clear that Paypal can screw you over if they want (just like any legal Terms and Conditions that we all agree to everyday). If you don't want to be screwed over, just don't submit bugs. Submit bug reports for FOSS projects instead... or, call up Paypal and scream, "Show me the money!"

No, but generally speaking you cannot enter a contract with a minor, which is probably the legal issue. Age of majority is variable, but in California that is 18 ys old.

They should find a way around it, but they can't just give it to him.

I am not a lawyer, but my understanding is that simply paying someone a reward is not entering into a contract.

If Paypal requires that the person who finds the bug enters into a non-disclosure and/or marketing agreement (i.e. to be able to publish their name as the bug finder) prior to receiving the reward then I would agree that this may be the issue. However, there are tons of child actors in Hollywood, so their must be a way that a minor can enter into an agreement. I'm guessing that it would require the legal guardian(s) signature.

Contract was my first thought as well; the terms and conditions of the bounty program require entering into a licensing contract which includes publishing rights, a contract that warrants that the work is theirs, contracts for a waiver of additional claims, In addition, they reserve the right to change the rules at any time they feel like it, including after submission and prior to acceptance/payment of the bounty:

"The bug bounty program is subject to change or to cancellation at any point without notice."

See here for full details; the Terms and Conditions spelling out the contractual obligations on the submitter are at the bottom (as usual):

https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues

IMO, there are probably places you could sell information about such exploits that would be more likely to guarantee payment. On the plus side, since they've used the age of majority as a gate in this particular case, he can now pursue sales through those other venues.

Really? Google, my bank, and PayPal all send me an SMS code to verify me (i.e. I log in with username/password, it either immediately texts me a code or has a button for texting me a code, then I receive an SMS with the code to type in to complete the authentication process). My bank and PayPal do it on every login. Google does it the first time I use a device (used to be every 30 days as well, but they seem to have stopped that).

I don't have an Android or iOS phone, but I do have an unlimited texting plan (hard to get a data plan without one), so that works great for me.

For the same reason I wouldn't take Euros, Pounds or any other currency and then immediately convert it to USD (my local currency), it's extra work and trouble for me to do.

Well if you are accepting credit cards you are already doing this. No credit card transaction is free, and it's not the customer that is paying for the transaction fees (other than through inflated prices for the goods).

Presumably the process would be automated so that conversion rates, and conversion to USD would be automatic. There shouldn't be any extra work beyond initial development time. Also if you are dealing with people from other countries that do use other currencies every transaction in BTC would cost you considerably less to get their money. Take PayPal as an example: https://www.paypal.com/cgi-bin/marketingweb?cmd=_display-xborder-fees-outside&countries= Even domestic transactions cost 2.9% + $0.30 from PayPal https://www.paypal.com/us/webapps/mpp/merchant-fees

So that's costing YOU 3+% + $0.30 for every transaction to someone outside of the US let alone what your customers credit cards are charging them to convert to USD. Compare that to BitPay's 1% flat rate. https://bitpay.com/pricing BitPay also appears to have immediate USD payouts as part of their service as well.

So in the end by accepting BTC you will save yourself, and your customer money, while opening yourself up to more customers that will be looking for services available in BTC form. Unless all of your customers can pay in person, with cash you will only make more money accepting BTC.

People just don't commonly price things in two different currencies and want to deal with exchange rates all day long.

I live within an hour of the Canadian border, and almost all of the gas stations/businesses around here accept Canadian currency. They certainly don't price everything in the store with two prices, they simply post whatever the store is currently charging for a conversion rate somewhere and expect the customer to figure out the prices for themselves until they get to the checkout. The best part is the store can charge whatever conversion rate they want. If the bank/market is at 102% go ahead and charge them at 95% and pocket the difference. The customer can either go and convert it themselves or eat the difference for the convenience.

For the same reason I wouldn't take Euros, Pounds or any other currency and then immediately convert it to USD (my local currency), it's extra work and trouble for me to do.

Well if you are accepting credit cards you are already doing this. No credit card transaction is free, and it's not the customer that is paying for the transaction fees (other than through inflated prices for the goods).

Presumably the process would be automated so that conversion rates, and conversion to USD would be automatic. There shouldn't be any extra work beyond initial development time. Also if you are dealing with people from other countries that do use other currencies every transaction in BTC would cost you considerably less to get their money. Take PayPal as an example: https://www.paypal.com/cgi-bin/marketingweb?cmd=_display-xborder-fees-outside&countries= Even domestic transactions cost 2.9% + $0.30 from PayPal https://www.paypal.com/us/webapps/mpp/merchant-fees

So that's costing YOU 3+% + $0.30 for every transaction to someone outside of the US let alone what your customers credit cards are charging them to convert to USD. Compare that to BitPay's 1% flat rate. https://bitpay.com/pricing BitPay also appears to have immediate USD payouts as part of their service as well.

So in the end by accepting BTC you will save yourself, and your customer money, while opening yourself up to more customers that will be looking for services available in BTC form. Unless all of your customers can pay in person, with cash you will only make more money accepting BTC.

People just don't commonly price things in two different currencies and want to deal with exchange rates all day long.

I live within an hour of the Canadian border, and almost all of the gas stations/businesses around here accept Canadian currency. They certainly don't price everything in the store with two prices, they simply post whatever the store is currently charging for a conversion rate somewhere and expect the customer to figure out the prices for themselves until they get to the checkout. The best part is the store can charge whatever conversion rate they want. If the bank/market is at 102% go ahead and charge them at 95% and pocket the difference. The customer can either go and convert it themselves or eat the difference for the convenience.

Oh, and what product(s)? PayPal is a payment processor for online merchants. That's the only product anyone's aware of that they make.

Three that you're unaware of:
Debit card
Mobile card processing
In-store payment by phone or PayPal payment card at 14 merchants (and counting)

Oh, and what product(s)? PayPal is a payment processor for online merchants. That's the only product anyone's aware of that they make.

Three that you're unaware of:
Debit card
Mobile card processing
In-store payment by phone or PayPal payment card at 14 merchants (and counting)

Oh, and what product(s)? PayPal is a payment processor for online merchants. That's the only product anyone's aware of that they make.

Three that you're unaware of:
Debit card
Mobile card processing
In-store payment by phone or PayPal payment card at 14 merchants (and counting)

Just walk into any store and buy a prepaid visa with cash. Use prepaid visa to buy bitcoins. Done and done.

Have you actually tried to do that? The approach doesn't work.

Yes, you can buy an anonymous prepaid Visa with cash, but it's effectively worthless for purchasing bitcoins. As I said before, services don't take credit/debit card payments for bitcoins because those payments are reversible and bitcoin transfers are irreversible. Furthermore, PayPal will not let you setup a payment using these cards (it's automatically detected based on card number and the payment blocked)—not that many sellers take PayPal for bitcoins anyway because it's likely against the PayPal AUP (cf. "currency exchanges").

I have seen a few individual seller offers to take preloaded value cards such as MoneyPak or Visa gift cards for bitcoins, but they require you to either physically mail the card to the seller and/or wait until the value is drained from the card before they will transfer the bitcoins. Some individual sellers might take MoneyPak with a scanned image of the receipt (which can then be used to immediately load the seller's PayPal account), but sellers get nervous about this due to fraud, chargebacks, etc.

In synopsis, you might find individual sellers who take these kinds of payments, but it's just as slow, inefficient, and insecure as paying with literal cash, except with the added overhead of the prepaid card fees. Furthermore, the approach definitely doesn't work for any bitcoin exchange service (at least not while preserving anonymity).

(basically preventing a normal consumer from every suing you for fault since they could never recover enough to make it worth while

You've never actually read one of these arbitration clauses, have you?

Here's PayPal's
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=ua/upcoming_policies_full

We will pay the initial filing fee to commence arbitration and any arbitration hearing that you attend shall take place in the federal judicial district of your residence.

Here's Amazon's
http://www.amazon.com/gp/help/customer/display.html/?nodeId=508088

We will reimburse those fees for claims totaling less than $10,000 unless the arbitrator determines the claims are frivolous. Likewise, Amazon will not seek attorneys' fees and costs in arbitration unless the arbitrator determines the claims are frivolous. You may choose to have the arbitration conducted by telephone, based on written submissions, or in person in the county where you live or at another mutually agreed location.

In business contracts, the arbitration clause has been standard for years (decade+)... and it usually says something equivalent to: loser pays all arbitration costs and attorney's fees.

So if you have a legitimate claim, then you can file for arbitration, and the corporation will not only have to pay your claim, but all of the money you spent to bring the suit. This is more than you would get in court (where there is no "loser pays" clause).

Privacy law requires a specific purpose, it is not legal to say that "we share your personal data with third parties" in a contract: the parties must be specified. This is especially the case for terms and conditions documents*.

You mean like... Skype's

.
Our primary purpose in collecting information is to provide you with a safe, smooth, efficient, and customized experience. Skype collects and uses, or has third party service providers acting on Skype’s behalf collecting and using, personal data relating to you, as permitted or necessary to:
--snip--protect your and Skype’s interests, including in particular to enforce our Terms of Service and prevent and fight against fraud, (together, the Purposes). ...
Skype may disclose personal information to respond to legal requirements, exercise our legal rights or defend against legal claims, to protect Skype’s interests, fight against fraud and to enforce our policies or to protect anyone's rights, property, or safety

And like Paypal's...

How we share personal information with other parties... Service providers under contract who help with our business operations such as fraud prevention, bill collection, marketing and technology services. Our contracts dictate that these service providers only use your information in connection with the services they perform for us and not for their own benefit.

PayPal security team will determine the bounty amount and all decisions are final.

Would you trust Paypal to reward you fairly?

First off, I couldn't agree with you more on just about every point you make.

I got a notification from both eBay a while back, and PayPal twelve days ago by email, so you might check what email your account(s) use and their associated spam buckets. And as you say, email seems to be an acceptable channel for this sort of communication, but apparently only one way. Ironic in the traditional sense, yes. I could rant all day about this, but I think everything that can be said has been by now.

Perhaps, you didn't get the notice because for reasons you've stated the change may not be enforceable in your country (NB, this is a wild-ass guess on my part). A US Supreme Court ruling last year cleared the way for this sort of crap here. If you're curious, here's the text of the PayPal email I received:

Notice of Policy Updates

Dear So-and-So

PayPal recently posted a new Policy Update which includes changes to the PayPal User Agreement. The update to the User Agreement is effective November 1, 2012 and contains several changes, including changes that affect how claims you and PayPal have against each other are resolved. You will, with limited exception, be required to submit claims you have against PayPal to binding and final arbitration, unless you opt out of the Agreement to Arbitrate (Section 14.3) by December 1, 2012. Unless you opt out: (1) you will only be permitted to pursue claims against PayPal on an individual basis, not as a plaintiff or class member in any class or representative action or proceeding and (2) you will only be permitted to seek relief (including monetary, injunctive, and declaratory relief) on an individual basis.

You can view this Policy Update by logging in to your PayPal account. To log in to your account, go to https://www.paypal.com/ and enter your member log in information. Once you are logged in, look at the Notifications section on the top right side of the page for the latest Policy Updates. We encourage you to review the Policy Update to familiarize yourself with all of the changes that have been made.

If you need help logging in, go to our Help Center by clicking the Help link located in the upper right-hand corner of any PayPal page.

Sincerely,

PayPal

Notice of Policy Updates Dear xxx xxxx, PayPal recently posted a new Policy Update which includes changes to the PayPal User Agreement. The update to the User Agreement is effective November 1, 2012 and contains several changes, including changes that affect how claims you and PayPal have against each other are resolved. You will, with limited exception, be required to submit claims you have against PayPal to binding and final arbitration, unless you opt out of the Agreement to Arbitrate (Section 14.3) by December 1, 2012. Unless you opt out: (1) you will only be permitted to pursue claims against PayPal on an individual basis, not as a plaintiff or class member in any class or representative action or proceeding and (2) you will only be permitted to seek relief (including monetary, injunctive, and declaratory relief) on an individual basis. You can view this Policy Update by logging in to your PayPal account. To log in to your account, go to https://www.paypal.com/ and enter your member log in information. Once you are logged in, look at the Notifications section on the top right side of the page for the latest Policy Updates. We encourage you to review the Policy Update to familiarize yourself with all of the changes that have been made.

Not that I am defending it.

https://cms.paypal.com/ar/cgi-bin/?cmd=_render-content&content_ID=ua/AR_20120909_Amendment_to_UA_print&fli=true&locale.x=en_US

Paypal disagrees...

30% cut to handle payment services for your customers, including card processing and verification, refunds, fees to banks and credit card companies, gift cards, customer service, helpdesk etc? Yes please. That alone is worth the 30% cut

On the contrary, 30% for payment processing is a huge markup - contrast with PayPal's Merchant Fees. As a developer, which would you rather pay?