Slashdot Mirror
Abiword's PayPal Donation Fund Robbed
SabberFlapper writes "According to this Announcement to the developer list of Abiword the Abiword fund was robbed. Dom Lachowicz writes: 'I'm duty bound to let you all know that the AbiWord Fund/Tip Jar has
been robbed approximately three weeks ago. I'm telling you this now,
rather than sooner, since I believed that Paypal would do something
about my complaints during the interim, and that this would all be
resolved quietly. Today, 23 days later, this does not look like it will
happen. [..]
I do however, recommend doing several things:
1) Writing to Paypal, in letter, email, or fax form alerting them to
this travesty.
2) Calling Paypal on AbiWord's behalf.
3) Writing or calling your Congressman/woman, pointing out that Paypal
is acting like a bank, but not operating under formal banking laws.
4) Boycotting Paypal because of these reasons, and the fact that their
system is notoriously insecure, and encouraging others to do the same.'" Of all the groups to steal from -- AbiWord?
They actually tried to tell me that I couldn't accept a payment without bank details a couple of days ago. When I pressed the only button that didn't cancel the payment I was *then* given the option to accept without adding bank details.
PayPal is like the stock market -- don't put anything in that you can't afford to lose.
I know this is complete flame material but...
If we all know pay pal has a very bad rep for dealing with things like this... Why does anyone still use it?
The old line of fool me once shame on you.. Fool me twice shame on me comes to mind.
Frankly, I suspended my PayPal account months ago. This episode just confirms my doubts about their service. It's like your bank gets robbed and tells you sorry, your account is zero now... I think everyone who owns a Paypal account should write and eventually cancel their own account. It happened to Abiword but it could happen, and i -bet- it's happening, to anyone. They just targeted a substantial account, this time.. Ofcoures it's internet, its point and click, its insecure, bla bla bla but it's real money. People has to realize it's real money. It shouldnt make a difference if they rob my PayPal account or if they rob my house, but alas, it does. Internet has reached a critical mass of people years ago, but still when you do business there you feel like you are not in 21th century, but back in the far west...
I had a paypal account. As soon as I saw the site http://www.paypalwarning.com I deleted it. This was out of simple self preservation, everyone gets bad press, but that much, and to that degree?? I have shown everyone I know that uses paypal that site - I feel duty bound to do so. Veteran Netizens certainly have seen or heard of this site, yet AbiWord decided to use it as their merchant account. Well, you knew the risks didn't you...
Yes, it sucks. It is pretty terrible that donations where robbed. But common sence could have avoided it. You call for a boycott now - well hundreds have been saying this for some time and it was ignored... People have been attempting to get PayPal to have to live up to the same standards of a bank for a long time now. I am sure it is a shock when it is you that gets ripped off but it shouldn't shock you that much that PayPal is being less than helpful.
NR
Isn't there an address that the camera seller has? If this is inter-state fraud doesn't that bring the FBI into the picture? Why rely on PayPal to give you justice?
Now of course, PayPal SHOULD have to be a bank to do what they do and should be responsible for the money entrusted to them that they allowed to be stolen, but just because they aren't I don't see how that is the end of it.
Don't moderate flamebait as Troll. Know the difference or you will be Meta-moderated.
He says, "...their system is notoriously insecure."
It seems to me that if the system is that insecure, the perps could have found something more lucrative to rob than the Abiword tip jar. I'm sure there are power sellers on ebay that do more business in a week than the tip jar sees in a year.
Perhaps his fund password was something like "abiword" or he responded to a scam e-mail...
Reading the complete post, I see "...Their silence implies to me that they are treating this matter as if I got mugged on the street, rather than as if someone walked into their bank and withdrew my money without my consent."
So it sounds as if it was not a hole but rather an error on Dom's part. I look forward to reading more about this to find out just how this happened.
Just a thought...
You might accept payments there, but daily, weekly...often anyway...take the money out and put it in a real bank.
Paypal shouldn't be used as a bank account. They're not a bank.
You say
Maybe if paypal acted good-hearted, and at least put up some easy contact info so you could get some help tracking down the scammers they wouldn't have such a hard time.
This is like putting your stuff in public storage, having the garage broken into, all your stuff stolen, only to find out they've replaced the attendant with an automated box and have chosen to leave you no way to contact a person.
It's despicable, and it stinks of fraud.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
...but I just closed my Paypal account and sent them an email expressing my disgust. I urge others to do the same.
Comment removed based on user account deletion
...just as soon as someone explains how the theft occured and why it is PayPal's fault. If the theft occured by someone hacking PayPal, then it is indeed their fault and I will cancel. But if the theft occured because Abiword had a simple to guess password, 47 people knew the password, or some other idiocy like that, then I have no sympathy...and I will continue to be a happy PayPal customer who has conducted thousands of dollars worth of transactions (both directions) and had no problems what so ever.
I do notice that the referenced note is long on inuendo and short on facts, and that in itself makes me suspicious.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
Being hard to contact isn't fraudulent, but I believe it is a good indication of possible fraudulent behaviour. Sort of like when a store quits answering the phone all of a sudden for weeks on end... you get this feeling that something isn't right there. And, strangely enough, it's never failed for me.
And if paypal wants to be an internet only company, fine. They should act like it, though, and get the asses moving on the emails. An internet only company should have given him an answer in under 24 hours. If any internet only company takes more than 48 hours to get something done for me, I get antsy.
This guys been waiting weeks! I've seen letters cross the atlantic and pacific oceans faster than they respond to problems.
Saying "Don't like it? Take your business elsewhere." is a cop-out. I'm soon going to be running a computer company, and if it were broken into and a customers machine stolen, I wouldn't tell them "too bad, and don't bother talking to me again". I'd probably go to jail.
So, if I can't cop-out, why can PayPal? Because everyone "knows" they're a bunch of crooks? That's a pathetic excuse.
[ And yes, I do do my business elsewhere. I'd rather give the crack addict my money to look after than PayPal. At least I'd know where it ends up. ]
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
How much money should someone be allowing to accumulate in a Paypal "donation" account? I ask because I think that anyone who lets the account grow too much (like beyond $100 or one transaction, whichever is greater) is begging for trouble. I know that there are transaction fees when you take money out of the account, so were the Abiword people being cheap by not withdrawing earlier?
For example, if there is a 2.9%+$0.30 charge to receive $100 from the account (see Paypal for details), that would be a charge of $3.20 leaving $96.80 in the check I assume they would send out. Even at $50, you're looking at $2.25 with $47.75 of actual money coming at you.
Clearly, were I running the deal I wouldn't be leaving money in this "fund" and I think that Mr. Lachowicz was a damned fool to do so, whether Paypal is generally believed to be a security risk or not.
Frankly, I have more sympathy for someone who loses $30 or $40 from their Paypal account because of this kind of fraud than I do in this case. Someone who loses such a small amount of money could have had some valid reason to have the money in their. Someone who leaves $800 sitting around, doing nothing (savings account interest rates are small, but Paypal interest rates, well, are nonexistant), probably needs a lesson taught to them.
Blaming Paypal alone would be a mistake.
So was the early subscriptions system a lure to get as many Slashdot fellow readers as possible into using PayPal ?
That really stinks. I wish Dom the best of luck getting his money back.
But, I'm not going to cancel my PayPal account over this just yet. I've had the account since the service began (remember when it was for Palm Pilots?). Never had a problem. I treat PayPal with kid gloves because they are not regulated the same way banks are (and they shouldn't be: they are a payment service, not a full-service bank), and they are a huge hacker's target.
Here what I do with my PayPal account (I use it quite a bit on eBay for buying and selling):
1) Set up a separate bank account for PayPal. I have a money market fund whose sole purpose in life is to transfer money between paypal and my regular savings account. I transfer the money out at least once a month or so.
2) never give PayPal any more information than they need. Give them one credit card (preferably exclusive to PayPal with a PO box billing address). Don't sign up for the piss-ant Money Market fund that requires giving them your Social Security Number. No extra emails, phone numbers, or mailing addresses. Change password often.
3) NEVER UNDER ANY CIRCUMSTANCES leave a balance in your PayPal account. Because it's PayPal's money, not yours, until you take it out (remember, it's not a bank). Withdraw immediately. Even if you need to pay for an auction later, use your bank/credit card to pay for it. (I use a Citibank card that gives a cash back bonus, so I actually get a small benefit from doing this.)
4) If they send you a free Debit card, cancel it. Don't sign up for the credit card either.
You have to keep in mind also, PayPal can freeze your money at any time. All that has to happen is someone file a complaint against you. They can lock your account. They can do various silly things.
I don't want to "blame the victim", but if your money is not in the PayPal account, it can't be stolen. And if there's a fraudulent charge on your credit card, it can be taken care of with a signed affidavit, or maybe just a letter, like any problem with your card. Your card has consumer protection laws associated with it, your PayPal account doesn't.
I did have one of my other cards stolen once and used on PayPal (had nothing to do with my paypal account, the perp opened his own). I wrote them and received a response and an affidavit to fill out, the next day. In fact, all my PayPal customer service mails have been answered the next day. (I have a "premier" / "merchant rate" account, which gets better treatment, ymmv).
By this point, with all the horror stories out there, I'm surprised anyone would keep a balance in their PayPal account.
"...system is notoriously insecure"
Bullshit. How about "I had an insecure password", or "I responded to one of those emails from a scammer that claimed to be PayPal", or "Another system I use was compromised and I stupidly use the same password everywhere" instead?
I'm gonna guess one of those scenarios is more likely than any security failing on PayPal's part. Certainly if there was a security hole in PayPal itself, there are much bigger fish to go after -- any of eBay's Power Sellers, for instance, probably have much more than $500 or so in their accounts at any given moment.
NO CARRIER
No, see, YOU put the locks on your place. The landlord made you put a lock on there, but you chose the lock. You decided if it was a stainless-steel master lock, or one of those crappy cord-looking bike locks that could be cut through with a pair of grade-school safety scissors. Paypal doesn't set your password, YOU DO.
In all seriousness, isn't the security of a password still sacred? I mean, you can log in to any server, anywhere, with nothing more than an absconded password; do you really expect Paypal to do more than that?
All of that is well and good, but PayPal at least knows where the money went. That would be a good enough lead for law enforcement to start an examination into it.
-- This space for lease, low setup fee, inquire within!
There isn't enough information in the announcement to tell if that's what happened here, but if PayPal failed to do their job (e.g., they didn't take reasonable security precautions in proportion to their responsibility), a lawsuit is exactly the right thing. In most (i.e., libertarian rather than anarchist) conceptions of the free market, it's part of the gummint's job to enforce contracts, and there's clearly a contract here, even if some parts are just implied by the nature of the relationship: "in exchange for a cut, we will hold onto your money for you" => "if we fuck up and cause you to lose your money, we'll pony up".
Yes, YOU. I put that in all caps, did that help? YOU selected how to pay.
If YOU want paypal to hold your hand like a bank, Paypal will have to charge us much higher fees to pay for the insurance.
I like not paying fees. 1. Don't leave a balance in your Paypal account. 2. Always pay with credit card.
Those two steps will remove any chance of damages. Yet, YOU would rather have us all pay tons of fees. How hard are those two simple things? Take some responsibility for yourself, don't make us all pay to have Paypal do it for you.
Comment removed based on user account deletion
It doesn't make sense to me how this could happen. Someone took money out of AbiWords account to buy a digital camera. That camera has to be delivered to the person who hacked into Abiwords account. Find out that adress, go over then and beat the crap out of the guy!
Comment removed based on user account deletion
"There is no excuse for not having live telephone-answering customer service. Imagine if your local bookstore quit answering the phone because they do all their business in the store and none on the phone."
I dont see that'd be a problem. I live in area with sidewalk merchants. Are they dastardly because they dont have phone numbers? No. Of course not.
Make your choices, and have fun. But I think its stupid. If you perform 99% of all transactions with a company online, why should you switch to phone for that last 1%? It doesn't make sense.
The whole point of the Internet is that Its Not Phone.
Where are you coming from? It sounds like you are arguing that fraudulent business conduct should be condoned; you'd prefer we all just wink and look the other way. What, you don't think Pay Pal really does anything wrong? You'd do well to stop spouting and start doing your research.
Read here. I can personally assure you that this is highly accurate, as it has in fact happened to me.
Or if you prefer, read court documents. Yes, there are plenty of those to read.
Life's a bitch but somebody's gotta do it.
My thoughts is more along the lines of: find out who it is, track them down, and have them charged with wire fraud.
Chances are that the cost to paypal of dealing with the court order, etc. would be more than the cost of them dealing with this in a more sane manner... but what the hell!
And I really do think that the cretin that did this deserves to get a criminal record for this anyways... Chances are that this isn't the only account that (s)he's robbed.
OS Software is like love: The best way to make it grow is to give it away.
I use PayPal, I've heard the stories. It's just too convenient not to.
I never leave a balance in my account, almost always pay via credit card, and am critical of those I send money to.
They do, however, have bank information for one of my main accounts. Opening a separate "PayPal" account is too much trouble.
Have there been any cases of PayPal actually going and taking money from your *bank account* without specific prior authorization? Do I have legal recourse (via my bank) if they do this?
I've kind of wondered about this in general -- what protections are there with ACH transactions? The routing/account number combo is at least as dangerous as a credit card, if not more so.
If that bad 1% costs you half the income from the other 99%, when what's the value of doing the work to begin with?? You might as well walk away from the process and save yourself the trouble of doing all that work for the benefit of some crook.
OS Software is like love: The best way to make it grow is to give it away.
I don't think PayPal should "eat" any costs for these fradulent transactions. They do not provide insurance on transfers. But I think they have an absolute obligation to investigate complaints of fraud, including publication of detailed contact information and tracking of illicit purchases such as this. Paypal could easily work with the merchant involved in that transaction and get the order stopped and the individual found through shipping information, etc. The could go to the FBI or some other authority with this data. But they refuse to do so because they do not want to employ even enough staff to do minimal protection of their customers.
It *is* a problem with their security because they don't have any security other than a password. A password will not magically protect you from all evildoers and is even a rather weak form of authentication when they could be using e.g. some sort of downloadable client with a private key signature scheme. This is necessary IMHO for these sorts of high risk environments like the one Paypal serves. And authentication alone is not enough - they must take steps to investigate claims of fraud and punish those who perpetrate it.
It is well known and has been for a long time among criminal elements online that Paypal is an easy target for fraud and that little investigation is done. This attracts more of this tyoe of person to Paypal.
I know I made the right decision when I closed my account with them a long time ago, when their abuses first began to surface. If they are handling people's money, security should be their foremost concern, and I didn't trust them with the security of my money. Not to mention that they are probably stealing people's money directly themselves.
I'd like to know why you seem to support this behavior as strongly as seem to based on your comment history. Do you have some interest in promoting Paypal?
The money belongs to PAYPAL! So the theft was from PAYPAL, not ABIWORD. So it's PAYPAL that should be calling up the FBI. Why haven't they? Because maybe they'd end up being investigated for their shoddy business practices.
now we need to go OSS in diesel cars
And the moderation of your post is yet another example.
Sigh... why do all these petulant children think that they will ever get any respect for their little hobby? On one hand the hairy, unwashed RMS spews forth completely irrational demands for this or that to be made "Free", in a manner and in terms reminiscent of Karl Marx. On the other hand reasonable discussion is actively squashed by a bunch of defensive pouting wannabes who instinctively squash dissent with a single mindedness more suited to J.Edgar Hoover than people who supposedly believe in "Freedom".
Please play nice children.
It seems paypal equates to a warehouse with lots of lockboxes full of money. Money comes in or moves from lockbox to lockbox, and then goes out. However, there's no attendant, so the only thing between your money and a thief is just a key (bare with me on the bank info part, it just makes things more complicated) and a lockbox number. When a thief breaks into a lockbox, in a warehouse, normally we would call the police. But this warehouse is electronic, the lockboxes are electronic, the money, well, you get the idea.
Hell, I would probably feel safer giving my money to a backwoods county fair carney. Least I can try to kick his ass if he loses it, and would have some knowlege of who stole it from him, if he were robbed.
| - | - |
Don't even bother with Paypal customer service, they have been stonewalling everyone for years. Try talking to Ebay customer service,... and try to talkyou way up to amore senior Manager or someone else who has the authority to call up the Paypal losers and demand "whats going on here?" Hopefully Ebay doesn't want to risk its reputation going gown the tubes as quickly as Paypal's did a few years back.
Comment removed based on user account deletion
Comment removed based on user account deletion
[...]going to the link [...] you could very easily determine whether or not your 'theory' was true.
You, Sir, are a troll.
Either you haven't read that mail as well, or you are intentionally lying. The mail at the link does not contain any information how this fraud was possible.
Comment removed based on user account deletion
It's the same question that affects the banks: who pays who?
The bank offers the service of holding your money in a safe location so that you don't have to worry about losing it. The bank also provides money services that require a certain amount of trust - chequing, lines of credit, etc. You pay the bank for these services.
On the other hand, you are providing the bank a service too. You allow them to use your money (for many reasons) and, in exchange, the bank pays you for this service in interest (although, not very well).
A bank requires trust not only from those who bank with them but also with those third parties who interact with customers of the bank. A cheque (and credit cards, too) only works if everyone trusts that the bank system works (sure, you can overdraft on a cheque, but the bank will report that).
PayPal _is_ a bank by definition. They can skirt around the issue as much as they want to, but they are a bank. More importantly, they are a (or should be a) trust. That is, everyone _trusts_ that PayPal is honest to the core - that you can trust them to hold your money and provide the services that they offer in a legitatmite and honest way.
They are not a savings bank, however, and should not be required to fall under the same laws as a savings bank. They are not (should not) be required to provide insurance on deposits and they should be allowed to verify all transfers and 'money movement' at their discretion.
The abiword theft doesn't make sense - did this person steal a password or something? Did (s)he compromise the PayPal system in some way? If the former is true, PayPal would not, necessarily, be liable - the person who stole the password would be. If, however, there was a security compromise, then PayPal should be accountable for the money - they should put the money back and sue the thief.
--
I want to touch on something that I've read alot on sites like paypalsucks - the issue of PayPal "double-dipping" and taking funds without permission to settle accounts.
IF YOU ARE STUPID ENOUGH TO AUTHORIZE ANY COMPANY TO DIRECTLY WITHDRAWL / DEBIT MONEY FROM ANY OF YOUR ACCOUNTS THEN YOU GET WHAT YOU DESERVE.
Don't be so fucking stupid and ignorant as to give _ANY_ company the keys to your accounts. So what if you have to enter your credit card # on each transaction? Or send a cheque instead of allowing them to directly withdrawl from any bank account. Don't get me wrong, if PayPal takes your money without authorization then it's still wrong on their part - you just helped it along. By not authorizing them to save your information you catch them in a much tighter corner.
In the end, it's all about trust. If enough people stop trusting them then they will either fold up or mandate themselves under the same laws that control the banks.
Price, Quality, Time. Pick none. What, you thought you had a choice?
Yup - And I've got one word for you:
Overdraft.
It doesn't matter if there is no money in the account - if paypal thinks that they have authorization to make the transaction, and they attempt to do so, your bank will most likely give them the money, give you a negative account balance, and stick you with overdraft fees.
I hate to be the bearer of bad news, but your solution is not really optimal. It still leaves you exposed to greater risk than a credit card only solution.
Jerry