Abiword's PayPal Donation Fund Robbed
SabberFlapper writes "According to this Announcement to the developer list of Abiword the Abiword fund was robbed. Dom Lachowicz writes: 'I'm duty bound to let you all know that the AbiWord Fund/Tip Jar has been robbed approximately three weeks ago. I'm telling you this now, rather than sooner, since I believed that Paypal would do something about my complaints during the interim, and that this would all be resolved quietly. Today, 23 days later, this does not look like it will happen. [..]
I do however, recommend doing several things:
1) Writing to Paypal, in letter, email, or fax form alerting them to this travesty.
2) Calling Paypal on AbiWord's behalf.
3) Writing or calling your Congressman/woman, pointing out that Paypal is acting like a bank, but not operating under formal banking laws.
4) Boycotting Paypal because of these reasons, and the fact that their system is notoriously insecure, and encouraging others to do the same.'" Of all the groups to steal from -- AbiWord?
Can somebody explain how this theft occurred? It's not clear to me from the post.
is that any business which faces any regulatory liability would not stand by their customers, esp. under a threat of letter writing campaigns to congressmen who have the potential to do some real damage via congressional inquiries....
LedgerSMB: Open source Accounting/ERP
For my part, I will personally write Paypal and tell them that I no longer feel that their service is secure enough for me and that their treatment of victims robbed through their service is rotten.
The question is, what other services are there in Internet space that do the same thing they do? Any banks trying to offer secure payment over the Internet?
Reminder: find a new sig
I hate to jump to "lawsuit!", but this is an instance where a sternly-worded letter from a lawyer might at the very least get their attention. Unfortunately, you'll end up spending more than the stolen funds to pay said lawyer.
Any lawyers out there willing to help out AbiWord pro bono?
Due to the lack of details given about the fund being 'robbed', I'm going to guess that the password was compromised, as opposed to some sort of hack on paypal's servers. So... isn't it this guy's fault (at least as opposed to paypal's)? Paypal didn't do anything wrong.. sure maybe they could be a bit more helpful in trying to track down who did it, but they certainly aren't obligated to do so.
I remember viewing the eBay purchase of PayPal with some trepidation. Thinking, this just can't be in my (the consumer's) best interest. And while I'm sure there were problems before, the sort of heightened injustice in the light of a move that was supposed to benefit the de facto public online auction place, just fries me.
So, what are my choices (that's what we love to jump up and down about having)? Are there other online auctions that even have a chance of being as large as eBay? Or other payment methods? I see the whole PayPal-as-part-of-Ebay, so much like the Microsoft having become the de facto desktop and then pushing its web browser and subsequent internet policies on everyone.
One man's pink plane is another man's blue plane.
Of course, isn't the perpetrator's name tagged to the transaction? You have to have a valid bank account to move funds out of your PayPal account.. wouldn't it just make it that much harder to hide from the authorities if you broke into someone's account and moved stuff over?
This reminds me of when lowendmac got hit last month (earlier this month.. something like that). It's unfortunate PayPal has "critical mass" or what have you. You'd think that someone big would care, but they can't even be bothered to work with all banks.
mrg
Just from the bit posted here (too sleepy now to go read much more) the Abi folks aren't claiming that PayPal is ducking their responsibilities, right? Just that they complained to PayPal and hadn't gotten a positive response. For all we know, PayPal isn't obligated (by contract) to do anything if your account is hacked. After all, if the "hack" is "I left my password out in the open and someone took it", then that's not PayPal's fault, now is it? I'm sure they've spelled out the conditions, if any, under which they'd cover theft and it isn't clear (from what I've seen here) that PayPal owes the Abi folks a dime.
Suppose the weakness in the security here is that one of the Abi people used a weak password or left it out for someone else to see? Or that a vindictive former Abi team member decided to wreak havoc on his former colleagues? Suppose (against all hope) that it really isn't that PayPal has some latent insecurity in their system that was exploited. Then it's just tough cookies for the Abi people.
The Abi folks might be victims of a crime, but until someone makes clear that PayPal has broken a contractual agreement with the Abi people, I can't fault them.
Curmudgeon Gamer: Not happy
Even if they do outsource their support to India, I'd bet they keep some sort of stats about emails and the issues covered...maybe if enough people complain and cancel their accounts someone will listen...unlikely but it's worth a hope.
-tcp
unless you consider trusting paypal.
I haven't read the details yet, but I am a little curious as to how the money was stolen. If the password was "abiword", for example, I would not think less of PayPal if they laughed.
On the other hand, if a server was hacked or a rep socially engineered, PayPal should fire whoever didn't follow the security policy and give the money back no questions asked. Perhaps even slip in a little more money so that the robbed will keep quiet.
Like most people, I think governments should do something to keep PayPal in check (assuming this whole ordeal is their fault).
So, about a year ago I broke into 10+ accounts at paypal, and moved a couple of bucks (12k or so) around, didn't TAKE anything, just moved back and forth from accounts. After a good amount of time after that, I contacted paypal and told them how I was able to do it, and how EASY it was. I got in touch with someone, who, I presume is one of, if not the only security guy at PayPal. According to him, it's not worth their time to implement more security features as it makes it harder for the user to gain their access to the account. Plus, it's not PayPal's loss if they get hacked... so why pay money and lose users to not gain anything?
Bill
-Bill
My wife opened a Paypal account for me, and one for herself, then transferred $6,000 from my account to hers. We didn't see that money again for three months, as they pretended to be "investigating" the transaction for possible fraud. Never mind that we talked to them many times on the telephone, and sent proof of our ownership of the accounts several times, and pleaded with them to resolve this, as we needed the money.
The delay was beyond any point of being able to pretend that they actually made any effort to resolve the situation. It was in fact more than 10 days after we first contacted them before they would even open what they call an "investigation". They claim that their procedures are set up to combat fraud, but it's just a way of establishing deniability. That is, they pretend that they have no intention whatever of stringing me along as long as they can, while they collect interest on my money. (And no, they never did offer any compensation for the lost interest, let alone the many hours we were forced to spend pursuing them, to get our money back.)
You think mine is an isolated case? It is by no means. Just do a web search for paypal+complaint. See all the distressed people. See the lawsuits.
It's a transparent scam: by locking up the money of only a certain percentage of their customers, and treating the rest reasonably well, the people who claim that Pay Pal engages in a pattern of sleazy misconduct will never be believed, because they will always be outnumbered by customers who have never had a problem.
That doesn't make it right.
Life's a bitch but somebody's gotta do it.
sign the petition RIGHT NOW
The FBI doesn't care unless there's over something like 25k involved. 600 dollars in a donation fund isn't even going to get them to bat an eye, unfortunately.
I do not read or respond to AC's. If you want a discussion, log in. Otherwise, don't waste your time.
If you get your money back the seller will lose! The chargeback will be taken from his account, and he's out a camera.
There was a dual failure here. Your account was compromised, either through PayPal hacking or your poor password (I suspect the password's at fault). The second failure is one by the seller. He probably accepted the transaction even though the ship-to address didn't match the "verified" address of the account owner.
My point here is that unless you can prove that your password was compromised even though it was secure, PayPal DOES have adequate security procedures in this instance.
If you indeed had a bad password or failed to protect it properly, you should accept blame for this and take the loss. Otherwise, the seller of this item will end up at the short end of this deal. True, he made a mistake by disregarding PayPal's non-verified address warning (and he was warned), but this was likely all your fault to begin with.
At least this is going to make me change MY password to be more secure...
I run a small website offering adult digital content. A few weeks ago I received a letter stating that I had to pay PayPal a total of $1500 setup fees plus $750 a year for PayPal to continue processing my Visa and Mastercard transactions. They classified me as high risk even though we have never had one customer complaint or refund request. The more questions I asked PayPal, the ruder their responses became. After a week of research I finally have found that Visa is charging these "high-risk" fees. Other companies I've talked to have heard nothing about Mastercard's fees though. I have looked around and found several other order processing sites that will do the job. I wonder how much profit PayPal will make off these extra charges. Has anyone else received this letter? Included is the letter in full for your reading pleasure. Notice it doesn't have PayPal's protect your password sig.
-----Original Message-----
From: Setup@PayPal.com [mailto:Setup@paypal.com]
Sent: Wednesday, October 16, 2002 5:25 PM
Subject: Important message from PayPal
Dear Merchant,
We would like to update you on new Visa & MasterCard regulations that affect the way Internet Payment Service Providers (IPSPs) such as PayPal conduct business. Both Visa & MasterCard require high-risk merchants to complete a registration form, pay an initial registration fee, and pay renewal fees on an annual basis (details below).
We value our Merchants and are dedicated to providing you with the high quality service to which you are accustomed. Please note that these fees are imposed by Visa and MasterCard, not by PayPal. In keeping with PayPal's core policy of not charging set-up costs and/or annual fees to our Merchants, PayPal (in contrast with many IPSPs) will not add any additional or hidden costs to these Visa & MasterCard fees.
PayPal, like all other IPSPs, must comply with the regulations. In order to assure your continued access to PayPal's transaction platform, we need you to provide the requested information by November 1st. If we do not hear from you by the close of business on November 1st, PayPal will be unable to process your transactions until all such information has been submitted.
While some IPSPs have announced that they will cease processing for non-US merchants, that is not the case with PayPal. PayPal will continue to process transactions for high-risk merchants in the United States, Canada and Europe through our existing banking arrangements in these areas. In addition, we will continue working to expand our banking relationships worldwide.
Below is a summary of the requirements for both Visa and MasterCard:
VISA:
* Visa will require an initial registration fee of $500
* Visa will require an annual renewal fee of $250
* Paypal must provide Visa with monthly sales, chargebacks and refund information on each Adult merchant.
MasterCard:
* MasterCard will require an initial registration fee of $1,000
* MasterCard will require an annual renewal fee of $500
We will be sending another email out shortly requesting the specific information we will need to bring your business into compliance with the new regulations. We will also provide instructions on fee collection.
Should you have any questions, please send an email to setup@paypal.com. We will endeavor to respond in a timely manner.
Very truly yours,
The PayPal Team
Here is the mail I sent them from the web-form email contacting option in their Help section. Feel free to use it as a template for your comments to them:
I was going to sign up for a PayPal account, but have just been informed that AbiWord has had their donation PayPal account robbed, highlighting the lack of security and customer protection within your service. The coercion to give bank account information upon payment receipt is unacceptable, and your use of debit functions rather than credit on cards that support both shows great disregard for your customers' protection offered by VISA and other credit services. Until you rethink your service with the thought of protecting your customers' transactions, and working for them to make PayPal as convenient, customer-friendly and secure as possible, I will keep using my credit card and checks through snailmail for all online transactions.
"I like systems, their application excepted", George Sand (French)
This is why I don't give PayPal my banking details no matter how much they try to bluff them out of me.
Schwab has deposit-only account/routing numbers for all their accounts (they're the ones given out for direct deposit, currently under Account -> Transfers & Payments -> Direct Deposit). If money is attempted to be removed using the same numbers, an "account not found" error is given (saving the fees from both ends associated with the "account overdrawn" error). This works with PayPal, because they verify your account by depositing small amounts of money into it (which will work).
Granted, you have to have quite a bit of dough for it to make sense to use Schwab for checking, but it would be interesting to know if any other banks provide this kind of service. Of course, it would be more useful if one could pressure all banks to provide this. Then again, I guess the ultimate solution would be to have the same consumer protections that apply to credit cards also apply to one's account/routing numbers.
moto411.com