How PayPal and Apple’s Fraud Policies Punish the Honest User (lockergnome.com)
In mid-November last year, I woke up to the sound of my inbox suddenly being flooded with new messages. I have things set to alert me whenever PayPal, Wells Fargo, or iTunes emails me because I know that means that money is either being given to me or taken away. To my surprise, what I discovered that morning was incredibly concerning, and would result in what could be the most frustrating customer experience of my life.
75 comments
[ 3.0 ms ] story [ 133 ms ] threadMany credit card companies are very proactive about fraudulent purchases online, and I even had Discover call me when they noticed a series of small purchases on iTunes. It turned out it wasn't exactly fraud (my 5yo on a home computer I hadn't signed out), but I was able to cut it off and I'm sure they saved me a bundle of money.
Using a real credit card (not debit) gets you a great deal of protection and is a better option than ever using PayPal.
Really? I've spoken to humans at PayPal many times. When I call, I don't even have to navigate a phone tree or wait on hold, someone just answers. The people I talked to were helpful and knowledgeable about their service and handling problems (which is what I called about, some weird customer that sent a bunch of <10-cent payments to my account then disputed them, and more recently with a question about the new IRS 1099-K form).
It wasn't hard to find the number to call either. You log in, click on Contact Us, then Call Us. Two clicks and you have a phone number.
Apple Inc. prides itself on its customer service. When I went in for a group interview to work at the local Apple Store that was the most important concept they drilled into our heads. That said, it's one thing for a company to talk the talk; it's quite another to walk the walk.
sounds like someone did a charageback if they didn't do it one of the financial institutions did one.
1) Someone steals his PayPal account and uses it to buy a bunch of stuff on iTunes
2) He reports the fraud to PayPal, which refunds all of these payments to him
3) He reports to Wells Fargo that PayPal has engaged in fraud by taking these payments to fund his PayPal account, which is a false claim -- the transfer to PayPal was authorized as a funding source and PayPal was already handling the refunds
4) Three months later, PayPal gets hit with a bunch of disputes from Wells Fargo to take back money that's already been returned, double dipping and creating major hassles for them. Wells Fargo is, essentially, stealing from PayPal on the basis of this person's old false claim. PayPal flags the account.
So PayPal did everything right: they were available for immediate contact, were "courteous and helpful", promptly reversed the fraudulent payments to iTunes, and his account was left in good standing while he was made financially whole. What more could they have done?
PayPal was fairly good throughout the ordeal. It's the internal policies that conflict and caused further issues down the chain. I can only do what the CSR advises.
No, he didn't. In his own words:
"I told the representative there that I had reported the claim through PayPal, but wanted it noted that the charges made on my account that day were fraudulent in nature. The representative appeared to understand, and helped me make record of the incident."
The problem isn't with PayPal or his bank, as they'd eventually sort out the ping-pong notifications. The real problem is with Apple's draconian policy of taking all of a customer's purchases and data away from him if fraud reports occur on three or more occasions, regardless of why they occur (such as in this case with ping-ponging notifications between Wells Fargo and PayPal).
It's yet another reason to not trust your life to the cloud, and always procure a separate, pirated copy of your purchased software so that nobody can take it away from you.
Don't pirated copies of software usually come with all kinds of nasty spyware and trojans?
If its not the case, what is it that keeps botnets from abusing file sharing?
A user was hacked so they stop allowing him to update their software?! So that it can more easily happen again?
And they will revoke his account (and license?) that allows him to use the software he bought?! This is like a horror story written by Richard Stallman.
EDIT: On second thought, why do you even need an account to update the software? When I'm updating my Ubuntu, it's the software that's signed so that I can trust the repository. The user is not signed so that the repository can trust them, you can stay completely anonymous. Hell, even Microsoft never required me to jump through any sort of hoops to get updates. I once had to verify my key, that's it. Does Android require a Google account to use the market and get updates? Even if, you still can get an anonymous one.
Why would anyone need my name to update their own software? It happens to run on my computer but that doesn't change anything.
Hardly. Valve has been doing this with Steam for years. Microsoft does it with Xbox Live. It's the main caveat of a managed environment, sometimes the manager makes the wrong decisions.
This might be bad or distasteful, but it's not novel or unique. It's par for the course when it comes to software distributed through a central DRM system.
> Does Android require a Google account to use the market and get updates? Even if, you still can get an anonymous one.
You can do that with iOS too. Likewise, If Google decides to revoke your access to your Gmail account that all your Android purchases are associated with because you violated Gmail policy perhaps, you would be in the same boat.
Once again, not unique to Apple. Par for the DRM course.
As you point out, Steam and Xbox Live have exactly the same disturbing retroactive revocation property that Apple does; that doesn't make it any less of a horror story, just more disturbing that people put up with it. (I suspect people mostly just don't think about it, because it probably won't come up for them.)
It's true that if you use no digital services and buy almost no mobile apps, you can avoid this. That kind of blows, though.
True, I should have said the vast majority of popular digital services, not ones targeted towards the kind of people that would use an N900 to make a point.
> True, I should have said the vast majority of popular digital services, not ones targeted towards the kind of people that would use an N900 to make a point.
https://en.wikipedia.org/wiki/No_true_Scotsman ? :)
I don't think services offering the not-quite-purchase of data represent "the vast majority of popular digital services". Also, services like Netflix don't have this problem, since they very clearly position themselves as analogous to a rental, not a purchase. iTunes, the Android Market, Xbox Live, and Steam all very much position themselves as purchasing mechanisms, which makes the ability to retroactively revoke purchases unacceptable.
(And I don't use an N900 to make a point; I use it because it does the things I want it to do better than anything else I've tried, and that includes Android devices. I only mentioned it because you seemed to assume that since I didn't use iTunes or Android I must not use mobile apps at all.)
Ahh, makes sense.
> https://en.wikipedia.org/wiki/No_true_Scotsman
I'm looking at the truest scotsman in the world right now.
> I don't think services offering the not-quite-purchase of data represent "the vast majority of popular digital services".
I would, assuming you aren't counting rental services. Netflix isn't really the same thing. I'm referring to purchasing digital goods tied to an account.
> And I don't use an N900 to make a point; I use it because it does the things I want it to do better than anything else I've tried
Right...
> and that includes Android devices. I only mentioned it because you seemed to assume that since I didn't use iTunes or Android I must not use mobile apps at all.
Nope, I assumed you use an N900 or something similar the moment you said you didn't use an Android device. You seem like the type. I stand by my original comment, there are very few mobile apps published for MeeGo. I didn't say you utilized no mobile apps, I said a small handful. Still true. Hell, for MeeGo a handful might even be overly generous.
Either way it was a very nice gesture. Cheers.
Which is disturbing but when it regards software your livelihood depends upon, not "just" games, the story gets that additional umpf.
> Once again, not unique to Apple.
Sure, but the article is about Apple.
I like the implication that nobodies livelihood depends on a game. Of course nothing could be further from the truth. I'm sorry but to find it disturbing it kind of has to be novel, and it's not.
IMO it's pretty sad that what is supposedly a community of developers is "shocked" by something that has been going on for years now on plenty of platforms, including iOS and Android. You might still have a problem with it but it shouldn't cause an incredulous reaction like that.
> Sure, but the article is about Apple.
I'm not discussing the article, I'm discussing your incredulous reaction like this is something out of some dream. It's not, in fact there is tons of precedent for it.
From what I can tell, it seems to be largely based on having a record that you've checked the box that says you've read their legal agreements.
Cough cough Stallman was right cough cough.
I really enjoy developing for iOS but this was a sobering experience.
Since when do you have to show a passport to leave the US? All you have to do is prove that you are eligible to enter the country you are traveling to. (This is strictly a money thing: the airline doesn't want to transport you to another country where you'll be refused entry, because then they'll have to fly you back, which costs them money. So you show a passport at checkin and they save money, making your ticket cheaper.)
The EU and Japan, for instance, do have exit checks. These are done by the relevant immigration bureaus. The passport checks performed by airline personnel are completely different and bear no impact on one's ability to leave the US.
As an aside, this is the reason that most international connection at US airports require a visa. US airports (with LAX being the sole exception, AFAIK) have no way to monitor anyone leaving the secure area. Nothing would stop passengers in transit between international flights from simply leaving. Connecting in, say, Tokyo-Narita doesn't require entering Japan because everyone in the secure area has either exited Japan or is in transit in the sterile zone.
The only exception is passengers on Air New Zealand's Auckland-LAX-London run and Air France's Paris-LAX-Tahiti flight, though I may be wrong. Special arrangements have been set up for these flights.
Some airports may check your ID (and determine if it matches your boarding pass) before allowing you into the restricted, passenger only area. But others don't. In Vienna and Zurich you just automatically scan the bar code on the boarding pass and an automatic gate admits you. Some of the gates now even have automated gates where you scan your boarding pass and get admitted to the plane.
There is also no entrance check, when you arrive from a Schengen airport.
I usually don't need an id when flying within Schengen (Prague being one of the exceptions), just the boarding pass, which I usually print at home.
Please note that I don't recommend not to carry id. Even if you're usually not asked. If they do check at the gate you're quite obviously not boarding when you don't have a valid id.
Schengen is a great system. I've taken the train between Denmark and Germany and it's not much different from commuting to work in the same city :)
I miss my time in Europe. Flying around Schengen nations is so much easier than between states these days.
That's not entirely accurate. Since the arrival of the US-VISIT program, visa holders need to record their departure. At least at some locations and times, this was done with a mobile "pseudo-checkpoint" near the gate area. You weren't required to talk to them, though.
I suppose my comment should be revised to say "The US does not have exit immigration for its own citizens."
Curious, what country did you travel to that you experienced this?
Driving across the border to Canada recently I did not have to talk to or interact with anyone from US Customs.
Anyhow, constructively, you want to escalate to paper on both your bank and Apple (maybe Paypal as well, your call). Start getting an evidence trail together with certified mail, return receipt requested. Apple will kvetch a bit but they (and virtually every other large company) understand the difference between that and a phone call, which you should stop doing immediately, because the contents of them are known to be totally opaque to judges.
You probably won't have to sue anyone, but the demonstrable capability of suing will cause them to escalate this issue internally very, very rapidly.
Not even slightly true. They don't care. The cost of the occasional lawsuit is baked into the system cost already.
The cost of an "Apple can disable your computer" (true, or not) headline may be substantial and more convincing.
Add the two dozen letters I had to send for myself and I have personal knowledge that this definitively resolved the issue in 40+ cases, in many cases jumping over "our policy is to never...", "you can't do that", and collections at fairly advanced stages.
It is entirely possible that Apple is a tougher nut to crack than BoA or Capital One, but that is not the way that I would bet.
Edit: By the way, this is a catchphrase for me: bureaucracies are stage machines which take paper as input and return outcomes you want. Hackers should be comfortable with paper. Consider it an opportunity to demonstrate your ability to hack non-technical systems.
I would love to hear more about this. Do you have a blog post or other online posting that describes what happened in this case?
The brief sketch: credit reporting agencies have Seriously Hard Problems (TM) in determining which identity to associate with an incoming piece of data. For example, suppose you have a file on a Patrick J. McKenzie who once lived in Chicago. You get a report from a hospital that a P.J. MacKenzie in an unspecified town in Illinois (not the actual guy) stiffed them on a $250 medical collection. They sold the debt to a debt collector who, having run a skip trace, determined that I am probably him, and they've reported the debt against my information directly. Do you merge those two identities? By the way, he's also delinquent on $100,000 in other debts.
This sort of thing happens all the time in credit reporting. See my blog post regarding "names are hard."
The cost of run-of-the-mill settlements is baked in, but if they do not quickly and decisively handle every claim, then a person who claims $10M will automatically win. So large companies usually have staff whose job is to clean up disputes with some degree of competence.
2. Keep a written journal of conversations on the telephone. A paper journal. Dates, times, phone numbers called, full name of person spoken to and their title, matters discussed.
When two parties turn up, it's frequently the case that any admissible written evidence trumps verbal recollection.
(Of course, IANAL and TINLA).
Agreed. Writing with two signatures trumps writing by one party which trumps verbal memories of either parties.
I refer readers to the pre-eminent scholar of such matters vis-a-vis minutes, Sir Appleby:
It is characteristic of all committee discussions and decisions that every member has a vivid recollection of them and that every member's recollection of them differs violently from every other member's recollection. Consequently we accept the convention that the official decisions are those and only those which have been officially recorded in the minutes by the officials, from which it emerges, with an elegant inevitability, that any decision which has been officially reached will have been officially recorded in the minutes by the officials and any decision which is not recorded in the minutes has not been officially reached even if one or more members believe they can recollect it, so in this particular case if the decision had been officially reached it would have been officially recorded in the minutes by the officials. And it isn't so it wasn't.
- Get a hold of those minutes. I have to correct the record.
- We can do that?
- Yes, we can. Those minutes are an aide-mémoire for us. They should not be a reductive record of what happened to have been said, but they should be more a full record of what was intended to have been said.
In The Loop — http://www.script-o-rama.com/movie_scripts/i/in-the-loop-scr...
The worst case we had was when one customer made a payment to us, and we got an email saying the payment was on hold whilst Paypal authorises and investigates this payment.
A day or two later we got an email from Paypal saying their investigation is complete, and we can ship the item. We sent our software license off to the buyer and within a couple of hours they disputed it and won all their money back the next day.
Paypal each time make us feel like there's nothing we can do, there's no dialogue, there's no acknowledgements, it's extremely frustrating sometimes.
http://i.imgur.com/GEY70.png
http://i.imgur.com/IQlA9.png
http://i.imgur.com/vHAsP.png
...etc. More transparency and human interaction would be nice, but I don't think PayPal could do much better from a policy standpoint. They provide a platform to self-mediate disputes, and they provide a system to resolve some easy disputes over physical goods under policies that protect both sides. But beyond that, what could they do? There's no simple way for them to decide whether you scammed that buyer or they scammed you. If they don't give you the money, they take themselves out of the equation and it's up to you to resolve the dispute in small claims court, where it belongs -- in front of a judge, not a 3rd party's customer service team.
That's because Mac support lines are the iTunes support line. He obviously figured this one out, yet he keeps claiming there's no number to call for iTunes-related issues.
Wouldn't it make sense then to use a separate PayPal account for your self-employed business/income from what you use for personal purchases?
If you use commercial DRMed software you are asking for this. It is hard to feel sympathetic with this part of the story.
But he makes no mention of this in an article that speaks largely about the customer service of Apple and PayPal.
I find this pretty disingenuous, and regardless of whether his story was factual or not, it takes the wind out of anything he's saying.