back to article PayPal post-checkout cash slurp a FEATURE not a BUG

An apparent flaw that lets users add any amount of money onto already processed PayPal transactions is a feature, not a bug, according to the payments giant. The function was designed to allow sellers to add additional costs for services like shipping on the top of transaction totals which customers had approved through the …

  1. Anonymous Coward
    WTF?

    WTF?

    Let me get this right? So a seller can add any sum AFTER you have approved a transaction?

    How is this even legal?

    1. stu 4

      Re: WTF?

      Hows is it legal ?

      Because it's Paypal - they have an almost complete monopoly and can do whatever the fuck they want, unregulated (they are not a bank).

      don't like it ? go somewhere else.

      what's that ? there IS nowhere else ?

      sure, you can reopen your account.

      1. I ain't Spartacus Gold badge

        Re: WTF?

        I think PayPal are a bank in Europe. They have a banking license in Luxembourg. Don't know how they work in the US.

        1. llaryllama

          Re: WTF?

          My company took an issue with PayPal to the Luxembourg regulator, but all I can say is good luck with that. Even with access to French speaking staff and a pretty formidable international legal team we kept hitting a lot of brick walls. It's very different to what you would expect from the FSA, for example. I'm sure we could have got somewhere eventually but when you rely on the PayPal monopoly you really don't want your main payments provider being out of action for 2-3 years while you drag through the courts.

          Eventually what worked best was potential for bad press, they seem to be much more afraid of that than the Luxembourg regulator.

    2. g e

      Re: WTF?

      They're regulated by the FSA in the UK AFAIK

      Acronym heaven....

      But calling it a 'feature' sounds like bullshit to avoid paying the bug bounty, I can't see how any court would allow a greater amount than that authorised to be vindicated. Well maybe a Nigerian one...

      1. Anonymous Coward
        Anonymous Coward

        Re: WTF?

        I've emailed the FCA (name change) asking how this is possible,

  2. MrDamage Silver badge

    Excellent Payment Experiences...WTF?

    "After looking into the issue, we communicated this is not in fact a vulnerability. We work closely with our merchants who use Express Checkout to provide them the flexibility they need to complete their transactions in a timely manner so they can offer excellent payments experiences to their customers."

    An excellent payment experience is when you hand over the cash for something, and then find out that it's currently on special and you're getting it at a discounted rate.

    It does not mean that once you have paid for the goods, the merchant is then able to tack on extra expenses just because they can.

  3. John Robson Silver badge

    So buried in an email you ignore...

    is the fact that the merchant has taken more money than authorised.

    I see the email coming in, I ignore it because it confirms a payment I just authorised.

    a) Merchants should get the shipping charges right *before* sending you to paypal

    b) paypal should have a DIFFERENT and scarily worded "Merchant has claimed more money than agreed" email that gets sent out in these cases.

    1. Anonymous Coward
      Anonymous Coward

      Re: So buried in an email you ignore...

      There is also some onus on you to check emails. If you ignore important emails like transaction confirmations then you're asking for trouble.

      There are bugs in all sorts of banking and payment systems so unfortunately the consumer must take some responsibility for discovering these.

      1. g e

        Re: So buried in an email you ignore...

        So, you buy a fourpack of coke in the supermarket which says Four for £4 and because you don't check the POS display when paying and your card gets billed £30 you let it slide?

        Right. 'course you would.

        1. John Tserkezis

          Re: So buried in an email you ignore...

          "you don't check the POS display when paying and your card gets billed £30 you let it slide? Right. 'course you would."

          You would let it slide if it were a Justin Beiber CD. The shame would probably cost more than the few quid.

      2. heyrick Silver badge

        Re: So buried in an email you ignore...

        " There is also some onus on you to check emails. "

        And what is your recourse if somebody whacks some extras on to an amount already agreed, PayPal seems to think this is okay, and the email is notifying you that the extra has already been paid...

        1. heyrick Silver badge

          Re: So buried in an email you ignore...

          To follow up - it would be an interesting case for eBay seems to think that clicking the "buy" button is completely binding and commits you to purchase (I'm talking about a buy it now, not an auction). You are now in a situation where you are committed to buying something that the vendor could pile on some additional charges not mentioned in the price shown by the buy it now button...

  4. Terry 6 Silver badge

    Taking payment because they can

    "flexibility they need to complete their transactions in a timely manner"

    In these here parts that's called mugging, but maybe they should rename it;

  5. frank ly

    We assumed that everyone would be honest ....

    ... because that means less work for us. Wasn't that the initial principle of the internet?

  6. Anonymous Coward
    Anonymous Coward

    Paypal's business model is crookery

    Here's my experience with them:

    - so many years ago, you could pay securely through Paypal:

    1 buys something on ebay for a given amount

    2 generate an electronic VISA/Mastercard number at your bank for *that very amount only*

    3 put it on paypal and send the money to the seller

    4 Voila

    I did it a lot and no matter what phishing or paypal bugs there would be, it was safe. Then, they removed (with no explanation) the ability to do step 3. You had to put your real VISA/Mastercard number, which is basically a wide open gate to your bank account. Now your bank account security is ensured by PayPal.

    Now they're setting up the knobs to be attracting to dodgy selling practices, like hidden fees, surprise fees, whatever fees you weren't aware of when committing to a purchase. Then they are

    a lot more appealing than any VISA/Mastercard online systems. Et Voila.

    Needless to say, I stopped using them when they forbid step 3. Sorted.

    They basically sneakily moved from a convenience relay (that needn't be regulated) to a full payment (that must be) and no-one noticed. Time for regulators to wake up.

    1. Pirate Dave Silver badge
      Pirate

      Re: Paypal's business model is crookery

      PayPal wasn't so bad back when eBay would let sellers request/accept money orders or checks from buyers. Back then, you could totally avoid the shitpit that was PayPal. But now they are pretty much the only method that eBay will let us occasional sellers use. And they still suck.

    2. Anonymous Coward
      Anonymous Coward

      Re: Paypal's business model is crookery

      Putting it on your Visa/Mastercard is fine, if you're using a credit card and not debit card. If you get screwed, you dispute the charge and don't have to pay it because it is settled well before you have to make the payment. While the same is technically true for a debit card, in the US at least, the money is already out of your account until the dispute is found in your favor, which could be a real problem depending on what your balance normally is and how much money was taken.

      What pisses me off is step 2 is pretty much gone in the US. You would think credit card companies would like virtual account numbers since using them fraudulently is impossible, but maybe they like fraudulent charges overall because probably a lot of people don't watch their statements closely and don't notice small fraudulent charges.

      1. Anonymous Coward
        Anonymous Coward

        Re: Paypal's business model is crookery

        "Putting it on your Visa/Mastercard is fine, if you're using a credit card and not debit card. If you get screwed, you dispute the charge and don't have to pay it because it is settled well before you have to make the payment. "

        I think the law is possibly the same here (France) but even then, setting up an open gate to my account is not OK to me. Crookery business model: you screw someone, if he complains, then thing are back to balance and no impact on you, if he doesn't notice, you win. So in the long term, the crook wins. Paypal is in this business model.

        "What pisses me off is step 2 is pretty much gone in the US. You would think credit card companies would like virtual account numbers since using them fraudulently is impossible, but maybe they like fraudulent charges overall because probably a lot of people don't watch their statements closely and don't notice small fraudulent charges."

        No-one except you and me watch their bank statements. That's why if regulation doesn't put pressure on banks to make transactions secure, people will get screwed without knowing.

        Things are getting OKish here in the land of Napoleon but probably elsewhere, people may have to pressure the local MP.

  7. Anonymous Coward
    Anonymous Coward

    Just saw on an other website that PayPal just signed up thousands of Nigerian customers. Should I be worried?

    1. MrDamage Silver badge

      Nigerian Customers

      Only if the are Princes, or former Prime Ministers.

      1. John Tserkezis

        Re: Nigerian Customers

        "Only if the are Princes, or former Prime Ministers."

        Or dead rich uncles.

  8. Shane McCarrick

    Paypal is regulated as a Bank by Luxembourg, and regulated for code of Business rules by the FSAI of the Irish Central Bank (its European headquarters are domiciled in Ireland).

  9. You have not yet created a handle

    but how much was the authorisation for?

    As a merchant we do use this feature from time to time to collect more funds that have been authorised at checkout, BUT only after contacting the customer first for approval and also to get that approval via email - this is just good practice we feel to prevent chargebacks.

    Paypal merchants (and I don't believe this is restricted to just PayPal, but Sage, Worldpay etc are the same) are able to capture 15% more than the authorisation on Credit Card payments and 10% more on PayPal payments up to a maximum of $75 but we have never been able to go above this and we have needed to try previously - but it gets denied in which case we have to get the customer to get payment details again.

    This is documented here: https://developer.paypal.com/docs/classic/paypal-payments-standard/integration-guide/authcapture/

    If the additional 200 euros in this article is true then I would say this was a bug as it's above the $75 threshold.

  10. Andus McCoatover

    Works fine for me...

    As I won't give my CC details to paypal, I just simply add up my purchases, and transfer to PayPal that amount. From Finnish banks, at least, I can credit PP within 1 hour - free of bank charges.

    Only card I have authorised through PP is my Visa Electron card (for transferring back when I felt flushed some time ago, and stuck €50/mo. in there. I don't do that anymore).

    Not a problem.

  11. Anonymous Coward
    Anonymous Coward

    Paypal..

    Die, die, die.. already!!!

  12. Anonymous Coward
    Anonymous Coward

    The masses are braindead

    If you have an agreement with a seller to add costs for shipping or other extras then that is what they can legally add to the approved charges. It's highly unlikely any reputable seller is going to add more than what has been approved. Being able to add shipping or other charges is NOT a bug in the software as alleged, it truly is a feature. Anyone that is unscrupulous and adds more than agreed to by the buyer should be prosecuted for fraud just like if a brick and mortar operation overcharged for delivery. As usual this story is a bunch of nonsense by people trying to make a software feature into a bug when it is not. There will always be people with an ax to grind...

  13. Anonymous Coward
    Anonymous Coward

    Adding shipping charges

    A couple times I bought buy it now items off Ebay that listed a range for shipping costs, and the total amount ended up being in the range so I didn't think much about it. There should be some way that Paypal can have the buyer authorize a maximum amount and no way for the merchant to go over it. If you're buying something with the understanding that price/shipping is fixed that there's no range, that's the only amount that should be authorized.

    If this isn't a bug, it is really shady, but being shady is nothing new to Paypal. There's a reason why only morons would link their bank account (either directly or via their debit card) to Paypal. If you're a seller and someone disputes, they can pull money out of your account and you have no recourse. With a credit card, that's not possible. If you're a buyer only I would have guessed using a debit card is OK (but I still would never do it, credit cards are better protected by US law) but I guess this shows that is not true.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like