PayPal Hurts

by Estragon

This article is about how PayPal transaction reversals can cost recipients a lot of dough.

I'm writing from the perspective of a hacker who sees how the shortcomings of the PayPal system could be used to take money out of the pocket of someone else.

The techniques described in this article could be used against anyone with a PayPal account, in amounts from a few pennies to thousands of dollars.  With a mass protest against, say, a disfavored political candidate, company, or individual, many people working together could rapidly cause trouble including plenty of money lost for their target.

My biggest concern is the Donate Now! button linking to PayPal that we see on the web sites of so many charities and open-source software development projects.  I was inspired to write this article when I received a chargeback, and later a transaction reversal, from PayPal.

I run a charity that operates an open-source project, and receive donations via PayPal.  Getting donations via PayPal is quite nice, and it's a major way we sustain our project.

The basic situation is that on PayPal it costs a recipient extra money when a transaction is disputed by the sender.  While this isn't that different from the way banks and credit card companies operate, many individuals and small charities use PayPal because they can't afford the infrastructure, don't have the volume, or haven't got the right type of corporate structure to accept credit cards directly.

In other words, this technique can be more hurtful with PayPal against small charities or similar organizations than against bricks-and-mortar stores.

For money that was paid and received by PayPal (from one PayPal user to another), PayPal handles disputes internally.  So, if funds were sent to you from someone else's PayPal account, and the transaction is disputed, PayPal has a process to evaluate the claim.  You can find their resolution process online, with lots of details.  It is very much geared towards the selling of goods.

Here's the rundown of an actual disputed transaction I received recently.

Someone made a $2 donation to my organization, then filed a dispute.

For a $2 purchase or donation sent via PayPal from a PayPal account, $0.38 was charged as a fee to accept the payment, then $0.38 was charged to reverse the transaction.

PayPal walked away with 38 cents (19 percent of the original transaction), and my PayPal account was 38 cents lighter than before the donation arrived.  The $1.62 netted originally from the $2 donation was removed, and then an additional 38 cents on top of it.

PayPal also accepts payments via credit card.  If a credit card transaction is disputed, the credit card company interacts with PayPal.  PayPal interacts with the PayPal account holder.

If the transaction is reversed (in this case, it's called a chargeback), a chargeback settlement fee may be charged if the credit card company charges PayPal.  That is, PayPal passes the fee on to the account holder.  In what became an actual chargeback, I received a donation of $100, which was disputed about 10 weeks later and subsequently reversed.

For a $100 purchase or donation sent via PayPal with a credit card, $3.20 was charged as a fee to accept the payment, then $3.20 was charged to reverse the payment, then $10 was charged as a chargeback fee.

PayPal walked away with $13.20 (13.2 percent of the original transaction), and this time my PayPal account was $13.20 lighter as a result of the chargeback.  The $100 donation via credit card costs lots more than the $2 donation via PayPal account if there is a dispute and chargeback.

PayPal's fees are a fixed amount plus a percentage of the transaction.  Normally, this is 30 cents per transaction plus 2.9 percent of the amount.  There are variations in different countries, for different currencies, and for different types of transactions.

Doing the math, if ten people worked together to each make a $100 donation, then made a claim against me, I would be out $132, rather than receiving $968.  Below, I'll give some ideas about how such mass action could happen with relative impunity.

To sum up, the chargeback (involving someone who made a donation to my organization via PayPal) had these costs.

First, the amount of the original donation was removed from my account.

Second, PayPal collected their usual fee (described above) on the transaction amount, even though they had already removed it off the top from the donation amount.

Third, there was a chargeback fee of $10 from the credit card company.

In my research, I found that PayPal lists different chargeback fees for different countries.  (They're all about $10 to $20 U.S.)  Some banks list their credit card chargeback fees, which are comparable and sometimes even higher.

How can you work around losing money through disputed PayPal payments?  If you're actually selling items via PayPal, follow the terms of their Seller Protection Policy, and read the fine print on what it does and does not cover.

Protection does not extend to anything other than goods.  PayPal's seller protection plan states that "Only physical goods are covered by the Seller Protection Policy.  Intangible goods, such as services or items delivered electronically (e.g., software, MP3s, eBooks), are not covered."

In other words, there is no seller protection plan for accepting donations, taking payment for work performed, or other non-tangibles.

There don't seem to be dollar limits for seller protection, and I have made and received payments of up to $10,000.  But for buyer protection, transactions are only covered up to $2,000 under certain circumstances, $250 otherwise.

During the time of a dispute (which can take weeks or months, but is more typically just a few days), the payment amount is frozen.

PayPal's policy is that they do not reverse a PayPal-to-PayPal transaction out of their own pocket: a reversal only happens by taking the money back from the seller's account.

In other words, there is no insurance standing behind the payment, the way FDIC insurance stands behind a U.S. bank deposit.  Imagine that someone scams you for $1,000 from your PayPal account, then withdraws the money from their PayPal account, leaving it empty.

PayPal will not give you your $1,000 back unless the other account has that money.  This opens up a whole lot of possibilities, but it's basically all just fraud: take the money and run.  There are many stories about this happening on eBay (which owns PayPal).  From reading PayPal's policies, it sounds like it doesn't matter whether their "buyer protection plan" applies or not.

Compare this to credit card protection, where you will get your money back regardless of whether the credit card company got their money back, or whether any goods involved were returned.

Your mileage may vary, and things might be different outside of the U.S.  My few experiences with credit card fraud were that the credit card companies just didn't care: they would hold a transaction during "investigation" and do essentially nothing.

At the end, if the merchant fights, the customer loses.  But if the customer wins, the credit card company will return the money.

On the two occasions where my credit card was stolen (once physically, once electronically), I provided proof (a police report number) and the charges were reversed.  The legitimate stores that were stolen from (with my credit card) were not given their money for the transactions, and did not get their goods back.  One of them was assessed a chargeback fee by the credit card company, indicating that the PayPal technique described here can be effective with credit cards, too.

By the way, if this hasn't convinced you to never use your debit card for these types of purchases, you need to read your debit card agreement.  Most banks offer very little protection for debit card transactions, even if the debit card holds a major credit card seal.

Let's work through some exploits.

First, imagine a hypothetical candidate running for national office.  The candidate accepts PayPal as a method of donation on his or her web site.  If ten people each make donations of $1,000 to the candidate, using their credit card, the candidate will have $10,000 minus PayPal fees of $293.

If those ten people then call their ten different credit card companies, saying the charge was unauthorized ("My teenager borrowed my card," "I think the Starbucks store I go to every day might have copied my card number," etc.), the candidate will lose the $10,000, plus another $293, plus another $100.  Ten people together cost the candidate about $393 from his or her own account.

Would the credit card companies catch on?  Probably not, for two reasons: the excuses given are not big enough to warrant serious investigation, and there is not a lot of sharing and reporting of credit card fraud.  Will PayPal catch on that the ten people are working together?  Maybe, but what if they all had a common excuse like, "We all go to that Starbucks?"

Second, let's look at a larger scale with smaller donations.  What if a fraudster has hundreds or thousands of stolen credit card numbers, and a vendetta against a particular open-source software project's charity?  Assuming the criminal had plenty of time on his or her hands (since it's intentionally hard to automate payments and account creation on PayPal), he or she could run a few transactions of less than $10 per day to the targeted charity.  Then, let the legitimate credit card holder dispute the transaction.

Every reversed credit card donation costs the charity the $10 chargeback fee plus PayPal's fee on the amount, however small the donation was, so a reversed $5 donation costs the charity more than $10, roughly twice what it briefly received.  Below about $11, the chargeback fee alone is more than the donation would have netted even if it had never been disputed.

Finally, let's think of an even larger-scale scam.  How about an urban legend sent via tons of spam?  Message one: "This charity is doing wonderful work, but is about to have its charitable organization status reversed by the IRS.  In order to meet the IRS requirements [insert valid hyperlink here], they need to receive several hundred small donations ($2 to $10).  By donating with your PayPal account or credit card, the charity will be able to provide clear proof to the IRS that the charity is legitimate."

Link to the real organization and its real PayPal link.  Wait for people to donate.  Assume a very small (less than 0.1%) response on the spam but a large campaign of millions of spams.  There are clearly a lot of idiots who respond to spam, and you only need a small proportion.

Then, a week or two later send spam message #2, "You might have heard recently about a charity that made a plea to maintain its status with the IRS.  If you donated any money, be informed that you are a victim of fraud.  The charity's IRS status is not up for renewal, and there is no effort to remove its 501(c)(3) status under IRS regulations [insert another valid hyperlink here].  If you donated with PayPal, protest your donation and reverse it, follow this link [link to PayPal dispute center].  If you donated with your credit card, be sure to file a dispute claim with your bank."

Would your spam campaign bring in more money to the target than was reversed later?  Again, let's do some math.  Assume 200 donations are made with an average of $5 each, and 50 percent of donations are made via PayPal accounts, while the others are made using PayPal with a credit card.

The charity initially nets 200 x $5 = $1,000, less PayPal's fee of 45 cents on each $5 transaction ($0.30 plus 2.9 percent), or $90 in fees: $910.

Now suppose 100 of the 200 donors file a successful claim, half of them with PayPal and half with their credit card company.  The full $5 of each of the 100 disputed donations is removed from the charity: $500.  The 45-cent fee PayPal already took on each of those donations is not refunded: $45.  And the 50 credit card disputes each carry a $10 chargeback fee: $500.

Set against the $910 the charity briefly had, the $500 in returned donations and $500 in chargeback fees leave it at 910 - 500 - 500, or $90 in the hole.

Put another way, the 100 donors who didn't protest leave the charity $455 (half of $910), while the 100 who did cost it the $45 in fees PayPal keeps plus $500 in chargeback fees, $545 in all.

Net loss to the charity is 545 - 455, or $90, plus lots of aggravation.
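The fee arithmetic in the scenarios above (the $100 chargeback, the ten $100 and ten $1,000 donors, and this spam campaign with 100 of 200 donors reversing) is mechanical enough to put in a small model.  The following Python is an added example, not code from the article or from PayPal.  It assumes the $0.30 plus 2.9 percent schedule quoted in the article, rounded to the cent on each payment and kept by PayPal when the payment is reversed, and a flat $10 chargeback fee on reversed credit card payments; the donor populations it builds are constructed for the scenarios.  Besides reproducing the $13.20, $132 and $393 figures, it works out something the prose does not: how many reversals it takes before a donation drive leaves the recipient below zero.  The article's $2 example, which saw a $0.38 fee, is not reproduced exactly by this schedule; as the article notes, fees differ by country, currency and transaction type.

```python
"""Added example (not from the article): a model of what a PayPal recipient
nets once some donations are disputed and reversed.

Assumed fee schedule, taken from the article's figures: $0.30 plus 2.9 percent
per payment, rounded to the cent and never refunded on reversal, plus a flat
$10 chargeback fee passed through when the reversed payment was card-funded.
Real schedules vary by country, currency and transaction type.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


@dataclass(frozen=True)
class FeeSchedule:
    fixed: Decimal = Decimal("0.30")        # fixed fee per payment
    rate: Decimal = Decimal("0.029")        # 2.9 percent of the amount
    chargeback: Decimal = Decimal("10.00")  # card-network fee PayPal passes on

    def processing_fee(self, amount: Decimal) -> Decimal:
        # Assessed per payment and rounded to the cent (assumption: half-up).
        return (self.fixed + self.rate * amount).quantize(CENT, ROUND_HALF_UP)


@dataclass(frozen=True)
class Donation:
    amount: Decimal
    by_card: bool           # True: funded by credit card; False: PayPal balance
    disputed: bool = False  # disputed and later reversed against the recipient


def recipient_balance(donations, fees: FeeSchedule = FeeSchedule()) -> Decimal:
    """Net change to the recipient's PayPal balance after everything settles."""
    balance = Decimal("0")
    for d in donations:
        balance += d.amount - fees.processing_fee(d.amount)  # credited net of fee
        if d.disputed:
            balance -= d.amount             # whole amount clawed back; fee not refunded
            if d.by_card:
                balance -= fees.chargeback  # card dispute: chargeback fee passed on
    return balance


def campaign(n_donors: int, amount, card_share: float, n_reversed: int):
    """Constructed donor population for a scenario: card-funded donors are spread
    evenly in the given proportion, and the first n_reversed donors later dispute."""
    amount = Decimal(str(amount))
    donors = []
    for i in range(n_donors):
        by_card = int((i + 1) * card_share) > int(i * card_share)
        donors.append(Donation(amount, by_card, disputed=i < n_reversed))
    return donors


def break_even_reversals(n_donors: int, amount, card_share: float) -> int:
    """Smallest number of reversals that leaves the recipient below zero, i.e. the
    point past which a donation drive becomes a net drain on the recipient."""
    for k in range(n_donors + 1):
        if recipient_balance(campaign(n_donors, amount, card_share, k)) < 0:
            return k
    raise ValueError("recipient never goes below zero under this fee schedule")


if __name__ == "__main__":
    print("one $100 card donation, reversed:", recipient_balance(campaign(1, 100, 1.0, 1)))
    print("ten $100 card donations, all reversed:", recipient_balance(campaign(10, 100, 1.0, 10)))
    print("ten $1,000 card donations, all reversed:", recipient_balance(campaign(10, 1000, 1.0, 10)))
    print("200 x $5, half by card, none reversed:", recipient_balance(campaign(200, 5, 0.5, 0)))
    print("200 x $5, half by card, 100 reversed:", recipient_balance(campaign(200, 5, 0.5, 100)))
    print("reversals that put the charity below zero:", break_even_reversals(200, 5, 0.5))
```

Running it prints the scenarios above; the last line shows that with half the donors paying by card, 92 reversals out of 200 are enough to put the charity below zero, comfortably under half the donors.  Decimal arithmetic is used deliberately: fee schedules are stated in cents and percentages, and binary floats would accumulate rounding error over a few hundred payments.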

PayPal does have a lot of protections in place, but far fewer when no goods are being sold, and far fewer at larger dollar amounts.  Just a few reversed transactions can make a charity or other recipient have a bad day.

In this article, I have laid out some of the basics, and also worked through some hypothetical scenarios where a larger number of reversed transactions can be truly damaging.

Lots of people have worked on anonymous payment systems, non-repudiation of payments, and escrow systems for delivering goods.

For examples, read some articles on e-gold.  PayPal does not implement the hard parts of such a system, which require a trusted intermediary (not one who profits from every type of transaction, including illegitimate ones, as PayPal does), and strong cryptographic methods of ensuring identity while maintaining anonymity.

PayPal is ubiquitous, but has flaws. Let the buyer, and the seller, beware.
