> European banks have seen widespread unauthorised direct debits from PayPal accounts, the German Savings Banks Association (DSGV) says.
> The German newspaper Sueddeutsche Zeitung (SZ) says payments worth in the region of 10 billion euros (£8.6bn) have had to be blocked, after PayPal's fraud-checking system failed.
[0] I was impeded by cookie popups and adblock/privacy-mode blockers in another language, and neither are direct reports or superior details.
This company needs to get paid. For that it uses ads and other means, just like everyone else does. Their list of ads, tracking and other partners happens to be around 200. They tell you and you either choose to accept that, read their content for "free" (like you use other content/apps for "free") or actually choose to say "No, if "free" costs me this, then I don't want it".
And some really aren't even to "sell your data" but just their own analytics to let their dev/SRE staff see what's going on. Nothing nefarious at all.
Nobody forces you to accept this and read their content.
Heck, your online banking/brokerage probably uses a bunch of trackers you probably aren't aware of, because they don't tell you. Go open the network tab in dev tools and check.
No, the GDPR is making _them_. Gating content behind "consent" for tracking isn't allowed. They have the choice to then show content with generic trackers.
yeah, but a choice between "ad+tracking" and "no-ads,no-tracking,payment" is not GDPR compliant. It's just that a huge part of EU newspapers do not like it leading to very long outdrawn court proceedings, and other issues.
Basically GDPR says you have to make it as simple to use your site with and without "tracking".
The important part here is it says "without tracking" not "without ads", so the choice presented is intentional deceptive and misleading. There is no technical reason to not have GDPR complaint ads, it's just that web ad market is dominated by a few quasi monopolies (leading Google) and they don't like "not targeted" advertisement at all.
What they theoretically have to provide is the choice between "targeted ad, tracking", "untargeted ad, no tracking" or "no ad, no tracking, payment".
That is not a GDPR violation, no. Most German newspapers do this, and it has been tried in court - it's legal. The court only mandated that the subscription fee cannot be substantially higher than the value of the data that would have otherwise been sold.
It's basically the status quo for German websites. This seems legally settled for now unless some appellate court strikes it down, and even that won't happen any time soon.
As a user it's just odd to see German websites do this so differently from Dutch or British websites.
What should be made illegal is how all those German popups do this really grating 3D animation effect upon closing. Do you know what I mean? Not the one at heise.de, but most of these forms seem to have this built in.
Yeah it is, if courts decided otherwise then courts decided wrong, the GDPR is very clear and explicit about this:
> Consent is presumed not to be freely given if [...] the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
> That is not a GDPR violation, no. Most German newspapers do this,
and pretty much all of them are in GDPR violation
just due to long dragged out court proceeding and a lot of lobby power or lets be honest corruption there have been no wide spread consequences
btw. a lot of them have a very hidden 3rd "no tracking, no payment" option which might display non-targeted ads based on the content viewed and is the actual legal required alternative (instead of the "pure abo") this is still not quite legal but much easier to worm yourself through the legal system with
Most website also tried to click a hundred different buttons to opt out - that wasn't legal either. Just because enforcement hasn't caught up yet doesn't mean it's not a GDPR violation.
South Park once had a good scene about just not accepting random things that pop up (in HumancentiPad). If you see something popping up on a website - maybe just delete the pop-up from the HTML. (Click on Inspect - Examine - Delete).
Heise is a bit nasty with technology, and it's a bit harder to get rid of their thing, but I can read everything without accepting anything.
Oh, valid point. I actually hate heise.de's approach to hard-require consent to ad-tracking (or payment). As my university has a subscription for heise.de, I was not shown the consent popup and forgot about that. Sorry.
If you wish to refer to the submission uniquely in the subject, as of a few years ago anyways they requested appending ` (1235676423)` to the end of it with the ?id=1235676423 of the comment/post/whatever that you're writing about. I tend to do so more in emails sent from a keyboard than from a mobile phone for UI reasons.
This article is useless. It seems like an English translation of some German blogspam (and the ads are even making it through my filter).
It says nothing other than PayPal is having some security failures and banks are blocking deposits from PayPal. What are these security failures? What is the mechanism of fraudulent activity that is being exploited?
I’m surprised this was upvoted so much… am I missing something? It seems to be a bunch of words saying basically nothing.
Arbitraging fraud has always been PayPal's game. For the mass market of small-scale sellers there's a threshold, whre the cost of onboarding, verifying, underwriting and eating fraud exposure is greater than the revenues you could ever expect to make from them at their low volume. So these segments went un-served, same with many other segments of transactions or transactors. PayPal's model has always been to accept a higher risk tolerance, then to have just-enough compensating controls and/or liability-dodging to make that work. At least just well enough to have net-revenues bps exceed their fraud-loss bps.
And when that balance is working, it kinda works, but when it doesn't...
And incidentally, it's not just PayPal with the fraud problems these days. It's everybody in the banking and payments space. AI is so far quite asymmetrically helping the bad guys more. It's bad out there.
That's a simplistic way of understanding "best interest."
The optimal amount of fraud is neither zero nor "let it all through." Their "best interest" is a balance between allowing legit transactions to get through and blocking enough fraudulent ones that fraud doesn't become too common.
I believe you’re referencing Patrick McKenzie’s takes on fraud, which I agree with — but when he (and others) talk about the optimal amount of fraud they’re usually referring to fraud from “losing money from the company to customers”. This is not PayPal’s case; because PayPal isn’t the victim of fraud on its platform but makes money off its use, their optimal amount of fraud is “as much as they can permit without losing customers or regulators getting up their ass”.
This is an important concept. More you push to zero fraud, the more inconvenience you put on your customer. You can cut bunch of fraud if you only allow shipments to the billing address but then you inconvenience people who want to buy gifts, recently moved or have a vacation home. You can block all traffic from cloud providers but you'll end up blocking outbound proxies for people on military bases or corporate proxies.
Personally I'd like to see a move away from just giving your card details to a website and having them charge it for whatever they want. Because it just ends up that stolen details go around and get used for fraud easily.
Should be moving to a system where setting up payments with a new provider has them request access to charge you, and then on the bank app you approve it. Australia has this as a fairly new system called PayTo, where you can approve and later unapprove individual merchants the ability to charge you.
Brazils pix system as a similar mechanism, where a website can generate a code for payment, that you can copy or scan a qr code into your bank app, and then approve the payment.
Individual merchants barely get any information from you this way, and have no way of even trying to charge you more later.
99% of e-commerce merchants don't have hand the credit card informations. Its all passed on the front side by payment providers like Stripe or Braintree. Shopify merchants go further with a hosted payment page. Handling card numbers bring on a lot regulations for PCI.
But fraud prevention is not free and has negative returns at some point.
I dislike it when people use "the optimal amount of fraud isnt zero", because it is wrong and makes the underlying problem harder to understand, which is that people like to overoptimize a single desirable property(fraud prevention) without considering other desirable properties(like ease of use and a low rate of false positives for legit transactions)
Maybe it's different by country, but I feel like fraud isn't a huge issue for the end user anymore. A couple times I've had random transactions on my account seemingly from database leaks / stolen card details, and every time the bank has either sent me a notification asking me to approve the suspicious transaction, or has refunded me the amount later.
As long as you don't initiate the transaction, you get your money back easily.
Card networks have the most reliable protections and guarantees, their systems and rules are designed around consumer trust in their brand and zero-liability (to consumers).
Recently I found out that one of my friends had his identity stolen, thousands and thousands drained from his bank accounts. After thorough investigation it was traced to a PayPal breach, and he had to fight hard to get them to admit it was their fault. He got everything back, eventually, but the whole process was a nightmare.
PayPal very strongly tries to make you give them your full bank info (remember that the banking system has absolutely no security as the computer world knows it - this is a feature required for checking to work - so this means anybody with access to your bank id numbers in PayPal's records can do arbitrary transactions to/from your bank account). When I last used it it was possible to avoid on the buyer end and just use a credit card, but I haven't used it for years and I think it was different on the seller end even then.
Routing and account numbers have been on every check written for decades. Banks usually aren't quite that naive to let anyone with the numbers transfer whatever they want. There's name validation they can do, but legally/contractually IIRC it's optional. So the numbers + a lot of social engineering skill can do damage.
But I kinda suspect the ROI is higher for social engineering into an online account portal to Zelle a bunch of stuff around vs waiting for ACH transfers. Breach a login vs find an ACH list and transfer stuff out of the high-value accounts without triggering any flags (imagine you had access to that Paypal list - how are you trying to exfiltrate from millions of accounts without looking suspicious?).
I got once my PayPal account blocked due to negative balance, but there was no transaction in the history and not even customer support was able to tell me why my account went to minus. They even sent me fairly threatening email and the whole process felt like a scam attempt.
Later on I found out that it was due to a bounced transaction 3 months earlier, but the fee for bounced transaction was not reported anywhere and my PayPal account balance just got changed to -5 eur. I've closed my PayPal account directly right after this incident and never used PayPal again.
German, well West European, banks are slow in creating a competitor to Paypal, called Wero. https://en.wikipedia.org/wiki/Wero_(payment) I'm not implying they block Paypal because of that. It's good to have more competition and I wished my bank would take part.
The existing giro system is the real Paypal competitor. Most Europeans had access to Paypal-style money transfers before they had email. Merchants probably want to rely on another party to maintain their integration, but there is no real need for another centralized service similar to Paypal.
(The U.S. really is an outlier among developed nations in that its giro system is not widely used, and many residents would not even know how to access it. Hence Paypal's network effect can offer value there. Europe is very different.)
> The existing giro system is the real Paypal competitor. Most Europeans had access to Paypal-style money transfers before they had email.
Not at all, not even close! In most cases, that's wrong even today.
Want to sell something online? A book you wrote, a game you made? There's no way for people to pay you via giro and automatically receiving the good on the page where the payment process was initiated.
Giro is not instant, and almost no bank will offer an API that signals that a specific customer has transferred funds successfully. It always takes hours, and the confirmation process is almost always only semi-automatic for the seller.
Visa/MasterCard/PayPal/Twint/Tikkie/Wero have and will provide actual value. Giro was nice 15 years ago, but hasn't kept up.
And even for money transfers between two private individuals, giro is the inferior system - mainly because Euro banks fail at UX/UI. I don't know a single bank that offers an "address book" in their online banking app/website. If you want to send someone money, you better remember their IBAN yourself. And because the system comes with a degree of anonymity, you can't even send people money back! Their IBAN is not part of the metadata of an incoming transfer, the only way to send money back is to contact that person and have them send their IBAN.
I'm trying to think of any bank that I've used that would not have "address book"-like functionality, and I can't think of one. All of them have this, and have had the feature for as long as I've used their online banking. Perhaps the banks you're used to aren't very modern?
SEPA transfers are (at least mine have been) max. 1h until the transfer is complete (some limit this to "banking hours"). Instantaneous transfer is common.
It seems to me like there is great variety depending on what bank you use.
API's are common, and even the same between banks now with PSD2.
Tbh, a banking barcode (or EPC QR if you prefer) displayed on the seller's webpage with unique reference + reading it with your phone and making the payment is that internet payment method via giro. The webshop uses PSD2 open banking to get notified of new transactions and knows when it is transferred.
That's also not my experience. Giro was a nightmare compared to paypal 15 years ago and the only reason it slightly improved was regulations, not because the german banks cared about the customer experience. Now in 2025 Giro is dead as banks like DKB don't even hand out those cards by default. The system in germany is a big mess despite so many fintechs in germany.
> a banking barcode (or EPC QR if you prefer) displayed on the seller's webpage with unique reference + reading it with your phone and making the payment is that internet payment method via giro. The webshop uses PSD2 open banking to get notified of new transactions and knows when it is transferred.
Yes, that's what I'm talking about. This is how services like Twint in Switzerland or PayPal in Germany have worked for the last decade+.
You're saying this is currently possible, with any arbitrary two German/European banks on either end? Your customer scans the QR code, hits a button, and the QR code is replaced by a download link, and the delay is <20 seconds?
Do you have a link for the tech stack to built this?
The user will likely take ~20 seconds to get their phone out, unlock it, log in to the bank app, confirm the transaction and set their phone down. The PSD2 API shows the transaction immediately (again, instant transfer being enabled is a prerequisite) and the seller can confirm that payment is complete.
? I open my
bank app go to new transaction scan the IBAN of the seller and send the money. I think the time I made a paypall account added to the paypal transfer time is more then 20sec. I have my banking app anyway.
dude honestly no idea what your point is. since instant and free giro transfer with more or less 3 clicks is the death pf anything else.
why the fuck should I have an extra layer to my bank? Its insecure ;)
I would like to know are you american? This thread is about europe
I'm in Switzerland, and am a customer of several Swiss and German banks. Because of that, I mainly use Twint, and I hope for the rest of us that Wero turns out as well or better than Twint did 10 years ago. The change is long overdue.
The thing Twint (and Wero and PayPal) allows is really easy, fast, cheap (not PayPal) and secure (not PayPal) online stores. Scan the QR Code on screen, 1 second later your download link replaces the QR code. Done.
Now, I'd like to know how to do that with SEPA/giro. PSD2 and open banking sounds promising. You seem knowledgeable. Why doesn't anybody use that (or do you have an example for a online store using it)? How fast is it really?
And why did it take so long? Twint is 10 years old, iDeal is 20 years old, PayPal is 25 years old.
Because once you have those capabilities, you can do a small firmware update on credit card readers with a display, and you can pay by app everywhere - no credit card, NFC or Google/Apple/Samsung pay integration neccessary.
> Giro is not instant, and almost no bank will offer an API that signals that a specific customer has transferred funds successfully.
And because of that we have leeches like Sofortüberweisung. They basically proxy the web interface of your bank and you'll give them full access to your account, so they do the transaction for you by scraping your banks web interface (and your transaction history) and report success to the vendor.
not any more: most of these Payment-Initiation-Services (PISP in EU-speach) do use the public PSD2 apis these days.
In the dark beginning days, it was scraped, yes.
What giro system are you talking about here? Do you mean the postal giro system that has existed in Europe since the 1960s and has been used for postorder shopping since before the Internet existed? That system was already obsolete in NL last century when we had the first digital invoicing systems via e-mail (and digital personal banking via dial-up), and we've had direct online payments via iDeal since 2005. Are you saying that some countries are still relying on paper-based payment instructions in 2025?
I don't know a single bank that offers an "address book" in their online banking app/website.
Conversely, I don't know a single online banking portal that does NOT offer such basic functionality. Santander, ING, and Rabobank all do.
And because the system comes with a degree of anonymity
What do you mean? Every payment in my bank's transaction history shows the account number on the other end of the transfer.
Instant transactions are a very recent development and are only starting to become common because banks are required by law to support them for free come October. Up until rather recently instant SEPA transfers were often either not supported or came with additional fees attached.
Based on the replies I've been seeing in this post, I'm starting to think that my banks (or I've somehow lucked out) have been very proactive in providing users with desirable features.
Instant transfers have been the default for quite a while, and possible (for a fee) for as long as I can remember.
Online payments with instant confirmation have been really easy for 15+ years.
> Most Europeans had access to Paypal-style money transfers before they had email.
Bank transfers were not instant though, they usually took a work day. This is changing with the introduction of instant transfers, which become mandatory to support this year, and are also not allowed to be more expensive since this year also.
The U.S. really is an outlier among developed nations in that its giro system is not widely used
I wasn't even aware such a thing existed? Or do you mean Zelle, which seems to be some sort of hybrid system... It's not quite a giro system as found in most of EU, more like "PayPal, but built by BofA and CapOne"
I don't do much banking in the U.S. system, but I'm assuming that ACH transfers get you pretty close to a giro system. Apparently, they are quite slow by SEPA's standards.
For merchants selling stuff internationally on the internet, none of those local systems are any use. You pretty much need to use Paypal or similar - or even wire transfers if you don't mind the delay and inconvenience to the customer.
German banks (and in general businesses) are amazing. They won't do anything until legally required to do so and even then will drag their feet. There has been instant bank transfers (transfers in 10 seconds) available for a while - launched in November 2017. German banks kept charging 1.5€ for this instant transfer or some didn't have them available at all. They didn't build any of these systems and yet this was their stand.
On January 9 2025, EU made it compulsory to have receipt of transfers instant and in October 2025 - sending too should be available at the same cost as the normal transfer. There's nothing stopping from implementing bot send/receive instant transfers in January 2025. Yet, some of these banks only enabled instant receipts in January and will make the sending available exactly on 8th October 2025, 1 day before the deadline. What a business mindset to have!
Have used them for a long time, never paid for them. GLS is a great bank, happy customer. The crappy ones like to keep your money in their books as long as possible.
The resistance against instant payments mostly has to do with technicalities around bank balance sheets and inter-bank settlement systems.
It's a bit complex for a comment, but the TLDR is:
* funds in transit (called "positive float") are held in the banks account, and can be used by the bank to earn interest
* liquidity management - there are a bunch of considerations here, but the longer settlement periods enable banks to do "deferred net settlements" (just paying each other the difference between all transactions in a batched way) and also helps balance sheets in other ways, making it easier to meet reserve requirements, smoothing out intra-day liquidity, etc
The delay also means systems have more time to catch fraudulent transactions, and to block them before they happen.
This comment is not towards you but there's always an excuse with the big German banks.
For example, during Covid when interest rates where negative - some major German banks like Commerzbank charged interest from customers when their balance exceeded an amount like 50000€. Now that the interest rates have gone up - they are not even close to passing on those high interest rates. The same Commerzbank now asks for 50000€ in assets otherwise they charge a 4.90€ subscription charge from their customers.
So yeah there might be technicalities but nothing stops those technicalities being addressed until the law does.
As a reluctant Commerzbank customer, there's some inaccuracies. The amount was 100k€ re: negative interest, and the subscription charge only applies if you're not moving a certain amount of money each month (which is very low, even unemployment payments would be enough to clear that hurdle).
So you're only paying for your second or third account.
Also a bank that thought it was a great idea to block all rooted Android users with a minor update to their app. Which is required to use their website. Fuck DKB.
Portugal got mbway, Austria used to have paybox, there is iDEAL, sofort.com and generally besides the local country systems with de-facto European banks you get "SEPA Instant Credit Transfer" nowadays - however IBAN is "harder" to share than lets say the phone number your friends already got.
They never really had much of a reason to create a competitor. There where already plenty of alternatives once online shopping/payments became a thing.
Here you could do "cash on delivery", credit/debit card, account transfers (yes even across banks, it not as big an issue as US banks makes it) or you could send stamps (not a popular options).
There was never a need for PayPal or PayPal style services. These days it's safe to assume that people have a debit card (or MobilePay in the case of Denmark).
The + of PayPal was in 2005 when you could use it to hide your card number from the merchant.
But now, you can generate one-time use cards, which are safer than assigning a card on your PayPal account.
The other thing, is that you can do chargebacks more easily, when you buy on eBay, but this comes at the cost of higher fees (which is basically insurance)
Other than that, it's a platform that cannot be trusted
I can't speak to how other European countries did only payments, but you never gave your credit card number to the merchant in Denmark. It was always done via a 3rd. party payment provider, initially mostly DIBS, then came WorldPay and later many more.
Charge backs was also always fairly easily done via your bank. Though you did have to call them, so yes PayPal was/is easier. I don't know, the trust in PayPal was always really really low.
It was before 2006 (enforcement of PCI DSS), at that time, a lot of merchants just created and hosted themselves a payment form and stored bank card numbers themselves, numbers that they often collected on non-HTTPS pages
Because the banks are liable to fraud in Denmark, probably also other countries, they already had really strict rules for online payments. Denmark also has it's own national payment card "Dankort", and before 2006, you needed to accept Dankork as it was the most popular debit card. The Danish banks could make their own rules, separately from PCI DSS, and those where much stricter, so no http and only specially audited software was allowed to handle the transactions. The downside was a near monopoly from DIBS.
I strongly disagree. The main advantage of Paypal and the reason for its popularity in Germany was the fact that it provided instant payments at a time when credit cards were very uncommon.
Cash on delivery was a huge pain since you had to potentially large amounts of cash ready to hand over to your postman upon delivery. That's the opposite of convenient.
Alternatively you could pay by bank wire transfer, which of course led to an additional delay of a day or two until your transfer actually arrived at the sellers bank account. Nobody wants to deal with barriers like these in ecommerce. Paypal was a godsend back then. Remember, barely anyone had a credit card in those days in Germany.
At the time PayPal rolled out, the single feature that made it popular in the USA is that it provided eBay sellers an easy/cheap way to receive credit card payments from buyers. That is all. Any person could set up a PayPal and instantly start receiving credit card payments without setting up a vendor account with a credit card company (which was not trivial at that time).
Right. But that was only relevant because US customers wanted to pay by credit card (because of some combination of credit cards being good and other payment methods being bad in the US). Which was not the case in most of Europe.
Each country had a local solution. Direct transfers, or better direct debit, was the common way in Germany. You literally just entered your bank account number and that was payment, the seller would debit it from your account. Zero authentication, and it worked - never had a fraud issue (in the background, I assume sellers checked the delivery address against some database before accepting this, as the seller would ultimately be on the hook for any fraud).
Aside from manual bank transfers (seller ships when the money arrives 1-3 business days later) there were also two systems based on direct bank transfers. One (Sofortüberweisung/Sofort) was essentially institutionalized phishing - you give a third party your banking credentials, they log into your account, snoop around a bit, wire the money to the merchant using your credentials and confirm to the merchant that your account has enough money and the wire is happening. The other was a similar service but by the banks, so you'd log in directly at your bank to authorize the transfer.
Most other European countries had other local systems that covered this need, but there was nothing global. Globally, your best bet for small amounts is unfortunately likely still PayPal unless your counterparty accepts crypto. For bigger amounts, there is Wise and similar services (note that I've had a horrible experience with Wise - KYC asking for things that didn't exist, luckily before they had my money to hold hostage). Wiring directly to accounts with Revolut also works reasonably well.
For transfers within the Euro zone, a regular SEPA bank transfer is easiest, with the only "downside" that you need to ask for the destination IBAN rather than just a phone number or similar that some of the other systems support.
Yeah, one could hope even more. E.g. MobilePay in Nordic countries take big fees because (based on my limited observation) most people just put their Visa/Mastercard in there.
The predecessor of Wero (iDeal) has been in use in The Netherlands for almost two decades. Nobody has credit cards here and everyone does online shopping with iDeal
To add, on top of iDeal (I think they're on top anyway, they're digital payment whatsits anyway) there's an age verification system using a similar protocol - where a website gets a "yes this person is >18" signal, nothing else, from the user's bank. And there's "tikkie" (payment request), allowing people to request money through a link and people's own bank account - no need for everyone to use the same apps or services like paypal or cashapp.
Wero looks very much like a bureaucratic paper tiger to me.
I do not know a single person that uses it despite the massive advertising campaign they are running.
What really replaces Paypal in my everyday life is Revolut.
Half of Europe has widely used national systems for instant payments, the other half does not. The idea behind Wero is to unify this to one single system, available across whole Europe. For reference, I use these systems for like 80% of my online payments.
Of course nobody's using Wero now because the whole thing isn't really online yet, just a pilot program on a few websites with a few banks.
WERO is an application/UI layer on top of SCT INST payment scheme, which adds some additional features like "send to email" etc. as well as other pay-specific features in the future (pay-per-request, which is also a defined way in the SEPA/EURO rulebooks and processing docs)
Poland has Blik, it's amazing and I wish it existed everywhere - you can pay someone using a phone number or you can generate a Blik number that you can give anyone else to request or send a payment - and it's instant. Most stores accept Blik payments, and I've paid using it in places where bank cards are not accepted or where there is no infrastructure to accept them - just use Blik.
Looking at the Wero page, it's not very European if 4 countries are listed. I have never heard of it here in Slovakia, and none of our banks are listed, although some belong to the groups that are there. This will be a long process if it really wants to be European.
Maybe in Slovakia there is already an established payment system which uses instant bank transfers, so there is no need for Wero. Or maybe some countries are fine with PayPal (or similar) fees.
Wait till you learn about iDeal. Basically flawless online payments for 10+ years in the Netherlands. Dominates the entire online and offline markets. No cards, no signups, just your normal bank account.
P.S. lives in Germany 5+ years and can attest its banks and online banking are generations behind its neighboring countries. A travesty.
It is worth remembering that PayPal not only handles payments but also provides a degree of assurance to receive the goods. A pure payment system does not. From a customer perspective this can provide real value as filing a claim with PayPal gets merchants definitely to listen more closely.
> It is worth remembering that PayPal not only handles payments but
It is _also_ worth remembering that PayPal not only handles payments but _also blocks acounts based on random issues_. A lot of people lost access to their Paypal accounts. /s
This is exactly why compliance frameworks exist. When your security controls fail, it doesn't just affect you - it ripples through every organization that trusts you.
German banks are right to be concerned. PayPal processes massive amounts of financial data, and if their security posture is compromised, everyone downstream is at risk.
The real test of any security program isn't whether incidents happen - it's how quickly you detect them, contain them, and communicate with affected parties.
Last week my PayPal account was "permanently disabled" this also happened to two of my friends at the same time. Is anyone else going through this right now? When I looked it up on Reddit it seemed like a widespread error that started last week. Could it be related to this? Are there any steps I should be taking to try to get my account back? Any help here would be really appreciated.
I filed a dispute with Paypal that a merchant ran off with my money… Paypal nuked my account. No idea if the support agent hit the wrong button but I’m done with Paypal, no explanation or recourse. Filed dispute with bank on the Paypal charge and immediately got my money back.
PayPal security is amazing. It randomly locks people out of their accounts and randomly closes their accounts too, but actual fraudsters and criminals are never deterred.
I never worked for PayPal, but I did for a competitor.
Dealing with fraud is a red queen game: The fraudsters can keep trying until they find what gaps are there in your system, and will sometimes communicate with each other: Part of our defense system involved infiltrating some of those spaces and seeing the guides that were being sold to try to commit fraud in our platform. Meanwhile you will still have a false positive rate, and getting it all the way to zero means crazy fraud. Most people just don't get to see how much fraud is stopped before they know it exists. This isn't just for financial institutions: You'd be surprised by how much credential stuffing is attempted at, say, any very large streaming site which charges a subscription.
Without looking in, it's hard for me to say exactly how successful their security team is, but being as big as they are, and having probably thousands of people whose only job is to do fraud on their platform, winning has to be pretty hard.
The average person has no idea how industrialized fraud has become. There are essentially entire companies with management, support staff, IT, and office buildings whose business is fraud. It is sad when you think about how many resources have been poured into it.
Per discussions on this thread, the singular reason people have tolerated their horrid service over the years they've been an effective monopoly in many locales.
> the singular reason people have tolerated their horrid service over the years they've been an effective monopoly in many locales.
This is correct. For some reason, many people (merchants surprisingly!) love PayPal and only accept payments through it, especially those outside the US and UK. Sometimes "guest payments" aren't an option, and that means you either get a PayPal account or don't purchase the product/service.
Just delete it. I used to have an account, and my experience using “guest payments” (which are usually, but not always, supported) is generally more reliable than logging in and paying.
Or you just put your regular credit card number into PayPal and tell it that you want to check out as guest. There's a little option that you need to uncheck so it doesn't try to make you an account.
They blocked me claiming suspicious activity occurred in my account (just a low traffic personal account). Ignoring me wanting to know what suspicious activity was it and if it needed, or actually already was, reported to the authorities.
Unluckily this deletion does not hold well, occasionally with weird merchants only offering PayPal payment - credit card through PayPal - the paying fails using my old email used in the purchase and was used with PayPal before. They keep forcing me to log in. But can't! It is deleted!
I did not trust their sloppy ways then, the feeling is stronger now.
Yeah. I had always thought these AML/KYC stuff were just governments/people in power expanding their arms into normal people's lives. I still think they mostly are, but after learning how much fraud is happening, I'm not sure what a better solution would look like.
Because we've seen that as soon as it exists, it quickly becomes required for ridiculous things that shouldn't require any kind of authentication, either by data-hungry companies that want to better exploit their users, or by control-hungry governments.
Until that is solved, I'd argue that the benefits are not worth the costs.
>I'm not sure what a better solution would look like
Federal government provided electronic money accounts and transfer systems, along with federal government provided identity verification APIs, where the fraud requires defrauding the government. Basically, a government utility. They do it with passports, why not with digital travel?
Obviously, this has to go hand in hand with constitutional inalienable rights to protect people's access to electronic money accounts and identity verification.
The problem isn't the fraud, the problem is that they do not pay enough staff to deal with it which leads to legitimate accounts getting closed out and people not being able to do anything about it. Money seized, etc.
Yup. My advice for using PayPal is do not unless you have no other choice. I just got my monthly account statement and, as usual, thankfully zero activity.
Though extremely innovative (for its time), it's been a slipshod org since inception and slipshod is a property you decidedly do not want in a payments processor.
My only use case for paypal is booking an internal flight in a country I visit annually because they do not accept my credit card, but will accept paypal. Literally the only reason I reluctantly got an account. The horror stories I've heard, I wouldn't put any serious money in there. And their drama during the heydays of censorship a few years ago, literally fining people $2500 for politically incorrect speech at the time, I couldn't believe sane people at the company thought that was an acceptable idea. I'd really like to know the inside story of that decision. We forget how crazy 2021-2022 was.
> My advice for using PayPal is do not unless you have no other choice.
This is literally their business model, which is why they are able to get away with so many shady practices. Until very recently they held a practical monopoly on web based international payments.
Indeed. And it's not a recent phenomenon either. I lost my first ever paycheck to PayPal randomly freezing my account. Was never able to get it back. Never used it again
PayPal also appears to suffer data leaks more than anyone else. I use multiple email addresses for every service I sign up for. But of all all the spam email I get, 99% has my PayPal email on it, and I even have other email addresses posted publicly.
It's worse than you think. I've closed PayPal accounts and opened new ones with a different email address and PayPal updates the merchants who've been spamming me with the new email address. There's no legitimate technical reason PayPal can't use a mail relay with transaction specific email addresses to control spam.
Happened to me with Moneybookers a few years ago. Started getting spam from various casinos at a unique email address. I contacted support and spent a few weeks explaining that, nobody could have gotten this email address unless they were hacked or willingly sold my address. After sending full dumps of the emails and a minor threat to go public with the information, suddenly the spam stopped.
The article is about $10 billion dollars in fraudulent transactions that PayPal has allowed that the banks had to catch themselves. Given that, it's hard to say the OP is speaking in hyperbole.
The Nordic countries all have bank-backed apps for instant transfers from a checking account indexed by phone numbers. It basically replaces every peer to peer transaction that would be cash in other countries (paying back a friend, buying something at a flea market, chipping in for a gift at the office...)
> It randomly locks people out of their accounts and randomly closes their accounts too,
yup, my paypal got locked after using it for over 20 years. Customer service refused to help and wouldn't even tell me why it was locked. I still get messages from paypal that they "couldn't get process subscription for X." won't delete my data either.
Thank you for the reminder to move money out of Paypal, I get some money every month through Patreon to pay for server costs but keep forgetting about it.
What, you don't remember random details from all this time ago? I got locked out of mine as well and the questions to restore were ridiculous. How the hell would I know what transactions I did 15 years ago? And other stupid things like that.
Gave up on it after a while and now try to avoid it as much as I can. Good riddance.
A few years ago when they suddenly switched on flawed mandatory TFA in my country, it took them nine months before they started to man phone support so people could get in. At about the same time they also implemented a policy to charge for having money left in your balance — when you couldn't access it! Add to that that hey had started with cryptocurrency. I cancelled my account (17 years) as soon as I could.
I'm a victim of such a fraud. It started gently on LinkedIn and ended up on http://fiverr.com that exploits PayPal to extract money from unsuspecting clients. I paid for CV editing service that was never provided. 60 euros gone and PayPal just accepts sellers side of the story.
http://fiverr.com is a scam. Don't use it.
PayPal's support is a joke.
PayPal is the most important online payment service in the German market, with nearly 30% of online purchases made using the platform.
The sheer volume of PayPal and direct debit transactions in Germany magnified the impact of the outage compared to other markets.
With millions of potentially fraudulent debit requests appearing simultaneously, German banks chose to freeze all incoming PayPal direct debit payments. This was a necessary step to protect their customers from what appeared to be a massive, systemic fraud event.
Also protect themselves (or rather, PayPal's bank). These were almost certainly SEPA debits. Consumers could reverse unauthorized transactions (think "chargeback" but on steroids - customer says to revert, it gets reverted, no discussion) and their bank would then have to try to get the money from PayPal's bank, which would then have to get it back from PayPal.
Yes, I may not have described it well. The "try" only refers to "if the other bank is bankrupt, they get stuck with the loss" - they don't have to argue with the other bank. So unless PayPal's bank fails, it's a very simple process for the customer's bank.
In general, the bank of the entity initiating the debit will only let someone initiate debits to the extent to which they'd be willing to give them a loan.
Germany seems to actively resist to modernize on all electronic fronts. Banks still charge you for transactions and they take 24hrs plus while in other countries they are free for private accounts and within seconds.
This lack on the market has made unregulated services such as PayPal big.
I've been doing online banking with German banks since at least 2002, and never payed a single cent in fees for transfers.
Funnily enough when I spent some time in Scotland in 2007 I opened a local bank account there, and OMG:
* they charged a fee for receiving a SEPA transfer from Germany
* they didn't give me a debit card or credit card, all I could do was withdraw money at the ATM or pay with paper-based cheques (!)
* when I asked them how to transfer money to my university, they looked at me quiet shocked and said "but their account is at a different bank!". The bank teller there didn't even know if they supported cross-bank money transfers, and had to ask a colleague. Turns out they did, but at exorbitant fees (25 GPB, iirc)
German banks aren't as modern as I'd want them to be, but transaction fees aren't a practical problem for most of us.
I'm not sure which bank you're using, but even Sparkasse and Commerzbank have long supported free SEPA ICT (and it's becoming mandatory at the end of the year).
Thank you. I'm not in Germany but could not withdraw to any (UK) banks for days. From Paypal that is. It is now restored but no entry in the list would show like it normally does.
Makes sense Germany would be particularly impacted, seems like the UK to agree was as well. It is restored now though.
Because what is the alternative, with the same level of convenience and support by (online) shops? Genuine question, because I do not know any and would be happy to.
Wero is not supported by most shops (yet), Credit / Debit Cards often charge fees if the payment goes to a foreign country, direct transactions cannot be undone.
Theoretically the alternative is whatever collection of local mobile payments EMPSA[1] manage to shackle together, but they’re taking an exceedingly long time to do it.
Wow this headline is quite striking. I wonder what happened all of a sudden for their fraud checks to fail. This is exactly the kind of issues where we could use insight from some insider. I am somehow not super optimistic that PayPal will publicly respond to it
> If you have MFA turned on then you’re safe enough right?
Many of these payments (or would-be payments) are automated, so MFA doesn't play a role. i had automated payments get blocked yesterday for the first time ever and thought it was just my problem until seeing this thread.
Yes. Im European. Everytime I'm out in a group and someone pays for everyone, they always ask for money via paypal, and I'm always the only one who doesn't have an account.
paypal is trash, if you have issues, they can hold your payments or does whatever they want to you and you have very little recourse. They make up all the rules as "regulations". A lot of times there is no choice but to use them.
In this case I think it's justified [0] to offer an alternate reporting: https://www.bbc.com/news/articles/cj6y42jggdyo
> European banks have seen widespread unauthorised direct debits from PayPal accounts, the German Savings Banks Association (DSGV) says.
> The German newspaper Sueddeutsche Zeitung (SZ) says payments worth in the region of 10 billion euros (£8.6bn) have had to be blocked, after PayPal's fraud-checking system failed.
[0] I was impeded by cookie popups and adblock/privacy-mode blockers in another language, and neither are direct reports or superior details.
Better link: https://www.heise.de/en/news/Paypal-German-banks-apparently-...
Maybe it’s a better link, but I can only read the content if I accept their sharing my data with 180 partners.
Which is the same as many if not most of the other sites we regularly link to on HN. You just aren't told about it.
If I have to accept it I think that's even worse than doing typical tracking behind my back.
Also requiring acceptance from EU users would be a GDPR violation, I think? But it didn't ask me at all so I can't evaluate it well.
I think it is great that they are forced to show whats going one. Otherwise we wouldnt even discuss, just no one would care.
Forced to show is better than going behind my back.
But making me click an "accept" button is just dirty. I hate that.
Nobody is making you. You are given a choice.
This company needs to get paid. For that it uses ads and other means, just like everyone else does. Their list of ads, tracking and other partners happens to be around 200. They tell you and you either choose to accept that, read their content for "free" (like you use other content/apps for "free") or actually choose to say "No, if "free" costs me this, then I don't want it".
And some really aren't even to "sell your data" but just their own analytics to let their dev/SRE staff see what's going on. Nothing nefarious at all.
Nobody forces you to accept this and read their content.
Heck, your online banking/brokerage probably uses a bunch of trackers you probably aren't aware of, because they don't tell you. Go open the network tab in dev tools and check.
No, the GDPR is making _them_. Gating content behind "consent" for tracking isn't allowed. They have the choice to then show content with generic trackers.
Yeah I know I could leave. But if the site won't let me say no, then it shouldn't pretend to give me an option.
If they're acting like the GDPR applies, these choices are invalid. If they're not extending that courtesy, then I'd rather be left alone about it.
And they're allowed to have ads without getting consent. It's the tracking that's a problem.
And there's no chance in hell that data isn't being sold when there are hundreds of partners.
You are not required to accept the tracking. You can pay to remove tracking with their "Pur-Abo".
yeah, but a choice between "ad+tracking" and "no-ads,no-tracking,payment" is not GDPR compliant. It's just that a huge part of EU newspapers do not like it leading to very long outdrawn court proceedings, and other issues.
Basically GDPR says you have to make it as simple to use your site with and without "tracking".
The important part here is it says "without tracking" not "without ads", so the choice presented is intentional deceptive and misleading. There is no technical reason to not have GDPR complaint ads, it's just that web ad market is dominated by a few quasi monopolies (leading Google) and they don't like "not targeted" advertisement at all.
What they theoretically have to provide is the choice between "targeted ad, tracking", "untargeted ad, no tracking" or "no ad, no tracking, payment".
That is definitely a GDPR violation (for users in the EU).
And heise.de has already gotten in trouble for this before.
That is not a GDPR violation, no. Most German newspapers do this, and it has been tried in court - it's legal. The court only mandated that the subscription fee cannot be substantially higher than the value of the data that would have otherwise been sold.
It's basically the status quo for German websites. This seems legally settled for now unless some appellate court strikes it down, and even that won't happen any time soon.
As a user it's just odd to see German websites do this so differently from Dutch or British websites.
What should be made illegal is how all those German popups do this really grating 3D animation effect upon closing. Do you know what I mean? Not the one at heise.de, but most of these forms seem to have this built in.
Yeah it is, if courts decided otherwise then courts decided wrong, the GDPR is very clear and explicit about this:
> Consent is presumed not to be freely given if [...] the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
exactly IMHO this whole thing being dragged out/tolerated for this many year needs to criminal investigation into corruption and bribes
> That is not a GDPR violation, no. Most German newspapers do this,
and pretty much all of them are in GDPR violation
just due to long dragged out court proceeding and a lot of lobby power or lets be honest corruption there have been no wide spread consequences
btw. a lot of them have a very hidden 3rd "no tracking, no payment" option which might display non-targeted ads based on the content viewed and is the actual legal required alternative (instead of the "pure abo") this is still not quite legal but much easier to worm yourself through the legal system with
Even under that idea, I very strongly doubt the subscription fee is in that range.
Most website also tried to click a hundred different buttons to opt out - that wasn't legal either. Just because enforcement hasn't caught up yet doesn't mean it's not a GDPR violation.
https://archive.is/6h2TN
South Park once had a good scene about just not accepting random things that pop up (in HumancentiPad). If you see something popping up on a website - maybe just delete the pop-up from the HTML. (Click on Inspect - Examine - Delete).
Heise is a bit nasty with technology, and it's a bit harder to get rid of their thing, but I can read everything without accepting anything.
I default to the Reader mode (Safari/Firefox) such a blessing to stop any/all videos, sounds, ads, and popups.
Putting the "text" back into HTTP, hyper text transfer protocol.
Oh, valid point. I actually hate heise.de's approach to hard-require consent to ad-tracking (or payment). As my university has a subscription for heise.de, I was not shown the consent popup and forgot about that. Sorry.
Yes, I agree. At the time this was the only English link I found. The BBC is much better, and it's a European issue. I cannot edit the link or title.
You can email the mods and ask them to do so. Footer contact link and mention “FP #x” somewhere in the subject.
What’s "FP" for?
False Positive of course. Why type of a full word with no ambiguity when you can confuse everyone with some obscure abbreviation ?
Functional Programming
Floating point?
Furry Platform
Fix Pls
front page?
Maybe, but it seems odd that someone would refer to a submission by a numeric ranking that changes constantly.
If you wish to refer to the submission uniquely in the subject, as of a few years ago anyways they requested appending ` (1235676423)` to the end of it with the ?id=1235676423 of the comment/post/whatever that you're writing about. I tend to do so more in emails sent from a keyboard than from a mobile phone for UI reasons.
Hey I’ve seen people use email addresses as unique, immutable identifiers so who knows what crazy thing people will do.
Okay, I guess. Half of that is a far more understandable mistake, and the other half makes things easier for everyone.
This article is useless. It seems like an English translation of some German blogspam (and the ads are even making it through my filter).
It says nothing other than PayPal is having some security failures and banks are blocking deposits from PayPal. What are these security failures? What is the mechanism of fraudulent activity that is being exploited?
I’m surprised this was upvoted so much… am I missing something? It seems to be a bunch of words saying basically nothing.
https://www.bbc.com/news/articles/cj6y42jggdyo
Arbitraging fraud has always been PayPal's game. For the mass market of small-scale sellers there's a threshold, whre the cost of onboarding, verifying, underwriting and eating fraud exposure is greater than the revenues you could ever expect to make from them at their low volume. So these segments went un-served, same with many other segments of transactions or transactors. PayPal's model has always been to accept a higher risk tolerance, then to have just-enough compensating controls and/or liability-dodging to make that work. At least just well enough to have net-revenues bps exceed their fraud-loss bps.
And when that balance is working, it kinda works, but when it doesn't...
And incidentally, it's not just PayPal with the fraud problems these days. It's everybody in the banking and payments space. AI is so far quite asymmetrically helping the bad guys more. It's bad out there.
Ebay and Paypal are full of scam. Simply it is thei best interest to keep this up because it generates revenue for them.
That's a simplistic way of understanding "best interest."
The optimal amount of fraud is neither zero nor "let it all through." Their "best interest" is a balance between allowing legit transactions to get through and blocking enough fraudulent ones that fraud doesn't become too common.
I believe you’re referencing Patrick McKenzie’s takes on fraud, which I agree with — but when he (and others) talk about the optimal amount of fraud they’re usually referring to fraud from “losing money from the company to customers”. This is not PayPal’s case; because PayPal isn’t the victim of fraud on its platform but makes money off its use, their optimal amount of fraud is “as much as they can permit without losing customers or regulators getting up their ass”.
>usually referring to fraud from “losing money from the company to customers”.
Conversely this can affect customers by the vendor or payment platform blocking transactions that are not fraud.
This is an important concept. More you push to zero fraud, the more inconvenience you put on your customer. You can cut bunch of fraud if you only allow shipments to the billing address but then you inconvenience people who want to buy gifts, recently moved or have a vacation home. You can block all traffic from cloud providers but you'll end up blocking outbound proxies for people on military bases or corporate proxies.
Personally I'd like to see a move away from just giving your card details to a website and having them charge it for whatever they want. Because it just ends up that stolen details go around and get used for fraud easily.
Should be moving to a system where setting up payments with a new provider has them request access to charge you, and then on the bank app you approve it. Australia has this as a fairly new system called PayTo, where you can approve and later unapprove individual merchants the ability to charge you.
Brazils pix system as a similar mechanism, where a website can generate a code for payment, that you can copy or scan a qr code into your bank app, and then approve the payment.
Individual merchants barely get any information from you this way, and have no way of even trying to charge you more later.
99% of e-commerce merchants don't have hand the credit card informations. Its all passed on the front side by payment providers like Stripe or Braintree. Shopify merchants go further with a hosted payment page. Handling card numbers bring on a lot regulations for PCI.
Verifying they arent capturing input is difficult even if they use a processor.
The optimal amount of fraud is zero.
But fraud prevention is not free and has negative returns at some point.
I dislike it when people use "the optimal amount of fraud isnt zero", because it is wrong and makes the underlying problem harder to understand, which is that people like to overoptimize a single desirable property(fraud prevention) without considering other desirable properties(like ease of use and a low rate of false positives for legit transactions)
and of course, confiscating the fraudster's money without refunding it
eBay is full of fraud? What are you buying?
Maybe it's different by country, but I feel like fraud isn't a huge issue for the end user anymore. A couple times I've had random transactions on my account seemingly from database leaks / stolen card details, and every time the bank has either sent me a notification asking me to approve the suspicious transaction, or has refunded me the amount later.
As long as you don't initiate the transaction, you get your money back easily.
Card networks have the most reliable protections and guarantees, their systems and rules are designed around consumer trust in their brand and zero-liability (to consumers).
Last week the Dutch bank Bunq was also victim of unauthorised PayPal withdrawals: https://tweakers.net/nieuws/238190/bunq-neemt-maatregelen-te....
Recently I found out that one of my friends had his identity stolen, thousands and thousands drained from his bank accounts. After thorough investigation it was traced to a PayPal breach, and he had to fight hard to get them to admit it was their fault. He got everything back, eventually, but the whole process was a nightmare.
Do you know how this exactly went down? How can a PayPal breach result in money being stolen from a bank account? Genuinely interested to understand
PayPal very strongly tries to make you give them your full bank info (remember that the banking system has absolutely no security as the computer world knows it - this is a feature required for checking to work - so this means anybody with access to your bank id numbers in PayPal's records can do arbitrary transactions to/from your bank account). When I last used it it was possible to avoid on the buyer end and just use a credit card, but I haven't used it for years and I think it was different on the seller end even then.
Routing and account numbers have been on every check written for decades. Banks usually aren't quite that naive to let anyone with the numbers transfer whatever they want. There's name validation they can do, but legally/contractually IIRC it's optional. So the numbers + a lot of social engineering skill can do damage.
But I kinda suspect the ROI is higher for social engineering into an online account portal to Zelle a bunch of stuff around vs waiting for ACH transfers. Breach a login vs find an ACH list and transfer stuff out of the high-value accounts without triggering any flags (imagine you had access to that Paypal list - how are you trying to exfiltrate from millions of accounts without looking suspicious?).
I'll have to ask him for the details
I got once my PayPal account blocked due to negative balance, but there was no transaction in the history and not even customer support was able to tell me why my account went to minus. They even sent me fairly threatening email and the whole process felt like a scam attempt.
Later on I found out that it was due to a bounced transaction 3 months earlier, but the fee for bounced transaction was not reported anywhere and my PayPal account balance just got changed to -5 eur. I've closed my PayPal account directly right after this incident and never used PayPal again.
German, well West European, banks are slow in creating a competitor to Paypal, called Wero. https://en.wikipedia.org/wiki/Wero_(payment) I'm not implying they block Paypal because of that. It's good to have more competition and I wished my bank would take part.
The existing giro system is the real Paypal competitor. Most Europeans had access to Paypal-style money transfers before they had email. Merchants probably want to rely on another party to maintain their integration, but there is no real need for another centralized service similar to Paypal.
(The U.S. really is an outlier among developed nations in that its giro system is not widely used, and many residents would not even know how to access it. Hence Paypal's network effect can offer value there. Europe is very different.)
> The existing giro system is the real Paypal competitor. Most Europeans had access to Paypal-style money transfers before they had email.
Not at all, not even close! In most cases, that's wrong even today.
Want to sell something online? A book you wrote, a game you made? There's no way for people to pay you via giro and automatically receiving the good on the page where the payment process was initiated.
Giro is not instant, and almost no bank will offer an API that signals that a specific customer has transferred funds successfully. It always takes hours, and the confirmation process is almost always only semi-automatic for the seller.
Visa/MasterCard/PayPal/Twint/Tikkie/Wero have and will provide actual value. Giro was nice 15 years ago, but hasn't kept up.
And even for money transfers between two private individuals, giro is the inferior system - mainly because Euro banks fail at UX/UI. I don't know a single bank that offers an "address book" in their online banking app/website. If you want to send someone money, you better remember their IBAN yourself. And because the system comes with a degree of anonymity, you can't even send people money back! Their IBAN is not part of the metadata of an incoming transfer, the only way to send money back is to contact that person and have them send their IBAN.
I'm trying to think of any bank that I've used that would not have "address book"-like functionality, and I can't think of one. All of them have this, and have had the feature for as long as I've used their online banking. Perhaps the banks you're used to aren't very modern?
SEPA transfers are (at least mine have been) max. 1h until the transfer is complete (some limit this to "banking hours"). Instantaneous transfer is common.
It seems to me like there is great variety depending on what bank you use.
API's are common, and even the same between banks now with PSD2.
Tbh, a banking barcode (or EPC QR if you prefer) displayed on the seller's webpage with unique reference + reading it with your phone and making the payment is that internet payment method via giro. The webshop uses PSD2 open banking to get notified of new transactions and knows when it is transferred.
That's also not my experience. Giro was a nightmare compared to paypal 15 years ago and the only reason it slightly improved was regulations, not because the german banks cared about the customer experience. Now in 2025 Giro is dead as banks like DKB don't even hand out those cards by default. The system in germany is a big mess despite so many fintechs in germany.
> Now in 2025 Giro is dead as banks like DKB don't even hand out those cards by default.
Mastercard has started to punish banks that support Girocard by default, demanding that banks drop support.
This is not an issue with Giro or Girocard, but with the existing payment monopolies.
> a banking barcode (or EPC QR if you prefer) displayed on the seller's webpage with unique reference + reading it with your phone and making the payment is that internet payment method via giro. The webshop uses PSD2 open banking to get notified of new transactions and knows when it is transferred.
Yes, that's what I'm talking about. This is how services like Twint in Switzerland or PayPal in Germany have worked for the last decade+.
You're saying this is currently possible, with any arbitrary two German/European banks on either end? Your customer scans the QR code, hits a button, and the QR code is replaced by a download link, and the delay is <20 seconds?
Do you have a link for the tech stack to built this?
Should be, yes. As long as instant transfers are enabled (which, reading this thread seems to not be as common as I thought).
I don't have a complete solution but this is all public information.
Barcode to read with your bank app (guide is in Finnish) https://www.finanssiala.fi/wp-content/uploads/2021/03/Pankki...
Example Bank API: https://op-developer.fi/p/psd2-info
The user will likely take ~20 seconds to get their phone out, unlock it, log in to the bank app, confirm the transaction and set their phone down. The PSD2 API shows the transaction immediately (again, instant transfer being enabled is a prerequisite) and the seller can confirm that payment is complete.
? I open my bank app go to new transaction scan the IBAN of the seller and send the money. I think the time I made a paypall account added to the paypal transfer time is more then 20sec. I have my banking app anyway.
dude honestly no idea what your point is. since instant and free giro transfer with more or less 3 clicks is the death pf anything else.
why the fuck should I have an extra layer to my bank? Its insecure ;)
I would like to know are you american? This thread is about europe
I'm in Switzerland, and am a customer of several Swiss and German banks. Because of that, I mainly use Twint, and I hope for the rest of us that Wero turns out as well or better than Twint did 10 years ago. The change is long overdue.
The thing Twint (and Wero and PayPal) allows is really easy, fast, cheap (not PayPal) and secure (not PayPal) online stores. Scan the QR Code on screen, 1 second later your download link replaces the QR code. Done.
Now, I'd like to know how to do that with SEPA/giro. PSD2 and open banking sounds promising. You seem knowledgeable. Why doesn't anybody use that (or do you have an example for a online store using it)? How fast is it really?
And why did it take so long? Twint is 10 years old, iDeal is 20 years old, PayPal is 25 years old.
Because once you have those capabilities, you can do a small firmware update on credit card readers with a display, and you can pay by app everywhere - no credit card, NFC or Google/Apple/Samsung pay integration neccessary.
> Giro is not instant, and almost no bank will offer an API that signals that a specific customer has transferred funds successfully.
And because of that we have leeches like Sofortüberweisung. They basically proxy the web interface of your bank and you'll give them full access to your account, so they do the transaction for you by scraping your banks web interface (and your transaction history) and report success to the vendor.
> Sofortüberweisung
A reminder that Sofort is made by Klarna, the company that mandated usage of AI and fired 700 employees because of AI.
not any more: most of these Payment-Initiation-Services (PISP in EU-speach) do use the public PSD2 apis these days. In the dark beginning days, it was scraped, yes.
Giro was nice 15 years ago
What giro system are you talking about here? Do you mean the postal giro system that has existed in Europe since the 1960s and has been used for postorder shopping since before the Internet existed? That system was already obsolete in NL last century when we had the first digital invoicing systems via e-mail (and digital personal banking via dial-up), and we've had direct online payments via iDeal since 2005. Are you saying that some countries are still relying on paper-based payment instructions in 2025?
I don't know a single bank that offers an "address book" in their online banking app/website.
Conversely, I don't know a single online banking portal that does NOT offer such basic functionality. Santander, ING, and Rabobank all do.
And because the system comes with a degree of anonymity
What do you mean? Every payment in my bank's transaction history shows the account number on the other end of the transfer.
SEPA Instant Credit Transfer allows instant sepa transfers, and soon all transactions will be required to be ict if possible.
Banks have APIs you can integrate with, which e.g. KDE's money app used to support in the past.
The actual underlying transaction system is extremely well designed and reliable, it's just missing the nice APIs that other payment systems have.
Not quite exactly:
There was a earlier competitor much better than PayPal, called Giro-Pay: https://de.wikipedia.org/wiki/Giropay
It had all the stuff PayPal had at launch, also some of the feature made it into the eventually-died "Paydirekt" (which also died)
The main reason could be the high fragmentatin across the EU market.
Though, WERO, now we have a new appraoch, this time with support von ECB :-D
Austria has the state-run EPS system. It's very ubiquitous here, I use it for most online payments.
? IBAN transactions are instant and free.
All three of my banking apps offer adresse books.
why couldnt i sent money back? I see the sender and the IBAN
I can even in some cases cancell payments
where are you at?
me france germany italy and switzerland.
Are you from the states or canada? The parent talked about europe.
> ? IBAN transactions are instant and free.
Instant transactions are a very recent development and are only starting to become common because banks are required by law to support them for free come October. Up until rather recently instant SEPA transfers were often either not supported or came with additional fees attached.
Based on the replies I've been seeing in this post, I'm starting to think that my banks (or I've somehow lucked out) have been very proactive in providing users with desirable features.
Instant transfers have been the default for quite a while, and possible (for a fee) for as long as I can remember.
Online payments with instant confirmation have been really easy for 15+ years.
ideal will handle that. But it’s only in NL.
ideal is being shut down, and merged with German GiroGo/PayDirekt and Danish Dankort into Wero, which is what this entire subthread is about.
> Most Europeans had access to Paypal-style money transfers before they had email.
Bank transfers were not instant though, they usually took a work day. This is changing with the introduction of instant transfers, which become mandatory to support this year, and are also not allowed to be more expensive since this year also.
But the merchant got a signal that the money is on the way, so it was quick enough for them to sent out the package.
The U.S. really is an outlier among developed nations in that its giro system is not widely used
I wasn't even aware such a thing existed? Or do you mean Zelle, which seems to be some sort of hybrid system... It's not quite a giro system as found in most of EU, more like "PayPal, but built by BofA and CapOne"
I don't do much banking in the U.S. system, but I'm assuming that ACH transfers get you pretty close to a giro system. Apparently, they are quite slow by SEPA's standards.
Very slow. And not something consumers use to pay each other.
If I need to pay a friend, it’s Venmo or PayPal in the US. In theory Zelle too, but I don’t know anybody who uses it.
Wero is actually built to sunset Giro in the EU. Its built on top of Giro as to leverage the well working network but gives more convenience.
This is the first time I hear of „sunset“. Afaik it just is a layer on top and that’s it.
For merchants selling stuff internationally on the internet, none of those local systems are any use. You pretty much need to use Paypal or similar - or even wire transfers if you don't mind the delay and inconvenience to the customer.
German banks (and in general businesses) are amazing. They won't do anything until legally required to do so and even then will drag their feet. There has been instant bank transfers (transfers in 10 seconds) available for a while - launched in November 2017. German banks kept charging 1.5€ for this instant transfer or some didn't have them available at all. They didn't build any of these systems and yet this was their stand.
On January 9 2025, EU made it compulsory to have receipt of transfers instant and in October 2025 - sending too should be available at the same cost as the normal transfer. There's nothing stopping from implementing bot send/receive instant transfers in January 2025. Yet, some of these banks only enabled instant receipts in January and will make the sending available exactly on 8th October 2025, 1 day before the deadline. What a business mindset to have!
Have used them for a long time, never paid for them. GLS is a great bank, happy customer. The crappy ones like to keep your money in their books as long as possible.
The resistance against instant payments mostly has to do with technicalities around bank balance sheets and inter-bank settlement systems.
It's a bit complex for a comment, but the TLDR is:
* funds in transit (called "positive float") are held in the banks account, and can be used by the bank to earn interest
* liquidity management - there are a bunch of considerations here, but the longer settlement periods enable banks to do "deferred net settlements" (just paying each other the difference between all transactions in a batched way) and also helps balance sheets in other ways, making it easier to meet reserve requirements, smoothing out intra-day liquidity, etc
The delay also means systems have more time to catch fraudulent transactions, and to block them before they happen.
This comment is not towards you but there's always an excuse with the big German banks.
For example, during Covid when interest rates where negative - some major German banks like Commerzbank charged interest from customers when their balance exceeded an amount like 50000€. Now that the interest rates have gone up - they are not even close to passing on those high interest rates. The same Commerzbank now asks for 50000€ in assets otherwise they charge a 4.90€ subscription charge from their customers.
So yeah there might be technicalities but nothing stops those technicalities being addressed until the law does.
As a reluctant Commerzbank customer, there's some inaccuracies. The amount was 100k€ re: negative interest, and the subscription charge only applies if you're not moving a certain amount of money each month (which is very low, even unemployment payments would be enough to clear that hurdle).
So you're only paying for your second or third account.
> the subscription charge only applies if you're not moving a certain amount of money
This has changed since May 2025. Talk about inaccuracies ;)
Btw, as much as I appreciate the “correction” it doesn’t change overall direction of the comment.
> This has changed since May 2025. Talk about inaccuracies ;)
It has? I've never paid a subscription charge, and I've never been above that amount.
To be clear: I didn't mean they have to drag their feet. They just do it because they will lose some income.
> The delay also means systems have more time to catch fraudulent transactions, and to block them before they happen.
Which is complete nonsense as the transaction is actually forward-payed, and guaranteed by the central European bank, exactly for that reason.
So, in fact, the only reason why certain banks delay payments is so that they can keep the funds "in transit" to earn interests.
Plenty of banks don't play that game, so if your bank does, they are taking the piss and it's time to change.
Care to name those banks?
One prominent example is DKB (easily in the top 10 consumer banks by size)
Also a bank that thought it was a great idea to block all rooted Android users with a minor update to their app. Which is required to use their website. Fuck DKB.
There is also https://en.wikipedia.org/wiki/Digital_euro in the making. I think that would then also supersede Wero?
Portugal got mbway, Austria used to have paybox, there is iDEAL, sofort.com and generally besides the local country systems with de-facto European banks you get "SEPA Instant Credit Transfer" nowadays - however IBAN is "harder" to share than lets say the phone number your friends already got.
Wero is getting traction quite quickly in France (source: https://www.banque-france.fr/fr/a-votre-service/particuliers... + people around me).
Also: https://wero-wallet.eu/fr/utilisateurs
They never really had much of a reason to create a competitor. There where already plenty of alternatives once online shopping/payments became a thing.
Here you could do "cash on delivery", credit/debit card, account transfers (yes even across banks, it not as big an issue as US banks makes it) or you could send stamps (not a popular options).
There was never a need for PayPal or PayPal style services. These days it's safe to assume that people have a debit card (or MobilePay in the case of Denmark).
The + of PayPal was in 2005 when you could use it to hide your card number from the merchant.
But now, you can generate one-time use cards, which are safer than assigning a card on your PayPal account.
The other thing, is that you can do chargebacks more easily, when you buy on eBay, but this comes at the cost of higher fees (which is basically insurance)
Other than that, it's a platform that cannot be trusted
I can't speak to how other European countries did only payments, but you never gave your credit card number to the merchant in Denmark. It was always done via a 3rd. party payment provider, initially mostly DIBS, then came WorldPay and later many more.
Charge backs was also always fairly easily done via your bank. Though you did have to call them, so yes PayPal was/is easier. I don't know, the trust in PayPal was always really really low.
It was before 2006 (enforcement of PCI DSS), at that time, a lot of merchants just created and hosted themselves a payment form and stored bank card numbers themselves, numbers that they often collected on non-HTTPS pages
Because the banks are liable to fraud in Denmark, probably also other countries, they already had really strict rules for online payments. Denmark also has it's own national payment card "Dankort", and before 2006, you needed to accept Dankork as it was the most popular debit card. The Danish banks could make their own rules, separately from PCI DSS, and those where much stricter, so no http and only specially audited software was allowed to handle the transactions. The downside was a near monopoly from DIBS.
I strongly disagree. The main advantage of Paypal and the reason for its popularity in Germany was the fact that it provided instant payments at a time when credit cards were very uncommon.
Cash on delivery was a huge pain since you had to potentially large amounts of cash ready to hand over to your postman upon delivery. That's the opposite of convenient.
Alternatively you could pay by bank wire transfer, which of course led to an additional delay of a day or two until your transfer actually arrived at the sellers bank account. Nobody wants to deal with barriers like these in ecommerce. Paypal was a godsend back then. Remember, barely anyone had a credit card in those days in Germany.
At the time PayPal rolled out, the single feature that made it popular in the USA is that it provided eBay sellers an easy/cheap way to receive credit card payments from buyers. That is all. Any person could set up a PayPal and instantly start receiving credit card payments without setting up a vendor account with a credit card company (which was not trivial at that time).
Right. But that was only relevant because US customers wanted to pay by credit card (because of some combination of credit cards being good and other payment methods being bad in the US). Which was not the case in most of Europe.
> There where already plenty of alternatives once online shopping/payments became a thing.
Let’s say direct bank transfers are not counted. What alternatives are not based on Visa/Mastercard on global scale?
The "global" is the problem here.
Each country had a local solution. Direct transfers, or better direct debit, was the common way in Germany. You literally just entered your bank account number and that was payment, the seller would debit it from your account. Zero authentication, and it worked - never had a fraud issue (in the background, I assume sellers checked the delivery address against some database before accepting this, as the seller would ultimately be on the hook for any fraud).
Aside from manual bank transfers (seller ships when the money arrives 1-3 business days later) there were also two systems based on direct bank transfers. One (Sofortüberweisung/Sofort) was essentially institutionalized phishing - you give a third party your banking credentials, they log into your account, snoop around a bit, wire the money to the merchant using your credentials and confirm to the merchant that your account has enough money and the wire is happening. The other was a similar service but by the banks, so you'd log in directly at your bank to authorize the transfer.
Most other European countries had other local systems that covered this need, but there was nothing global. Globally, your best bet for small amounts is unfortunately likely still PayPal unless your counterparty accepts crypto. For bigger amounts, there is Wise and similar services (note that I've had a horrible experience with Wise - KYC asking for things that didn't exist, luckily before they had my money to hold hostage). Wiring directly to accounts with Revolut also works reasonably well.
For transfers within the Euro zone, a regular SEPA bank transfer is easiest, with the only "downside" that you need to ask for the destination IBAN rather than just a phone number or similar that some of the other systems support.
Global scale is different indeed.
EU scale there are tons of solutions: iDeal (expanding to EU from NL), Klarna, sofort..
Yeah, one could hope even more. E.g. MobilePay in Nordic countries take big fees because (based on my limited observation) most people just put their Visa/Mastercard in there.
You're probably referring to historically, but if not, it's worth noting that Klarna bought Sofortüberweisung
Mostly German.
The predecessor of Wero (iDeal) has been in use in The Netherlands for almost two decades. Nobody has credit cards here and everyone does online shopping with iDeal
To add, on top of iDeal (I think they're on top anyway, they're digital payment whatsits anyway) there's an age verification system using a similar protocol - where a website gets a "yes this person is >18" signal, nothing else, from the user's bank. And there's "tikkie" (payment request), allowing people to request money through a link and people's own bank account - no need for everyone to use the same apps or services like paypal or cashapp.
> where a website gets a "yes this person is >18" signal, nothing else, from the user's bank.
I am amazed on how this practical solution can't be implemented for age verification instead of all those ID uploads etc.
Because legislators don't understand how the internet works. Thats like the biggest problem. IMHO.
Wero looks very much like a bureaucratic paper tiger to me. I do not know a single person that uses it despite the massive advertising campaign they are running.
What really replaces Paypal in my everyday life is Revolut.
Half of Europe has widely used national systems for instant payments, the other half does not. The idea behind Wero is to unify this to one single system, available across whole Europe. For reference, I use these systems for like 80% of my online payments.
Of course nobody's using Wero now because the whole thing isn't really online yet, just a pilot program on a few websites with a few banks.
> As of November 2024, the service counts 14 million users and 8 million transactions were made
https://en.wikipedia.org/wiki/Wero_(payment)
8 million transactions in only a few months (mostly in France), I wouldn't say "nobody's using Wero"
mainly wrong:
WERO is an application/UI layer on top of SCT INST payment scheme, which adds some additional features like "send to email" etc. as well as other pay-specific features in the future (pay-per-request, which is also a defined way in the SEPA/EURO rulebooks and processing docs)
The product features sound nice. I'm all for anything that replaces Giropay.
Its alread built into my Banking app (Sparkasse). So if your Bank is a partner it takes like 2 minutes to setup.
Finland has MobilePay, it links bank accounts to phone numbers, very easy to use.
Poland has Blik, it's amazing and I wish it existed everywhere - you can pay someone using a phone number or you can generate a Blik number that you can give anyone else to request or send a payment - and it's instant. Most stores accept Blik payments, and I've paid using it in places where bank cards are not accepted or where there is no infrastructure to accept them - just use Blik.
It's like their 5th attempt and the naming gets worse every time.
Wero seems to be a more European solution, while previous attempts like GiroPay were national.
Looking at the Wero page, it's not very European if 4 countries are listed. I have never heard of it here in Slovakia, and none of our banks are listed, although some belong to the groups that are there. This will be a long process if it really wants to be European.
Maybe in Slovakia there is already an established payment system which uses instant bank transfers, so there is no need for Wero. Or maybe some countries are fine with PayPal (or similar) fees.
There isn't, people mostly pay by card or cash/card on delivery. Instant transfers started being an option but I don't think it's widely used.
Wait till you learn about iDeal. Basically flawless online payments for 10+ years in the Netherlands. Dominates the entire online and offline markets. No cards, no signups, just your normal bank account.
P.S. lives in Germany 5+ years and can attest its banks and online banking are generations behind its neighboring countries. A travesty.
It is worth remembering that PayPal not only handles payments but also provides a degree of assurance to receive the goods. A pure payment system does not. From a customer perspective this can provide real value as filing a claim with PayPal gets merchants definitely to listen more closely.
you could integrate such a function easy in any other payment product flow
> It is worth remembering that PayPal not only handles payments but
It is _also_ worth remembering that PayPal not only handles payments but _also blocks acounts based on random issues_. A lot of people lost access to their Paypal accounts. /s
Handle with care.
GP was talking about the assurance for buyers. The issues sellers face does not change what makes PP attractive to buyers.
This is exactly why compliance frameworks exist. When your security controls fail, it doesn't just affect you - it ripples through every organization that trusts you. German banks are right to be concerned. PayPal processes massive amounts of financial data, and if their security posture is compromised, everyone downstream is at risk. The real test of any security program isn't whether incidents happen - it's how quickly you detect them, contain them, and communicate with affected parties.
Last week my PayPal account was "permanently disabled" this also happened to two of my friends at the same time. Is anyone else going through this right now? When I looked it up on Reddit it seemed like a widespread error that started last week. Could it be related to this? Are there any steps I should be taking to try to get my account back? Any help here would be really appreciated.
I filed a dispute with Paypal that a merchant ran off with my money… Paypal nuked my account. No idea if the support agent hit the wrong button but I’m done with Paypal, no explanation or recourse. Filed dispute with bank on the Paypal charge and immediately got my money back.
PayPal security is amazing. It randomly locks people out of their accounts and randomly closes their accounts too, but actual fraudsters and criminals are never deterred.
I never worked for PayPal, but I did for a competitor.
Dealing with fraud is a red queen game: The fraudsters can keep trying until they find what gaps are there in your system, and will sometimes communicate with each other: Part of our defense system involved infiltrating some of those spaces and seeing the guides that were being sold to try to commit fraud in our platform. Meanwhile you will still have a false positive rate, and getting it all the way to zero means crazy fraud. Most people just don't get to see how much fraud is stopped before they know it exists. This isn't just for financial institutions: You'd be surprised by how much credential stuffing is attempted at, say, any very large streaming site which charges a subscription.
Without looking in, it's hard for me to say exactly how successful their security team is, but being as big as they are, and having probably thousands of people whose only job is to do fraud on their platform, winning has to be pretty hard.
The average person has no idea how industrialized fraud has become. There are essentially entire companies with management, support staff, IT, and office buildings whose business is fraud. It is sad when you think about how many resources have been poured into it.
My issue with PayPal is they've always been that way. I've come close to deleting my account on 4 separate occasions.
I've had one since shortly after their merger from the old X.com https://en.wikipedia.org/wiki/X.com_(bank) .
Per discussions on this thread, the singular reason people have tolerated their horrid service over the years they've been an effective monopoly in many locales.
> the singular reason people have tolerated their horrid service over the years they've been an effective monopoly in many locales.
This is correct. For some reason, many people (merchants surprisingly!) love PayPal and only accept payments through it, especially those outside the US and UK. Sometimes "guest payments" aren't an option, and that means you either get a PayPal account or don't purchase the product/service.
Just delete it. I used to have an account, and my experience using “guest payments” (which are usually, but not always, supported) is generally more reliable than logging in and paying.
This requires a bank that will issue one time use card numbers. PayPal is less friction for the benefit of proxying your credentials.
Or you just put your regular credit card number into PayPal and tell it that you want to check out as guest. There's a little option that you need to uncheck so it doesn't try to make you an account.
I did delete many years ago.
They blocked me claiming suspicious activity occurred in my account (just a low traffic personal account). Ignoring me wanting to know what suspicious activity was it and if it needed, or actually already was, reported to the authorities.
Unluckily this deletion does not hold well, occasionally with weird merchants only offering PayPal payment - credit card through PayPal - the paying fails using my old email used in the purchase and was used with PayPal before. They keep forcing me to log in. But can't! It is deleted!
I did not trust their sloppy ways then, the feeling is stronger now.
Yeah. I had always thought these AML/KYC stuff were just governments/people in power expanding their arms into normal people's lives. I still think they mostly are, but after learning how much fraud is happening, I'm not sure what a better solution would look like.
Strong digital credentialing—something the web has been surprisingly allergic to.
Because we've seen that as soon as it exists, it quickly becomes required for ridiculous things that shouldn't require any kind of authentication, either by data-hungry companies that want to better exploit their users, or by control-hungry governments.
Until that is solved, I'd argue that the benefits are not worth the costs.
If you actually stop and consider the culture and ethos surrounding the advent and spreading of the Internet, it's not surprising at all.
And if you stop and consider how corporations have been abusing that sort of thing every chance they got it is even less surprising.
Can't wait for them to abuse a non-anonymized internet.
I think I'll pass on that one. It is bad enough as it is.
Uh... it existed in South Korea at some point. And what happened next was exactly what everyone predicted: mass privacy data breach.
KYC is just box ticking by the bank, so they can claim to the government that they did try to stop money laundering.
>I'm not sure what a better solution would look like
Federal government provided electronic money accounts and transfer systems, along with federal government provided identity verification APIs, where the fraud requires defrauding the government. Basically, a government utility. They do it with passports, why not with digital travel?
Obviously, this has to go hand in hand with constitutional inalienable rights to protect people's access to electronic money accounts and identity verification.
It's fine to have a non-zero false-positive rate, when you then have an effective way to appeal decisions based on these false positives.
The lack of effective appeal seems to be the real problem with paypal.
The problem isn't the fraud, the problem is that they do not pay enough staff to deal with it which leads to legitimate accounts getting closed out and people not being able to do anything about it. Money seized, etc.
Amen.
Yup. My advice for using PayPal is do not unless you have no other choice. I just got my monthly account statement and, as usual, thankfully zero activity.
Though extremely innovative (for its time), it's been a slipshod org since inception and slipshod is a property you decidedly do not want in a payments processor.
My only use case for paypal is booking an internal flight in a country I visit annually because they do not accept my credit card, but will accept paypal. Literally the only reason I reluctantly got an account. The horror stories I've heard, I wouldn't put any serious money in there. And their drama during the heydays of censorship a few years ago, literally fining people $2500 for politically incorrect speech at the time, I couldn't believe sane people at the company thought that was an acceptable idea. I'd really like to know the inside story of that decision. We forget how crazy 2021-2022 was.
> My advice for using PayPal is do not unless you have no other choice.
This is literally their business model, which is why they are able to get away with so many shady practices. Until very recently they held a practical monopoly on web based international payments.
I concur. Thankfully, that's changing and changing very rapidly. I really hope to delete my PayPal account sooner rather than later.
Indeed. And it's not a recent phenomenon either. I lost my first ever paycheck to PayPal randomly freezing my account. Was never able to get it back. Never used it again
PayPal also appears to suffer data leaks more than anyone else. I use multiple email addresses for every service I sign up for. But of all all the spam email I get, 99% has my PayPal email on it, and I even have other email addresses posted publicly.
It's worse than you think. I've closed PayPal accounts and opened new ones with a different email address and PayPal updates the merchants who've been spamming me with the new email address. There's no legitimate technical reason PayPal can't use a mail relay with transaction specific email addresses to control spam.
Perhaps those are not leaks, but outright data sales
Happened to me with Moneybookers a few years ago. Started getting spam from various casinos at a unique email address. I contacted support and spent a few weeks explaining that, nobody could have gotten this email address unless they were hacked or willingly sold my address. After sending full dumps of the emails and a minor threat to go public with the information, suddenly the spam stopped.
Exactly. They're not leaks, they're sales
Didn't PayPal transmit the email to the merchant for every transaction?
Merchants are definitely selling email lists.
> but actual fraudsters and criminals are never deterred.
When my argument is kinda weak I love throwing in some hyperbole to spice it up.
The article is about $10 billion dollars in fraudulent transactions that PayPal has allowed that the banks had to catch themselves. Given that, it's hard to say the OP is speaking in hyperbole.
I would imagine that fraudsters are deterred sometimes.
How do you know they aren't one of the actual fraudsters or criminals?
Venmos's security is also A++. I made an account, sent some money, then my account was immediately flagged and closed for fraud. Nice.
Off topic: Venmo does not exist (?) in Europe land. What’s its appeal compared to PayPal or regular credit cards or even debit?
The Nordic countries all have bank-backed apps for instant transfers from a checking account indexed by phone numbers. It basically replaces every peer to peer transaction that would be cash in other countries (paying back a friend, buying something at a flea market, chipping in for a gift at the office...)
> It randomly locks people out of their accounts and randomly closes their accounts too,
yup, my paypal got locked after using it for over 20 years. Customer service refused to help and wouldn't even tell me why it was locked. I still get messages from paypal that they "couldn't get process subscription for X." won't delete my data either.
Scummy behavior from them on multiple levels.
Thank you for the reminder to move money out of Paypal, I get some money every month through Patreon to pay for server costs but keep forgetting about it.
What, you don't remember random details from all this time ago? I got locked out of mine as well and the questions to restore were ridiculous. How the hell would I know what transactions I did 15 years ago? And other stupid things like that.
Gave up on it after a while and now try to avoid it as much as I can. Good riddance.
They'll do what your government lets them get away with. Demand better regulation.
A few years ago when they suddenly switched on flawed mandatory TFA in my country, it took them nine months before they started to man phone support so people could get in. At about the same time they also implemented a policy to charge for having money left in your balance — when you couldn't access it! Add to that that hey had started with cryptocurrency. I cancelled my account (17 years) as soon as I could.
I'm a victim of such a fraud. It started gently on LinkedIn and ended up on http://fiverr.com that exploits PayPal to extract money from unsuspecting clients. I paid for CV editing service that was never provided. 60 euros gone and PayPal just accepts sellers side of the story.
http://fiverr.com is a scam. Don't use it. PayPal's support is a joke.
What's so specific to German banks ?
PayPal is the most important online payment service in the German market, with nearly 30% of online purchases made using the platform.
The sheer volume of PayPal and direct debit transactions in Germany magnified the impact of the outage compared to other markets.
With millions of potentially fraudulent debit requests appearing simultaneously, German banks chose to freeze all incoming PayPal direct debit payments. This was a necessary step to protect their customers from what appeared to be a massive, systemic fraud event.
Also protect themselves (or rather, PayPal's bank). These were almost certainly SEPA debits. Consumers could reverse unauthorized transactions (think "chargeback" but on steroids - customer says to revert, it gets reverted, no discussion) and their bank would then have to try to get the money from PayPal's bank, which would then have to get it back from PayPal.
I think the bank of the consumer is also completely automatically getting the money back. The risk is on the initiator if the payment (=PayPal).
Yes, I may not have described it well. The "try" only refers to "if the other bank is bankrupt, they get stuck with the loss" - they don't have to argue with the other bank. So unless PayPal's bank fails, it's a very simple process for the customer's bank.
In general, the bank of the entity initiating the debit will only let someone initiate debits to the extent to which they'd be willing to give them a loan.
The article is from a German publication, which is probably why the focus is on German banks.
Germany seems to actively resist to modernize on all electronic fronts. Banks still charge you for transactions and they take 24hrs plus while in other countries they are free for private accounts and within seconds. This lack on the market has made unregulated services such as PayPal big.
I've been doing online banking with German banks since at least 2002, and never payed a single cent in fees for transfers.
Funnily enough when I spent some time in Scotland in 2007 I opened a local bank account there, and OMG:
* they charged a fee for receiving a SEPA transfer from Germany
* they didn't give me a debit card or credit card, all I could do was withdraw money at the ATM or pay with paper-based cheques (!)
* when I asked them how to transfer money to my university, they looked at me quiet shocked and said "but their account is at a different bank!". The bank teller there didn't even know if they supported cross-bank money transfers, and had to ask a colleague. Turns out they did, but at exorbitant fees (25 GPB, iirc)
German banks aren't as modern as I'd want them to be, but transaction fees aren't a practical problem for most of us.
I'm not sure which bank you're using, but even Sparkasse and Commerzbank have long supported free SEPA ICT (and it's becoming mandatory at the end of the year).
Thank you. I'm not in Germany but could not withdraw to any (UK) banks for days. From Paypal that is. It is now restored but no entry in the list would show like it normally does.
Makes sense Germany would be particularly impacted, seems like the UK to agree was as well. It is restored now though.
Why do we use PayPal in Europe at all?
Because what is the alternative, with the same level of convenience and support by (online) shops? Genuine question, because I do not know any and would be happy to.
Wero is not supported by most shops (yet), Credit / Debit Cards often charge fees if the payment goes to a foreign country, direct transactions cannot be undone.
Theoretically the alternative is whatever collection of local mobile payments EMPSA[1] manage to shackle together, but they’re taking an exceedingly long time to do it.
[1] https://empsa.org/
Wow this headline is quite striking. I wonder what happened all of a sudden for their fraud checks to fail. This is exactly the kind of issues where we could use insight from some insider. I am somehow not super optimistic that PayPal will publicly respond to it
Serious (aside) question. If you have MFA turned on then you’re safe enough right? I don’t use my account very much but sometimes it’s useful.
> If you have MFA turned on then you’re safe enough right?
Many of these payments (or would-be payments) are automated, so MFA doesn't play a role. i had automated payments get blocked yesterday for the first time ever and thought it was just my problem until seeing this thread.
Is PayPal common in Europe? I don't know anyone who still uses it in the USA.
Yes. Im European. Everytime I'm out in a group and someone pays for everyone, they always ask for money via paypal, and I'm always the only one who doesn't have an account.
Crazy Venmo and Cashapp are all anyone in the USA uses for passing money to each other.
To be fair, Venmo is owned by PayPal...
paypal is trash, if you have issues, they can hold your payments or does whatever they want to you and you have very little recourse. They make up all the rules as "regulations". A lot of times there is no choice but to use them.
In April the German state wanted 30,000 technocrats to use Libre Writer.
[1]:https://blog.documentfoundation.org/blog/2024/04/04/german-s...