Here’s what happened
My friend sold something he wasn’t using on eBay Kleinanzeigen for ~400 EUR. The buyer used Paypal to transfer the money from someone else’s account to my friend. My friend then shipped the goods.
Here’s what Paypal did
The next day, the real owner of the account filed a claim against my friend through Paypal. Paypal looked at the details of the case and refunded the money to the real owner of the account. My friend is now short ~400 EUR.
Here’s where Paypal is wrong
Even granting that the real owner of the account inadequately protected their Paypal password and caused the failure in the first place, the real problem here is that Paypal also did not do enough to safeguard the financial interests of its clients.
If their anti-fraud systems are supposed to be so good, then when those systems fail, they probably should also own some of the liability for their (in)action.
Or, put another way, if you only punish sellers when your system safeguards were inadequate… well, guess who won’t bother using you in the future?
And, if account holders have no incentive to improve their password hygiene, not even a symbolic $5 charge for online stupidity… well, guess who won’t be improving and varying their passwords in the future? This actually makes all of us less safe.
Paypal’s primary business is not really to handle money; its primary business is to broker trust.
This kind of failure spreads via network effects as well: my friend got screwed, I tell my friends he got screwed, and by whom; the account holders get screwed temporarily, you refund them, but they still tell people they got screwed.
Here’s what Paypal still refuses to do
1. Implement usable, native two-factor authentication (2FA), either via SMS, within their own app, or tied to Google Authenticator. No one uses Symantec’s authenticator, or wants to.
2. Require this to happen when a person hasn’t used Paypal in 30 days or logs in from a new computer.
3. Require this before any transfer over $50 occurs, regardless of whether it is a personal transfer or a purchase of goods.
4. Apply and enforce 2FA unilaterally, in 2017.
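What rules 2 and 3 amount to is a step-up authentication policy: a plain login on a known device passes, but a dormant account, a new device or a transfer over the threshold must present a second factor before the money moves. The following is an added example of such a policy, with an RFC 6238 TOTP verifier of the kind Google Authenticator implements; it is not Paypal’s code, and the `known_device` flag, the `Context` fields and the demo secret (the RFC’s reference key) are assumptions for illustration.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

STEP_SECONDS = 30          # TOTP time step (RFC 6238 default)
INACTIVITY_DAYS = 30       # the post's "hasn't used Paypal in 30 days"
AMOUNT_THRESHOLD = 50      # the post's "any transfer over $50"

@dataclass
class Context:
    days_since_last_use: int
    known_device: bool      # assumed: derived from a device cookie / fingerprint
    amount: float           # transfer amount; 0 for a plain login

def step_up_required(ctx: Context) -> bool:
    """Rules 2 and 3 of the post: dormant account, new device, or a large transfer."""
    return (ctx.days_since_last_use >= INACTIVITY_DAYS
            or not ctx.known_device
            or ctx.amount > AMOUNT_THRESHOLD)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current 30-second step."""
    return hotp(secret, now // STEP_SECONDS)

def verify_totp(secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift.
    Constant-time compare; a real deployment also rejects replays of a used code."""
    counter = now // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + k), submitted)
               for k in range(-window, window + 1))

def authorize(ctx: Context, secret: bytes, submitted: Optional[str], now: int) -> str:
    """Return 'allowed', 'challenge' (second factor needed) or 'denied'."""
    if not step_up_required(ctx):
        return "allowed"
    if submitted is None:
        return "challenge"           # money must not move until the code is verified
    return "allowed" if verify_totp(secret, submitted, now) else "denied"

DEMO_SECRET = b"12345678901234567890"  # constructed: RFC 6238 reference key
if __name__ == "__main__":
    sale = Context(days_since_last_use=0, known_device=True, amount=400.0)
    print(authorize(sale, DEMO_SECRET, None, 59))                   # challenge
    print(authorize(sale, DEMO_SECRET, totp(DEMO_SECRET, 59), 59))  # allowed
```

In the incident above, the 400 EUR transfer would have stopped at the challenge step, which the real account owner could not answer from a stolen password alone.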
In this case, and probably many others: by the time the money was transferred, it was too late for the real account owner to do anything. And for my friend, everything appeared to be OK, so he shipped the goods.
This is pretty much the opposite of how digital money should be handled.
This blog post will probably have no effect
It’s been pretty obvious, for years, that Paypal doesn’t really give much of a shit about its customers’ security. Just like eBay, their parent company, doesn’t give a shit about unifying their User Preferences system or improving their website in general.
This all flies in the face of all of the advertisements I’ve seen Paypal put up around Berlin: Paypal ist das neue Geld.
Paypal is the new money? No, thanks. In this case, it is worse than cash on delivery.
ps. Also, Paypal needs to stop wasting its money on advertising. Fix your systems first, and build trust, be like N26 (but don’t you dare try to buy them).