How PayPal and Apple’s Fraud Policies Punish the Honest User (lockergnome.com)
135 points by MattRyanLG on Feb 28, 2012 | 72 comments



Curious that Paypal is getting the hate in the comments here: when did they threaten to permaban him from his software?

Anyhow, constructively, you want to escalate to paper on both your bank and Apple (maybe Paypal as well, your call). Start getting an evidence trail together with certified mail, return receipt requested. Apple will kvetch a bit but they (and virtually every other large company) understand the difference between that and a phone call, which you should stop doing immediately, because the contents of them are known to be totally opaque to judges.

You probably won't have to sue anyone, but the demonstrable capability of suing will cause them to escalate this issue internally very, very rapidly.


1. Depending on the jurisdiction, you may ask to record a telephone conversation.

2. Keep a written journal of conversations on the telephone. A paper journal. Dates, times, phone numbers called, full name of person spoken to and their title, matters discussed.

When two parties turn up, it's frequently the case that any admissible written evidence trumps verbal recollection.

(Of course, IANAL and TINLA).


That second one is really good advice and the first one is really good advice if you're careful and savvy about it. However, they're both strictly dominated by doing (important) business only on paper. If you really need something resolved, the extent of your phone calls should be finding out what their mailing address is. (And I only say that because the people I used to help with this were mostly non-technical. Most of y'all could Google up the right info in your sleep.)


> However, they're both strictly dominated by doing (important) business only on paper.

Agreed. Writing with two signatures trumps writing by one party, which trumps verbal memories of either party.

I refer readers to the pre-eminent scholar of such matters vis-a-vis minutes, Sir Appleby:

It is characteristic of all committee discussions and decisions that every member has a vivid recollection of them and that every member's recollection of them differs violently from every other member's recollection. Consequently we accept the convention that the official decisions are those and only those which have been officially recorded in the minutes by the officials, from which it emerges, with an elegant inevitability, that any decision which has been officially reached will have been officially recorded in the minutes by the officials and any decision which is not recorded in the minutes has not been officially reached even if one or more members believe they can recollect it, so in this particular case if the decision had been officially reached it would have been officially recorded in the minutes by the officials. And it isn't so it wasn't.


Or, in the words of Linton Barwick:

- Get a hold of those minutes. I have to correct the record.

- We can do that?

- Yes, we can. Those minutes are an aide-mémoire for us. They should not be a reductive record of what happened to have been said, but they should be more a full record of what was intended to have been said.

In The Loop — http://www.script-o-rama.com/movie_scripts/i/in-the-loop-scr...


> You probably won't have to sue anyone, but the demonstrable capability of suing will cause them to escalate this issue internally very, very rapidly.

Not even slightly true. They don't care. The cost of the occasional lawsuit is baked into the system cost already.


So my background in this is in consumer debt issues, largely dealing with banks, CC companies, and debt collection agencies. In my pre-HN days, I spent a lot of time hanging out on a message board for folks who had issues with that, after having a credit report that got totally trashed because of a poorly chosen hash function causing my identity to collide with someone else's. Because I have really screwy hobbies I would write letters for folks to send to their banks.

Add the two dozen letters I had to send for myself and I have personal knowledge that this definitively resolved the issue in 40+ cases, in many cases jumping over "our policy is to never...", "you can't do that", and collections at fairly advanced stages.

It is entirely possible that Apple is a tougher nut to crack than BoA or Capital One, but that is not the way that I would bet.

Edit: By the way, this is a catchphrase for me: bureaucracies are state machines which take paper as input and return outcomes you want. Hackers should be comfortable with paper. Consider it an opportunity to demonstrate your ability to hack non-technical systems.


> after having a credit report that got totally trashed because of a poorly chosen hash function causing my identity to collide with someone else's.

I would love to hear more about this. Do you have a blog post or other online posting that describes what happened in this case?


I do, but given that I discussed my personal financial situation and other thoughts pseudonymously a lot on that forum, I'm going to ask that you respect my privacy and not dig for it.

The brief sketch: credit reporting agencies have Seriously Hard Problems (TM) in determining which identity to associate with an incoming piece of data. For example, suppose you have a file on a Patrick J. McKenzie who once lived in Chicago. You get a report from a hospital that a P.J. MacKenzie in an unspecified town in Illinois (not the actual guy) stiffed them on a $250 medical collection. They sold the debt to a debt collector who, having run a skip trace, determined that I am probably him, and they've reported the debt against my information directly. Do you merge those two identities? By the way, he's also delinquent on $100,000 in other debts.

This sort of thing happens all the time in credit reporting. See my blog post regarding "names are hard."
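The identity-collision problem described in the comment above, as an added example that is not the commenter's code and not any credit bureau's real matching logic. The Soundex routine is the standard American Soundex; the `loose_key`, `loose_match` and `conservative_match` functions and the three sample records are constructed here for illustration. It shows how a lossy matching key merges "Patrick J. McKenzie, Chicago" with "P.J. MacKenzie, somewhere in Illinois", and how a matcher that fails closed routes that same record to human review instead of merging it.

```python
import re

# Constructed sample records (hypothetical, not real people or real bureau data).
FILE_RECORD = {"first": "Patrick", "middle": "J", "last": "McKenzie",
               "city": "Chicago", "state": "IL"}
INCOMING = {"first": "P", "middle": "J", "last": "MacKenzie",
            "city": "", "state": "IL"}          # the actual debtor: town unknown
OTHER_GUY = {"first": "Patrick", "middle": "J", "last": "MacKenzie",
             "city": "Chicago", "state": "IL"}  # same city, different surname

_SOUNDEX = {c: d for d, letters in (("1", "BFPV"), ("2", "CGJKQSXZ"), ("3", "DT"),
                                    ("4", "L"), ("5", "MN"), ("6", "R"))
            for c in letters}


def soundex(name: str) -> str:
    """American Soundex: first letter plus three digits, e.g. 'Robert' -> 'R163'.
    It deliberately discards information, which is why distinct surnames such as
    McKenzie and MacKenzie collapse to the same code."""
    s = re.sub(r"[^A-Z]", "", name.upper())
    if not s:
        return ""
    out, last = s[0], _SOUNDEX.get(s[0], "")
    for ch in s[1:]:
        if ch in "HW":            # H and W do not separate same-coded letters
            continue
        code = _SOUNDEX.get(ch, "")
        if code and code != last:
            out += code
        last = code               # a vowel resets the run (code becomes "")
    return (out + "000")[:4]


def _norm(value: str) -> str:
    return re.sub(r"[^a-z0-9]", "", value.lower())


def loose_key(rec: dict) -> tuple:
    """Hypothetical lossy matching key: surname Soundex, first initial, state.
    Cheap to compute and index, but it merges anyone who merely sounds alike."""
    return (soundex(rec["last"]), _norm(rec["first"])[:1], _norm(rec["state"]))


def loose_match(a: dict, b: dict) -> bool:
    return loose_key(a) == loose_key(b)


def conservative_match(a: dict, b: dict) -> str:
    """Return 'merge', 'no_match' or 'review'. Merging requires an exact match on
    normalised full first name, surname, city and state; if either record lacks
    a full first name or a city, fail closed and hand it to a human."""
    for field in ("first", "city"):
        if len(_norm(a[field])) <= 1 or len(_norm(b[field])) <= 1:
            return "review"
    same = all(_norm(a[f]) == _norm(b[f]) for f in ("first", "last", "city", "state"))
    return "merge" if same else "no_match"


if __name__ == "__main__":
    print("loose match:", loose_match(FILE_RECORD, INCOMING))            # True (wrong)
    print("conservative:", conservative_match(FILE_RECORD, INCOMING))    # review
    print("conservative:", conservative_match(FILE_RECORD, OTHER_GUY))   # no_match
```

The point of `conservative_match` returning three outcomes rather than a boolean is that an incoming record with too little data to decide should never auto-merge onto an existing file; the expensive path (manual review) is the safe default, and the cheap lossy key belongs at most in a candidate-generation step, never as the final decision.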


> The cost of the occasional lawsuit is baked into the system cost already.

The cost of an "Apple can disable your computer" (true, or not) headline may be substantial and more convincing.


> They don't care. The cost of the occasional lawsuit is baked into the system cost already.

The cost of run-of-the-mill settlements is baked in, but if they do not quickly and decisively handle every claim, then a person who claims $10M will automatically win. So large companies usually have staff whose job is to clean up disputes with some degree of competence.


Why is PayPal even in the title? They seem to have handled the case fine. Yeah, the additional freezes probably weren't necessary but it was Apple who went completely crazy.

A user was hacked so they stop allowing him to update their software?! So that it can more easily happen again?

And they will revoke his account (and license?) that allows him to use the software he bought?! This is like a horror story written by Richard Stallman.

EDIT: On second thought, why do you even need an account to update the software? When I'm updating my Ubuntu, it's the software that's signed so that I can trust the repository. The user is not signed so that the repository can trust them; you can stay completely anonymous. Hell, even Microsoft never required me to jump through any sort of hoops to get updates. I once had to verify my key, that's it. Does Android require a Google account to use the market and get updates? Even if it does, you can still get an anonymous one.

Why would anyone need my name to update their own software? It happens to run on my computer but that doesn't change anything.


> And they will revoke his account (and license?) that allows him to use the software he bought?! This is like a horror story written by Richard Stallman.

Hardly. Valve has been doing this with Steam for years. Microsoft does it with Xbox Live. It's the main caveat of a managed environment, sometimes the manager makes the wrong decisions.

This might be bad or distasteful, but it's not novel or unique. It's par for the course when it comes to software distributed through a central DRM system.

> Does Android require a Google account to use the market and get updates? Even if, you still can get an anonymous one.

You can do that with iOS too. Likewise, if Google decides to revoke your access to your Gmail account that all your Android purchases are associated with, because you violated Gmail policy perhaps, you would be in the same boat.

Once again, not unique to Apple. Par for the DRM course.


I don't think you've actually disagreed with the original point in any way. :)

As you point out, Steam and Xbox Live have exactly the same disturbing retroactive revocation property that Apple does; that doesn't make it any less of a horror story, just more disturbing that people put up with it. (I suspect people mostly just don't think about it, because it probably won't come up for them.)


But so do Android Market purchases, and any other managed DRM system. You put up with it just like everyone else. Where I disagree is my level of concern. I have plenty of games on Steam and plenty of purchases on the iOS and Mac app stores. It doesn't bother me because it's status quo. I got over it quite some time ago.


No, I don't. :) And the ease with which this can become "status quo" makes it that much more of a horror story.


Fair enough, I just assumed from the Android comment. IMO you're making your own life harder for dubious benefit, but whatever floats your boat.

It's true that if you use no digital services and buy almost no mobile apps, you can avoid this. That kind of blows, though.


I didn't comment on Android, though in the case of Android you can at least bypass the Android market and install arbitrary apps without revocation. (I don't have an Android device, though; still looking for a comparable replacement for my n900, since it won't last forever.) I use quite a few digital services, just not any that control my access to bits I've already purchased. And I use a pile of mobile apps, all FOSS.


I wouldn't even consider the entirety of mobile apps ported to the N900 a pile, but whatever. GP commented on Android and you followed up pretty directly, so I just assumed.

True, I should have said the vast majority of popular digital services, not ones targeted towards the kind of people that would use an N900 to make a point.


At the time I wrote my comment, the original post hadn't actually mentioned Android; that appeared in a later edit.

> True, I should have said the vast majority of popular digital services, not ones targeted towards the kind of people that would use an N900 to make a point.

https://en.wikipedia.org/wiki/No_true_Scotsman ? :)

I don't think services offering the not-quite-purchase of data represent "the vast majority of popular digital services". Also, services like Netflix don't have this problem, since they very clearly position themselves as analogous to a rental, not a purchase. iTunes, the Android Market, Xbox Live, and Steam all very much position themselves as purchasing mechanisms, which makes the ability to retroactively revoke purchases unacceptable.

(And I don't use an N900 to make a point; I use it because it does the things I want it to do better than anything else I've tried, and that includes Android devices. I only mentioned it because you seemed to assume that since I didn't use iTunes or Android I must not use mobile apps at all.)


> At the time I wrote my comment, the original post hadn't actually mentioned Android; that appeared in a later edit.

Ahh, makes sense.

> https://en.wikipedia.org/wiki/No_true_Scotsman

I'm looking at the truest scotsman in the world right now.

> I don't think services offering the not-quite-purchase of data represent "the vast majority of popular digital services".

I would, assuming you aren't counting rental services. Netflix isn't really the same thing. I'm referring to purchasing digital goods tied to an account.

> And I don't use an N900 to make a point; I use it because it does the things I want it to do better than anything else I've tried

Right...

> and that includes Android devices. I only mentioned it because you seemed to assume that since I didn't use iTunes or Android I must not use mobile apps at all.

Nope, I assumed you use an N900 or something similar the moment you said you didn't use an Android device. You seem like the type. I stand by my original comment, there are very few mobile apps published for MeeGo. I didn't say you utilized no mobile apps, I said a small handful. Still true. Hell, for MeeGo a handful might even be overly generous.


Gotta love the "run through and downvote everything I said" response because I was being honest. I guess a certain HN member is channeling reddit a little today.


Certainly wasn't me; users don't even have the ability to downvote replies to their own comments. I do find it surprising that someone would systematically downvote everything you said (and AFAICT systematically upvote everything I said in the process). I certainly don't think your comments need to disappear; mostly I'd say "I resemble that remark". :) I've upvoted them to compensate.


I realized after I posted it that the "certain person" remark made it sound like I was accusing you. I wasn't, I literally meant a certain person, as in some random other user.

Either way it was a very nice gesture. Cheers.


> Hardly. Valve has been doing this with Steam for years. Microsoft does it with Xbox Live.

Which is disturbing, but when it regards software your livelihood depends upon, not "just" games, the story gets that additional oomph.

> Once again, not unique to Apple.

Sure, but the article is about Apple.


> Which is disturbing but when it regards software your livelihood depends upon

I like the implication that nobody's livelihood depends on a game. Of course nothing could be further from the truth. I'm sorry, but to find it disturbing it kind of has to be novel, and it's not.

IMO it's pretty sad that what is supposedly a community of developers is "shocked" by something that has been going on for years now on plenty of platforms, including iOS and Android. You might still have a problem with it but it shouldn't cause an incredulous reaction like that.

> Sure, but the article is about Apple.

I'm not discussing the article, I'm discussing your incredulous reaction like this is something out of some dream. It's not, in fact there is tons of precedent for it.


> On second thought, why do you even need an account to update the software?

From what I can tell, it seems to be largely based on having a record that you've checked the box that says you've read their legal agreements.


Interesting thought. But MS deals with that by showing you an agreement when you first run Windows, do you need anything more nowadays?


So:

1) Someone steals his PayPal account and uses it to buy a bunch of stuff on iTunes

2) He reports the fraud to PayPal, which refunds all of these payments to him

3) He reports to Wells Fargo that PayPal has engaged in fraud by taking these payments to fund his PayPal account, which is a false claim -- the transfer to PayPal was authorized as a funding source and PayPal was already handling the refunds

4) Three months later, PayPal gets hit with a bunch of disputes from Wells Fargo to take back money that's already been returned, double dipping and creating major hassles for them. Wells Fargo is, essentially, stealing from PayPal on the basis of this person's old false claim. PayPal flags the account.

So PayPal did everything right: they were available for immediate contact, were "courteous and helpful", promptly reversed the fraudulent payments to iTunes, and his account was left in good standing while he was made financially whole. What more could they have done?


"He reports to Wells Fargo that PayPal has engaged in fraud by taking these payments to fund his PayPal account, which is a false claim"

No, he didn't. In his own words:

"I told the representative there that I had reported the claim through PayPal, but wanted it noted that the charges made on my account that day were fraudulent in nature. The representative appeared to understand, and helped me make record of the incident."

The problem isn't with PayPal or his bank, as they'd eventually sort out the ping-pong notifications. The real problem is with Apple's draconian policy of taking all of a customer's purchases and data away from him if fraud reports occur on three or more occasions, regardless of why they occur (such as in this case with ping-ponging notifications between Wells Fargo and PayPal).

It's yet another reason to not trust your life to the cloud, and always procure a separate, pirated copy of your purchased software so that nobody can take it away from you.


Thank you. Again, PayPal got credit where it was due in the article. The problem is because one company doesn't mesh well with another, not so much that PayPal was in the wrong. If anything, I'd say Apple was the one that left me with a sour taste in my mouth. PayPal to a lesser degree, though I do understand now why people are cautious about trusting their money to it.


> and always procure a separate, pirated copy of your purchased software so that nobody can take it away from you.

Don't pirated copies of software usually come with all kinds of nasty spyware and trojans?


No, but good job on buying the copyright lobby's threat-mongering.


I'm trying to remember where I heard this before. I can't say for sure but I thought a few friends had this issue. It would seem to make sense though, wouldn't it? It'd be easy to spread Trojans by adding them to pirated software.

If it's not the case, what is it that keeps botnets from abusing file sharing?


PayPal informed me that I have to file a claim through my bank for the amount that had rolled over to the bank. PayPal ONLY refunded me the amount that PayPal didn't send to my bank. I'm sorry if that wasn't clear in the article (there were two paragraphs about it), but those are the facts.

PayPal was fairly good throughout the ordeal. It's the internal policies that conflict and caused further issues down the chain. I can only do what the CSR advises.


Amazing. I had no idea Apple could just arbitrarily (or even with great reasons) decide to shut down your Apple ID, killing your software and disable a lifetime of DRM protected music, ebook and application purchases. Reminds me of how you now must show a passport to leave the US and being behind on your child support is cause to prevent US citizens from leaving the country, just as if they lived in East Germany. Starts out, oh sure, we need this system to check to make sure you're not some kind of criminal. Then it is used for arbitrary control and enforcement of the whims of a cold centralized bureaucracy.

Cough cough Stallman was right cough cough.


Still worse, if you're an indie iOS developer they can yank your entire living out from under you without explanation. This happened to me this year, I suspect because I made some app store purchases while traveling abroad. They disabled my ID and refused to even tell me why and only reinstated it after a long and arduous exchange with support.

I really enjoy developing for iOS but this was a sobering experience.


There are no "indie" iOS developers, because iOS developers are not independent. There are only "iOS contract developers", paid on a royalty basis, but retained at-will by Apple.


Is it common to use the same Apple ID for personal purchases and your business app development?


It sure seems like a bad idea now, doesn't it?


I know a lot of devs. For the ones who do it full time, almost none of them do this.


> you now must show a passport to leave the US

Since when do you have to show a passport to leave the US? All you have to do is prove that you are eligible to enter the country you are traveling to. (This is strictly a money thing: the airline doesn't want to transport you to another country where you'll be refused entry, because then they'll have to fly you back, which costs them money. So you show a passport at checkin and they save money, making your ticket cheaper.)


That's when you check-in and get your boarding pass issued. After that, many countries (not sure how it works in the US now) have an immigration check point where you're supposed to show your passport (probably to check if you've overstayed on your visit). Some places don't have this check - I noticed that London doesn't. I'm guessing America started enforcing this check as well recently.


The US does not have exit immigration. Airlines have to ask for your passport to ensure that you meet the entry requirements of your destination country. If an airline transports a passenger who is then denied entry, that airline will be fined and on the hook for getting the passenger out again. Generally they can recoup these fines from the passenger but it's a pain and they don't want to deal with it.

The EU and Japan, for instance, do have exit checks. These are done by the relevant immigration bureaus. The passport checks performed by airline personnel are completely different and bear no impact on one's ability to leave the US.

As an aside, this is the reason that most international connections at US airports require a visa. US airports (with LAX being the sole exception, AFAIK) have no way to monitor anyone leaving the secure area. Nothing would stop passengers in transit between international flights from simply leaving. Connecting in, say, Tokyo-Narita doesn't require entering Japan because everyone in the secure area has either exited Japan or is in transit in the sterile zone.

The only exception is passengers on Air New Zealand's Auckland-LAX-London run and Air France's Paris-LAX-Tahiti flight, though I may be wrong. Special arrangements have been set up for these flights.


> The EU and Japan, for instance, do have exit checks.

Not if you leave from an airport in the Schengen area to another Schengen airport.

Some airports may check your ID (and determine if it matches your boarding pass) before allowing you into the restricted, passenger only area. But others don't. In Vienna and Zurich you just automatically scan the bar code on the boarding pass and an automatic gate admits you. Some of the gates now even have automated gates where you scan your boarding pass and get admitted to the plane.

There is also no entrance check, when you arrive from a Schengen airport.

I usually don't need an id when flying within Schengen (Prague being one of the exceptions), just the boarding pass, which I usually print at home.

Please note that I don't recommend not carrying ID, even if you're usually not asked. If they do check at the gate, you're quite obviously not boarding when you don't have a valid ID.


Schengen is a lot like the "states" of the US. If I want to travel from New York to Illinois, there is absolutely no government intervention.

Schengen is a great system. I've taken the train between Denmark and Germany and it's not much different from commuting to work in the same city :)


Of course, excuse my Amero-centrism. I should've written that the Schengen Zone does not have exit checks, which is what I meant when I mistakenly wrote "EU."

I miss my time in Europe. Flying around Schengen nations is so much easier than between states these days.


> The US does not have exit immigration.

That's not entirely accurate. Since the arrival of the US-VISIT program, visa holders need to record their departure. At least at some locations and times, this was done with a mobile "pseudo-checkpoint" near the gate area. You weren't required to talk to them, though.


Ah, I wasn't aware of that requirement for foreign citizens leaving the US.

I suppose my comment should be revised to say "The US does not have exit immigration for its own citizens."


The US only has immigration and customs checkpoints on the way in, not on the way out.


> Reminds me of how you now must show a passport to leave the US and being behind on your child support is cause to prevent US citizens from leaving the country, just as if they lived in East Germany.

Curious, what country did you travel to that you experienced this?

Driving across the border to Canada recently I did not have to talk to or interact with anyone from US Customs.


I should point out that Apple no longer offers any music with DRM.


The Japan iTunes music store is still mostly FairPlay-protected.


The Paypal dispute policy is broken in my opinion. Admittedly we've only had a few disputes (in the region of ~10), but without fail the disputer ALWAYS gets their money back.

The worst case we had was when one customer made a payment to us, and we got an email saying the payment was on hold whilst Paypal authorises and investigates this payment.

A day or two later we got an email from Paypal saying their investigation is complete, and we can ship the item. We sent our software license off to the buyer and within a couple of hours they disputed it and won all their money back the next day.

Paypal each time make us feel like there's nothing we can do, there's no dialogue, there's no acknowledgements, it's extremely frustrating sometimes.


I've had the opposite experience. I also sell intangibles like software, and win virtually all disputes. The PayPal Buyer Protection Policy does not cover services and virtual goods. Simply escalating to a claim and writing "NON-TANGIBLE, SERVICES" in the tracking number box gets it closed in my favor 90% of the time when someone is lying to get the service or software for free.

http://i.imgur.com/GEY70.png

http://i.imgur.com/IQlA9.png

http://i.imgur.com/vHAsP.png

...etc. More transparency and human interaction would be nice, but I don't think PayPal could do much better from a policy standpoint. They provide a platform to self-mediate disputes, and they provide a system to resolve some easy disputes over physical goods under policies that protect both sides. But beyond that, what could they do? There's no simple way for them to decide whether you scammed that buyer or they scammed you. If they don't give you the money, they take themselves out of the equation and it's up to you to resolve the dispute in small claims court, where it belongs -- in front of a judge, not a 3rd party's customer service team.


It turns out the author of the article used to work at Apple in customer service. (According to his Google+ page https://plus.google.com/112301869379652563135/about)

But he makes no mention of this in an article that speaks largely about the customer service of Apple and PayPal.

I find this pretty disingenuous, and regardless of whether his story was factual or not, it takes the wind out of anything he's saying.


Here's a tip: Don't use PayPal unless you absolutely have to. PayPal has taken to treating its customers as badly as many large banks.

Many credit card companies are very proactive about fraudulent purchases online, and I even had Discover call me when they noticed a series of small purchases on iTunes. It turned out it wasn't exactly fraud (my 5yo on a home computer I hadn't signed out), but I was able to cut it off and I'm sure they saved me a bundle of money.


I've had experiences dealing with fraud from both PayPal and Bank of America recently. BoA were easy to get on the phone and refunded my money instantly. PayPal won't let you speak to a human, and after a week or so of going back and forth determined that it was acceptable for me to be overcharged for an item as long as I got the correct item in the mail.

Using a real credit card (not debit) gets you a great deal of protection and is a better option than ever using PayPal.


> PayPal won't let you speak to a human

Really? I've spoken to humans at PayPal many times. When I call, I don't even have to navigate a phone tree or wait on hold, someone just answers. The people I talked to were helpful and knowledgeable about their service and handling problems (which is what I called about, some weird customer that sent a bunch of <10-cent payments to my account then disputed them, and more recently with a question about the new IRS 1099-K form).

It wasn't hard to find the number to call either. You log in, click on Contact Us, then Call Us. Two clicks and you have a phone number.


Same here. I've had problems with PayPal twice, and both times their support has been very courteous, quick, and helpful.


Would it be fair to say that if both sides of the transaction are trusted then Paypal is OK? I would say that most of the time I use Paypal this is the case.


No, not even close. PayPal makes every transaction involve three parties, and PayPal imposes themselves even when unwanted by either buyer or seller. Notably, look up the various cases where people used PayPal for a charity or fundraiser, and PayPal cut off payments and stole the funds because they didn't quite grasp the concept of money changing hands without a product getting shipped.


"I’d have to buy Mac OS X Lion again, Final Cut Pro, Compressor, hundreds of dollars in iOS apps, and hundreds more in Mac software"

If you use commercial DRMed software you are asking for this. It is hard to feel sympathetic with this part of the story.


Damn right, he's been digging his own grave, Apple just handed him the shovel.


I've been using PayPal for nearly ten years now and never had any issues with the service. Now currently my bank account is overdrawn, and if I don't get it out of the red soon I won't be able to use PayPal with my eBay account, etc. That's not PayPal's fault -- it's my own for not managing my money better.

Apple Inc. prides itself on its customer service. When I went in for a group interview to work at the local Apple Store that was the most important concept they drilled into our heads. That said, it's one thing for a company to talk the talk; it's quite another to walk the walk.


Having worked for Apple customer service myself, I couldn't agree more. Apple does a lot to help the customers, but why iTunes doesn't have phone support is beyond me.


Apple has a lot of contact information that's easily available. http://www.apple.com/contact/

Sounds like someone did a chargeback; if they didn't do it, one of the financial institutions did one.


This isn't a problem limited in scope to Apple and Paypal. If you get your identity stolen in any way it can be a huge hassle and take over 12 months to completely figure it all out and clear out your credit. Speaking from personal experience, I had to call over 20 businesses, send each of them copies of the police reports, and remind some of them, to clear their marks on my credit report.


> The PayPal representative I spoke to was very courteous and helpful, though he couldn’t confirm whether or not I would experience the dreaded PayPal account freeze as a result. After all, all of my income comes to me via PayPal.

Wouldn't it make sense then to use a separate PayPal account for your self-employed business/income from what you use for personal purchases?


What I am most curious about, and what has never been mentioned in the article or in the comments here, is how the account was hacked. If the author not only has been hacked himself, but also knows other people who have been hacked, it should be possible to find the common denominator between them.


That would be interesting to find out. It's hard to find a common ground between them, since my Sister-in-law has an incredibly different set of usage habits than I do. Further to that, she doesn't have an iPad/iPhone.


> I spent over an hour on the phone with Mac support (remember, iTunes doesn’t have a customer support line)

That's because Mac support lines are the iTunes support line. He obviously figured this one out, yet he keeps claiming there's no number to call for iTunes-related issues.



