Illegal Life Pro Tip: Want to ruin your competitor's business? (oppositeinvictus.com)
470 points by redbell on July 2, 2023 | 343 comments



It's a constant fear, and there's no way to avoid using these companies. I'm currently dealing with a bakery business that was suddenly suspended from Google Maps. This is a big deal because it's the main way, by far, that people find us.

7 days ago, boom. Your account has been suspended for not following the business guidelines. The only thing I've updated recently was our hours. It's been listed without problems for about two years.

Of course they don't tell you what the issue is. They just tell you to fix it and then beg them to reinstate you. It takes up to two weeks apparently (7 days so far). And if they decide not to, the only thing you can do is delete the listing, and two years worth of hard earned reviews go up in smoke.

A few days ago one of our staff told me a Korean tourist came in the day before we were suspended and accused us of being fake. I don't know exactly what happened but due to the tourist's limited English nobody could persuade them we were the real location. Or maybe they were looking for somewhere else entirely? Who knows. Apparently they left a negative review, which I can't see while the account is suspended. Probably they reported the location as fake.

So that's it. Two years, over 100 positive reviews sitting at 4.9 stars. Gone because of one confused tourist. Or maybe because I updated the hours. Or maybe an automatic spam check didn't like us.

I sincerely hope that the next round of EU laws tackles this instead of privacy. It's just as big an issue, especially if you're running a small business.


My wife's floristry business has been blocked from being able to access Facebook advertising and permanently restricted in how she is able to interact with her customers, in part because a bot flagged and suspended her for trading in exotic animals. The exotic animal she was accused of trading? Aphelandra squarrosa - the zebra leaf plant.

There's no way of getting this ban reversed, there's no way of invoking any human to perform a manual review on the ban. It is a permanent restriction that impacts her ability to communicate with her customer base.


> There's no way of getting this ban reversed, there's no way of invoking any human to perform a manual review on the ban. It is a permanent restriction that impacts her ability to communicate with her customer base.

You know you're doing it wrong when the Ministry of Information in the movie Brazil has better customer service than you do.

Edit: add "the movie" to remove ambiguity.


Every time someone complains about being kicked off of Facebook or Youtube or some other such service for political reasons, the response from just about everyone is "they're a private business, they have a right to kick you off for any reason they want to with no explanation".

How isn't that also true here? They're a private business, they have a right to kick you off by automated systems if they think it's cheaper to have a couple of errors in the automatic system than to pay for manual reviewers. Hey, they're a private business and don't have to justify themselves, right?


Not sure if you were responding to the right comment, but yeah, this is a pretty major argument for why unchecked private centralization is very dangerous. The main solutions to this contradiction are either keeping healthy competition between firms to have a rich ecosystem of competition, or placing everything in a centralized location controlled by the govt where things like access are intensely regulated (i.e. why every subway and post office is ACA accessible).


> You know you're doing it wrong when the Ministry of Information in Brazil has better customer service than you do.

Care to explain?


They mean the film “Brazil”


It is a reference to the Terry Gilliam movie Brazil.


chinathrow said that tivert said "> You know you're doing it wrong when the Ministry of Information in Brazil has better customer service than you do."

But tivert didn't say that! tivert instead said "...the Ministry of Information in the movie Brazil ..."

chinathrow should read more carefully.


giardini said "But tivert didn't say that! tivert instead said '...the Ministry of Information in the movie Brazil ...'"

giardini said "> chinathrow should read more carefully."

tivert said "I will direct you to the other thing I added when I edited what I said: tivert said 'Edit: add "the movie" to remove ambiguity.'"


Such a fantastic film


Such a realistic film (2026)


Getting lawyers involved is one guaranteed way to talk to a human at Facebook. It won't be easy or cheap though, so I can understand why a business like a flower shop wouldn't want to do that.


Take Facebook to small claims court. They can't bring a lawyer, it will cost them a small fortune and they'll lose.


What exactly is the claim you would sue for?


Finding that out is why I'd consult a lawyer.


Is it possible to leverage another case filing, to reduce lawyer fees? Or some sort of Nola Press DIY process? Since it seems so common.


Odds are you won't need to involve any judiciary institution, just lawyers. In that case, there's no case and no filing required.

If your country has a working small-claims court system, there are good odds you can achieve the same result without any lawyer involvement at all. But if you are discovering this from a random internet comment, you are almost certainly better off talking with a lawyer about it anyway.


Is there a specific type of attorney?


Depends on the country. In the UK I'd probably go to the Law Society website and search for a B2B lawyer under "Business -> Dispute Resolution" or "Media IT and intellectual property" (https://solicitors.lawsociety.org.uk/). Having used lawyers like this at start-up companies in the past, they are not cheap. However, in the first instance you'd probably just want them to send a letter on headed notepaper, which might be enough to get someone's attention at Facebook and get the matter resolved.


This is a political problem manifesting as a legal one.

Call your US Senators and Representative. Explain the problem.

Call your State Senators and Representative. Explain the problem.

Contact the FTC and file a complaint.


If you're based in Europe, try framing it as a GDPR issue. Article 16 says that data processors have to rectify data that is inaccurate or incomplete within 1 month. If they don't do that, you can raise it to your national privacy ombudsman as an incident. This being Facebook, there is a chance that they'll act on it.

Be sure to CC privacy@facebook.com and legal@facebook.com

Only issue: not sure that the GDPR applies to companies. And it's a 'pro' account I guess?


GDPR protects individuals ('natural persons') and not businesses ('legal persons').

Recital 14 - The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.


At least in German jurisdiction there is the viewpoint that a law should also be applicable to a legal person if it indirectly affects a natural person behind it (so-called "Durchgriffstheorie"). In other words, the GDPR applies when it comes to protecting the natural persons behind the legal person, including their economic existence.


Maybe article 22 (“automated individual decision-making, including profiling”) can be useful here, too. This will not work if the account is not nominative though.


Sorry to hear this. Floristry is pretty cut-throat with all the shipped-direct sites that undercut prices. (Used to work at FTD.com, which bought ProFlowers, a very large flowers-in-a-box operation.)


> I sincerely hope that the next round of EU laws tackles this instead of privacy. It's just as big an issue, especially if you're running a small business.

This! Couldn't agree more. I believe this is a much bigger, huge problem compared to privacy, which is preventable (users can choose not to use a service), but this can take down entire businesses because of data giants' crappy/false alerting systems.

It should be illegal for Google, say, to remove a listing without proof, or if that's not possible, if they remove it they should legally be forced to compensate for the damage done. (Of course Google is just an example here; it applies to any large enough platform.)

Maybe then they will take this seriously.


> users can choose not to use a service

By that logic you can just not use Google. But that's ridiculous, as ridiculous as the statement that users can choose not to use a service. I believe it's impossible to live in modern society without having an account in FAANG, even harder than a business not having a google maps listing.


I just visited family in California and I was surprised at how many things need an app now, and there is no alternative.

For example, I went to visit the beach, which is in a national park. Parking required an app. There were park rangers there, the location was staffed, but they did not accept cash or credit card. Just an app. And there are two phone operating systems now, Apple and Android. So no. Can't live without FAANG. I ended up downloading the app on the spot and purchasing a pass.

I’m sure the park service does this for their convenience. And it’s so populated near the coasts that if anyone doesn’t comply, they still have plenty of people who would gladly use the app. They can get away with demanding smartphone use. You can certainly get away with not having a smartphone further inland, and not needing to depend on FAANG explicitly. But I know this expectation is going to creep into the continent over time. In 5 years, if you say “I don’t have a smart phone” you’ll just be denied service. Period. No questions asked. And you will be considered the unreasonable party by most.


> They can get away with demanding smartphone use.

> In 5 years, if you say “I don’t have a smart phone” you’ll just be denied service. Period. No questions asked.

IANAL, but I feel like that should be illegal.

Sure, they can set up an app and those who want to use it may do so, but for things like parking there ought to be an alternative. Beach, national park etc. is a predominantly offline service for which it's absurd to insist on using an app.

Especially for something that's on a "national park" — I don't really know what the "national" part indicates (not from USA) but I'm assuming that the govt is involved.

Somebody should go to court.


It should definitely be illegal. There are so many other options for charging these kinds of fees, all of which were used by public bodies in the US in the past, from dropping envelopes of money in a box to paying a person at a kiosk or using a vending machine to buy passes. Many of these payment methods are still in use at some parks/facilities.

The noose is tightening around the necks of those few of us who do not use smartphones. I hope a future wave of 'tech minimalism' gains enough traction to ensure that there are alternatives, but for now, as we ride the wave of tech-optimism and the mass adoption of intrusive technologies in the name of convenience or cost cutting, most people seem to see asking for alternatives as unreasonable.

There is an element of innate freedom in anonymous, analogue processes, even if they are not entirely 'anonymous' - such as writing a car license plate number on an envelope of cash for a drop box - it might as well be if the information is never entered into a searchable digital database where it will presumably be stored for eternity.

A few years ago I went camping at a state park in a system that had recently introduced usage fees (having always been free in the past). The state apparently partnered with some obscure parking app company to collect the fees. The use of the state park required submitting a considerable amount of information to a third party, with little or no information on how that data might be used, stored, or sold - in essence you had no choice but to submit to a third party's TOS in order to use public facilities at all. I did not like this at all, and having no smartphone, I paid cash at the manned office - only to have them collect my information and enter it into the parking app database.

A few months ago someone here made a comment in another discussion about having a pervasive sense that things are not quite as they should be. That stuck with me.


If you can't pay the government using cash they printed, thar be problems in dem thar hills.


In my country the religious eschew smartphones, so every service has an alternative. I often have to pretend that I am of that group to avoid "just installing an app" for something as simple as taking a place in a line at a physical location.


Guessing by your name that you're Israeli, and you're speaking of the more Orthodox communities there...

In the US, there are still large groups of Mennonites whose choices to avoid most post-19th century technology are generally well-accepted by the rest of the population, the best known of which are the Amish. They do travel around to varying extents, because not every Mennonite community agrees to what degree to avoid technology and under what circumstances - some have a community cellphone, some even have family cars (with a preference for less showy models); many are fine with taking public transit or hiring an "English" (non-Amish) driver. Individual smartphone ownership and use would conflict very strongly with what I understand of even the most "liberal" Amish communities, though.

There's got to be some sort of alliance that privacy-conscious techies can form with technology-skeptical religious communities, despite radically different worldviews.


Hell, in five years you won't be able to transact without an iris scan and social credit linked to your digital money.


> I’m sure the park service does this for their convenience.

Nooooo...this is dark UX to artificially increase the number of violators and collect more revenue.

I expected better from the park service but around here they've started making people enter their license plate number on parking lot passes too to prevent the time-honored tradition of sharing day passes. They're in revenue-generating mode these days.

Case in point:

I had to drop off a cashier's check at a landlord's office. Same deal-- paid streetside parking, but didn't realize it was app-only. I struggled with downloading the app on a crappy connection and couldn't successfully pay for parking after 45 minutes of fucking with it.

What am I going to do, leave? I drove an hour to get there and had 3 minutes' worth of business there. In the end I just ended up parking illegally.

To be any scummier, they'd have to implement paid parking at rest stops and ticket anybody who dashes past the meter trying to get to the bathroom before they piss themselves.


Half of NZ's EV charging networks require apps which are only available in NZ's app store...

No you can't just use a web app.


This is pretty much the only thing stopping me from throwing my smartphone in the sea and never looking back, it's actually quite hard to avoid needing one to interact with society.


> I believe it's impossible to live in modern society without having an account in FAANG

Oh, this is completely possible -- I do it.

But it won't stop them from getting your personal data.


What smartphone do you use?


People get along fine without accounts in FAANG. You don't even need an account to use many Google services.


Increasingly, even public agencies require/assume people to have a smartphone now, either an iPhone or an Android.

At that point, you literally cannot live as an adult in the society without FAANG dependence, even if it's a third party Android phone, at least not legally.


You can't download apps on your phone without logging into a FAANG account in the app store.


This is patently false.

I've been using GrapheneOS with F-droid and Aurora Store without logging into a Google account for years.

I've yet to run into a single thing I either couldn't use or couldn't work around.


Does that include banking and credit card apps? Most of my bank and card accounts require their own phone app to authorise transactions from time to time, and several accounts require their phone app to authenticate login to online banking, even if I'm opening it in a regular desktop browser on another computer. Three of those accounts don't have any other way of being managed than online, so their phone app (or tablet app) is mandatory to do anything with the account.

I had to buy a replacement phone in a hurry last year when my old phone's screen stopped working, just so I could login to make an urgent bank transfer. I would have preferred to take my time over what to buy, but so many financial things I use are blocked without a smartphone now.


The digital ID app in Sweden (BankID) recently started requiring google play services.


Yes, every banking and financial app I have tried runs just fine on GrapheneOS.


Yes, it does. Even my podunk little credit union's app works absolutely fine.


99.999% of businesses don't publish APKs or upload them to F-Droid. Expecting people to use third party distribution mechanisms like Aurora store is entirely unreasonable.

As for "working around" it, it's ridiculous to impose that expectation on the general population. Sure, you and I will always be able to find a way to hack around restrictions, but it's inaccessible to the overwhelming majority of the population.


What is unreasonable about showing people there's another interface to access all the apps in the Google Play Store, where you can download and use all of them without signing into a Google account?


Because Google could flip a switch and stop that at any moment. There is a systemic problem with how society is becoming more and more reliant upon a few large tech firms. Workarounds will work whilst they're small enough and fly under the radar, but if they get larger they'll be stopped by the holders of the binaries.


We're increasingly like animals that become dependent on a single source of food or a single watering hole. It's really risky. You could hardly design more fragile systems (or business models) than ones that depend on these very narrow bottlenecks.


So we should...submit to the binary already, in case the binary closes the loophole? How is that a solution?


Such a HN comment lmao


The exception does not disprove the rule.

Most people use phones they bought at their local electronics store, with default Android OS and default settings.


You can use android without logging into a google account with the default ROM and settings, just don't log in. I'm surprised more people don't do this, the app store is the only thing you "need" a google account for, and before they banned Aurora it was trivial to use it too.


The claim was "You can't."

The exception establishes that you can.

The exception very specifically and precisely does disprove the rule.


If you use aurora store you use google accounts. Someone else made them for you, but you're still using them.


Aurora Store does not work anymore without a Google account, at least for now. Google blocked their proxy accounts, I think. So currently there is no secure way to install apps from the Play Store without an account.


This isn't true either. I'm still actively using Aurora Store without signing into a Google account.


See https://gitlab.com/AuroraOSS/AuroraStore/-/issues/912#note_1... and https://gitlab.com/AuroraOSS/AuroraStore/-/issues/917. But right, this seems to have moved from "not working at all" to "being flaky", though it absolutely did not work for me.


Does Foobar national park publish their app to F-droid?


Does it work for Lyft / Uber?


I can use Lyft with no issue. I prefer it to Uber, so haven't tried Uber.


Who lives fine without a smartphone today? See your sibling comment for an example.


I do. I am beginning to feel the costs though. Even telling people that I don't have one is getting a bit awkward. Imagine the look of incomprehension.

A lot of people talk about 'needing' a smartphone for services/stuff I have never used, and probably would never use. I suppose I just kept living my life as I did before the 2010s, while everyone else changed. I was already in my 30s at that time, so not subject to the same social pressures a younger person would have felt, so perhaps it was easier.


When I tell people that, sorry, I don't have WhatsApp, they either look at me like I have a screw loose, or offer to help me install it (I am a middle-aged lady, so technical incompetence must be my excuse). I'd love to see the reaction to pulling out an old-school flip-phone, or providing an obvious land-line number!

That and my avoidance of Facebook didn't really matter until I had a kid and he started nursery school. I somehow got myself elected head of the Parents' Council, but it's been tough dealing with the mental block the slightly-younger generation has for email, and Signal is apparently a little too out there for non-techy 20/30-somethings of either gender.

I'm not as privacy-conscious as you, as I have a fairly recent iPhone; I'd probably be better described as social-media-skeptical, but your right to live a normal life without a smartphone is tied to my right to live a normal life without intrusive social media.


I've encountered the WhatsApp issue too. It's the communication tool in some parts of the world, but not others. In some circles people cannot imagine that you are a living breathing person who does not have it.

I use a bottom tier flip phone in the US, and a 13 year old Nokia with a pay-as-you go SIM in Europe.

I've noticed that there has been a generational shift towards smartphone-only communications, but I haven't really had to deal with it. I'd like to hear more about that. Oddly I use some of the same communication tools that young kids use, namely Discord, as it doesn't require a phone number. Linking online accounts and communications to a phone number has always put me off.


In Germany, WhatsApp is ubiquitous, possibly because when it hit the app stores, a lot of people were still paying per SMS but had adequate data plans, and it offered easy-enough group chats early on that at least felt private.

Also, even a lot of Facebook skeptics have no idea they’re owned and run by the same company…

I think the shift to smartphone-based communication is part of a vicious cycle of people giving up personal use of “real” computers, making a letter-replacement email something more comfortable to conduct as a bunch of short texts, which also have the “benefit” of quicker feedback before having to reveal the next thought.

Even I spent a while when I first got a smartphone (ca. 2010) feeling like what I typed into or read on the device in an app was more confidential than what I did on a full computer, even though I intellectually understood what an API was and that apps that communicated outside the phone were essentially very niche web browsers. These little devices that fit in our pockets, have cute cases that we picked out, and are cradled in our hands just feel less scary than a desktop or even laptop that can get viruses and throw up cryptic errors and chime accusingly at us when they don't like something we did.

So now we all have these little tethers that started out being a lot cheaper than a new laptop (but now easily cost $500+)

Early motherhood is particularly good at providing compelling use cases for a smartphone. Baby spending 45 minutes every 2-3 hours leisurely feeding, frantically reaching out to more experienced friends (or your various moms’ groups) for help with a small but urgent problem - much easier to pick up the little device with your free hand than to break out the laptop.

So once the kid is in nursery school at 12-18 months, even if you used to be a laptop user at home, your communications habits have been thoroughly changed.

And since mothers are the main social organizers, their preferred means of communication will dominate. Absolutely no one was interested when I offered to set up a website for the nursery school Parents’ Council, and from the perspective of people mostly ok with Facebook and WhatsApp, I understand the many reasons why.


I do in the UK (use a desktop for digital services), but I will need a phone next year after my current contract ends since employers like to have a chat via phone after applications.


I do.


What do you do when you need it? Banking or CC app for mandatory 2FA? gvmt Covid mandatory app to travel anywhere? QR code for restaurants? Places that require an app in general?

This is ofc locale-dependent, but if before the pandemic you could barely live without a smartphone, today is just impossible (at least in the 2 countries I visit often).


> Banking or CC app for mandatory 2FA?

Switched banks.

> gvmt Covid mandatory app to travel anywhere?

There wasn't one, thank $DEITY (Germany).

> QR code for restaurants?

Never encountered one without a menu yet, but I'd just go to another one.

> Places that require an app in general?

Never encountered those, either. There was one on my offline backpacking trip which required digital payment. It was sad, but I had to forfeit.


Thanks, and indeed.

Some places do require an app and while there are alternatives, there may not be another choice in the future. But not today, most of my elderly neighbours also don't own a smartphone and yet they survive in this city (Antwerp).

Life without a smartphone is possible, and imho calmer and more relaxed.


> Banking or CC app for mandatory 2FA?

The easiest way to avoid this is by going physically to your bank branch.

> gvmt Covid mandatory app to travel anywhere?

Don't live in a country that does this, so I don't know.

> QR code for restaurants?

I ask for a menu.

> Places that require an app in general?

Haven't seen that happen yet. There are some parking lots that require an app to park in them, but I just park elsewhere. The laundry room in my apartment complex requires an app to pay, so I just go to the laundromat down the street instead.

I do have a smartphone, although I'll switch to the dumbest phone I can find when this one dies. I do not use any apps for doing any commerce or the like, though. It's far too risky for my taste.


Banks tend to have some back up, such as a TAN generator. I have used those for Euro bank accounts that require 2FA. US bank accounts are usually fine with a phone number, which can be a dumb phone. There were no real covid restrictions where I live, and no app, so that was not a problem (but that is definitely something people should push back against, as it's horrifying). I would never, ever eat in a restaurant that required you to use a QR code. They can simply go to hell. It's mostly trendy places that do that, anyway, and I prefer hole-in-the-wall restaurants anyway. I understand this stuff is a lot more advanced in some countries, but even in the US it's pretty easy to get by without any of it.


Aside, one of the best hacks for networking without a smartphone is a small notepad and a pen in your pocket. Write things down for yourself and others e.g. phone numbers, addresses, email addresses, reminders.


To be fair even the surveillance-obsessed UK offered a paper alternative to the vaccine passport scheme, although Partygate completely crippled the government's political capital for keeping restrictions around anyway not long after if I remember correctly.


Here, desktop for online services, flip phone when traveling, VOIP for most phone usage.


Privacy is a choice? That's a new one, I didn't know people had the choice of their data not being leaked or sold by small and big businesses.

We can chew gum and walk at the same time, no need to throw privacy under the bus.


Of course privacy is not a choice, it's a fundamental right.

Giving your personal data to private companies, however, is a choice. You can simply not use their services.


> You can simply not use their services.

I love this liberal argument. It's the sister argument of "Well, if you don't like YouTube censorship, then you can start your own YouTube!" It is truly out of touch with how societies actually function.

This argument only works when you have lots of market competition full of small players where it doesn't make any difference which service you use. But large corporations can effectively become something like public utilities that function like economic gatekeepers in a way that even governments are incapable of.

It is also hostile and encourages/enables the hostility of big players. My presumption is characterized by liberality, but it's a presumption, which means I default to liberality, unless there is a good reason to restrain it. Saying "just don't use it" can either be unrealistic, or something like a move of last resort. We regulate business and have always regulated business for a reason, pace free market extremism.

The common good is the concern of the law, and protecting the individual is for the sake of the common good. Start there, and you might take a different view of the function of economies in societies and how they may or may not be constrained.


You really can't.

If you don't want to be homeless, you're either renting or buying, and in either case people are going to be processing your personal data. You're also probably going to need a bank account, which you also can't open without handing over personal data.

If you want electricity, you're then dealing with another company that is processing your data. Same for water and gas and internet.

Sure, some things are optional, some things can be worked around by buying in person and using cash instead of buying online. But a lot of things are just not practically optional.


> You can simply not use their services

Good luck with that. I get that you can refuse to email anybody with a gmail.com address, but lots of people use Google to host email. You may not be willing to upload your address book to Facebook, but the people who also have you in their phone book have likely shared that with FB through Instagram.

These companies get to know you pretty well even if you never directly use their services.


All my university systems run on Microsoft. All my future employers' systems will probably run on Microsoft. All public transport in my country effectively requires an app which is tied to either Google or Apple operating systems to buy tickets. Schools require students as young as 6 years old to have an iPad or chromebook tied to Google or Apple.

There is no real choice in our modern society to "not give your personal data" to these megacorps.


Wow, never heard someone ask me to cancel all services if I want privacy. That's new.


"Man who boycotts all privacy-violating companies now alone in cave with his Goya beans and copy of Stallman's GNU manifesto"


https://noyb.eu/en/telesign-profiles-half-worlds-phone-users

I did not give my data to TeleSign but apparently they have it. And my operator did not tell me.


> Giving your personal data to private companies, however, is a choice. You can simply not use their services.

This is what I do, but it certainly doesn't stop private companies from getting my private data anyway.

There is no way to opt out of this.

There are a lot of businesses for which life would be much harder choosing not to use their services, and more services are digitised each year. Gov online services, essential utilities (water, gas etc), mobile phone providers, private health and so on.

It’s not as simple as “don’t use them”


Given that Google handles a tremendous amount of email (not all to gmail.com domains either), and that other companies maintain "shadow profiles" of non-members, or simply track vast numbers of people (credit bureaux and other data-brokers), let alone the vast levels of surveillance baked into the present-day Internet, saying people can simply opt out of services is ... profoundly untrue.

There's no need to pit fairness in business dealings against privacy. Both are wins for the average person.


The problem is that such large platforms work like utilities, but are governed as services


For example it is illegal for the water utility companies where I live to cut off water supply, even if someone does not pay the bills. It should be illegal for payment processors, search engines and other large internet platforms to take away people's business. We need utilities, not services.


1000%, the ISPs need to be treated just like a power company, not privatized at all.


I really am in favor of your suggestion. Next to that my stance is that big companies should by law be required to have a human representative you can contact, especially in the time of AI.


But then we will face the original problem: prevalence of fake location spam


Not if you have to provide proof of your identity to register. Such proof could then also be a prerequisite to have government protection against arbitrary bans.


> I sincerely hope that the next round of EU laws tackles this instead of privacy. It's just as big an issue, especially if you're running a small business.

At least in Germany, you can file for a court order ("Einstweilige Verfügung") against Google - that usually works out and is relatively cheap, a couple hundred euros. Consult a lawyer, I think most EU countries have a similar instrument. Do note, you might have to file for an order both against the Google Europe HQ in Dublin/Ireland and against your country's Google office.


How would this work? Google isn't an official registry, do they have an obligation to list any business?

And the privacy argument is often effectively countered with security concerns, even more so if that is expressly stated so in the ToS.

Just to be clear: I'm 100% on the GP's side, I'm just curious what the Verfügung could do here. In order for the court to issue such an order, it needs at least a reasonable legal basis.


If you're 1 out of 100 marketing agencies, you're part of a free market.

Once you have monopoly or near-monopoly, you become more like infrastructure, whether you provide electricity or access to customers.

At that point, you either have to expect to be willing to host anyone who stays within the law, or have the monopoly broken up.

Only the most hardcore market fundamentalists/objectivists tend to disagree about this principle, in my experience. (Which means practically nobody outside the US). Though some seem to be quite willing to accept abuse of market power if it primarily hurts their political enemies.


Like a sibling comment of yours, you are arguing principles. I'm not arguing those principles; I already stated that I'm 100% behind them [in favor of the GP].

> Only the most hardcore market fundamentalists/objectivists tend to disagree about this principle, in my experience.

Even if the court agrees in principle, it still needs an adequate legal basis to issue an order. Violation of a law, or a contract, or whatever. I asked the GP, who seems to have experience with such cases, what this legal basis could be.


The EU, and especially some of the member countries, tend to go harder on cases where monopoly power is either misused or causes some harm to the general public.

The legal basis to intervene is there, but may be vague and open to interpretation.

For instance, a near-monopoly position might cause other regulations, like laws against unfair business practices to be interpreted more strictly than for other intermediaries:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02...

As long as the population within a jurisdiction universally supports the principles behind a ruling, finding some regulation to support it usually can be done.

In the US, there seem to be two factors that make it a lot harder to enforce such regulation (to the extent that they even exist there):
- The fact that these companies are American and able to buy influence through lobbying and contributions
- The current division in American politics, where virtually any position supported by one side automatically will be opposed by the other, causing paralysis


Simple: by offering to host a marker for you on Google Maps or by even giving you an account, they are entering a contract with you/your corporate entity from which they can't just unilaterally exit without good reason. The legal basis is just the same as the various people on both ends of the political spectrum who filed for injunctions against Facebook/Meta and Twitter to have their accounts unbanned.

The question of course is if the jurisdiction of the person I replied to has the same idea about contract law but IIRC (and IANAL...) it should be harmonized across the EU - but heh, if the removal of the maps marker has led to a drastic decrease in traffic, a couple hundred euros for an actual lawyer should be more than worth it!

The key thing is, going via the court system or even "just" the legal department without involving the courts short-circuits the relatively powerless first-level support.

If you're interested in the finer details and a bit of ranting, read e.g. this post from lawyer Christian Saefken [1] - it's geared towards Twitter (and Facebook, which a friend of mine had success with just the same).

[1] https://christian-saefken.de/abmahnen-aber-richtig/


> Simple: by offering to host a marker for you on Google Maps or by even giving you an account, they are entering a contract with you/your corporate entity from which they can't just unilaterally exit without good reason.

Contracts work both ways: now imagine Google, or Facebook, or Twitter stating that you can't close your account without a good reason because you have a contract.

The point is that you don't need a good reason, you just need a previously agreed upon reason.

A cursory examination of the ToS [2] shows numerous cases in which Google (or the user) can terminate the contract. Whatever happened here, it's all but certain that Google claims that one of these cases is fulfilled, hence they have the right to terminate the contract.

> If you're interested in the finer details and a bit of ranting, read e.g. this post from lawyer Christian Saefken [1] - it's geared towards Twitter (and Facebook, which a friend of mine had success with just the same).

> [1] https://christian-saefken.de/abmahnen-aber-richtig/

That lawyer is claiming a Right to Free Speech. I don't see how this strategy can be successful, as Twitter will counter-claim that it's a private platform they are free to regulate. Sexualized content can be free speech but surely one wouldn't claim that Twitter has the obligation to host it if they don't want to.

If Twitter indeed caved, then they caved simply because they assessed that said Tweet wasn't worth the trouble, not because they were legally obliged to.

[2] https://cloud.google.com/maps-platform/terms


I guess it has mostly to do with the fact that once legal gets involved, even at Google scale it makes sense to just take a look and see that, yes, of course, it was just another case of someone sabotaging someone else and the system being too dumb to catch it, let's fix it before we have to show up in court.

On a side note: GDPR demands that companies provide a way to get a manual review for decisions made by machines.


> even at Google scale it makes sense to just take a look and see that, yes, of course, it was just another case of someone sabotaging someone else and the system being too dumb to catch it, let's fix it before we have to show up in court.

Rather than "even at" I'd say "especially at". It costs big companies way more money to deal with legal issues than it costs you to raise them.

Google only has so many staff lawyers and it doesn't take a lot to get them bogged down. The bigger you are, the more likely you are to have a bunch of legal work.

It's simply in their best interest to make your legal case go away as quickly as possible in most cases.


> On a side note: GDPR demands that companies provide a way to get a manual review for decisions made by machines.

Correct. Unfortunately, from what I've heard so far, all that this entails is that some drone looks over the case, and checks a "reviewed" box or so. It's a right to manual review, not to manual rectification.


I wonder if the refusal to list a business could be considered tortious interference now, as it has effectively become a negative false statement: "There's no bakery here".


Honestly this kind of "honest question" is quite depressing: If you don't start out from the understanding that yes, Google is ground reality for most people and yes, the law should protect you from unjust persecution on those kinds of platforms then what can we tell you? This point of view is inhumane and should just be released. It is not for others to convince you that you should consider human rights more important than corporate rights. You should wonder why you have this point of view and why you think it's reasonable. Then let it go, so you don't infect others with it (and make the world a measurably worse place as your legacy).


I didn't ask a question about the ethics of the action. I asked about the specifics of the court order.

Courts (at least in Germany) cannot just arbitrarily decide on what is just or not; they must follow the rule of law. Without some adequate legal basis, a court won't order a thing.

> It is not for others to convince you that you should consider human rights more important than corporate rights.

Human rights are by definition more important than corporate rights. I take offense at your suggestion that I'd consider the latter more important, given that I explicitly stated that I'm 100% on the GP's side.


Even if you don't want to be listed on Google Maps, they will sometimes generate a fake listing for you anyhow. I got burned by one of these as a customer, the link for takeout was not actually a site the restaurant was partnered with. I’ve also seen restaurants with similar names URL squat these other places.

It seems so bizarre Google will publish such information without ever validating it with the business. It must cause a lot of damage and support quite the environment of scammers though.


This happened to a restaurant I go to a lot. Their Maps listing said there was online ordering, but the link went to a site that even had a disclaimer saying they were not actually affiliated with the restaurant. I reported it to Google and they removed the entry, but anyone can make a change and double checking seems to be cursory at best.


> It seems so bizarre Google will publish such information without ever validating it with the business.

Why should they? Validation would be expensive, and the false information doesn't hurt Google. Where else are you gonna list?


If they don't want to validate it, they shouldn't publish it or sell advertising on a service that used the unverified data. It was OK for the web because that's the only way, but maps have a lot more sources of truth.


On the flip side, as an avid Google Maps reviewer they also removed my negative review from a restaurant without any good reason (supposedly the business reported it as being “fake” or something)

It really pissed me off because I wrote a long thoughtful review and mentioned the good aspects of the restaurant too as well as some recommendations, and it’s just completely gone

The worst part is the restaurant is sitting at 4.5 stars despite being quite bad, and the recent low star reviews are all questioning the rating, which is obviously artificial


I've been reading a lot of reports recently about how businesses abuse AirBnb and Google Maps reviews by forcing the companies to remove them on technicalities or by outright lies. I wonder if I should just post any less-than-stellar reviews without any text but with rating only in order to make it harder for them to remove. Thoughts?


I’m at Level 8, how far along are you?


Just curious why you guys do this and for free?


It actually helps people. The only negative thing here is that Google makes money from it.


> It actually helps people. The only negative thing here is that Google makes money from it.

I used to be that naive, then I tried to correct a Places issue on Facebook. I stumbled into this netherworld of similar people being abused with horrible tools continually banging their heads against a wall "to help people," with little or no support from Facebook.

After months of trying, I totally failed at my task, and I vowed never again. These companies just abusively exploit people's need to help others for their own profit. If Google/Facebook/etc. wants me to work for them, they can pay me and give me reasonable tools.


Add the info to OpenStreetMaps instead.


> Add the info to OpenStreetMaps instead.

OpenStreetMap didn't have the same error (which was still on Facebook, last I checked). Facebook Places has a buggy duplicate detection system that would frequently merge different places together, including one I specifically cared about. It would suck in any new instances into its merged blackhole. IIRC, a huge portion of the activity in that "netherworld" Facebook group I found was trying to mass-report merge errors to the automated system, which frequently didn't work.

However, OpenStreetMap would have been a very good suggestion for some of the other "netherworld" Facebook group members. Many of them seemed to care about making Facebook Places accurate in general, so they'd look for and fix errors far afield from the stuff they actually interacted with.


Yeah I was just commenting in general towards the attitude of wanting to help people. It's wonderful when people have good intentions like that. But people should direct those good intentions on improving open data sets instead of being slave labour for large corporations.


I enjoy taking photos and reviewing food. I used to do it on Zomato, and made some friends through that, but Zomato pulled out of my country and Google Maps is pretty much the only good existing choice


I like to see my numbers get bigger and collect badges.


If that happened recently enough, I would guess that your "long thoughtful review" was confused for a ChatGPT fake.


This is also a problem on the customer side. I don’t shy away from leaving bad reviews to businesses that deserve it. These businesses either reply with a passive aggressive doxx like “Hi Or Nornor” when I don’t use my real name anywhere on the internets (including medical-related businesses), or they report the review and my account gets blocked with all my reviews removed.

And then of course there isn't a single living human at Google you can contact to even find out which review was flagged, why, and what to do about it.

I don’t even read reviews anywhere anymore, they’re all so faked or astroturfed anyway that they give no indication of anything. What a brave new world.


I encountered the same problem recently. My family member’s business changed location. Updating the Google maps listing caused Google to flag it for not following guidelines and weeks passed with the listing being “under review”.

The solution that ended up working for me was to start paying a few dollars a day for Adwords. For some reason that cleared the issue up the next day. Then, I turned AdWords down to a few bucks a week and then later off entirely.


> The solution that ended up working for me was to start paying a few dollars a day for Adwords. For some reason that cleared the issue up the next day.

Yes, for some reason it cleared up after spending money. I really hope it’s not the norm. Sounds like extortion to me.


Can confirm. This works in more places than one, Reddit too. Reason? When you're a paying customer, you get routed to elevated support staff. They have a higher incentive to help you fix the problem and fast.

I don't hate it, I appreciate it. Better than having no easy recourse. Because I bet if everyone were treated equally, it'd be shitty service for all. Better to toss in a few bucks if it's valuable and get the support (and some ads run).


> I don't hate it, I appreciate it.

Since that amounts to a kind of extortion, I can't see how it would do anything but make me furious.


This sounds like a Mafia movie. Pay up for a little protection and don't let it happen again!

Intentionally or accidentally, it's a great problem for big tech to have. You scramble with everybody else to be on the service and the DDOS crowd, confused tourists and local ruffians take your account offline. Better grovel up to reinstate your honour and pay for protection/added services/more identity validation that doesn't stop the problem from happening. Same thing every big country does, we are all under a "security umbrella".

Honestly, real life advertising needs to make a comeback. And localized knowledge of the businesses worth keeping alive, when Google's security algorithm dumps them without administration even knowing it. Eggs all in one basket was never a good idea.. right?


All business and all government eventually become a racket.


Also, how should a small business deal with fake negative reviews in, say, Play Store? Google does nothing to fix that. As the app developer you know a review from an account that didn't sign up to your service is fake, especially when it appears at the same time other similar fake reviews do.


This is very sad. It's a disgrace that even physical businesses today depend so much on Google.


If you happen to review a few places on Google Maps you are holding superpowers. Idk if that works for new accounts too. But yeah, at least if you do some activity and then you report a place as closed, they are "checking" it for 1h, then you get the e-mail that the place got removed from Maps.

I use that for good purpose - I fix a lot of invalid information on Google Maps around my home town, and they apply the changes without batting an eye. This is good for society. But I can clearly see how that could be used for abusive purposes.


Companies that don't provide their customers with an easy way to speak with a representative shouldn't be allowed to operate inside the EU.


I feel like you should be able to request a call from their call center rather than be forced to wait on the phone for one. The long wait times to speak to representatives are a cost savings measure.

First saving on having to hire an appropriate level of customer service staff. Second that percentage of people who give up.

It's a feature, not a bug.

I think one of the Pixel phones had an option to detect when there was a human on the other end of the line. Definitely made me consider getting it back when I was looking for a new phone.


Google Assistant will wait on hold for you, yes.

Though from what I've seen, most places have callback options.


> I sincerely hope that the next round of EU laws tackles this instead of privacy

why instead?


Well because there's already been a lot of laws passed in that regard and there's already momentum. I don't mean they should stop this momentum, these privacy laws are incredibly important.

I meant the need to start a new front.


Because privacy laws have zero teeth and workarounds are technically easy (or endlessly annoying for zero new outcome, e.g. see cookie popups). If the EU would actually enforce GDPR it would be amazing.

Meanwhile these companies who have essentially become a public utility don’t provide customer support or explanations.


If the EU privacy regulations didn’t actually solve the problem, what makes you think they would do any better regulating customer support?


your ideas are contradictory:

> If the EU would actually enforce GDPR it would be amazing

> The EU should not focus on privacy laws any further

and not to be adversarial, but they do enforce GDPR. have a look at the enforcement tracker and sort by Fine:

https://www.enforcementtracker.com/

TLDR: less than 2 months ago, Meta - one of those de facto public utilities you're describing - was fined 1.2 Billion Euros for GDPR breaches. they and Amazon have previously been fined hundreds of millions


Lots of companies are expending a lot of effort to ensure they respect GDPR

Non EU companies are the worst offenders at not understanding their privacy obligations (particularly ones that provide tags)


I'm guessing that the core idea behind GDPR laws wasn't to flood the internet with banner popups, but to limit storage of PII that is excessive and unneeded for honest usage. IIRC GDPR allows for some limited PII storage without any banners, but it is restricted in time and scope, to prevent selling this data. Instead nobody is limiting usage of the data (not even the Eurocommission site with GDPR rules) because that is not enforced in reality. So in essence GDPR law was a spectacularly expensive failure, because nobody restricted their PII processing and analytics.


GDPR forces companies to make a choice: stop invasively selling data, or get explicit permission to do so. if a company chooses the shady second option, they have to hamstring their UX and have a big nasty banner that says "we don't give a fuck about your privacy"

it's actually very clever. the more profit hungry and invasive a company is, the more desperate they are to sell your data, the shittier they have to make their website - or break the law and get a nasty fine a year or two down the line

this idea that gdpr isn't enforced or is somehow expensive (?) doesn't have any grounding in reality: just 2 months ago, Meta was fined 1.2 billion euros for GDPR breaches. they've also already been fined hundreds of millions multiple times. in 2021, Amazon was fined ~800m euros. smaller businesses are being fined all over the place[1]. GDPR is the opposite of expensive. it's profitable

GDPR is a huge deal at companies that handle any data at all. they don't think it's not being enforced

if you were criticising the lack of enforcement of a github policy, do you think you'd actually go and make sure they weren't enforcing it? so why not the EU?

[1] - https://www.enforcementtracker.com/


Is it listed on OSM?

If it's not you're part of the problem.


Yes of course it is. I put it on both on the same day.

Your comment feels very passive aggressive, FYI. There's no need to make accusations like that.


you get bad service from these companies for the same reason the government generally provides bad service, they are monopolies with no reason to spend more money to improve


I worry about the horrible side effects that would occur from trying to grant that wish. It is always easy to make demands when you aren't the one carrying them out and most people don't think the implications through.

My mind just boggles at the implicit additional bureaucracy, expenses, and slowdowns being cheered for. The kind of mess which results in a system so complex that it has its own "degrees which shouldn't exist" spawned from it like medical billing.


feel free to post a link or add it to your profile and I'll leave a good review


Thank you, that's very kind. However, it's not possible even for me to view the listing while it is blocked.


You can blame the evil competitor but the real problem is that credit cards are not the right tool for payments to strangers over the internet.

Every time I do a CC transaction I’m giving a stranger exactly the information they need to do an entirely different, arbitrarily large CC transaction in my name with any merchant. That’s bonkers.

I’ve recently seen more use of Apple Pay via websites. Assuming it works as Apple Pay usually does, this at least is technically more secure (though I don’t like giving Apple more power) since it’s basically an exchange of cryptographically secure/verifiable one time tokens.

PayPal is no one’s favorite but at least if you use that you’re not handing over your CC number. (And yet they seem to lock out tons of merchants, hmm)

Why are we still using credit cards? It’s not great as a consumer either - I have had my card locked for traveling within the same city and spending maybe $20 at a merchant I don’t usually visit. I had it locked because of a $5 web service monthly charge - and I had verified the same charge the two prior months.


> Every time I do a CC transaction I’m giving a stranger exactly the information they need to do an entirely different, arbitrarily large CC transaction in my name with any merchant. That’s bonkers.

You may be surprised to know that, when doing a "conventional" CC transaction, you are most certainly not giving any stranger information that would allow them to perform a transaction in your name on another merchant. What you are doing is providing your card information to a PSP (payment service provider) that has been contracted by the merchant and will provide the merchant with a token with which the merchant can trigger a charge request to your card but only to their own pre-approved acquirer account. The merchant can do nothing else with these tokens.

A breach of the merchant's token database would be embarrassing but harmless. A breach of the PSP's database of card numbers would be bad and inconvenient for the cardholders, sure, but it would be a business-terminating event for the PSP as its PCI DSS [0] compliance would be shattered and it would be unable to operate again.

In summary, ordinary card payments are essentially as secure as Apple Pay. The only difference is that in one case you are trusting a gigatech brand which is very saliently involved in the process but whose side-business in payments has only operated since 2014, while in the other case you are trusting businesses that you may or may not have ever heard of —Adyen? Braintree? WePay? Worldline?— but that have probably been dealing with secure payment processing as their primary or only business for much longer.

[0] https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Sec...


I think you missed the “over the internet” part. When you do a CC transaction over the internet, you give the merchant your CC number and all the other information needed to make a transaction happen. A legitimate merchant may pass that information directly to a PSP, but you can’t deny you’ve given the merchant the information. Surely you’ve filled out a CC form in a website before?


Yes, I have filled out a CC form on a website uncountably many times. I can also deny that I have ever given any merchant my card information (at most, if the merchant was utterly massive, I may have given my information to their own fully-owned subsidiary PSP).

My source is that I work in a payments backend software engineering team at a large company (FTSE 100) that provides an ecommerce platform for multiple medium-to-huge retailers worldwide. And yet, even at such a massive scale, neither our software nor let alone our partnered retailers ever even see the customer credit card number. It's not that we pass it directly to the many PSPs that we integrate with. Rather, only the PSPs' own systems actually see it. And yet, if you were to shop online on any of our retailer partners, as a customer you would still have the illusion that you are giving the actual merchant your number.

Could a non-PCI-compliant merchant ask you for your credit card number and store it themselves? Well, technically yes. But then they would not be able to do any legitimate transaction using it, as they have no way to use card numbers to get money into their bank account without a PCI-compliant PSP performing the transaction.

Could a non-PCI-compliant merchant integrate with a PSP in such a way that they send the inputted card number to the PSP [0] rather than the PSP receiving it directly? No, the PSP would laugh in their faces at the suggestion.

Could a non-PCI-compliant merchant ask you for your credit card number and details and then use them to buy stuff in your name for themselves? Yes, but "non-PCI-compliant merchant" is a very bad euphemism for "online scammer".

[0] One exception being MOTO (Mail Order/Telephone Order) transactions, but they are a specifically regulated case which, by its very name, is by definition not applicable to online card input.


I think you’re confusing what you’re supposed to do (according to PCI) vs. what you’re technically capable of doing. Look at Stripe’s documentation for creating a payment method [0]. The parameters it takes are card number, expiration, and CVC. Any merchant using this API could trivially save the information for future, malicious use.

0: https://stripe.com/docs/api/payment_methods/create


Please refer to the section just above, in the "Tokens" section. Emphasis is mine:

> Tokenization is the process Stripe uses to collect sensitive card or bank account details, or personally identifiable information (PII), directly from your customers in a secure manner. A token representing this information is returned to your server to use. You should use our recommended payments integrations to perform this process client-side. This ensures that no sensitive card data touches your server, and allows your integration to operate in a PCI-compliant way.

> If you cannot use client-side tokenization, you can also create tokens using the API with either your publishable or secret API key. Keep in mind that if your integration uses this method, you are responsible for any PCI compliance that may be required, and you must keep your secret API key safe. Unlike with client-side tokenization, your customer's information is not sent directly to Stripe, so we cannot determine how it is handled or stored.

So in summary, yes, you can integrate with Stripe in such a way that you send them the card details... but then your business will need to be PCI compliant to the level of a PSP which, believe me, is damn hard. If you suspect that a merchant may go through the trouble of becoming PCI compliant only for the sake of being able to get customers card numbers for possible future malicious use, or do it in such a shoddy way that a malicious employee will be able to steal card numbers, you might as well just stop trusting online card payments in absolutely all cases, including Apple Pay.
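The distinction drawn in the quoted Stripe text (client-side tokenization, where the card number goes straight to the PSP, versus server-side handling, where it passes through the merchant) and the earlier claim that a breach of a merchant's token database is harmless while a breach of a PAN store is not can be made concrete with a toy model. The code below is an added example for this thread, not code from Stripe, from any real PSP, or from anyone commenting here; the PaymentServiceProvider class, the two merchant classes, the acquirer ids and the card numbers (standard industry test numbers, not real cards) are all constructed for the illustration. It also includes a Luhn-based scan that a defender can run over a merchant's own storage to find out whether raw PANs have crept into it, which is the question that decides PCI DSS scope.

```python
import secrets
from dataclasses import dataclass


def luhn_valid(number: str) -> bool:
    """Luhn check; used here only to recognise PAN-like values in stored data."""
    digits = [int(d) for d in number if d.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """A stored value is treated as a card number if it is all digits and Luhn-valid."""
    stripped = value.replace(" ", "")
    return stripped.isdigit() and luhn_valid(stripped)


@dataclass(frozen=True)
class Token:
    token_id: str
    merchant_id: str   # acquirer account this token is bound to
    last4: str


class PaymentServiceProvider:
    """Toy PSP (assumed): the only party that ever holds full card numbers."""

    def __init__(self):
        self._vault = {}    # token_id -> PAN, never leaves the PSP
        self._tokens = {}   # token_id -> Token
        self.charges = []   # (merchant_id, last4, amount)

    def tokenize(self, pan: str, merchant_id: str) -> Token:
        token_id = "tok_" + secrets.token_hex(8)
        self._vault[token_id] = pan
        token = Token(token_id, merchant_id, pan[-4:])
        self._tokens[token_id] = token
        return token

    def charge(self, token_id: str, merchant_id: str, amount: int) -> bool:
        token = self._tokens.get(token_id)
        if token is None or token.merchant_id != merchant_id:
            return False   # unknown token, or bound to a different acquirer account
        self.charges.append((merchant_id, token.last4, amount))
        return True


class TokenizingMerchant:
    """Client-side tokenization: the browser sends the PAN to the PSP; the server stores a token."""

    def __init__(self, psp: PaymentServiceProvider, merchant_id: str):
        self.psp, self.merchant_id, self.db = psp, merchant_id, []

    def checkout_from_browser(self, pan: str, amount: int) -> bool:
        token = self.psp.tokenize(pan, self.merchant_id)   # happens in the customer's browser
        self.db.append(token.token_id)                      # merchant storage holds only the token
        return self.psp.charge(token.token_id, self.merchant_id, amount)


class RawPanMerchant:
    """Server-side handling: the PAN is posted to the merchant, which tokenizes it itself."""

    def __init__(self, psp: PaymentServiceProvider, merchant_id: str):
        self.psp, self.merchant_id, self.db = psp, merchant_id, []

    def checkout_from_browser(self, pan: str, amount: int) -> bool:
        self.db.append(pan)   # raw PAN now sits in merchant storage: this puts the merchant in PCI DSS scope
        token = self.psp.tokenize(pan, self.merchant_id)
        return self.psp.charge(token.token_id, self.merchant_id, amount)


def stored_pans(db: list) -> list:
    """Defender's check: which records in a merchant database are raw card numbers?"""
    return [v for v in db if looks_like_pan(v)]


def breach_blast_radius(psp: PaymentServiceProvider, records: list, other_merchant_id: str) -> int:
    """How many leaked records could be charged against a *different* acquirer account.
    Tokens are refused because they are bound to the original merchant; raw PANs are not."""
    successes = 0
    for rec in records:
        if looks_like_pan(rec):
            token = psp.tokenize(rec, other_merchant_id)
            successes += 1 if psp.charge(token.token_id, other_merchant_id, 1) else 0
        else:
            successes += 1 if psp.charge(rec, other_merchant_id, 1) else 0
    return successes


def demo() -> dict:
    psp = PaymentServiceProvider()
    safe = TokenizingMerchant(psp, "acq_bakery")      # constructed ids
    risky = RawPanMerchant(psp, "acq_florist")
    safe.checkout_from_browser("4242424242424242", 1200)   # constructed test card numbers
    risky.checkout_from_browser("5555555555554444", 800)
    return {
        "safe_merchant_stores_pan": bool(stored_pans(safe.db)),
        "risky_merchant_stores_pan": bool(stored_pans(risky.db)),
        "reuse_from_safe_breach": breach_blast_radius(psp, safe.db, "acq_other"),
        "reuse_from_risky_breach": breach_blast_radius(psp, risky.db, "acq_other"),
    }


if __name__ == "__main__":
    print(demo())
```

In the model, a copy of the tokenizing merchant's database is useless elsewhere because every token is bound to the acquirer account it was issued for, which is the "harmless breach" claimed above; the merchant that handled the card number itself is the one whose storage now contains reusable secrets, and `stored_pans` is the sort of scan that shows it. Real PSP tokens carry more structure than this toy, but the scoping property is the point.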


You are insistently missing the point, and overlooking a series of security flaws just by reasoning that people aren't authorized to exploit them.

I really hope that your job at that security provider is on marketing, because this is a hell of a bad mindset to work with security.


This conversation is really crazy to me. I’m going to assume these people really do work in payment processing and it explains a lot. Apparently they can’t even properly recognize a potential attack vector let alone mitigate it. If this mindset is common in the payments industry, then it explains why payments are still so insecure.


"But, but, it's illegal". But nonetheless it was a illuminating debate.


I don't think you have paid enough attention to detail when reading my comments to have an informed opinion as to whether I am "missing the point" or whether I am instead talking from in-depth practical experience on the subject.


New user joining the fray here. I worked in cybersecurity at a bank for many years. I haven't read all of what you said, because I agree that you're missing the point that someone was making. Right now, I could throw up some kind of merchant page for some homebrew service, and have an HTML form that asks for a credit card number a CVV and an expiration date. That would be illegal or otherwise non-compliant with PCI, absolutely but it's technically doable. Every time that someone types in a credit card number into a website, they have to trust that the merchant they are doing business with is handling that data in a secure and compliant manner. That is the point of the OP.

Their point extends to the fact that there are other ways of exchanging payment data that would not allow a malicious recipient to reuse that data illegally.


You’re arguing that using a PCI compliant PSP solves the problem of credit card number harvesting, but that’s not correct unless the entire transaction takes place on the PSP (like PayPal). Once the payment details are collected in environments outside the PSP’s control, it’s not protected. For example, payment info could be skimmed by devs with access to payment pages using JS, like in the NewEgg Magecart attack.


No, that is not what I am arguing. Please reread the thread.


Here is a summary of your argument in your own words:

> So in summary, yes, you can integrate with Stripe in such a way that you send them the card details... but then your business will need to be PCI compliant to the level of a PSP which, believe me, is damn hard.

What others in this thread are arguing is that sharing CC details with anyone is a stupid way of doing payments. It doesn't matter if you're interacting with a PSP or otherwise. You shouldn't share a secret that someone else could use to generate payments. You should share some type of payload that is only valid for the payment you're making.


As another person that's worked in payment (specifically acquiring) for 6 years: PCI compliance is not a trivial matter as you seem to believe.

It involves recurring audits of all systems in contact with cc information.

While I've never used Stripe, I doubt they'd let you use that API without the certificate, as they wouldn't be able to do the acquiring for illegitimate transactions such as that. They could lose their status as an acquirer if they did that knowingly, and that would make it impossible to process any Visa/Mastercard transactions.

You're more likely to encounter a simple scam/phishing site than a legitimate shop that lets CC information onto their servers. And that's honestly the only danger Apple Pay protects you from.


I’m not sure what you’re replying to?

He says:

> You shouldn't share a secret that someone else could use to generate payments. You should share some type of payload that is only valid for the payment you're making.

He’s advocating for a more secure one-time way of making a payment.

It would be more secure since it’s one-time and could not be reused even if the merchant didn’t use a pci compliant design


What PCI says is irrelevant. The argument being made is that when you enter your CC number into a website you have no idea if the receiving party is PCI compliant or not. There are ways to design a payment system that reduces this counterparty risk.


You:

> You may be surprised to know that, when doing a "conventional" CC transaction, you are most certainly not giving any stranger information that would allow them to perform a transaction in your name on another merchant.

How do you know as a client the merchant doesn’t have a skimmer embedded in their payment page? Or that they don’t post directly to their servers (whether accidentally or not)? Are the PCI police going to catch them? Maybe they want to store cards to process later and don’t know or care about pci.

The problem is using the same details for every transaction in a loosely authorized way.

In a perfect world the merchant won’t have access to the card details (like with one-time payments) and everything would go thru a provider with a preauthorized payment. But we don’t live in that world right now.


What point are you even making?

Are you talking about trivial e-commerce transactions that you could make with Shopify? Yes, you could embed a payment gateway here. However, this is hardly universal or the norm.

In an actual application, you're going to have some API layer over the processor you use. You don't store these credentials, but you do pass them over your API layer and could easily intercept them.


I'm making the point that I work in a department that develops a payment platform for a variety of retailers and has to perform non-trivial integrations with a broad range of PSPs worldwide, covering all sorts of payment flows, including cases in which the PSP itself has had to do new development on their end to cover use cases that they had never come across before. And yet, we do not at any point pass the card details through the API to the PSP.

The input of all payment method data by the customer takes place either in PSP-hosted fields, on an iframe of the PSP front-end, or via a PSP-provided SDK or drop-in UI, in such a way that our software never sees the introduced data. All we see are the sanitised details (card type, BIN, and last 4 digits) that the PSP then sends to us.


That's actually not how most e-commerce payment works nowadays. If you use Shopify, the merchant doesn't see your credit card. Same for SquareSpace. Same for Salesforce Commerce Cloud / Demandware, where everything is more often integrated with Stripe/PayPal directly and the merchant never even sees it. Very rare are the merchants that will actually "see" your credit card.

The merchant doesn't pass your information to the PSP; you are actually talking to the PSP directly.


You don't send anything to the merchant. The information goes directly to the PSP and the PSP sends a token to the merchant.

This usually works by the PSP embedding iframes for the CC fields on the merchant's site (so you're inputting directly to e.g. stripe.com).
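As an added illustration of the flow the two comments above describe (example code written for this page, not anything from the commenters or from a PSP), here is the merchant-side check a defender would want: the only card data that should ever reach the merchant's own server is the PSP's token plus the sanitised details (brand, BIN, last four), so anything PAN-shaped that does show up in a request body or a log line is a scope and compliance problem worth detecting and masking. The field names, the test card number and both sample payloads are constructed for the example.

```python
import re

# Constructed sample inputs (no real card data; 4111 1111 1111 1111 is a well-known test PAN).
SAMPLE_PSP_CALLBACK = {            # what a PSP hands the merchant after hosted fields capture the card
    "payment_token": "tok_example_01",  # field names are assumptions, not a specific PSP's API
    "brand": "visa",
    "bin": "411111",
    "last4": "1111",
}
SAMPLE_BAD_FORM_POST = {           # a checkout form that posts the raw card to the merchant instead
    "name": "A. Customer",
    "card": "4111 1111 1111 1111",
    "cvv": "123",
    "exp": "12/30",
}

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters out most non-card numbers the regex catches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _strings_in(value):
    """Yield every string found in a nested dict/list/str structure."""
    if isinstance(value, dict):
        for v in value.values():
            yield from _strings_in(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from _strings_in(v)
    elif isinstance(value, str):
        yield value


def find_pans(payload) -> list:
    """Return every Luhn-valid PAN (digits only) found anywhere in the payload."""
    found = []
    for text in _strings_in(payload):
        for m in PAN_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                found.append(digits)
    return found


def cardholder_data_reached_merchant(payload) -> bool:
    """True when a full PAN is present: the merchant is now handling cardholder data."""
    return bool(find_pans(payload))


def redact_pans(text: str) -> str:
    """Mask PANs to first six + last four before the text is logged anywhere."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_RE.sub(mask, text)


if __name__ == "__main__":
    print("PSP callback carries a PAN:", cardholder_data_reached_merchant(SAMPLE_PSP_CALLBACK))
    print("Raw form post carries a PAN:", cardholder_data_reached_merchant(SAMPLE_BAD_FORM_POST))
    print(redact_pans("card 4111 1111 1111 1111 declined"))
```

The point of running this on inbound request bodies and outbound log lines is that the PSP-hosted-fields design only keeps you out of scope while it holds; a developer wiring a "quick" fallback form, or a framework that logs full request bodies on error, silently pulls the PAN back onto your servers, and this check turns that into an alert rather than a surprise during the next audit.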


People use Stripe’s forms because they’re convenient. It’s not a requirement in any way. Stripe provides APIs to build everything in their provided forms so you can build the functionality into your own site easily.


You are apparently not working in e-commerce and don't seem to know how 99% of merchants work nowadays. Merchants don't integrate by calling the Stripe API. They use a platform and those integrations are built-in. The number of merchants that are actually building their own integration to the Stripe API is a very small %, and the majority of them would be very large retailers that have the staff to create their own e-com platform and are PCI compliant. Small/medium retailers for the most part are not working that way.


Again, merchants don’t integrate by calling Stripe APIs directly out of convenience. It’s more convenient to use an out of the box solution. But from a technical perspective, nothing is stopping a merchant from accepting your CC details directly.


> But from a technical perspective, nothing is stopping a merchant from accepting your CC details directly.

From a technical perspective, no, nothing is stopping the merchant from asking you for a string of numbers and a month/year date, storing it, and believing that "technically" they can send it to the Stripe API to charge you.

That's when they will realise that, from a business perspective, there absolutely is something stopping them: that they literally cannot do any business whatsoever with your CC details directly, unless they are fully PCI compliant to the same level as an actual PSP.


I had a job waiting tables when I was a teenager when my co-worker got busted for writing down credit card numbers and info when she took the tables' cards to charge them. Apparently she had racked up over 100 thousand in fraud over time.

What stops a business from doing the same thing?


That's like saying you can't steal from the grocery store because 99% of people don't steal from the grocery store.


You’re usually prohibited by the PSP from gathering or storing the CC details directly. You’ll notice you often don’t give the merchant the details directly.

Some large merchants do take the details directly, but they typically have to go through all the PCI compliance hoops and maintain that.

There are exceptions, but most of the time the merchant does not see your credit card details.


What prevents me from cloning some product's website and changing the payment form to send me the details instead, which I then submit somewhere else to purchase something online for myself? Not sure why Stripe or PCI is even important here.

(IMO) what GP was arguing for is that we should have a fundamentally asymmetrical form of payment, viz. the information I give for one purchase should not be able to be reused for another purchase, like a one-time token. Imagine if you had to send your private key every time you wanted to purchase something in crypto, for example.


This is correct and the GP is (confidently) talking nonsense.

However the big issue is most normal users would not have the ability to see if they're using an embedded iframe or cross origin JS from Stripe, Braintree, etc.


He is not talking nonsense. He is talking about what he perceives as a user.

The same way that when you get a refund, you don't see the money back immediately. What the user doesn't know is that when you pay a business, the same thing happens, and the business doesn't get the money immediately.

And paying by credit card feels much more insecure than using PayPal or Amazon Pay, even if it isn't.


> You may be surprised to know that, when doing a "conventional" CC transaction, you are most certainly not giving any stranger information that would allow them to perform a transaction in your name on another merchant.

No. In the best case, you’re giving your payment details to a PSP. A couple of years ago NewEgg had a JavaScript skimmer on their checkout page that harvested all their customers' payment details for months. Obviously anyone with access and intent could do the same for any payment page.
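The defensive counterpart to the skimmer scenario above, as an added example that is not part of the thread: a checkout page is only as trustworthy as every script it loads, so a merchant should keep an inventory of the scripts on the payment page and alert when one appears from an origin nobody approved or lacks a Subresource Integrity hash. The check below parses a page and reports exactly those two conditions plus any inline script. The sample page, the allowlist and the integrity value are constructed; the vendor hostnames in it are used only as illustrative origins.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed checkout page used as sample input (not any real merchant's page).
SAMPLE_CHECKOUT_HTML = """
<html><head>
  <script src="https://js.stripe.com/v3/"></script>
  <script src="https://shop.example/static/checkout.js"
          integrity="sha384-CONSTRUCTED-HASH" crossorigin="anonymous"></script>
  <script src="https://static.unknown-cdn.example/analytics.js"></script>
  <script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="checkout"></form></body></html>
"""

# Origins the merchant has reviewed and approved for its payment page (assumption for the example).
ALLOWED_SCRIPT_ORIGINS = {"https://js.stripe.com", "https://shop.example"}


class ScriptCollector(HTMLParser):
    """Collects every <script> tag with its src and integrity attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity")})


def origin_of(url: str) -> str:
    """scheme://host for an absolute URL; relative URLs count as the page's own origin."""
    parts = urlsplit(url)
    if not parts.netloc:
        return "(same-origin)"
    return f"{parts.scheme}://{parts.netloc}"


def audit_payment_page(html: str, allowed_origins: set) -> list:
    """Return (src, issue) pairs for scripts on the page that need attention."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        src = s["src"]
        if src is None:
            findings.append(("(inline)", "inline script; confirm it is authorised and unchanged"))
            continue
        origin = origin_of(src)
        if origin != "(same-origin)" and origin not in allowed_origins:
            findings.append((src, "origin not in allowlist"))
        if not s["integrity"]:
            findings.append((src, "no SRI integrity attribute"))
    return findings


if __name__ == "__main__":
    for src, issue in audit_payment_page(SAMPLE_CHECKOUT_HTML, ALLOWED_SCRIPT_ORIGINS):
        print(f"{issue}: {src}")
```

One caveat that the output makes visible: PSP loader scripts are typically served as a moving target without published SRI hashes, so they will always show up as "no SRI integrity attribute". For those the allowlist, a Content-Security-Policy `script-src` that matches it, and periodic diffing of what the page actually serves are the controls, while SRI is reserved for the merchant's own static bundles.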


I've used plumbers and dentists where, over the phone, they collect your CC information, sometimes as a deposit before doing work.

Always made me nervous... are they writing it down? Typing it into their home-made software?


Those are MOTO (Mail Order/Telephone Order) transactions, and follow a different regulation than online card transactions. See here: https://docs.adyen.com/point-of-sale/mail-and-telephone-orde...


> I have had my card locked for traveling within the same city and spending maybe $20 at a merchant I don’t usually visit. I had it locked because of a $5 web service monthly charge - and I had verified the same charge the two prior months.

This happens to me almost every time Skype bills me, and I've been a customer for probably 10+ years with both my bank and Skype, and the billing is regular as clockwork. For at least half of that time, I've complained about it vocally and customer service can't do anything. Now I think about this every single time I hear "AI-assisted fraud detection", and by extension, "AI-assisted security" and really "AI-assisted XYZ". Without another credit card, I guess I'd simply live in constant fear of being embarrassingly declined totally at random on any/every transaction. It's not like I know the billing cadence, even though my bank has a decade of history.

Clearly they are simply selling my history to the highest bidder, because they certainly aren't using it to help me. On a related note, ever notice that vanilla "exact substring match" search even in gmail is just as bad as google web search? All these corporations that are allegedly indexing us to "value-add" with some perfect high-resolution consumer model can't even do basic shit despite all the spying. I almost expect my privacy to be fucked, like I guess hey that's modernity. What never ceases to surprise me lately is how the pretense has kind of dropped and we get nothing in exchange, even petty conveniences.


> This happens to me almost every time Skype bills me, and I've been a customer for probably 10+ years with both my bank and Skype

Why are you still with that bank? Even if you like everything else about them, couldn't you just open an account with another bank for Skype billing? Having more than one account is helpful anyway for avoiding having a single point of failure where you can't buy anything.


Unfortunately we didn't use the contactless change to finally fix this. NFC payments are still stuck in the world where the client doesn't have a way to make the payment themselves so has to trust the payment terminal the merchant puts in front of him with their secret information. The transaction should have been reversed. The merchant should have the dumb side, where they only communicate payment details, and the client's phone should be the one doing verifications and initiating the payment. It's bonkers that this hasn't become standard yet. Even more bonkers that internet payments didn't make the same switch long ago.


At least in this respect the now prevalent UPI (unified payments interface) used throughout India fares better.

Each merchant -- even a roadside vendor or a mobile hawker of wares -- displays a QR code that has their payment account details / UPI handle.

The customer uses their own phone and UPI payment app to scan that QR code, look at the merchant details displayed, punch in the amount to pay and authorize the payment using their PIN.

(A variation on this is: hand-held POS terminals display a QR code that also encodes the amount to be paid so that the customer doesn't have to punch in the exact amount.)

And since this is a unified protocol the users are not stuck with a single payment app or a single payments processor or a single bank network to transact with each other. QR codes are universal - can be scanned by any UPI app.

I have other reservations about the digital trail this leaves for every petty transaction of your life -- and the small risk of a petty vendor being able to harass you later based on the information you leave in their records.

If we don't trust the government -- this makes us jittery about how much they can track you or even cripple your life by disabling a few key things that you need this all to work smoothly.

Those risks aside, this UPI system has been a boon to ease of transactions (without worrying about handling cash and change) across the country. Net positive with some scope for improving privacy protections.
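To make the security property of the flow above concrete (this is an added example, not code from the commenter or from NPCI's UPI implementation), here is a parser for the `upi://pay?...` intent that such a merchant QR code typically encodes. What matters is what the QR does not contain: it carries the payee's address and optionally a fixed amount, never a secret, so the payer's own app is the place where the details are displayed and the PIN is entered. The parameter names (`pa`, `pn`, `am`, `cu`, `tr`) follow the UPI deep-link convention; the VPA, merchant name and reference in the samples are constructed.

```python
import re
from decimal import Decimal
from urllib.parse import urlsplit, parse_qs

# Constructed QR payloads (the VPA, merchant name and reference are made up).
SAMPLE_QR_OPEN_AMOUNT = "upi://pay?pa=teashop@examplebank&pn=Street%20Tea%20Stall&cu=INR"
SAMPLE_QR_FIXED_AMOUNT = (
    "upi://pay?pa=teashop@examplebank&pn=Street%20Tea%20Stall"
    "&am=45.00&cu=INR&tr=CONSTRUCTED-REF-0001"
)

VPA_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9]+$")   # payee address, e.g. name@bank
AMOUNT_RE = re.compile(r"^\d{1,10}(\.\d{1,2})?$")        # positive decimal, max two places


def parse_upi_qr(payload: str) -> dict:
    """Validate a scanned payload and return the fields a payer app must show before asking for a PIN."""
    parts = urlsplit(payload)
    if parts.scheme.lower() != "upi" or parts.netloc.lower() != "pay":
        raise ValueError("not a UPI pay intent")   # e.g. an https link dressed up as a payment QR
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    pa = q.get("pa", "")
    if not VPA_RE.match(pa):
        raise ValueError("missing or malformed payee address (pa)")
    amount = None
    if "am" in q:
        if not AMOUNT_RE.match(q["am"]):
            raise ValueError("malformed amount (am)")
        amount = Decimal(q["am"])
        if amount <= 0:
            raise ValueError("amount must be positive")
    currency = q.get("cu", "INR")
    if currency != "INR":
        raise ValueError("unsupported currency")
    return {
        "payee_vpa": pa,
        "payee_name": q.get("pn", ""),
        "amount": amount,               # None: the customer types the amount themselves
        "currency": currency,
        "reference": q.get("tr"),       # merchant's transaction reference, if any
    }


def is_payable_qr(payload: str) -> bool:
    """Convenience wrapper: does this payload pass every check in parse_upi_qr?"""
    try:
        parse_upi_qr(payload)
        return True
    except ValueError:
        return False


def resolve_amount(parsed: dict, entered=None) -> Decimal:
    """Final amount to authorise: a merchant-fixed amount wins and cannot be overridden."""
    fixed = parsed["amount"]
    if fixed is not None:
        if entered is not None and Decimal(str(entered)) != fixed:
            raise ValueError("entered amount does not match the amount encoded in the QR")
        return fixed
    if entered is None:
        raise ValueError("this QR has no amount; the payer must enter one")
    entered = Decimal(str(entered))
    if entered <= 0:
        raise ValueError("amount must be positive")
    return entered


if __name__ == "__main__":
    p = parse_upi_qr(SAMPLE_QR_FIXED_AMOUNT)
    print(f"Pay {p['currency']} {resolve_amount(p)} to {p['payee_name']} ({p['payee_vpa']})? Enter PIN to confirm.")
```

The two rejections the parser makes (wrong scheme, missing payee) are the ones that matter most in practice: a pasted-over sticker QR that points at a web link, or one with a payee address that does not match the merchant name on display, is caught before the app ever asks for a PIN. The PIN entry itself happens in the payer's app against the payer's own bank and is deliberately not modelled here.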


> look at the merchant details displayed, punch in the amount to pay and authorize the payment using their PIN.

Feels like a lot of work. I prefer just tapping my phone and then getting the amount charged pushed to my phone and watch so I can complain if it's wrong whilst I'm at the checkout.


That would have been nice, but not backwards compatible with millions of POS terminals and payment processing setups out there.

One big advantage of contactless card payments as implemented in most countries is that you can seamlessly introduce it, making it look like a regular chip or even magnetic stripe transaction to the POS and everything behind it.


With the recent new QR systems around Southeast Asia, they got around this by adding support to existing terminals with just a software update. They print out the QR code for the payer to scan. It’s a bit janky, but works until the merchant updates their terminal to one with a screen capable of displaying the QR.


It might work for some use cases, but being able to receive a payment is often only part of the story. There's reconciliation, settlement, refunds, tax reporting, handling of/liability for fraud disputes and much more.

For example, consider a rental car agency or a hotel reservation. These usually make extensive use of the pre-authorization "feature" [1] of credit cards to reserve a deposit without actually charging it before the final billing amount is known. After a rental car is returned, toll charges are often posted to the card weeks or months after the rental.

QR payment systems often don't support these use cases at all (since they're usually payer-initiated and confirmed); and even if they did, chances are that their API semantics are sufficiently different from credit cards as to require significant reworking of the POS and/or backoffice systems of the merchant.

[1] It's actually more of a historical artifact of how authorization and clearing/settlement used to, and to some extent still do, run over almost completely independent rails, but for some use cases, this can actually simplify things.


> It might work for some use cases, but being able to receive a payment is often only part of the story. There's reconciliation, settlement, refunds, tax reporting, handling of/liability for fraud disputes and much more.

Disputes are quite simplified by the fact that this is always a "customer present" transaction; the platforms generally simply do not provide the ability for the payer to dispute and this is understood by the payer.

Refunds are fully supported by every QR system in wide use. Reporting and reconciliation is different but not a problem; the QR service providers all integrate with POS systems and accounting systems.

In many cases in these markets, merchants and consumers both went from dealing mostly with cash to dealing mostly with QR, so there is less of a legacy issue.

> For example, consider a rental car agency or a hotel reservation. These usually make extensive use of the pre-authorization "feature" [1] of credit cards to reserve a deposit without actually charging it before the final billing amount is known. After a rental car is returned, toll charges are often posted to the card weeks or months after the rental.

> QR payment systems often don't support these use cases at all (since they're usually payer-initiated and confirmed); and even if they did, chances are that their API semantics are sufficiently different from credit cards as to require significant reworking of the POS and/or backoffice systems of the merchant.

Bharat QR (India), Alipay & WeChat Pay (China) and QRIS (Indonesia) all support pre-auth and are widely accepted for hotels and car rentals in their respective markets.

Sure, the APIs are different, but that hasn't prevented almost universal adoption in the world's largest and second-largest markets (India & China) and rapid ongoing adoption in the world's fourth-largest (Indonesia).


> Bharat QR (India), Alipay & WeChat Pay (China) and QRIS (Indonesia) all support pre-auth and are widely accepted for hotels and car rentals in their respective markets.

Interesting, I didn’t know that!

Anyway, all requirements I mentioned are definitely feasible using QR codes (and apparently it’s already been done) – I just don’t think it would be a drop-in replacement at the terminal-to-POS interface if the existing terminal expects a credit/debit card like interface.

And the point you mentioned probably makes this a non-issue in many cases anyway:

> In many cases in these markets, merchants and consumers both went from dealing mostly with cash to dealing mostly with QR, so there is less of a legacy issue.


EMV is in a substantially better position than online credit card payments: the terminal cannot clone a card (though it sees a PIN and card number, it does not see the CVV, so it is not useful for online transactions, and the card contains private keys which are relatively hard to extract. The only remaining hole is creating a magstripe card, but these are becoming rare even in the US). The card does see and verify the transaction. The two main issues are the PIN entry onto the pad (which exposes some information, though with NFC this hole is somewhat removed), and the fact that the payment is still initiated by the terminal, with no way for the user to independently see the transaction amount before authorising the transaction (NFC on a phone can in principle fix this, though in a somewhat annoying manner: it could refuse the transaction the first time, then prompt the user, and accept the next transaction for the same amount).
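This comment's EMV point and the earlier argument that you should "share some type of payload that is only valid for the payment you're making" are the same cryptographic idea, so here is one added example (written for this page, not code from any commenter or from the EMV specifications) that shows it: the card holds a key the terminal never sees and produces a cryptogram over the specific transaction, the issuer recomputes it, and a cryptogram captured by the terminal is worthless for a different amount, a different merchant, or a second use. Real EMV derives session keys with 3DES or AES and builds the ARQC from a defined set of fields; the HMAC-SHA256 construction, the encoding, the card key and the transaction values below are simplifications constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed per-card key shared by the chip and the issuer (assumption; in EMV it is
# personalised into the chip and held in the issuer's HSM, never exposed to a terminal).
CARD_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


@dataclass(frozen=True)
class Transaction:
    merchant_id: str
    amount_minor: int       # amount in minor units (cents)
    currency: str
    terminal_nonce: bytes   # the terminal's "unpredictable number"


def _encode(tx: Transaction, atc: int) -> bytes:
    """Canonical byte string the cryptogram is computed over (simplified field list)."""
    return b"|".join([
        tx.merchant_id.encode(),
        str(tx.amount_minor).encode(),
        tx.currency.encode(),
        tx.terminal_nonce.hex().encode(),
        str(atc).encode(),
    ])


def _session_key(card_key: bytes, atc: int) -> bytes:
    """Per-transaction key derived from the card key and the transaction counter."""
    return hmac.new(card_key, b"session|" + atc.to_bytes(2, "big"), hashlib.sha256).digest()


def _cryptogram(card_key: bytes, atc: int, tx: Transaction) -> bytes:
    return hmac.new(_session_key(card_key, atc), _encode(tx, atc), hashlib.sha256).digest()[:8]


class ChipCard:
    """The card side: increments its counter and signs the transaction it is shown."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key     # never leaves the card
        self.atc = 0             # application transaction counter

    def generate_cryptogram(self, tx: Transaction):
        self.atc += 1
        return self.atc, _cryptogram(self._key, self.atc, tx)


class Issuer:
    """The issuer side: recomputes the cryptogram and refuses reused counters."""

    def __init__(self):
        self._cards = {}

    def enrol(self, pan: str, card_key: bytes) -> None:
        self._cards[pan] = {"key": card_key, "last_atc": 0}

    def authorise(self, pan: str, atc: int, cryptogram: bytes, tx: Transaction) -> str:
        rec = self._cards.get(pan)
        if rec is None:
            return "declined: unknown card"
        if atc <= rec["last_atc"]:
            return "declined: replayed counter"
        expected = _cryptogram(rec["key"], atc, tx)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: cryptogram mismatch"
        rec["last_atc"] = atc
        return "approved"


if __name__ == "__main__":
    card, issuer = ChipCard("4111111111111111", CARD_KEY), Issuer()
    issuer.enrol(card.pan, CARD_KEY)
    tx = Transaction("MERCHANT-A", 1999, "EUR", b"\x00\x01\x02\x03")
    atc, cg = card.generate_cryptogram(tx)
    print(issuer.authorise(card.pan, atc, cg, tx))                                   # approved
    print(issuer.authorise(card.pan, atc, cg, tx))                                   # replayed counter
    print(issuer.authorise(card.pan, atc, cg, Transaction("MERCHANT-A", 99999, "EUR", tx.terminal_nonce)))
```

What the terminal (or a compromised merchant) ends up holding is the PAN, the counter and an 8-byte value tied to one amount, one merchant and one counter value; the issuer-side replay check is what turns "it has the cryptogram" into "it has nothing usable". The comment's remaining gap is also visible in the model: the amount is supplied by the terminal, so the card signs whatever it is shown, which is why the payer-side confirmation on a phone matters.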


This is how it works in a lot of places, including everywhere in China and parts of south east Asia. The merchant’s device displays a QR code, which you scan with your phone. The details of the transaction are shown on your screen, and you can select things like where the money should come from, sometimes discounts etc, and then tap to complete the transaction.


So that means that all payment methods must be stored on your phone? How is that any safer than Apple Pay or PayPal?


In the case of Bharat QR (India) or QRIS (Indonesia), it's just a standard which various payment methods implement. So you can choose to scan the QR with the app of the bank that you want to pay from, or with a mobile wallet app (those wallets themselves usually being able to be linked to bank accounts, cards, etc).

In the case of Alipay and WeChat Pay (China), the QR codes are proprietary to the mobile wallet app, but both also support connecting the wallet to bank accounts and cards.

When using a card the safety characteristics are quite similar to Apple Pay or PayPal: the card details are neither stored on your phone nor transferred to the merchant. But in these markets few people use cards; they either pay directly from their bank account using these QR systems, or they keep a balance in a mobile wallet and pay from that.


> You can blame the evil competitor but the real problem is that credit cards are not the right tool for payments to strangers over the internet.

Granted the entire system needs a revamp, but credit cards are one of the best tools we have to pay strangers right now. Credit card money isn’t your money being spent, and comes with a fraud guarantee. I would rather use a credit card than something linked to my money in a checking account for sketchy transactions.

Yes, it’s a hassle when the card number inevitably gets stolen, but NFC payments, etc are starting to tackle this.

One thing I’ve seen a lot is people misunderstanding credit cards. If you pay them off monthly, you usually get some kind of reward and additionally a huge layer of fraud protection from your personal finances. That being said, I also can’t wait until more secure credit card systems become more prevalent.


In much of the world, the "credit card" payment goes through a pre-paid card. Then you're actually putting your own money on the line, and even if there's a guarantee, it's a pain to actually go through the process of invoking it.

If this is one of the best tools, then I'm really dismayed at the state of payments around the world. SEPA bank transfers are so much better, even if they have other problems.


Define "much of the world", because that is absolutely not how credit cards work.

Paying with a credit card means your credit card company pays that charge for you. Yes, you are borrowing money from your credit card company.

Once a month (or whatever your billing cycle is), you receive a statement showing all the charges on your credit card. The statement will also show any credits if applicable (eg: refunds). The sum of all charges and credits is called the balance.

At this time, if you spot any suspicious or fraudulent charges on the statement, you call your credit card company as soon as possible to dispute those charges. If they are indeed fraudulent, those charges are reversed/removed.

If the statement looks fine, you pay your credit card company whatever balance is shown on the statement.

Note how your own personal money only comes into contact with the credit card at the time of paying off the charges on the credit card, and only after confirming the charges are legitimate. The credit card company has a vested interest in fighting fraud because it's their money on the line, not yours. This is why credit cards are considered safe and widely popular.

Contrast debit cards and banks, where all charges on your debit card come into contact with your own personal money immediately. Banks don't have a vested interest because it's your money on the line, not theirs, so they won't be nearly as enthusiastic about fighting fraud on your behalf.


You’re definitely correct in how credit cards work, but I’d like to make one wording change:

> Contrast debit cards and banks, where all charges on your debit card come into contact with your own personal money immediately. Banks don't have a vested interest because it's your money on the line, not theirs, so they won't be nearly as enthusiastic about fighting fraud on your behalf.

The credit card issuer may be a bank and for most new credit card holders, there’s a decent chance it is their main bank (e.g. BoA and Chase in the United States have many credit card products).

Also, with debit cards, the federal Electronic Fund Transfer Act does limit liability for the card holder.

Source: https://www.federalreserve.gov/boarddocs/caletters/2008/0807...


This is not how credit cards work, because the system of "credit card payment" is typically used with things other than credit cards. At least in Europe you go through extra expense and hassle to get a credit card, if you're even allowed.


If someone says "credit cards" to mean things that aren't credit cards, that's not really my problem.


Let me put it in another way: there's no "credit card payment system" for payments over the internet. There's Visa, MasterCard, whatever other "card" system. Those don't just facilitate payments for credit cards, but also for other kinds of "cards", which, in my experience, are no less common. Talking about paying by card over the internet doesn't make sense without considering that hordes of people don't use credit cards for that.


Is it? Last time my card was used in an unauthorized way, one phone call to the bank locked the card and had a replacement the following day, and I got a letter a few weeks later for me to sign to confirm it was a fraudulent transaction, that was it.


> you usually get some kind of reward

What kind of reward? I’ve always paid mine off each month and never gotten a reward on any of my ~15 cards.


Cash back? Airline points? I would say you must not be American, but you said you have 15 cards so I don't know what to think.


I think it’s possibly your wording that had me confused.

> If you pay them off monthly

You get the things you mentioned whether or not you pay them off monthly or just pay the minimum and carry a balance. You just have to remain “in good standing”.


My cc number is useless without access to my bank account. The hacker would also need to steal my phone and bypass the fingerprint scanner somehow to get in there.


>One thing I’ve seen a lot is people misunderstanding credit cards.

Practically all the credit card haters turn out to not understand credit cards, it's almost hilarious. Are people not taught even the very basic of financial know-how from anyone?


> Why are we still using credit cards? It’s not great as a consumer either

Because the big networks (Mastercard and Visa) as well as the issuer and acquirer banks spend insane amounts of money on advertising and lobbying - even in the EU where payment fees are capped, the cap on CC fees is notably higher than on debit card/SEPA fees, so there is a clear incentive for everyone in the chain to push for credit cards.

Additionally, issuer banks make a ton of money on interest which means they have even more of an incentive to push for CC usage.


And also this reliance on a few payment providers causes the same type of problems as this business has with Google - big businesses trampling yours on a whim, with no real recourse. The problem is actually far worse with payment processors, who are increasingly taking it upon themselves to be an unelected worldwide morality police, deciding which types of commerce shall be legal with their own de facto law.


I've talked about this before [0], but tl;dr - American banks operate worldwide, and since they are subject to US laws, worldwide banking is de facto under US jurisdiction.

> The banks operate under a laundry list of laws outside of a criminal conviction, such as the Terrorist watch list as well as whole countries that are under US sanctions. US sanctions are a particularly large bite because the US will sanction you from the US financial system for working with the above, even if you are not under US jurisdiction.

> This, of course, doesn't mention all the reporting used for detecting tax evasion or money laundering.

> US banks are absolutely a wing of the court by operating under the given rule of law, and through the US banks' worldwide influence this 'rule of law' gains a global prominence.

[0]: https://news.ycombinator.com/item?id=28820330


Is it? My bank accounts in two European countries have in the last year transitioned from Visa Credit cards to Visa Debit cards, because the banks in both cases wanted about 2.5 euro per month for something that does not provide any value to me. Unfortunately Visa Secure seems to be changing its validation mechanism every 3 months though, which each time is super annoying.


CCs in Europe require a 2FA confirmation where you usually receive a notice of the amount you're approving.


This is not mandatory by law though, and mostly it's up to the merchant to decide whether they require 2FA or not. AFAIK payment processors like Stripe actually let you make 3DS (and whatever it's called for MasterCard / AMEX) mandatory.

I guess the problem is that in the US you'll lose a lot of customers by declining payments without 2FA. Also the likes of AMEX use 2FA via email, so I guess there could be fraud too.


It is required by law (the PSD regulation, specifically) in many circumstances.


> CCs in Europe require a 2FA confirmation where you usually receive a notice of the amount you're approving

How does that work when you buy things in places where you don't have cell service?

Yes, they exist. Even in Europe.


The SMS (or more likely, bank app) confirmation thing only happens for online payments – and if you don't have internet, how are you shopping online?

For payments involving the physical card, the chip on the card and your PIN are the two authentication factors required. (Credit and debit cards are PIN-based in the EU; signatures aren't a thing anymore there.)


I guess in those cases, something offline like google authenticator (or similar) would be better.


And how does the PoS machine work then?

In the edge case where there is no cell service yet the PoS device has connectivity (e.g. WiFi or other cellular service) they might set up a WiFi access point for users to get push notifications (assuming the 2FA method is not archaic insecure SMS).


Personally, I am substantially more suspicious of whatever random wifi network I’d need to connect to in this scenario than I’ve ever been with payment terminals out in the wild. There's so, so much more attack surface on my phone than there is with my credit card - and resolving fraud on the credit card is as easy as a phone call to the issuer (at least in the US). No such luxury if my device gets pwned or networks are MITM’d or I’m associated with suspicious activity originating from this network.


While a random WiFi network isn't what I'd love to join either, at least it's an option for receiving a code through an encrypted channel (push notifications).

If that encryption can be MITMed, then there is a much bigger problem as any traffic can be MITMed at cellular network level anyway, voiding out any WiFi-MITM concerns.


The PoS asks for the PIN in sales > 50e for 99% of the population; you can change your personal limits, but still.

This is not SMS-based 2FA but a physical/Android-based PoS to charge with, which the bank lends you.


PoS can do offline transactions and sync them later, if the merchant is willing to accept the risk.


Card present and card not present transactions are differentiated.


It does work, though I am not 100% certain of how.

Something to do with having a “next authentication token” on your device already with a 24hr expiry.


You 2FA through your bank app; SMS is too insecure for this purpose.


It’s not really a security concern, but SMS is only one factor (and EU regulations require banks to ask for two).

SMS fees outside the US are also orders of magnitudes higher – paying a few cents for that can make the entire transaction uneconomical for banks, since interchange rates are also heavily capped in Europe.


I have had too many phones land in water, then get bricked, then be unrecoverable. Then find that 2FA locked me out of key stuff. Like my Apple account.

I know that SMS is insecure. But I can get it back after a predictable disaster.


For most 2FA codes you can store the QR seed you get into your authenticator app as a backup code.

SMS is trash, yeah; 2FA just works if you care enough to know how (on most sites).


With my Apple account, I didn't even remember 2fa having been set up at all. And if I had backed it up, it would have been to a computer that itself had been replaced when it died. With the Time Machine archive having been corrupted and unrecoverable, so it would have been lost.

Today I've noticed the QR seed idea. But I'd prefer having my personal phone have access to nothing irreplaceable, and not worrying about it if it dies.

If I work in an environment that needs to be secure, then I'll worry about following security recommendations. But to whatever extent possible, I prefer not working in an environment that needs to be secure. And then not bothering with the UI disasters that secure solutions regularly impose on people.


> Yes, they exist. Even in Europe.

You mean you have wi-fi, but don't have cell service?

That is like... super rare.


It's not rare at all where I'm at.

I mean actually, I frequent a business where you cannot get a cell signal, but they offer free wifi. Metal building blocks the signal. This could happen anywhere.


Right but then you just connect your phone to the wifi? The following methods I have had for the 3DS card payments are (ultimately depends on the bank):

- Bank sends you a tiny card reader that you enter your PIN and it gives you a one time code. If you want to make payments that require 3DS (online only ofc) you have to have this card reader on you but it doesn't actually require an app or internet connectivity.

- You have an app on your phone, you drag a code from a notification onto another area of the app itself which does something (somehow - no idea the purpose) and verifies the transaction. Certificate is stored on device only.

- You open an app and it'll notify you of the purchase amount, location and merchant, and you just tap allow.

- You receive a code in the mail that is renewed once a year which is then combined with a SMS message (or app notification). The payment flow asks you for some characters from both codes.

You do not require cell service for any that I have used and wifi is enough.

Further Edit: Just to clarify though, all of these are ONLY for online purchases. Purchases in shops you just use your pin if it requires authorisation.


Not rare at all. I grew up in such a place (well, before WiFi, but now it has WiFi and still doesn’t have cell service), and have lived in two other houses like this. On holidays I have stayed in hundreds of places like this.

I remember in Berlin going to a bar where there was no cell service (some combination of poorly sited base stations and thick walls made of something dense). They of course offered free WiFi considering this.

Where I am now, there’s a section of beach full of cafes that has no cell service. If you walk 100m north or south it’s fine, but that bit is a dead zone. All the cafes have free WiFi.


There's Wi-Fi calling, but unfortunately at least in Germany, many operators don't support receiving SMS over that, unlike the US carriers I've tried it with.

However, most banks/issuers have since switched to using their app as the second factor, so all you need is Wi-Fi, practically.

A few even support displaying an offline code in the app that you can enter during checkout, but that's becoming less common since it doesn't support displaying the amount and payee given how it works.


I live in Edinburgh - buildings here are thick stone walls with lath and plaster on the internal surfaces. It's very common to have little to no cell signal indoors.


We're still using credit cards because they severely limit personal liability. Many CC companies give you the ability to have temporary cards with short term expiration linked to your account. However, there are minimal incentives for you to do so.


The credit card company and indirectly the vendors carry much of the cost of fraud. The credit card company spends a lot of resources on preventing this fraud. Introducing a proper solution for online payments would allow them to reduce costs and offer better deals to vendors and consumers. They also are the only participant in this who is an individual participant rather than a group. It seems like this is the ideal setup for credit card companies to introduce innovative solutions. They have the incentive and the leverage, yet it's not happening. What am I missing?


You are missing that the credit card companies want less transaction friction. If they wanted security we would have chip + pin in the US like the rest of the world. Charging volume overrides everything. Interest rates and those that carry a balance more than make up for fraud losses.


Strong authentication/payment confirmation and strong consumer liability protection are not mutually exclusive.

In the EU, card issuers and merchants are required to use 3DS for e-commerce payments and PIN verification for in-person payments in many circumstances; yet chargebacks are still possible.


We use CC because the infrastructure is there and there is legally mandated (depending on jurisdiction) fraud protection. When you pay with CC, the issuer is potentially on the hook for fraudulent payments, so they are incentivized to provide the protections.

And of course there are many that use CCs for the purpose of a loan to purchase items they can’t currently afford.


Although you're right that Apple Pay is cryptographically verified, you may be surprised to know these two things:

1. you can charge any amount - the amount shown in the Apple Pay UI is arbitrary

2. you can make multiple charges, also of any amount (e.g. for a subscription)

It is tokenized, but practically it's just a card number you can charge like any other card number. It's also typically linked back to the original PAN, so multiple payments can be correlated together with ease.


Your payment processor and the network has to trust you if you're reusing the Apple Pay cryptogram for a subscription payment. You _can_ do anything (e.g. you can represent yourself as an open loop transit network reader and get a card number without any authentication from express mode cards!), but the network will not allow you to succeed doing that for very long, if at all.


> Why are we still using credit cards?

Because they're accepted by pretty much everybody and nobody has come up with a system that is any better.


A multi-cryptocurrency payment system would be the perfect solution for online payments but unfortunately nobody has figured out how to solve the double-bullet problem which stands in the way of mass adoption.


Central banks are preparing to launch the digital euro and the digital dollar. Cryptos had their chance and they blew it.


No, it's really not. As a buyer I don't want irreversible transactions to someone anywhere in the world, I want something that if the seller isn't acting fairly (items not as described, not shipping orders, etc) I can lean on to get my money back.


That's why 3D secure exists: https://en.wikipedia.org/wiki/3-D_Secure

Blame your government for not caring enough to have it implemented


I hate 3D secure, it's a way for banks to move the liability and inconvenience to me, their customer. In most implementations, I need to wait for an SMS, and often that SMS takes ages to come.

Then there's a bit of a monopoly with 3d secure implementation by cardinal.js and their solution falls down completely if you have a decent amount of traffic on the site (I have worked on flash sales websites, cardinal js is about as reliable as I can throw my car)


Blaming a certain government can get you banned not only from facebook but from real life altogether.


No information given about the actual activities ongoing here so I'll focus on the service providers' behaviour directly.

Given the meteoric rise of companies charging for services with no support of any type available for consumers other than hoping for traction on social media, how do we legislate to basically enforce some alternative to 'computer says no, just make a new account and hope it doesn't happen again'? This seems like something consumer protection agencies should be all over.

Australia’s consumer protection body is actually quite active in enforcing our rights when dealing with these sorts of things. Does America not have a similar agency or has it been captured by the companies it’s supposed to regulate?

These companies are collecting sizeable profits and part of the way they’re achieving this is by simply disregarding all the support and engagement processes ‘normal’ businesses have to have claiming their scale makes them impossible. That should just not be an acceptable answer as far as consumer remedies are concerned.


Payment processors are a natural monopoly and as such they should be regulated like utilities, i.e. not allowed to deny service without good reason. Unfortunately the government rather likes having a way to destroy the livelihoods of undesirables without any of that pesky due process.


The payment networks (Visa/MC/etc.) may be monopolies but there are a ton of processors (Stripe/Paypal/etc.). Sure, all the smaller processors "suck" but somehow they worked before Stripe was founded.


Isn't the reason that Stripe grew so quickly that these smaller processors don't really work that well?

I also keep hearing that there's a ton of choice, but whenever it's brought up, true alternatives to PP/Stripe are rarely actually given.


A lot of the other options are far more expensive to the service provider. They're mostly used by industries that the big players won't touch (porn, gambling). There is a much higher risk of invalid chargebacks in these industries. (That is, someone genuinely does use their card, and then denies it.) So the processor charges are higher to compensate the extra work involved. (Also because they can.)


'friendly fraud', they call it


You have hundreds of choices to take credit cards online. You can just go the traditional method and get a merchant account and payment gateway.


All of them are at the whims of the main networks, however. The policies they set trickle down to affect everyone (see for example how damn hard it is to take payment for porn).


Payment processors are not a natural monopoly, especially not online ones


We need some new snappy word to describe what service providers are doing.

I know you could probably say that it's just some other existing legal construct which we should just enforce, but the point is that the media needs some snappy new very specific word to talk about to make politicians pay attention.

Things like swatting, phishing, slamming, gaslighting and boofing we all know about and are easy to write articles on with decent enough SEO.

So what is the snappy new 21st century term for this, so that we can complain about it and write blogs and articles about it and demand politicians do something about it?


Every business wishes it could be a vending machine. Strip out all employees and customer service and damn the consequences if your soda gets stuck.

Too many people and businesses have been relying on these vending machines, partially because they have no other choice. Everything has been hollowed out, every store runs on a skeleton crew. You know this if you’ve walked around a store wondering if anyone even works there. I never noticed this until I traveled to other countries and found businesses that actually felt like they wanted to please me instead of feeling like I was expected to be grateful that BigBoxStore (tm) exists.


"Deaf corporations" since they cannot hear, "Divine corporations" since they won't listen to you, "Nosumers" as the opposite of prosumers and a nice play with no-sum (you heard it first here)


I like the brainstorming. "Deaf corporations" I think nails the concept and is easy to understand. I don't think it's quite snappy enough to roll off the tongue or the keyboard though.

(Although if we don't come up with anything better off the cuff, we could just start calling them "deaf corporations" and then someone moar cleverer might come up with something better later)


I really don't like it as a term, because Deaf people can communicate just fine, thank you. (Also, as a practical concern, I have an interest in Deafness and signed languages, and get irritated by phrases like "turned a deaf ear" which pollute my search results.)


Some more brainstorming:

===

"Support Void", "Voiding", "Customer Voiding"

Tossing all customer support requests (and sometimes customers themselves!) into the void.

Pros: Sounds snappy and dramatic. Has humorous resonance with voiding your bowels.

Cons: Meaning not immediately clear. Sounds active when the problem is really more passive.

===

"Customer Neglect", "Customer Disservice", "Customer Ghosting"

Opposite of "customer service."

Pros: Meaning is more obvious because of its relation to Customer Service.

Cons: Not quite as snappy.


"Ghosting" is well understood and does describe how the company is behaving.

How about "Support Ghosting"?


Kafkaesque


> Does America not have a similar agency

It does, but it's still newish, and faces a lot of opposition from both politicians and businesses.

In 20 or 30 years, once the various lawsuits and codes get sorted out, it might work. But it's still in its toddler phase, and everyone is seeing if they can push the baby over.


The Federal Trade Commission seems relevant. I've not tested them on these "no support; no recourse" situations, but have had good results for other issues.

Anybody thinking of the "Better Business Bureau" should note that the BBB is not a government organisation and behaves more like a Better Extortion Bureau: paying members can keep their good rating by unilaterally declaring a claim has been resolved (often requiring claims to be reasserted multiple times), while non-members or non-paying members cannot even contest claims via the bureau.


We also have an issue of enforcement, I'm not sure if you know... but many, if not all of these behaviors could be acted on with existing legislation. Anti-trust at the federal level and a multitude of state laws on paper make it illegal to do this type of behavior.

The problem is that it's really hard to take action on large corporations. As a consumer, if I wanted to seek remedy for say, false advertising of ingress protection on a phone, it would cost hundreds of thousands of dollars in legal fees. Without a significant war chest it's almost impossible to hold most companies to account as an individual, and the agencies supposed to be enforcing these issues either won't or can't enforce the laws on the books.


The Aussie government has the same new account cycling that corporate culture does. It's just that the gov has call centres and support staff.

Do you think there's any incentive to fix these problems when the constant inconvenience and technical gremlins can be more easily and excitingly solved with biometric IDs and whatever else?

Let's be honest, the Australian government may clamp down on corporations, but it plays the same game and doesn't care for anyone's dissent in the long run.


Not sure if anyone has experimented with this but I wonder if there is a solution but it's just relatively unused. I've heard suing the company (or in most cases, taking them to arbitration) works and often times the company is the one paying for the fees (because that's how arbitration works).


The claim that scale makes support impossible is ridiculous. Just make support a paid service and it'll easily pay for itself and scale proportionally. The will is simply not there.


If you are being unethical there are a bunch of things you can do.

I would advise targeting people directly, anonymous letters directed to a spouse with accusations of cheating will help prevent executives from travelling and add a lot of personal stress on their lives, all it costs is a stamp. -- this is especially easy if you live in Sweden; since addresses and living arrangements are public info.

Other things you can do is to fabricate something racist and pay for a few hundred bot accounts to follow any mention of the company or product.

I have had both of these happen to me, and my industry is not very competitive nor am I a famous figure.


I'm sorry to hear that happened to you. :( Sounds horrible.


I hope this attack becomes more popular. I truly do.

Maybe these attacks will finally force regulators to do something about the financial parasites we call "payment processors". Any payment processing system that doesn't act like a public utility is broken and needs fixing.

I think the only digital payment system that comes close to acting like a utility right now is cryptocurrency, which is a sad, sad state of affairs.

OP: While not a complete solution, you might be able to partially mitigate this by allowing customers to pay you in other forms (e.g. the aforementioned cryptocurrency, bank transfers). That's what the porn industry and other legal businesses end up doing when they inevitably find themselves in your position.

If your customers want your product badly enough, a small fraction of them will learn how to use these payment methods. You'll have to learn to survive on those alone.


Pix, the Brazilian payment system, is basically a utility, and payers authorize the payment rather than the payee. It has very little friction, everyone uses it. It does require working internet.

I feel that Algorand (I'm not a holder anymore) was positioned to work as such but would require all the parts to make it successful. The 0.001 ALGO transaction fee cuts down on silly transactions while making 0.1 ALGO transactions possible. It also allows trading in stablecoins or CBDCs as they are enabled. It can complete transactions in milliseconds and moderately-sized participants can easily help maintain the whole network. It never gained traction, however, probably because it isn't a good HODL.


Why is it sad? I truly don’t get it, people on HN will say they are somewhat libertarian, pro decentralization, anti corporate oligopolies, but then use their dying breath to say “crypto has no use case”. Yet while AI took nearly 70 years to find its footing, in just 10 years crypto (currencies) has already found inroads into many areas as a nascent technology that has massive potential to solve some of our biggest problems.

I truly think it’s one of those cases where the “wrong/dumb” people jumped onto it (alongside scammers) and so it became poisoned to the right/smart ones. But we should be way better than that! Is it really so hard for people to separate good from bad?

It absolutely bowls me over to see this lack of ability to discuss it carefully around here so consistently. So many potential amazing conversations totally shunted by the absolute need to turn it tribal.


> Is it really so hard for people to separate good from bad?

If you mean "HN people", then probably no; but if you mean more generalized "people", then definitely yes. Unfortunately, your customers are much more likely from the latter group.

Also, being in a sad state doesn't really mean it "has no use case", right?


Not understanding what you're saying here. If anything HN is less able to separate good from bad, at least on this topic imo, and I wasn't claiming the direct parent poster said exactly that it has no use case, but still, even that they had to couch any slight mention of utility with being a "sad, sad state" implies they don't like it and know it isn't liked here.


As someone who worked in France for a medium-ish size media agency, we had something similar happening to our google adwords account... and it took ~2 weeks for our legal studio to get it back with direct support from google.

Afaik it mostly took them to basically write a few legal letters and telling them "our legal representatives would be glad to meet you at your offices at Google France and discuss such unfortunate issue and so and so" - they basically went "how about no" and restored the account.

Lawyer fees weren't particularly cheap (in the range of 2500-5000€) but still well below the money we were losing.

Is this not an option for US-based businesses? I have heard similar horror stories like the one on the OP a few times already but I've rarely seen them pursue a similar path.


>Is this not an option for US-based businesses?

It is absolutely an option. Some people simply choose not to pursue it for many reasons ranging from financial, to a matter of principle, effort required, or any other number of reasons.


It is an option.

You'll notice those stories rarely include "and I talked to my lawyer"


> 10 year relationship with Paypal and 7 year relationship with stripe

Not that the author is implying this, but don’t ever make the mistake of thinking that these numbers ever matter. It’s not 1973 and you don’t shake hands with your banker.

The only number that matters is the number of dollars going through Stripe or PayPal because of your business.


Further, the $500k number is absolutely nothing that stripe cares about. They only take a fraction of


Been there. It might be competitors. It might just be fraudsters looking to see what they can get for free from that otherwise useless stash of credit card numbers they stole or got on some forum from someone who did. Once your marketing hits the radar of one of these crews they will pass your service on to each other. As a merchant you need to develop your own fraud screening techniques or pay someone to do it.

(Pardon me if I am projecting from my past startup experience to yours in all my comments.)

I am not blaming the victim. But the industry is set up so the merchant is most responsible for detecting and dealing with fraud. And that is probably objectively not a bad call. You have all kinds of ways to detect who is doing this and ways to stop this. I hate this crime with a passion and cut it down from 5000/mo to 50/month at my first startup when it blew up on us. But it is true the credit card middlemen, having externalized the risk to you, don't then innovate incremental tools for merchants that well. I was frustrated when I received fraudulent requests there was no third party I could report my suspicions of fraud to with a confidence rating (or check against other merchants' suspicions). I did many years later see a service like that but now can't find it.

I did just now find a pretty good list of merchant anti-fraud tactics which had tricks nobody told me at the time but I had to figure out myself and were pretty successful: https://support.authorize.net/knowledgebase/Knowledgearticle...

Good luck. These guys are persistent. In my case most of them were coming from poor countries where a dollar of fraud is worth a lot more of their time than yours. Until you stop them cold, they will keep coming.


What was your most successful defence to these attacks?


No OP, but I had it happen to me and adding a "3DS" card verification to the checkout flow made the problem go away. The 3DS step is where they text the customer a number they have to type in to proceed.

It's a pain for the customer so I only do it on newish accounts, repeat customers don't get bothered.


This was LONG ago so some context is less relevant now and may not apply to others, but three of a dozen of our tactics turned the tide, the last being the best, but building on the others:

1) The basics: track all information entered in the signup process and display it in a signup email to our customer service/onboarding rep, along with whether and how often each piece of info was used (or was similar) in past locked/disabled-for-fraud accounts and have a human determine via eyeball if the composite picture looked like fraud. You'll be surprised how often a customer saying his name was Ibrahim with a phone number in Egypt had an IP in Jordan and was using a credit card belonging to Sally Jones with a zip code in Kansas. Don't automate fraud decisions. Have a human in the loop. Know your customers with a human touch up front at signup. ("Do things that don't scale" is the more recent mantra for this approach.) But never emit info so fraudsters could game the system beyond the binary of getting enabled/disabled, and even then don't give them immediate feedback during/post signup to run permutations quickly. Have a human vet asynchronously shortly post-signup as part of the customer welcome/orientation call.

2) Silently partially disable international customers so they could sign up and give us info and do certain things but not really generate expensive transactions until a customer rep called and welcomed/vetted them and checked a box unrestricting them in our admin panel. (I say silently but if they actually got to the final step of a transaction, we did give them ways to reach out to us to get activated after talking to someone (which was manned 24x7). 99+% of the time, fraudsters never called/reached out.)

3) Most subtly, reps especially offshore ones from white label partners of ours were slow to use our ways to vet their (and thus our) customers even though their management was pushing our development team for more and more technical solutions to cut fraud. It was frustrating because I could see the fraud and it was a massive chunk of our partner’s revenue (1/3rd?) shortly out of the gate with us, but since they were a white label customer of ours I/we couldn’t exactly tell their lower level rep employees to get off their butts and take the fraud seriously (when even their management wasn’t getting through), nor did I want it to continue to harm their business because it would also harm ours.

Remembering the mantra “you can’t manage what you don’t measure”, I built an admin screen that their reps (and thus their bosses) could see that showed when each recent customer signed up and when they were cleared or locked out as fraud, how many minutes were between the two and who (which rep) locked/cleared the customer and how much was spent (lost) before the account was locked. The difference was profound. Fraud from the white label partner’s customers dropped practically overnight, from $5000 a month to under $50 just by adding a report that quietly made the humans in the loop accountable. I didn’t even have to tell the partner’s people what to do. I just made the outcomes measurable and visible and the problem took care of itself. It was a profound lesson for me early in my career. I wish that exact trick had been more useful for me since, but still — very eye opening. Chargebacks were never a problem for us again.
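One way to build the "composite picture" for the rep described in point 1 above, as an added example and not code from the commenter's system. It assembles the cross-field signals (country mismatch between phone, IP and card; name on card versus account name; reuse of the email, IP or processor card fingerprint across previously locked accounts) into an internal review note and deliberately returns no verdict, leaving the enable/disable decision to the human. Every field name, the `card_fingerprint` token and the sample records are constructed.

```python
"""Compose the signup 'composite picture' for a human reviewer.

Added example, not code from any commenter's system. Field names,
the hashed card identifier and the sample records are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Signup:
    account_id: str
    name: str
    email: str
    ip: str
    ip_country: str
    phone_country: str
    card_name: str
    card_country: str
    card_fingerprint: str  # hashed card token from the processor (constructed)


# Constructed history of accounts a rep previously locked for fraud.
LOCKED_ACCOUNTS: List[Signup] = [
    Signup("a-001", "Ibrahim K", "ik@example.com", "203.0.113.7", "JO", "EG",
           "Sally Jones", "US", "fp-aaaa"),
    Signup("a-002", "J Doe", "jd@example.net", "203.0.113.7", "JO", "JO",
           "Mark Smith", "US", "fp-bbbb"),
]

# Fields whose exact reuse across locked accounts is worth flagging.
REUSE_FIELDS = ("email", "ip", "card_fingerprint")


def _norm(s: str) -> str:
    """Case- and whitespace-insensitive comparison key for names."""
    return " ".join(s.lower().split())


def summarize(signup: Signup, locked: List[Signup]) -> Dict[str, object]:
    """Return the signals a rep should eyeball; this is a summary, not a verdict."""
    signals: List[str] = []
    countries = {"phone": signup.phone_country, "ip": signup.ip_country,
                 "card": signup.card_country}
    if len(set(countries.values())) > 1:
        signals.append("country mismatch: " +
                       ", ".join(f"{k}={v}" for k, v in countries.items()))
    if _norm(signup.name) != _norm(signup.card_name):
        signals.append(f"name on card ({signup.card_name}) differs from "
                       f"account name ({signup.name})")
    reuse: Dict[str, int] = {}
    for field_name in REUSE_FIELDS:
        hits = sum(1 for old in locked
                   if getattr(old, field_name) == getattr(signup, field_name))
        if hits:
            reuse[field_name] = hits
            signals.append(f"{field_name} seen on {hits} previously locked account(s)")
    return {"account_id": signup.account_id, "signals": signals, "reuse": reuse}


def review_note(summary: Dict[str, object]) -> str:
    """Text for the internal onboarding email. Never shown to the customer."""
    lines = [f"Signup {summary['account_id']} awaiting human review"]
    if not summary["signals"]:
        lines.append("  no risk signals; proceed with welcome call")
    for s in summary["signals"]:
        lines.append(f"  - {s}")
    return "\n".join(lines)


if __name__ == "__main__":
    new = Signup("a-003", "Ibrahim K", "new@example.org", "203.0.113.7", "JO", "EG",
                 "Sally Jones", "US", "fp-aaaa")
    print(review_note(summarize(new, LOCKED_ACCOUNTS)))
```

The note goes to the rep's queue, not back to the signup form: the customer only ever sees enabled or disabled, which is the "never emit info" rule from the comment.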


I’ve heard that a lot of Shopify sites will have the auto credit card processing disabled for new orders. So that a real person can validate the order before hitting Stripe or whoever with it. Fraud orders are usually easy to spot by shipping addresses and you can get a good sense for it pretty quickly. It isn’t quite chicken sexing!

Maybe the hot take here is that the best way to ruin your own business is to automate credit cards?


"Fraud orders are usually easy to spot by shipping addresses"

You can find some of these by searching the shipping address and seeing if it's a freight forwarder or an obviously vacant home (listed on MLS with empty room pictures). Those kinds of shipping addresses have pretty high fraud rates.

But, if you mean seeing that the shipping address doesn't match the billing address on the card via AVS... That's trickier, especially for B2B spaces where a business owner buys with a credit card tied to their home address, but ships to their business.


> You can find some of these by searching the shipping address and seeing if it's a freight forwarder

Am a legitimate user of a freight forwarder, this attitude makes me sad.


It's not really an attitude. I get that legitimate orders go that direction too. It's a flag to check into the order further. Same for vacant-looking addresses, mail-shop boxes, and so on...many are legit orders, many aren't.

With credit card fraud, the merchant holds 100% of the liability. They lose the item they shipped, the shipping costs, the associated revenue, then some chargeback fees on top too. So, they check on things that could be fraud.


doesn't 3DS or other types of SCA shift the liability off of the merchant?


I believe this is further along in other countries, but in the US, you lose a lot of sales as legit customers don't remember their 3DS passwords. I see stats quoting pretty high 3DS adoption in the US (30+%), which seems odd to me personally as I've never been prompted to use it.


3DS to me is still a Nintendo handheld game platform. I've never been asked to use anything other than 2FA — usually pretend 2FA in the form of a text to a mobile number. My hardware 2FA mostly sits unused, because almost nobody asks for it.


I would assume the payment provider should handle those analytics, not the vendor


Outside of 3DS, they aren't liable for the fraud. So there's an incentive problem. They also don't have all the context. Their APIs generally want the billing address and don't have a provision to pass the shipping address...as one example. It's not the only piece of context they don't have and don't have a way to pass.


Or maybe these processors should train an AI to find whatever pattern you are describing.


That's sort of the problem - Payment processors know that fraud is occurring, and they punish the business owner.


Yes, in an ideal world, they would find the fraudster and lock them up. But that’s not feasible and they need something to happen. Punishing the business owner makes no sense in many cases (like this one; you are not going to try to fraud your own system after 7 years of no issues), but that’s the only one they can get to.


This is a cool blog. Just super short ideas as a blog post that can be read in under a minute. Thanks for sharing!


After reading your comment, I went back to the website and checked it out myself. You're right; thanks for pointing it out.


Like tweeting without Twitter.


Everything is better without Twitter! ;-)


Here’s a question, if Stripe or PayPal for example are processing so many transactions why can’t they see this stuff coming a mile away?

Shouldn't it be trivial to "triangulate" the origin of a card hack / leak after like, I don't know, three or four transactions? This whole thing seems rigged to make small businesses liable for covering the cost of the PII failure of probably a banking institution, or at a minimum a completely different small business!


Reading so many of the comments in this thread just strengthens my belief that we need large platforms to be governed like utilities, or even better, open source alternative based utilities


I know it's probably downvoted as society has a sweet spot for pity, but to a certain extent it's OP's fault.

As a merchant, you need to have a proper anti-fraud system. Especially considering the influx of orders with stolen CCs. It's just necessary to avoid huge financial and reputational losses.

Don't rely on Shopify/Stripe "anti-fraud" - it's absolute garbage selling a feeling of security. Proper analysis of order flow, spotting irregularities across many datapoints, is needed.

Some may whine things are not fair - yes they are not, and never will be. You just need to adapt.


Let me guess, you think cloudflare is the devil, right?

This is happening because you are basically leaving your PoS system open and unattended while a scammer walks by with a wheelbarrow full of freshly stolen credit cards.

Throw a captcha on that checkout page at least for goodness sakes


Sidenote, I remember some people here wondering why websites don't explain why a transaction failed (wrong CVV, wrong AVS or Do Not Honor, etc.). This is what happens if you do pass this kind of error through and don't put in some form of rate limiting, etc. It becomes a convenient site for scammers to test stolen credit cards and you end up being flagged by your payment provider.

Also, it's worth having a relationship with a smaller payment gateway or merchant account provider. It insulates you somewhat.
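To make the card-testing point above concrete, here is an added example (not code from the thread or from any processor's SDK) of the two defences the comment names: every decline is collapsed into one generic customer-facing message, and attempts are rate-limited per IP and per checkout session before the gateway is ever called. The gateway result codes, the thresholds, the IP addresses and the sample attempt stream are all constructed assumptions for illustration; a real deployment would tune the windows and add device fingerprinting or a captcha on top.

```python
"""Card-testing guard for a checkout endpoint (added example, assumptions noted inline)."""
from collections import defaultdict, deque
from dataclasses import dataclass

# One message for every decline reason: CVV, AVS and Do-Not-Honor all look identical
# to the client, so a tester learns nothing about which stolen cards are live.
GENERIC_DECLINE = "Your payment could not be processed. Please try another payment method."


@dataclass(frozen=True)
class Attempt:
    ts: float              # seconds; constructed timestamps in the sample below
    ip: str
    session: str
    card_fingerprint: str  # assumed: a token/hash derived from BIN + last 4, never the PAN
    gateway_result: str    # assumed result codes: approved, cvv_mismatch, avs_mismatch, do_not_honor


class CardTestingGuard:
    """Sliding-window limits per client IP and per checkout session."""

    def __init__(self, window_s=600, max_attempts_per_ip=6,
                 max_distinct_cards_per_ip=3, max_attempts_per_session=4):
        self.window_s = window_s
        self.max_attempts_per_ip = max_attempts_per_ip
        self.max_distinct_cards_per_ip = max_distinct_cards_per_ip
        self.max_attempts_per_session = max_attempts_per_session
        self._by_ip = defaultdict(deque)       # ip -> deque of (ts, fingerprint)
        self._by_session = defaultdict(deque)  # session -> deque of (ts, fingerprint)

    def _prune(self, dq, now):
        while dq and now - dq[0][0] > self.window_s:
            dq.popleft()

    def check(self, a: Attempt):
        """Return (allowed, reason). Run BEFORE contacting the gateway."""
        ip_dq = self._by_ip[a.ip]
        self._prune(ip_dq, a.ts)
        sess_dq = self._by_session[a.session]
        self._prune(sess_dq, a.ts)
        if len(ip_dq) >= self.max_attempts_per_ip:
            return False, "ip_rate_limit"
        if len(sess_dq) >= self.max_attempts_per_session:
            return False, "session_rate_limit"
        # A genuine shopper retrying one mistyped card has one distinct card;
        # a tester rotating through a dump has many from the same IP.
        distinct = {fp for _, fp in ip_dq} | {a.card_fingerprint}
        if len(distinct) > self.max_distinct_cards_per_ip:
            return False, "ip_card_velocity"
        return True, "ok"

    def record(self, a: Attempt):
        self._by_ip[a.ip].append((a.ts, a.card_fingerprint))
        self._by_session[a.session].append((a.ts, a.card_fingerprint))


def customer_message(gateway_result: str) -> str:
    return "Payment accepted." if gateway_result == "approved" else GENERIC_DECLINE


def run_checkout(guard: CardTestingGuard, attempts):
    """Process attempts in order; return (session, result, reason, message) per attempt."""
    outcomes = []
    for a in attempts:
        allowed, reason = guard.check(a)
        guard.record(a)  # blocked attempts count too, so a tester cannot wait out the window
        if not allowed:
            outcomes.append((a.session, "blocked", reason, GENERIC_DECLINE))
        else:
            # Only here would the real gateway be called; gateway_result stands in for its reply.
            outcomes.append((a.session, a.gateway_result, reason, customer_message(a.gateway_result)))
    return outcomes


def gateway_calls(outcomes) -> int:
    """How many attempts actually reached the (simulated) gateway."""
    return sum(1 for o in outcomes if o[1] != "blocked")


def sample_attempts():
    """Constructed stream: one honest shopper who mistypes a CVV, then a tester with five cards."""
    shopper, tester = "203.0.113.5", "198.51.100.9"
    return [
        Attempt(0, shopper, "s1", "fpA", "cvv_mismatch"),
        Attempt(30, shopper, "s1", "fpA", "approved"),
        Attempt(100, tester, "t1", "fpT1", "do_not_honor"),
        Attempt(101, tester, "t2", "fpT2", "cvv_mismatch"),
        Attempt(102, tester, "t3", "fpT3", "approved"),
        Attempt(103, tester, "t4", "fpT4", "do_not_honor"),
        Attempt(104, tester, "t5", "fpT5", "avs_mismatch"),
    ]


if __name__ == "__main__":
    for row in run_checkout(CardTestingGuard(), sample_attempts()):
        print(row)
```

Note what the sample shows: the tester's first three cards still reach the gateway, so velocity limits reduce the damage rather than eliminate it, and the per-session limit is there so that one session cannot burn through the IP budget by itself. The detailed decline reason stays in your server-side log for your own dispute handling; only the generic string is returned to the browser.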


I wonder if something like Paddle, LemonSqueezy will protect you in this case.

They are the merchant in that scenario and process refunds / chargebacks. Most likely they will punish you in some way though.


Use a service like Sift, or better, ask your CC processor for 3D-Secure if possible.


I am unable to log in to my PayPal account, because the confirmation SMS never arrives, and the only contact given is to call them. Guess I'll never use PayPal again.


I just wish there was adversarial integration on these payment apps. I'm tired of setting up new ones.

Imagine if our phones still worked like they originally did, where you could only call other people using the same carrier you are on. Oh, you have T-Mobile? Sorry. I have AT&T, I will write you a letter.

We didn't put up with it back then, and we shouldn't put up with it now.


I'm not a crypto evangelist by any means but one thing that I like about crypto is there are no chargebacks. I added Coinbase and it's not a huge amount but about 5% of sales go over this. Apple/Meta/Amazon Pay are also somewhat alternatives because the payment is going through a device that can be physically stolen but it is harder to do fraud with than a virtual credit card.


> one thing that I like about crypto is there are no chargebacks.

Most consumers probably don't like that at all, though.


I view it as paying by cash, so the same type of pitfalls exist. I'm not really pushing crypto as the best payment method, just giving the OP possible alternative payment methods they could use. There is a learning curve to using crypto, which I believe reduces the potential of consumers not fully understanding the risk of sending payments. Consumers who want the protections should use a credit card to get those.


Coinbase could freeze your ability to process or receive your payments for a dozen random reasons too. False sense of security there, you need self custody.

Have open source self-custody merchant tools improved?

Brick and mortar gone online and Web 2.0 services seem pretty left behind for accepting crypto payment. And Web 3’s crypto natives don't care or need purchasing flows.


DAO has entered the chat.


> Big corporations with billions in profits without any real support staff….

No support staff is probably how they scaled up to billions in profits in the first place.


This is something I could see CA, NY, or the EU taking on someday with some sort of "right to digital recourse" law.


I wonder what it is that we do differently such that I never hear of these problems from natively European payment methods. E.g. the payment platform iDeal draws directly from your bank account but there is apparently no significant trade in stolen logins. What makes that not as lucrative?


Related, but not strictly the same: a week ago my IBAN (eu-wide bank account number) was used via a Paypal guest account to make payments of 580€, paying through direct debit (Lastschrift).

There is no inherent security at all. Merchants usually send you 1 cent with a 2FA code, in order to verify that you have access to the account. In my case this was not done apparently, and the scammers got their items. I was able to do something similar to a chargeback, but I wonder whether the online store or PayPal will have to eat the loss.


I read about stuff like this every month, but then people (on the internet) tell me there are no uses for blockchains and they're exclusively for scams (yes, scams exist, a lot of them).


Try talking to a local (office close-ish to you) processor or acquirer. You usually need a good amount of transactions to get them interested, but they will have support, they will discuss before taking any measures, etc.


Good tip, but it doesn’t even have to be a B2B attack. A sufficiently pissed off customer can order such an attack on a business that wronged them.


Or perhaps it is a spammer who didn't like being played with, theoretically, by the author?

https://oppositeinvictus.com/how-to-mess-with-spammers-for-s...


Soon KYC on every e-commerce site will be standard.


In many countries you have a cheap, easy-to-implement and fast bank-to-bank option for online payments, which is faster, cheaper and more secure. And as such, mostly impossible to charge back because, unless you had a gun to your head, it was you who did the transaction.

In those regions, incentivise those means: give a 5% discount for paying like that. We accept those in regions where they are available; we also have our IBAN for you to pay directly. Some companies prefer that as they pay all their other invoices that way.


It would be relatively easy to implement in Ireland, but I've only used it once (buying from a shop in Germany). I placed the order on their website, and they gave me an IBAN and a reference number. I did a bank transfer to that account using the reference number they gave me, and they marked the invoice as paid and shipped the product. Simple system, though I'm not sure how they monitored their bank account: it may have been manual. It would work for any company which uses IBANs, which is all SEPA companies and many more besides.

Australia has a system called POLi. This injects a popup into the checkout page of a website which allows you to log into your own bank and do a transfer from there. That works well, and seems quick and easy for the customer.


If you have something like Revolut Business and a few other banks, you can just use the API to monitor.
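The IBAN-plus-reference flow described two comments up, and the "monitor the account via the bank's API" reply, both come down to one piece of back-office code: matching incoming transfers to open invoices. Below is an added example of that reconciler (not from the thread, and not tied to any bank's real API; the statement rows are constructed and fed in as CSV text, and the `INV-<number>-<6 hex chars>` reference format with an HMAC tag is an assumption chosen so that a mistyped or guessed reference cannot pay someone else's invoice). It also handles the cases a naive "reference matched, ship it" script gets wrong: a short payment, a duplicate transfer against an already-paid invoice, and a transfer with no usable reference.

```python
"""Reconcile incoming transfers against open invoices (added example, assumptions noted inline)."""
import csv
import hashlib
import hmac
import io
import re
from dataclasses import dataclass
from decimal import Decimal

# Assumed secret; in practice loaded from configuration, never hard-coded.
REFERENCE_KEY = b"example-reference-key"
# Assumed reference shape: invoice number, hyphen, 6 uppercase hex chars of an HMAC tag.
REF_RE = re.compile(r"INV-\d+-[0-9A-F]{6}")


@dataclass
class Invoice:
    number: str
    amount_cents: int
    currency: str
    paid: bool = False


def make_reference(invoice_no: str) -> str:
    """Reference printed for the customer on the order page."""
    tag = hmac.new(REFERENCE_KEY, invoice_no.encode(), hashlib.sha256).hexdigest()[:6].upper()
    return f"{invoice_no}-{tag}"


def valid_reference(ref: str) -> bool:
    invoice_no, _, _ = ref.rpartition("-")
    return hmac.compare_digest(make_reference(invoice_no), ref)


def to_cents(amount: str) -> int:
    # Decimal, not float: 49.90 must become exactly 4990.
    return int((Decimal(amount) * 100).quantize(Decimal(1)))


def reconcile(statement_csv: str, invoices: dict) -> list:
    """Return (row_number, status) per statement row; marks invoices paid in place."""
    results = []
    for i, row in enumerate(csv.DictReader(io.StringIO(statement_csv)), start=1):
        # Banks mangle remittance text (case, spacing), so normalise before searching.
        text = row["remittance"].upper().replace(" ", "")
        m = REF_RE.search(text)
        if not m:
            results.append((i, "unmatched"))        # manual review queue
            continue
        ref = m.group(0)
        if not valid_reference(ref):
            results.append((i, "bad_reference"))    # tag does not verify: typo or tampering
            continue
        inv = invoices.get(ref.rpartition("-")[0])
        if inv is None:
            results.append((i, "unknown_invoice"))
            continue
        if inv.paid:
            results.append((i, "duplicate"))        # do not ship twice; refund instead
            continue
        if row["currency"] != inv.currency or to_cents(row["amount"]) < inv.amount_cents:
            results.append((i, "short_payment"))    # hold the order, ask for the balance
            continue
        inv.paid = True
        results.append((i, "paid"))
    return results


def sample_invoices() -> dict:
    return {
        "INV-1001": Invoice("INV-1001", 4990, "EUR"),
        "INV-1002": Invoice("INV-1002", 12000, "EUR"),
        "INV-1003": Invoice("INV-1003", 2500, "EUR"),
        "INV-1004": Invoice("INV-1004", 9900, "EUR"),
    }


def build_statement() -> str:
    """Constructed statement export: one good payment, one bad tag, one short, one duplicate, one junk."""
    r1, r2, r3, r4 = (make_reference(n) for n in ("INV-1001", "INV-1002", "INV-1003", "INV-1004"))
    r2_bad = r2[:-1] + ("0" if r2[-1] != "0" else "1")   # corrupt the last tag character
    return "\n".join([
        "date,amount,currency,remittance",
        f"2023-07-01,49.90,EUR,Order {r1} thanks",
        f"2023-07-01,120.00,EUR,{r2_bad}",
        f"2023-07-02,20.00,EUR,{r3}",
        f"2023-07-02,99.00,EUR,{r4}",
        f"2023-07-03,99.00,EUR,{r4}",
        "2023-07-03,10.00,EUR,Birthday gift",
    ])


if __name__ == "__main__":
    for row in reconcile(build_statement(), sample_invoices()):
        print(row)
```

The same function works whether the rows come from a manually downloaded CSV or from a bank API poll; the part that matters for security is that shipping is gated on amount, currency and an unpaid invoice, not on the reference string alone.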


No need to. Just force card processors to implement 3D-Secure by default.


Use Mollie, they have great customer support.


Are there no alternative payment gateways?


> as a solo SaaS builder it seems harder and harder these days to have any sort of job security

This overlooks the hard work and risk undertaken by the virtuous founders of PayPal and Stripe.

*SBOs love to advocate the virtues of "risk-taking" to defend exploiting others, and the opposite when they find themselves at the other end of the exploitation.



