I've implemented express checkout on a few carts I've written. It isn't possible to calculate the shipping cost/method until the user gives at a minimum their zip code and country. So basically the flow of Express Checkout doesn't allow this since that information is sent back once they authorize a charge and return to your site. At that point the customer is prompted with an order confirmation, final total and to select their shipping information. When they click confirm the charge is actually made. Express Checkout is extremely popular on all of the sites I've worked with and is probably the quickest payment method people can use. In the 6+ years we've been using it we have not had one single complaint about charging the wrong amount shown on the PayPal confirmation page. Customers understand they must select their shipping method and I would rather not have them enter duplicate information.
I am confused how this "bug" is any different than using something like the payments pro API. Sure your cart page says you'll charge X amount, there is NOTHING keeping you from charging some other arbitrary amount when they press pay.
I wouldn't mind entering my ZIP to precalculate the shipping costs. But seriously, shipping costs are a lame excuse. There is nothing that stops paypal from calling back to the shop to get the shipping costs. Or just make a CORS request from the browser itself and have the shop sign the shipping costs so paypal knows.
> Sure your cart page says you'll charge X amount, there is NOTHING keeping you from charging some other arbitrary amount when they press pay.
Which is exactly why I only use shops with paypal where I see the amount charged on paypal.com if I don't completely trust the shop. I was under the impression that this was the value paypal provides. Apparently I was wrong. Might as well get a prepaid credit card now.
Of course it is a bug. Proper behavior would be to confirm the amount plus shipping, or at the very least, limit the change to an amount no greater than $20 more than what was confirmed.
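An added example (not code from any commenter or from PayPal) of the merchant-side step described in the first comment, with the cap suggested just above bolted on: after the buyer returns from PayPal, the cart prices shipping from the returned address and only captures the final amount silently if it stays within a merchant-chosen uplift, otherwise it re-confirms on the merchant's own page. The NVP field names follow PayPal's classic Express Checkout NVP API; the shipping table, the $20 policy and the returned-details dict are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed shipping table; a real cart would rate by carrier and service.
SHIPPING_BY_COUNTRY = {"US": Decimal("4.95"), "CA": Decimal("9.95"),
                       "DE": Decimal("14.95"), "AU": Decimal("29.95")}
# Merchant-side policy (an assumption, not a PayPal rule): capture without a second
# confirmation only if the final total is within this much of what the buyer saw on PayPal.
MAX_UPLIFT = Decimal("20.00")

def money(x):
    return Decimal(str(x)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def shipping_for(country, postal_code):
    """Shipping is only knowable once PayPal hands back the buyer's address."""
    if country not in SHIPPING_BY_COUNTRY:
        raise ValueError(f"no shipping rate for {country}")
    return SHIPPING_BY_COUNTRY[country]

def build_capture(token, payer_id, item_amt, ship_amt, currency="USD"):
    """NVP fields for DoExpressCheckoutPayment; PAYMENTREQUEST_0_AMT is what is really charged."""
    return {
        "METHOD": "DoExpressCheckoutPayment",
        "TOKEN": token,
        "PAYERID": payer_id,
        "PAYMENTREQUEST_0_PAYMENTACTION": "Sale",
        "PAYMENTREQUEST_0_CURRENCYCODE": currency,
        "PAYMENTREQUEST_0_ITEMAMT": str(money(item_amt)),
        "PAYMENTREQUEST_0_SHIPPINGAMT": str(money(ship_amt)),
        "PAYMENTREQUEST_0_AMT": str(money(item_amt) + money(ship_amt)),
    }

def after_return(authorized_amt, item_amt, details):
    """Step after the buyer comes back from PayPal. `details` mimics the fields
    GetExpressCheckoutDetails returns (constructed here).
    Returns ("capture", nvp_fields) or ("reconfirm", final_total)."""
    ship = shipping_for(details["SHIPTOCOUNTRYCODE"], details.get("SHIPTOZIP", ""))
    total = money(item_amt) + ship
    # The buyer only confirmed `authorized_amt` on PayPal's page; a large uplift is held
    # for an explicit confirmation on the merchant site instead of being captured silently.
    if total - money(authorized_amt) > MAX_UPLIFT:
        return ("reconfirm", total)
    return ("capture", build_capture(details["TOKEN"], details["PAYERID"], item_amt, ship))

# Constructed sample: buyer authorized 19.95 (items only) and ships to Germany.
SAMPLE_DETAILS = {"TOKEN": "EC-TEST-TOKEN", "PAYERID": "TESTPAYER",
                  "SHIPTOCOUNTRYCODE": "DE", "SHIPTOZIP": "10115"}

if __name__ == "__main__":
    print(after_return("19.95", "19.95", SAMPLE_DETAILS))
```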
Hi - It's Anuj Nayar from PayPal. I can confirm that through our Bug Bounty Program a researcher reported this suspected vulnerability with our PayPal Express Checkout.
After looking into the issue, we don't think this is in fact a vulnerability. We work closely with our merchants who use Express Checkout to provide them the flexibility they need to complete their transactions in a timely manner so they can offer excellent payments experiences to their customers. We offer robust buyer and seller protection to cover both ends of the transaction and our systems are pretty good at finding and flagging this kind of illegal behavior if a merchant were to start overcharging your customers.
This is how it has always been; it's written in the documentation. I don't personally consider this a bug, since a retailer could feasibly accept a credit card and charge whatever they want to it. The fact that PayPal allows the amount to be changed is not dangerous, because PayPal holds the liability and any charges can be reversed. Furthermore, the business who charges consumers without consent will be committing fraud.
It's a flaw though. A user trusts that the amount that they see in PayPal ($19.95) is what they will be charged when they click accept - not $21.95 or $25.95 or $2,000.
It's different if you are having your customers type in their details, even though they hope you will charge them $19.95, and not double charge them or steal their credit card information - this is a reason why people use PayPal.
But yeah, like you said it is fraud, though a business could argue shipping charges or tax or "addon pricing" or whatever for a small amount (a company I would see doing this is GoDaddy), but larger amounts their PayPal account would probably be banned.
Good luck with that. It's very hard to get your money back when the merchant knows how to answer Paypal's questions. I failed at doing so when a merchant sold me something he could not deliver and then insisted on giving me a voucher instead of returning my money.
This story is going to need more detail because one of the biggest complaints merchants have is how PayPal will pretty much always side with the customer.
Agree here - That has always been one of the thorns in accepting PayPal on any decent scale. At least with chargebacks, you can fight them and win about 50% of the time with the right docs. PayPal barely entertains dialogue.
What happened is that I wanted to register a domain using www.mediaon.com, but that failed because someone else registered the same domain in the meantime using another company. When I asked for my money back because they failed to register the domain, they refused, saying that firstly it wasn't their fault (which is technically true) and secondly that I would be free to use the paid money to register another domain. That's in direct contradiction to their "money-back guarantee". Anyway, Paypal sided with them. It seemed to me that they exactly knew what to tell PayPal and PayPal does not seem to be very consumer-friendly when it comes to digital products (the policy for physical products differs).
It shouldn't really affect customers in any way. By terms of Express Checkout, after returning from the authorization at PayPal (which is NOT a checkout screen), the business must show the final checkout screen with the finalised price. If the business doesn't do this, it is the business committing fraud. PayPal is rather good at holding payments from businesses until they are happy everything is legitimate.
Maybe, but the implied behavior from what the buyer sees is that they are verifying a specific amount on Paypal's (trusted vendor) site, not on a marginally trusted random internet vendor's.
The difference is that if I want to order some two dollar bike parts, I'm happy to risk that I won't receive them, but I'm not in the habit of giving my credit card to every random site on the internet.
It doesn't really matter because the customer isn't on the line. It's PayPal that is. Considering how fanatically PayPal fights fraud, that they don't consider this an issue pretty much tells you that it isn't one.
Sure the customer is on the line. You make a very large charge on a customer's credit card, and best case is that they can't make further charges on the card because they've hit their limit. Getting it resolved in a week or so is little consolation when you have a useless credit card.
While I can see how this behaviour of PayPal is close to credit cards, I cannot see how they can show an amount that may be incorrect - they could just ask the shop whether the amount is final or not and indicate that in some way.
I wouldn't be astonished to see chargebacks (by buyers who think they were overcharged) resulting from this - that can hardly be in anyone's interest.
I recently integrated paypal. I did a test to see how much extra we could charge if the customer chose an obscure shipping address and there didn't appear to be any limits like I was expecting (I was expecting a percentage +- of the "confirmed" amount).
I asked paypal and they confirmed that there's no limit.
It is a little weird, but since paypal always sides with customers in disputes, it's probably not so bad if you get hit with this.
I spotted this earlier this week when ordering a t-shirt through TeeSpring using PayPal. I authorized a payment of 22.95 USD. Here’s a screenshot from the payment confirmation email I received: http://i.imgur.com/BGjKcsW.png The math doesn’t quite add up.
This confuses the heck out of me every time I have to work with the Paypal API. I never understood why they implemented it this way. It makes absolutely no sense IMHO but has always been this way. I'm surprised that this isn't used much more often for fraud.
Some businesses store their delivery costs at PayPal (by country), rather than on their own servers. Hence, they have to go to PayPal to determine these costs. But then, that's just rather poor implementation on part of the retailer.
This is the magic of market dynamics. If a business fraudulently takes advantage of this they will not build up a customer base, paypal will shut down their account, and money will be refunded. PayPal is taking most of the risk so that businesses can be flexible and provide a better experience.
It's not a bug, it's the way things should work with more services. PayPal's product may be outdated in many ways, but this is not one of them.
1) You get the check with a total
2) the waiter hands you a mobile card terminal (like this: http://pay-tec.de/cms/paytec/wp-content/uploads/2014/04/1.jp... )
3) You put your card in the terminal
4) waiter enters amount to pay + what you said you'd tip
5) You see the total, enter your PIN, press confirm
6) waiter hands you back your card.
The US lags behind in card payment systems. We usually hand the card over to the wait staff, they carry it away to a remote terminal (and we trust that they don't copy the card while in their possession), then we manually enter a tip after the fact.
Now I have to pay, then verify each payment manually. This is the job I thought PayPal was doing for me. Instead they've created more work since now I have to check two places to make sure charges are correct: my credit card statement and PayPal.
Hi - it's Anuj Nayar, senior director of global initiatives at PayPal. I have been reading this string with interest. We offer both buyer and seller protection to try and make sure we cover everyone. We do not always side with the buyer. On the restaurant payment side, we have been rolling out mobile payments solutions at places around the world, that let you check out and pay from your phone (inc tip). You are notified via text and email as soon as it goes through.