Exactly - as the article points out, without released voice recordings (if they exist, which is not a given), they can't prove that they didn't. Haven't similar things happened before with paypal though?
It's partly because PayPal's reputation precedes it. Paypal is a shitty company with often scummy policies. They also have a demonstrated history of employees making horrible decisions.
If PayPal didn't do anything wrong, they would probably be far more eager to provide their customer with assistance. In their initial communication they should have volunteered whether or not there is a recording of any conversation they may have had with the attacker. If there is a recording, they should have immediately volunteered to play it back for the victim in order to give him peace of mind. That's basic customer service.
The thief allegedly got the last 4 digits of the CC by posing as an employee.[0]
If true, it would mean paypal gave out financial information to an unknown third-party, which would be a breach of a bunch of laws, terms, internal policies etc.
The burden to prove innocence in this situation would definitely fall on paypal.
Excerpts from the original article[0]:
>I called paypal and used some very simple engineering tactics to obtain the last four of your card (avoid this by calling paypal and asking the agent to add a note to your account to not release any details via phone)
>Yes paypal told me them over the phone (I was acting as an employee) and godaddy let me “guess” for the first two digits of the card
edit: financial companies, or any company dealing with a financial or privacy breach, usually need to prove their innocence when they are alleged to have caused financial loss (to varying extents depending on the situation).
This is an expectation from society in general. It may not seem fair or be legally required, but that's just the way it is.
You need a course in elementary logic. Specifically, on the burden of proof. Also, everything you wrote in this comment here seems to be a complete fabrication.
I work for a bank and it's absolutely on us to show that our transactions and treatment of financial information are verifiable. We have to be able to demonstrate due diligence; there is no assumption of innocence when the auditors come knocking on the door, whatever 'elementary logic' may say.
That's why I completely believe the posters here claiming this wouldn't be possible in a bank's call centre. What I don't know is whether PayPal operates at the same standard.
That's a different question altogether. Banks are required to keep meticulous and auditable transaction records -- nobody is disputing that or even questioning if PayPal does so. Banks are not required to extend themselves to whatever demands are made to them, in order to show that the claims of a random internet person are false.
Legally, no. But if enough people find the claim credible, then it is definitely in their best interest to convince everyone else that the claim is false. Whether or not you think that is fair is irrelevant; if enough people feel the bank is not safe to use, the bank will lose business.
Ok well if that's your hand, the converse principle is more pertinent -- if it has no impact on profits, nobody cares about the random rantings of an insular group of technologists, and how they think PayPal ought to conduct itself.
The 'burden of proof' is a social/legal concept which has absolutely nothing to do with elementary logic, so maybe you're the one that needs the refresher.
When debating any issue, there is an implicit burden of proof on the person asserting a claim. The fallacy of an argument from ignorance occurs if, when a claim is challenged, the burden of proof is shifted to be on the challenger.
The burden of proof is a philosophical concept which extends into the legal domain. In fact, it's the only sane way to process assertions made by purportedly rational actors; it's hardly limited to 'social/legal' contexts.
But I'm not sure why you didn't go look this up in Wikipedia before you commented.
That really does not apply in this situation. A thief made a claim that he tricked PayPal into giving out personal information on his victim. We know the thief got the personal information. What is in question is if he is telling the truth that he got it from PayPal.
You are looking at this as a claim between the thief and PayPal. The thief made the claim, so the burden of proof is on the thief.
But that's not what's going on. PayPal is asserting a claim that they are safe, and the other party is every potential customer of PayPal. The burden is on PayPal to convince us of their claim that they are safe, in light of the claim against them.
To me, it is credible that the thief got the information from PayPal. Between the thief and PayPal, I think the thief has little incentive to lie about where he got the information, but PayPal has high incentive to cover up.
The burden of proof applies to all logical propositions. You are confusing two issues -- PayPal's marketing claims and those of a random thief. The truth is that you actually have insufficient information to decide one way or another who is telling the truth here, and at least you wouldn't be able to substantiate such a conclusion without appealing to prejudices. That's the point I'm making -- personally I think that the thief is telling the truth. But I'm reserving judgment because we certainly don't know enough to warrant some of the strong claims made on this thread.
I think you are concerned with correctly filling out The Universal Ledger of All Objective Truths. That's not what we're concerned with.
We're concerned with figuring out what we think is most likely. You are correct that we have insufficient information to know with high confidence who is telling the truth, but if we are in a position to use PayPal, we have to make a judgement anyway. Further, not having enough information to know most things with high confidence is the common case; we usually have to make decisions based on imperfect information.
In such cases, we have to use the imperfect information available to us. Prejudice is one word for it; Bayesians call it our priors.
For the record, I actually think PayPal is a net-good. I think that most of the negative press they put up with is unwarranted, and is a result of people not understanding how they are allowed to use the service. In addition, I think most people do not appreciate that PayPal is much more tolerant than the alternative that was the only-game-in-town before PayPal, which were merchant accounts with banks.
I would tend to agree with you, but paypal was emphatic that they _did not_ (emphasis theirs) release anything. There is a difference between not finding evidence and saying as such, "We could find no evidence that one of our employees failed to follow correct and established procedures". If they had said that, I would be more inclined to let them go. I believe that they placed the burden of proof on themselves by coming out with such a firm statement.
Because the thief actually did acquire the last 4 digits of the credit card number, and there is plenty of anecdotal evidence that their techs can and will give out the last 4 digits of credit card numbers.
Because there are three parties here, not two: PayPal, the thief, and all real and potential customers of PayPal. PayPal has no obligation to convince the thief that they are innocent. But if they want to retain business, they must convince all of their current and future customers that they are innocent.
@1angryhacker - they're the only game in town for a lot of people, notably ebay sellers and users. More tech-savvy sellers know to diversify or to use other payment gateways (amazon, google, etc) but paypal has a huge userbase of average internet users.
We aren't convicting them here - this isn't a court. It's just pointing out that, once again, as always: PayPal.
Not only did they screw up, but they also can't man up, tell the truth and be transparent - as usual. Shit happens. Slamming us with a denial that shit happened is implying that you aren't going to do anything about it; admitting it is a clear statement that you are not proud of it and will work to make sure it never happens again.
It's come to the point where if someone said that PayPal are responsible for climate change, I would be inclined to believe them. No matter how much they denied it.
In other words you're prejudiced and see no reason to logically validate your preconceptions?
Great, that's what we need. More people commenting who have all the answers. What if PayPal were telling the truth, how exactly would that situation look different than the one we are in? Good thing PayPal's always wrong though!
It's more like extrapolation from a known set of data points. PayPal has a certain history. You can look up what's gone down in the past, and based on that, the accusations fall right in line with the sorts of things PayPal has historically done. At this point it seems far more likely that PayPal did in fact do what it's accused of than that it didn't.
If PayPal is in fact telling the truth (and that's a big if), then the question becomes where did the hacker get the last 4 of the CC from? GoDaddy has confirmed the hacker had a large amount of info, including presumably the last 4 of the CC when he called them, so somewhere in this whole thing someone gave that data away.
(I can't reply to jessedhillon's follow-up comment yet and I don't want to wait, so I'll just reply here...)
If you look as far as... oh say, the top of this thread on HN, you will hear accounts from people who have apparently done this very thing (asked PayPal for the last 4 digits and got an answer). So it seems like their policy did not forbid it, anyone could do it, so why not believe the hacker's claim?
You can't have a policy of routinely giving out certain info then deny that you gave it out in a case where it caused a security breach. What is the defense there? "Well yeah ordinarily we DO give that out but we could tell this guy was a hacker so we didn't." Yeah, they wish. If they regularly give out last 4 digits, then the claim that they didn't in this case is absurd.
>...the question becomes where did the hacker get the last 4 of the CC from?
That's always been the question. Until you know better, what you have is a situation where you're believing the word of an anonymous criminal, relayed to you second-hand, over PayPal. I'm just saying you have no evidence either way at this point, and are simply expressing your preconceptions, which are not helpful.