Paypal halted a transaction because it contained the word "Cuba"


My wife, Carla Sinclair, is editor of Wink Books. Yesterday, she used Paypal to pay Ben Marks his fee for reviewing a photo book published by Taschen called "Castro’s Cuba: An American Journalist’s Inside Look at Cuba 1959-1969."

Carla included a message to Ben in the Paypal transaction, which read, "Hi Ben - Your Castro's Cuba review is up! Thanks so much! Carla."

As soon as she pressed the send button, she got a pop-up message on the PayPal site that informed her that the payment was being held for review. This had never happened before and she had no idea why PayPal was holding up the transaction.

Last night, an email arrived from PayPal. It turns out, the problem arose because Carla's message included the forbidden word "Cuba" (and/or possibly "Castro").

Here's the email from PayPal:

As part of our security measures, we regularly screen activity in the PayPal system. During a recent screening, we noticed an issue regarding your account.

PayPal's Compliance Department has reviewed your account and identified activity that may be in violation of United States regulations administered by the Department of the Treasury's Office of Foreign Assets Control (OFAC).

PayPal is committed to complying with and meeting its global regulatory obligations. One obligation is to ensure that our customers, merchants, and partners are also in compliance with applicable laws and regulations, including those set forth by OFAC, in their use of PayPal.

To ensure that activity and transactions comply with current regulations, PayPal is requesting that you provide the following information via email to


Read the rest

Paypal refuses to deliver online purchases to UK addresses containing "Isis"


The Isis River, which flows through the English university city of Oxford, has inspired many place names that include "Isis," including "Isis Close." Read the rest

Paypal rolls out the welcome mat for hackers

online_payment (2)

It's not bad enough that Paypal is prone to shutting down your account and seizing your dough if you have a particularly successful fundraiser -- they also have virtually no capacity to prevent hackers from changing the email address, password and phone numbers associated with your account, even if you're using their two-factor authentication fob. Read the rest

FCC tells Paypal to knock it off with the robocalls

Although Paypal's new take-it-or-leave-it terms-of-service give it the right to give robocallers your phone number for endless harassment, the FCC has warned the company that this idea isn't just stupid and evil, it's also illegal. Read the rest

Extorted out of a one-character Twitter ID by a hacker who seized control of Godaddy domains

Naoki Hiroshima was lucky enough to snag a one-character Twitter username: @N. Over the years, he'd been offered large sums -- as much as $50,000 -- for the name, but he kept it. Then, according to a horrifying first-person account, a hacker socially engineered the last four digits of his credit-card out of Paypal, used that information to seize control of his Godaddy account, and threated to trash all of Hiroshima's websites unless Hiroshima transferred @N to the hacker. The hacker also seized control of Hiroshima's Facebook account. The attack took place over the Martin Luther King, Jr day holiday, and Hiroshima couldn't get his case escalated to anyone at Twitter, Godaddy or Paypal while it was taking place, and so he lost his domain. All three companies now say that they're looking into his story. Hiroshima offers some helpful advice on avoiding his fate (use two-factor authentication, mostly).

I'd add that it's generally good practice to avoid Godaddy, because they're SOPA-supporting sellout scum, and they suck. Read the rest

PayPal: if you don't like the violin you bought, smash it and we'll give you your money back

Just when you thought PayPal couldn't get any stupider, well, they get stupider. Erica sold an antique violin to someone who paid $2500 for it over PayPal. The buyer disputed the authenticity of the violin -- which had been authenticated by a top luthier -- and PayPal instructed him that he could have his money back if he destroyed the violin. He did, and sent the photo of the destroyed, one-of-a-kind, precious instrument to the seller and PayPal. PayPal took the $2500 back from Erica, gave it to the violin-smasher, and called it a day.

I am now out a violin that made it through WWII as well as $2500. This is of course, upsetting. But my main goal in writing to you is to prevent PayPal from ordering the destruction of violins and other antiquities that they know nothing about. It is beyond me why PayPal simply didn’t have the violin returned to me.

I spoke on the phone to numerous reps from PayPal who 100% defended their action and gave me the party line.

From the Mailbag (via Consumerist) Read the rest

Phished PayPal accounts selling on the criminal underground for $0.50 apiece

Security researcher Brian Krebs got a look at the auction prices at, a criminal marketplace where you can buy hacked and phished PayPal accounts; he discovered that the going account for 100 zero-balance verified PayPal accounts is a mere $50 -- that's 50 cents per account.

Accounts are sold with or without email access (indicated by the “email” heading in the screenshot above): Accounts that come with email access include the username and password of the victim’s email account that they used to register at PayPal, the site’s proprietor told me via instant message. The creator of told me the accounts for sale were stolen via phishing attacks, but the fact that accounts are being sold along with email access suggests that at least some of the accounts are being hijacked by password-stealing computer Trojans on account holders’ PCs.

Read the rest