Archive for July, 2008

Finally browser companies take the lead in XSS

July 3rd, 2008

My RSS reader popped up with a new article from the IEBlog today. For those who don’t know, the IEBlog is the web log from the Microsoft Internet Explorer team.

The article is over at http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx, detailing that Internet Explorer 8 Beta 2 will include a Type-1 XSS Filter. This is fantastic news as, along with phishing and Nigerian 419 scams, XSS attacks are an evil crime designed to simply steal users’ personal information or money.

Sure, we developers should make sure we never make websites vulnerable to XSS scams, but that doesn’t excuse people actually using XSS to steal information. Heck, even PayPal recently had an XSS vulnerability.

Well, now finally the web browser manufacturers are going to start protecting users who don’t have enough knowledge of, or even need to know anything about, XSS.

Time to vent some anger at PayPal

July 1st, 2008

Now I’m not going to get into the argument of the rights or wrongs of using PayPal as a transaction processor. For me it’s simple, easy, relatively cheap, and if you use eBay you’re pretty much forced to use it anyway. Also, not all of this is PayPal’s fault, but I’ll start there.

OK, so on 14th May 2008 I received an overly large transaction payment into my PayPal account. Being a bit suspicious, I logged in with the intention of refunding the payment, to be notified by PayPal that they had held the transaction pending an anti-fraud review. OK, fair enough, but that process blocks me from refunding it anyway, so I have to wait for PayPal to conclude their ‘investigation’.

Next I get an email on the 15th May from PayPal saying they have reversed the transaction. Great, case closed, the resolution I wanted anyway.

Now it starts to get complicated. On the 22nd May I get a chargeback from PayPal (and they cancel the reversal) saying unauthorised transaction. So now not only do I have to refund the money I fully intended to refund (and believed that PayPal had refunded anyway), but now I have to pay a chargeback fine for a transaction PayPal would not let me refund in the first place because they placed a hold on the funds.

On the 7th June PayPal closed the chargeback, refunded the money and charged me a chargeback fee. OK, so this should be case closed, right? Think again.

Yesterday, 30th June, I get another email from PayPal stating a chargeback again! What? You’ve refunded the money, charged me a fine and now you issue me another chargeback? Apparently the chargeback was initiated on the 28th but they only told me on the 30th. Apparently the reason for the chargeback is ‘Special – Chargeback created by processing error’. What the heck does that mean?

In the email it tells me that I should get in contact with my account rep at an email address, so I did. I get an email back telling me I can’t email them, I have to do it from within the resolution centre…. then why tell me to email you then!?!!?!

I’ve added info to it under the resolution centre, but I can tell you this: if they refund the money again and charge me another chargeback fine, I will not let it rest, as I’d consider that theft of my money by PayPal!

Now I did say that PayPal isn’t the only group at fault here. Some responsibility must lie with the person whose PayPal account was used to make the fraudulent transaction. How difficult is it… don’t fall for phishing scams!