|
Grex > Coop13 > #66: Accepting Paypal verification for Grex Memberships | |
|
| Author |
Message |
aruba
|
|
Accepting Paypal verification for Grex Memberships
| 
Jan 4 18:51 UTC 2004 |
I'd like to propose that we accept Paypal's verification of users as
acceptable ID for a Grex membership. This will make it easier for people to
become members of Grex.
I'm still not sure I entirely understand Paypal's system, so I would
appreciate help from people who have been through the process. It seems
they have at least two levels of security: 1) verification, and 2) address
confirmation.
Here's how
https://www.paypal.com/cgi-bin/webscr?cmd=p/gen/verification-outside
describes verification:
--------------------------------------
To become Verified, a PayPal Member must provide us with proof that he
or she has a checking account. This tells us that you have passed the
screening process of a financial institution.
--------------------------------------
But then it goes on to say:
--------------------------------------
U.S. residents can become Verified in two easy steps:
Add a checking account (after you log in to your PayPal account)
Confirm your checking account
If you live outside the U.S., you can become Verified by following these
steps:
Add a credit card
Enroll in the Expanded Use Program
Enter the Expanded Use number
---------------------------------------
So I guess if you're outside the US, you just have to have a credit card.
(I don't know what the Expanded Use Program is.)
Here's what
http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/shipping-address-outside
says about confirmed addresses:
---------------------------------------
A buyer's Confirmed Address is checked against the credit card billing
address maintained by his or her credit card company, or is verified
by PayPal through an alternate process.
---------------------------------------
However, it goes on to say
---------------------------------------
An Unconfirmed Address sometimes poses an inconvenience for legitimate
buyers. An address is Unconfirmed if it is not associated with a
credit card or it can not be independently verified by PayPal. Gift
Addresses and addresses associated with a Switch or Solo debit card
can not be confirmed. Also, in general, most non-U.S. addresses can
not be confirmed at this time.
Since an address may be Unconfirmed for several reasons, it is the
seller's responsibility to look at all aspects of the transaction
before deciding whether to ship to an Unconfirmed Address.
A buyer's Confirmed Address is checked against the credit card billing
address maintained by his or her credit card company, or is verified
by PayPal through an alternate process.
---------------------------------------
So, there are good reasons why a person outiside the US wouldn't have a
confirmed address.
So: Should Grex accept Paypal's verification of a user? If so, should we
require a confirmed address as well?
|
| 54 responses total. |
gelinas
|
|
response 1 of 54:
|
Jan 4 19:37 UTC 2004 |
Since we accept a check as verification of identity, I think we can accept
Paypal's "Verified Members".
I don't think we should accept a Paypal "Confirmed Address" as proof of
identity.
|
ryan
|
|
response 2 of 54:
|
Jan 4 21:43 UTC 2004 |
This response has been erased.
|
jep
|
|
response 3 of 54:
|
Jan 5 14:44 UTC 2004 |
I went through the Paypal process, and am both "Verified"
and "Confirmed". I had to go through it because I bought something on
eBay, then the seller wouldn't accept payment unless I
was "Confirmed". I still don't know why.
I don't clearly remember the process, but I think it involved supplying
a credit card in addition to my checking account number (which Paypal
already had).
I would like to see Grex lighten up just a little on verification. It
would be no harder to fake IDs directly, or create checking accounts
with false information, than to create Paypal accounts with Confirmed
Addresses for the purpose of spoofing Grex into allowing Internet
access or votes.
Also, this isn't something on which I feel the need to vote. If the
treasurer believes someone is a unique person that's good enough for
me. I think the standard being used should be made clear to everyone,
but other than that it should be up to the discretion of the treasurer.
|
davel
|
|
response 4 of 54:
|
Jan 5 15:02 UTC 2004 |
Um. Wasn't Grex's current verification system established by member vote?
In that case, I'd like to think that either the board or the membership would
have to vote to modify it.
But I may be misremembering, of course.
|
jp2
|
|
response 5 of 54:
|
Jan 5 15:23 UTC 2004 |
This response has been erased.
|
aruba
|
|
response 6 of 54:
|
Jan 5 15:56 UTC 2004 |
Right, the current ID policy was passed by the board.
|
albaugh
|
|
response 7 of 54:
|
Jan 5 22:29 UTC 2004 |
But here's the deal (flame me if I'm off): Even though *PayPal* might have
someone's address / locate-the-sucker info, *grex* still wouldn't have it,
if it simply took PayPal's word for it. So if grex wanted to locate someone
on its own (would it ever want to do that), it would have to work with PayPal
to get it. And if grex were required to identify a member, would saying
"please contact PayPal" be legit?
|
aruba
|
|
response 8 of 54:
|
Jan 5 23:15 UTC 2004 |
Yup, that's the tradeoff all right. I suspect law enforcement would be OK
with us referring them to Paypal, but I don't know. There was some talk a
while ago about a potential law requiring ISPs to accumulate and retain a
certain amount of information on paying customers. I didn't pay much
attention because it didn't seem to confilt with anything Grex does. Does
anyone else know anything about such a proposed law, and if it ever came to
anything?
The other question is, does accepting Paypal's word for someone's ID
fulfill our requirement that each membership be associated with a distinct
person? I think so; I don't know how one person could spoof Paypal's system
so that they looked like two people to us.
|
gull
|
|
response 9 of 54:
|
Jan 6 15:23 UTC 2004 |
They'd have to obtain two credit cards with different names and
addresses. Certainly possible, but it would be far easier to fake our
other verification methods. I think PayPal is at least as reliable as
what we accept now.
|
flem
|
|
response 10 of 54:
|
Jan 7 17:26 UTC 2004 |
At one point, I had control of both my personal paypal account and
Grex's. I don't know much about Paypal's current identity verification
policies, or the difference between personal and institutional accounts
or how we would be able to tell, but I suppose it's not impossible that
a person could acquire two grex memberships that way.
But, as gull pointed out, there are other equally fraudulent ways to
beat our ID requirements. I think taking paypal's word for it is a
reasonable thing for us to do.
|
flem
|
|
response 11 of 54:
|
Jan 7 17:31 UTC 2004 |
Hmm, on second thought, it would be nearly trivial to get two voting
memberships if we accept paypal; just send in a check the old way for
the one and use paypal for the other. As I understand it, we have no
way of knowing that the two are from the same source, and you don't even
really have to lie.
Again, I'm not sure how much we care. But it's somethign to think about.
|
gull
|
|
response 12 of 54:
|
Jan 7 18:36 UTC 2004 |
I don't see that as a big risk. Two voting memberships for one person
is not the end of the world, and it'd be difficult to expand that scheme
to a number of memberships large enough to affect a vote.
|
mynxcat
|
|
response 13 of 54:
|
Jan 7 18:54 UTC 2004 |
It would be a big deal if something was passed on the strength of one
vote. I don't think it's correct to assume that it's ok if one or two
people could hold two voting memberships but it's ok if it's not a
large number.
|
gull
|
|
response 14 of 54:
|
Jan 7 18:58 UTC 2004 |
I'm not saying it's desirable or that attempts shouldn't be made to keep
it from happening. But the effort we go to to prevent it ought to be in
proportion to the risk. I don't think this, alone, is a good reason not
to accept Paypal.
|
ryan
|
|
response 15 of 54:
|
Jan 7 19:07 UTC 2004 |
This response has been erased.
|
gull
|
|
response 16 of 54:
|
Jan 7 19:14 UTC 2004 |
I don't think that's relevant, really. We're not forcing people to use
Paypal, but if they want to I think it's reasonable to let them. You
might want to read back in other items and see how Grex has genuinely
been ripped off by other methods of accepting credit cards. Paypal is
extremely low-risk by comparison.
|
aruba
|
|
response 17 of 54:
|
Jan 7 20:00 UTC 2004 |
Yeah, Paypal is not the most savory institution in the world. I'm careful
not to leave our moneywith them any longer than necessary, because I don't
trust them not to freeze our account someday.
But, these days, a whole lot of our income comes through Paypal, so it
benefits Grex to use them.
Greg - you said someone could send in a check and also send money through
Paypal. Doesn't Paypal's verification method check that you are giving
your real name? And likewise the bank's? So wouldn't someone have to lie
to one or the other, and not get caught, for that scheme to work?
|
flem
|
|
response 18 of 54:
|
Jan 7 20:30 UTC 2004 |
I don't know, Mark. Do you get people's real, full names when they send
a paypal payment? Can you find that out from whatever user info they do
send with paypal? It's been far too long since I took a payment for me
to remember.
|
jep
|
|
response 19 of 54:
|
Jan 7 20:31 UTC 2004 |
How much of Grex's income is via Paypal?
|
aruba
|
|
response 20 of 54:
|
Jan 7 21:20 UTC 2004 |
Grex received approximately $2300 via Paypal in 2003. That's about 32% of
our total income.
|
jep
|
|
response 21 of 54:
|
Jan 7 21:50 UTC 2004 |
Wow, that's quite a lot.
|
jlamb
|
|
response 22 of 54:
|
Jan 7 23:44 UTC 2004 |
This response has been erased.
|
gull
|
|
response 23 of 54:
|
Jan 8 02:03 UTC 2004 |
When you get a Paypal payment, you get the sender's email address, full
name, and their confirmed address (if they check the box to send it.)
I use Paypal quite a bit for accepting ebay payments, these days.
|
aruba
|
|
response 24 of 54:
|
Jan 8 03:37 UTC 2004 |
Should a confirmed address be enough ID for Grex, then? Or should we
require verification?
|