LurkersWillLurk's comments

Unfortunately, I believe this is correct. I received over 1,000 messages from one contact of mine that had the message of "secure session reset". It seems his phone tried to reset the encrypted connection with me over and over. Considering that I have 3 devices in total, that's thousands of messages just from one user alone.

I'm sure millions of devices doing the same thing probably bogged them down.


I had this with one contact as well, the message on Android was "Bad encrypted message" and on desktop it was "Error handling incoming message".


This isn't true at all. It uses Signal Protocol and is end-to-end encrypted.


It is proprietary, so there is no proof they didn't tamper with the code to appear to be working on clients. And chances are against the fragile link in the chain - the user.


Campaign finance, presumably.


I don't like attacking the author for not being a lawyer (mostly because I am not a lawyer either), but it's quite clear to me that their legal interpretation is completely wrong.

To fix the original title: the First Amendment is a censorship law, not Section 230. Or at least, the First Amendment constitutionally protects internet websites that censor their users. It's called freedom of association.


More people outside of the legal profession should have an understanding of that freedom. I feel like our educational system concentrates so much on specific freedoms we have that it ignores other limitations we place on our government's powers. The implicit, and well litigated, restriction against limiting freedom of association is an extremely important example of the "forgotten rights". So when lay people run up against it, they assume there must be some kind of corruption going on, when in fact, it's an obvious consequence of constitutional law that everyone probably should have been familiarized with in high school.

Of course, that's only the tip of the iceberg when it comes to people misunderstanding the law. As the article that birthed this thread illustrates. Which only reiterates the need for our nation's civics classes to do a better job.


What does “freedom of association” imply?


Because the laws of physics trump the laws of the sovereign? I agree with the position that law enforcement should be able to attempt to access communications with a judicial warrant. I do not agree with a government mandate to use flawed encryption that would allow anyone to read my communications. It's questionable whether that would even accomplish their stated goals, and personally I doubt it.


It doesn't assume it's always impossible. If you think the problem with the current summons/warrant/arrest system is "unscientific", then I invite you to consider what kinds of effects mandatory court appearance between 9 am and 5 pm have on low-income defendants.

I'm not aware of any jurisdiction in the United States that prohibits employers from firing workers who have to appear in court. But I totally understand why "respecting the legitimacy of the courts," while nice in principle, doesn't match in comparison to putting food on the table.


The other problem with this approach is that some proportion of perfectly legitimate funds likely will remain in pending for an inordinate amount of time, which dilutes the strength of the indicator in the first place.


Not necessarily. In most cases people won't check the status. As noted in the story the sister actually checked because there was some suspicion. In this case she would have paid more attention to the status and possibly could have said, "it's still in pending... can't transfer yet". Of course the scammer would have a well-rehearsed reply, but it at least moves the level of suspicion up a notch.


So let's say banks do display 'funds available, but subject to recall if check cannot be collected'.

A year later, the internet will have thousands of threads on various sites with people complaining that their (real, legitimate) paychecks still show the indication weeks after depositing.

People who are so wishful-thinking that they think someone is paying them a 10% commission to deposit a check will still be wishful-thinking, and will continue to accept statements like "this is normal, you'll see it all over the internet" at face value.


Perhaps that would be the sort of customer dissatisfaction that would move the needle to something less Rube Goldbergish.

As I understand it, there is literally not a "transaction complete" message in the ACH protocol. After enough days without hearing an exception, you assume it went through.

I suspect this comes to the implementation model-- since it's so much based on batch files and potentially offline processing at the destination bank, they probably don't want the overhead of composing and returning a success response for the 95% of transactions that behave normally.


I'm sorry to say but this isn't a Chase specific problem. Chase is required by law to make the funds available after a couple days, just like all other banks. The OP's sister fell for a common scam that's been going on since forever, and Zelle warns you fairly explicitly to never send money to a stranger or else things like this could happen.

Of course Chase isn't going to eat a $3,000 loss because a customer fell for a common scam and ignored Zelle's warnings and didn't even do a cursory look through the bank agreement which clearly explains how checks clear.

The difference between the other services "taking responsibility" and "not shaking down their customers" and Chase Bank is that unlike a checking account, credit card transactions can be easily reversed. Once you send the money through Zelle, it's gone.

That your sister was victimized is clearly terrible, but it doesn't change the fact that her negligence caused her bank to lose 3 grand, and your father is liable as a cosigner as well. She is reasonably expected to recognize that Craigslist arrangement as too good to be true, and she ignored Zelle's admonitions not to send money to strangers.


Ok but part of the reason people lower their skepticism is because they see their bank’s UI heavily implying that the check has cleared. The main point of the post is that banks’ UI about whether a check has cleared is very misleading and really needs to be changed.


Yup. I think this is true for all sorts of aspects on the UX of financial related institutions. Not just banks, but anything you use money on.

My mortgage is paid through something that frankly looks like a scam site. You connect to it with an odd domain. When you login, it hops all over the place changing domains and forwarding you repeatedly. The UI is old, odd, and breaks with modern and safe UX patterns, like password managers (can't paste). When you finally land on the site to enter your payment information, it no longer matches the domain you went to.

I don't think a single one of my online payment hubs for standard bills like mortgage, utilities, loans, etc don't at least have one glaring pitfall that helps to introduce confusion to uninformed customers. Hell, i consider myself reasonably informed and i still fear i'm logging into a poorly thought out phishing attempt every time i pay my bills.

We've given very little consistent information to the average person about how to safely interact with the web. And that's just obvious issues, not even straight up incorrect data like what the OP seems to describe.


I have the same problem with my mortgage bank. Not to mention the emails and physical mail I get from them, which I don't even consider until my mortgage agent confirms they're legit.

Hilariously, the best online credit payment I've used has been Synchrony. I got their card when my wife had laser eye surgery because it came with a nice deal. Then I got another card for a deal at the auto mechanic's. It was so simple to go to their website, log in, make payments or change autopay, see my balance, anything. It took barely any time to tweak uMatrix so it worked. And I've never been surprised by them.

I swear I'm not being paid for saying this.


Interesting. My mortgages have always ended up with a known retail bank and can be paid through their normal websites. Is your mortgage held by some fly-by-night bank?

The only sites I visit frequently that do the domain forwarding and have ancient designs are local government sites (for paying taxes and fees).


"Interesting. My mortgages have always ended up with a known retail bank and can be paid through their normal websites. Is your mortgage held by some fly-by-night bank?"

I think you misunderstand. Your parent is saying that after logging into his normal bank, he is taken through two or three third party banking providers that have their own domain names and web user interfaces - just to perform some core action related to paying his mortgage.

I have seen this and can give you a few concrete examples:

- Log onto unionbank.com. Mortgage payment is done through "my mortgage portal" which jumps you to unionbank.customercarenet.com.

- Log onto tiaabank.com. You are quickly redirected through the first third party domain which goes by too fast to copy/paste then you are redirected to cibng.ibanking-services.com, where you do your TIAA banking online (!)

USBank bounces you around weirdo domains as well. FWIW, I have never seen wells fargo do this.

This is a phishing nightmare and it is right at the crux of high-consequence interactions (your mortgage, your banking) and barely technically literate users.

It is unbelievable that they do this.


> I think you misunderstand. Your parent is saying that after logging into his normal bank, he is taken through two or three third party banking providers that have their own domain names and web user interfaces - just to perform some core action related to paying his mortgage

Actually i think it's slightly different (in my specific example). It looks and feels just like you describe, but i get the impression that it's all the same bank. For some reason the application operates on multiple domains.

My old credit union was the same way. I'd log into `someCU.com` and be forwarded to `secure.CUentry.com` or w/e (i forget the specifics). Both domains were the same CU entity, i imagine, but the pattern we should be telling the "average person" to look for is to always find `foo.com` in the address. If you're not connected to `foo.com` then it's evil. However when sites forward you to likely safe but alternate domains entirely we erode this trust in fixed domain names.

Next time a user clicks on an email to `scamCU.com` and don't think anything of it, since `someCU.com` already has multiple domain names.

But yea, you hit the nail on the head with the root problem. It's gross.


I think I have it. I just haven’t encountered that with my banks. There may be some requests that cross domains, but none of them drop me on a payment page that looks suspect.


> Is your mortgage held by some fly-by-night bank

Even if it's not, it might be if someone decides to sell it. Years ago, I went with a well known company, and in the disclosures they have fine print saying "we may sell this". 2 months after closing, they sold, and the new servicing company required $5 per payment 'fee'. I never agreed to that, but... essentially have no choice in the matter. Options? Spend another 4 figure amount to refinance and hopefully get a different servicing company?


Interesting. My mortgage has always gone the other way - initiated someplace small and unheard of, and then bought by a name-brand bank. Just luck of the draw, I suppose.


Yup. I was warned, not even in fine print, that it was almost assured that the mortgage would be sold one or more times. I'm on my 2nd, currently.


Those fees are usually illegal but good luck fighting it


Speaking of bill pay, there seems to be some contractor that provides the Bill Pay software for banks because the UI looks nearly the same between my Schwab and BofA accounts and it's always on a subdomain of its own.

Under the More -> Charities tab, one of the 9 charities in the world they have chosen to preload as defaults is Focus on the Family, a notorious anti-LGBT hate group.


That's because anti-LGBT hate and its proponents have a plurality in opinion polling.


This exactly. I get that banks have to release the funds by law, but they should show the status of the checks to their customers in a way that shows the potential risk those customers are taking on


Somebody who uses/deals with cheques in this day and age though kinda deserves it in my books. Cheques are themselves bad UX today.


> Somebody who uses/deals with cheques in this day and age though kinda deserves it in my books. Cheques are themselves bad UX today.

Nobody deserves to get scammed. This is puritan thinking, to blame the victim. People aren't supposed to understand every single thing and systems, and banks should do a proper job at educating their clients, if they care about good PR. Obviously, Chase and many more do not.


Local/county governments and landlords tend to pressure people to use checks in my experience (northeast US). Property taxes where I live, for instance, you can pay with a credit card or EFT but the fees are absurd. I don't know why people don't want to at least take an e-check, but that's the way it is.


In the United States, cheques remain the most reliable free-to-the-user way to move amounts of money above about $2000 from one individual to another. There are a bunch of companies that effectively give you ACS access, but they tend to have low limits due to KYC concerns. There's wire transfers, but those are pricy ($50/transaction is normal) unless you have very large deposits with the bank. Most banks will let you do transfers online, but often only to other account holders at the same institution, or else with Zelle or one of its clones, usually with the aforementioned ~$2k limit.

The use case here is paying rent. I write exactly one cheque a month, and I haven't found a better way to do it that wouldn't either be expensive or require action on the landlord's part to set up a portal or something.


> There's wire transfers, but those are pricy ($50/transaction is normal

Holy crap Americans are getting scammed (for reference, bank transfers in the SEPA space are free). How the heck did N26 and others fail at such a broken market where the competition is stuck in 1995?


Please don't blame the victim.


Just because the law forces them to make the money available doesn't prevent them from putting a big warning on the associated transaction.

Clearly, the bank knows how cheques work and how they can bounce 6 months down the line. They should make it clear to the user with a warning explaining "we are required to make this money available to you by law now, but this money can be taken back at anytime if the cheque ends up being fraudulent, and this can happen for up to 6 months down the line".

The bank also knows (doing otherwise would make me doubt their competence to operate a bank) that this is a common scam and should similarly warn their customers about it. They also know (and have the data) to prove that a lot of people fall victim to this scam suggesting that there is a lack of knowledge in the majority of people when it comes to how cheques work and how they can bounce down the line after the money has already "cleared".

Finally, when it comes to the law, the law was most likely drafted at a time where 1) there were no easier ways to transfer money instantly while making sure it's actually legitimate, so it was a necessary trade-off and 2) there were similarly no easy ways to irreversibly transfer money out of the country in an untraceable fashion, so that the majority of occurrences of such scams would also give better chance to law enforcement to actually trace the funds and make the victim whole, so the fact that someone could temporarily end up out of pocket was also not a big deal.

Nowadays that particular law is clearly inadequate and is doing more harm than good, but laws take time to change (and no doubts there are vested interests at play that would want the system to remain as-is) and there's nothing preventing the banks doing their own part to "patch" the bug until a proper fix can be installed (by deprecating the whole cheque system altogether).


It amazes me that in 2020, we still struggle to implement a simple system where someone can reliably and permanently transfer money to someone else as the default, expected behaviour of the financial system.

There are far too many scams based on someone thinking they've got money they haven't, whether it's person-to-person because of weirdness about reversible money moves or someone successfully abusing some sort of chargeback or dispute mechanism against a merchant. It's not as if these things aren't well known by the industry. It just chooses not to do anything about them, and to continue to rely on fundamentally insecure and unreliable methods of moving money around when it is perfectly capable of implementing better ones.


> It amazes me that in 2020, we still struggle to implement a simple system where someone can reliably and permanently transfer money to someone else as the default, expected behaviour of the financial system.

Certain countries have done so; look at Faster Payments in the UK for example. There's technically nothing preventing FPS to be used right now in place of the majority of card transactions. All it needs is better UX and a standard, like a fps://<sort_code>:<account_number>/<reference> URL that can be either put in a QR code for in-person payments or a clickable link online. Mastercard, Visa and plenty of other companies that make their $$$ off card payments in one way or another (whether supplying overpriced card terminals or selling fraud detection services) wouldn't be too happy that their entire industry is obsoleted by a feature everyone has by default in their bank account that is no longer earning them any fees.

I'm pretty sure any effort to improve the payments system and fix its inherent flaws would see pushback (either obvious, or behind the scenes) from a (big) industry which makes its money on patching symptoms one by one instead of fixing the root cause of the problem (as an example, the fraud detection systems for online card payments - they need fraud to exist and be possible because otherwise if the system is bulletproof in such a way that fraud is technically impossible they wouldn't have a business).


I'm in the UK, and yes, Faster Payments are clearly an improvement and more like how things ought to work. But they only work for payments to others in the UK.

Elsewhere across Europe, SEPA provides a similar facility, but again only "within its own walls".

I would love to see the sort of alternative payment methods you mention taking off as a replacement for card payments. That is exactly what needs to happen. But as you say, there are some very powerful organisations with a vested interest in preventing or disrupting any such change.


> It amazes me that in 2020, we still struggle to implement a simple system where someone can reliably and permanently transfer money to someone else as the default, expected behaviour of the financial system.

It's called cash, maybe you've heard of it?

If you want an electronic system that's exactly like putting cash in an envelope and handing it to someone, Zelle etc. represent that system. A wire transfer is basically the same, only with greater formality, complexity and cost.

By and large, consumers don't actually want that. They like protections such as being able to chargeback if services they've paid for don't get delivered; goods are defective or counterfeit and so on. Yes, this can make life hard for merchants: on the other hand, they are free not to accept credit cards. Most do, because it's a price of doing business.


> By and large, consumers don't actually want that. They like protections such as being able to chargeback if services they've paid for don't get delivered; goods are defective or counterfeit and so on. Yes, this can make life hard for merchants: on the other hand, they are free not to accept credit cards. Most do, because it's a price of doing business.

That's the problem. You're free not to accept credit cards, but only in the sense that you're free not to be able to actually sell anything to a large number of people in some very important markets. It shouldn't be a "price of doing business" to accept chargeback abuse, and it shouldn't be OK for the financial firms that permit chargeback abuse using their systems to wash their hands of the resulting liability. But right now, in practice, it is.


> It amazes me that in 2020, we still struggle to implement a simple system where someone can reliably and permanently transfer money to someone else as the default, expected behaviour of the financial system.

Did you ever wonder why many transactions will accept money orders, but not checks?

The system is in place, and has been forever. It just isn't checks.


The problem is widespread around the world, and exists in different variations in different countries. And then even more variations if you're trying to transfer money internationally.

Part of that problem is the continued existence of insecure-by-design systems that should have been forcibly retired many years ago. Another part is that even where safer alternatives exist, as this very story unfortunately demonstrates, it's all too easy for an honest person to be misled about whether they are using one of them.

Both of these problems are directly attributable to the financial services industry, which continues to make a fortune from the status quo even as lives get ruined and businesses go under as a result of preventable crime. Sadly, I can't see this changing until someone in a national government grows enough of a spine to regulate the industry properly, by which I mean setting out a realistic timetable for fixing the problem and then imposing crippling fines on any banks and other professional actors that don't step up.


We have this system though, it's just we also still support systems that should have deprecated a long time ago for being insecure.


> We have this system though

Are you sure? You're certainly correct that many popular payment methods are well overdue for being discontinued, but many methods of transferring money that you might think are permanent or even immediate can, under some circumstances, subsequently be reversed.

Unless you've been the victim who sent money to a scammer, of course, in which case all too often it mysteriously turns out that the method you used doesn't suffer from such a limitation. It's almost as if there's a whole dark industry of people who know which methods can be exploited like this and use it to abuse innocent people who made reasonable but incorrect assumptions about the competence and security of the financial services industry.


In the EU we have Instant Payments powered by SEPA[1], which requires banks to confirm payment is sent/received in under 10 seconds.

So yes, it's certainly available and possible, and incidence of fraud is very low by all accounts.

[1]: https://www.ecb.europa.eu/paym/integration/retail/instant_pa...


SEPA is certainly one of the best options for a payer-originated transfer. We have something similar here in the UK as well, the Faster Payment system.

On the other hand, SEPA Direct Debits can be involuntarily refunded up to 13 months after the payment goes through if the payer claims the charge was unauthorised. From bitter experience, some customers are quite willing to lie about a legitimate charge being unauthorised in order to take their money back retrospectively.

In the spirit of the original article here, I wonder how many people appreciate the profound difference between those two methods of transferring money, both commonly known as SEPA.


Have you ever heard of a money order or wire transfer being reversed?


No, I haven't. On the other hand, I don't think I've ever made a payment either way, and I'm not even sure that my bank account has the facility to do so. They're certainly no use for things like purchases in a typical online store.


We don't have such a system in the US as far as I know. Wire transfers would be the closest fit but 1) they are artificially made expensive and 2) they are not instant.


While all of these things may be true, how does this stop Chase from implementing a new cheque status?

This scam is so incredibly common and effective that I think we have to move beyond blaming individuals for making a mistake, and consider implementing a fairly simple safeguard.


It depends on what the definition of stranger is. At the point she sent the money she had entered a relationship as an employee. Granted, it was a new relationship, I think it is easy for most people to now think of this entity as no longer a stranger -- even though they probably should.

As noted in a below thread, the solution can still be to make the funds available, but to note clearly that the actual funds may not really be there.

As you note, this scam has been going on forever, and some simple UI changes could make it harder to execute, while not hindering the common case (non-scam).


True, but--the bank should communicate clearly when the check has cleared, and display an intermediate icon that says "per the law/policy, you are allowed to access these funds now, but payment processing is not complete. if the payment does not clear, you must repay these funds."

Also, if the bank really wanted to help, they could offer the services of its fraud unit in attempting to identify and have the check writer prosecuted.

Honestly, it's time to kill checks. They have no place in today's world and can only cause problems.


I get what you’re saying, but the main complaint I have is that Chase gave no indication that the funds were not guaranteed once the check appeared to have cleared

The law only forces them to make the funds available, not to pretend that the funds cannot be reclaimed

If the true status of the check had actually been made visible, then yes, Chase would have a much stronger position to claim their was irresponsible


> a customer fell for a common scam

No, the bank fell for the scam. They cleared the fraudulent check. But their TOS says their customers are on the hook for mistakes made (and hidden - there's no way to tell if a transaction really cleared) by the bank.


I don't really know if you have a legal remedy under your state's "Unfair Trade Practices" law, but this might be one worth a complaint to your state attorney general's office or maybe a consultation with a consumer affairs attorney, if you have the money. I am pessimistic that this would go anywhere, though.


Small claims only provides monetary relief, you can't get equitable relief. How exactly are you going to calculate your monetary damages? And quite frankly, why would Google reinstate your account over losing a maximum of potentially $7,500?


Correct. In order to get injunctive relief of having account access restored, you'd have to sue Google in a Superior Court.

The difference between Small Claims and Superior is that in the former you're generally not allowed to bring an attorney, whereas in the latter you may actually be required to bring one.

Does anyone know whether account suspension without a reason is actually something that a pro-se litigant has any chance of suing these big companies for, and winning at all?


> in the former you're generally not allowed to bring an attorney

That only applies to individuals.

Corporations are not only allowed, but in fact required to be represented by an attorney in court. Even small claims. Corporations do not have pro se representation rights, and only an attorney can represent another person.


It is not true in all states that corporations must be represented by an attorney in small claims court. In California, corporations must be represented by a non-attorney employee for small claims actions.


Doesn't that just mean they will get some self-taught lawyer-in-all-but-name?


The idea is that a Small Claims judge in Cali does not expect a lawyer, so, there is no need or expectation to any legal lingo, which by itself can be confusing to normal people, plus the rules of evidence are not nearly as strict as in Superior Court, plus, not that much money is at stake.

The thing that may be daunting about Superior Court is that the judge is supposed to take it easy on pro-se litigants, but at the same time, they are still supposed to be impartial, and can't really act as your own lawyer.

