A Failure of Security Systems at Paypal Is Causing Concern for German Banks
Key topics
A recent PayPal security system failure has sparked concern among German banks, prompting them to block billions in payments. Commenters chimed in, sharing their own frustrating experiences with PayPal's security measures, which often lock out legitimate users while failing to deter actual fraudsters. Many expressed a strong distrust of the platform, with some vowing to delete their accounts as alternatives become available. The consensus: PayPal's business model relies on shady practices, but changing regulations and increasing competition may finally be forcing them to shape up.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussion
First comment: 50m after posting
Peak period: 127 comments in 0-12h
Avg / period: 22.9
Based on 160 loaded comments
Key moments
- Story posted: Aug 27, 2025 at 1:28 PM EDT (5 months ago)
- First comment: Aug 27, 2025 at 2:18 PM EDT (50m after posting)
- Peak activity: 127 comments in 0-12h (hottest window of the conversation)
- Latest activity: Sep 1, 2025 at 5:00 AM EDT (4 months ago)
Though extremely innovative (for its time), it's been a slipshod org since inception and slipshod is a property you decidedly do not want in a payments processor.
This is literally their business model, which is why they are able to get away with so many shady practices. Until very recently they held a practical monopoly on web based international payments.
Yup, my PayPal got locked after using it for over 20 years. Customer service refused to help and wouldn't even tell me why it was locked. I still get messages from PayPal that they "couldn't get process subscription for X." They won't delete my data either.
Scummy behavior from them on multiple levels.
Gave up on it after a while and now try to avoid it as much as I can. Good riddance.
When my argument is kinda weak I love throwing in some hyperbole to spice it up.
Merchants are definitely selling email lists.
Dealing with fraud is a red queen game: The fraudsters can keep trying until they find what gaps are there in your system, and will sometimes communicate with each other: Part of our defense system involved infiltrating some of those spaces and seeing the guides that were being sold to try to commit fraud in our platform. Meanwhile you will still have a false positive rate, and getting it all the way to zero means crazy fraud. Most people just don't get to see how much fraud is stopped before they know it exists. This isn't just for financial institutions: You'd be surprised by how much credential stuffing is attempted at, say, any very large streaming site which charges a subscription.
Without looking in, it's hard for me to say exactly how successful their security team is, but being as big as they are, and having probably thousands of people whose only job is to do fraud on their platform, winning has to be pretty hard.
I've had one since shortly after their merger from the old X.com https://en.wikipedia.org/wiki/X.com_(bank) .
Per discussions on this thread, the singular reason people have tolerated their horrid service over the years they've been an effective monopoly in many locales.
They blocked me claiming suspicious activity occurred in my account (just a low traffic personal account). Ignoring me wanting to know what suspicious activity was it and if it needed, or actually already was, reported to the authorities.
Unluckily this deletion does not hold up well: occasionally, with weird merchants only offering PayPal payment (credit card through PayPal), the payment fails when using my old email, which I used in the purchase and which was used with PayPal before. They keep forcing me to log in. But I can't! It is deleted!
I did not trust their sloppy ways then, the feeling is stronger now.
This is correct. For some reason, many people (merchants surprisingly!) love PayPal and only accept payments through it, especially those outside the US and UK. Sometimes "guest payments" aren't an option, and that means you either get a PayPal account or don't purchase the product/service.
Until that is solved, I'd argue that the benefits are not worth the costs.
Federal government provided electronic money accounts and transfer systems, along with federal government provided identity verification APIs, where the fraud requires defrauding the government. Basically, a government utility. They do it with passports, why not with digital travel?
Obviously, this has to go hand in hand with constitutional inalienable rights to protect people's access to electronic money accounts and identity verification.
The lack of effective appeal seems to be the real problem with paypal.
1. https://mobilepay.fi/
The predecessor of Wero (iDeal) has been in use in The Netherlands for almost two decades. Nobody has credit cards here and everyone does online shopping with iDeal
I am amazed at how this practical solution can't be implemented for age verification instead of all those ID uploads etc.
(The U.S. really is an outlier among developed nations in that its giro system is not widely used, and many residents would not even know how to access it. Hence Paypal's network effect can offer value there. Europe is very different.)
Bank transfers were not instant though, they usually took a work day. This is changing with the introduction of instant transfers, which become mandatory to support this year, and are also not allowed to be more expensive since this year also.
I wasn't even aware such a thing existed? Or do you mean Zelle, which seems to be some sort of hybrid system... It's not quite a giro system as found in most of EU, more like "PayPal, but built by BofA and CapOne"
If I need to pay a friend, it’s Venmo or PayPal in the US. In theory Zelle too, but I don’t know anybody who uses it.
Not at all, not even close! In most cases, that's wrong even today.
Want to sell something online? A book you wrote, a game you made? There's no way for people to pay you via giro and automatically receive the goods on the page where the payment process was initiated.
Giro is not instant, and almost no bank will offer an API that signals that a specific customer has transferred funds successfully. It always takes hours, and the confirmation process is almost always only semi-automatic for the seller.
Visa/MasterCard/PayPal/Twint/Tikkie/Wero have and will provide actual value. Giro was nice 15 years ago, but hasn't kept up.
And even for money transfers between two private individuals, giro is the inferior system - mainly because Euro banks fail at UX/UI. I don't know a single bank that offers an "address book" in their online banking app/website. If you want to send someone money, you better remember their IBAN yourself. And because the system comes with a degree of anonymity, you can't even send people money back! Their IBAN is not part of the metadata of an incoming transfer, the only way to send money back is to contact that person and have them send their IBAN.
And because of that we have leeches like Sofortüberweisung. They basically proxy the web interface of your bank and you'll give them full access to your account, so they do the transaction for you by scraping your banks web interface (and your transaction history) and report success to the vendor.
A reminder that Sofort is made by Klarna, the company that mandated usage of AI and fired 700 employees because of AI.
All three of my banking apps offer address books.
Why couldn't I send money back? I see the sender and the IBAN.
I can even in some cases cancel payments.
Where are you at?
Me: France, Germany, Italy and Switzerland.
Are you from the States or Canada? The parent talked about Europe.
Instant transactions are a very recent development and are only starting to become common because banks are required by law to support them for free come October. Up until rather recently instant SEPA transfers were often either not supported or came with additional fees attached.
Instant transfers have been the default for quite a while, and possible (for a fee) for as long as I can remember.
Online payments with instant confirmation have been really easy for 15+ years.
SEPA transfers are (at least mine have been) max. 1h until the transfer is complete (some limit this to "banking hours"). Instantaneous transfer is common.
It seems to me like there is great variety depending on what bank you use.
API's are common, and even the same between banks now with PSD2.
Tbh, a banking barcode (or EPC QR if you prefer) displayed on the seller's webpage with unique reference + reading it with your phone and making the payment is that internet payment method via giro. The webshop uses PSD2 open banking to get notified of new transactions and knows when it is transferred.
Mastercard has started to punish banks that support Girocard by default, demanding that banks drop support.
This is not an issue with Giro or Girocard, but with the existing payment monopolies.
Yes, that's what I'm talking about. This is how services like Twint in Switzerland or PayPal in Germany have worked for the last decade+.
You're saying this is currently possible, with any arbitrary two German/European banks on either end? Your customer scans the QR code, hits a button, and the QR code is replaced by a download link, and the delay is <20 seconds?
Do you have a link for the tech stack to build this?
Dude, honestly no idea what your point is, since instant and free giro transfer with more or less 3 clicks is the death of anything else.
Why the fuck should I have an extra layer to my bank? It's insecure ;)
I would like to know, are you American? This thread is about Europe.
The thing Twint (and Wero and PayPal) allows is really easy, fast, cheap (not PayPal) and secure (not PayPal) online stores. Scan the QR Code on screen, 1 second later your download link replaces the QR code. Done.
Now, I'd like to know how to do that with SEPA/giro. PSD2 and open banking sound promising. You seem knowledgeable. Why doesn't anybody use that (or do you have an example of an online store using it)? How fast is it really?
And why did it take so long? Twint is 10 years old, iDeal is 20 years old, PayPal is 25 years old.
Because once you have those capabilities, you can do a small firmware update on credit card readers with a display, and you can pay by app everywhere - no credit card, NFC or Google/Apple/Samsung Pay integration necessary.
I don't have a complete solution but this is all public information.
Barcode to read with your bank app (guide is in Finnish) https://www.finanssiala.fi/wp-content/uploads/2021/03/Pankki...
Example Bank API: https://op-developer.fi/p/psd2-info
The user will likely take ~20 seconds to get their phone out, unlock it, log in to the bank app, confirm the transaction and set their phone down. The PSD2 API shows the transaction immediately (again, instant transfer being enabled is a prerequisite) and the seller can confirm that payment is complete.
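The flow sketched in these comments (a QR code with a unique reference on the seller's page, then matching the incoming transfer via an account-information API) as an added example. This is not code from the thread or from any bank; the EPC "BCD" QR layout and the IBAN mod-97 check are standard, while the transaction record shape, the shop IBAN and the sample transactions are constructed for illustration, and real PSD2 responses differ per bank. The security-relevant points are that the reference is unguessable, and that the download is released only on a booked, full-amount, EUR transfer carrying that reference.

```python
"""Added example: EPC QR payment request plus reference matching against
account-information API transactions (constructed data, not any bank's schema)."""
import secrets
import string
from dataclasses import dataclass
from decimal import Decimal

IBAN_CHARS = set(string.ascii_uppercase + string.digits)


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check; whitespace-tolerant and case-insensitive."""
    s = iban.replace(" ", "").upper()
    if not 15 <= len(s) <= 34 or not set(s) <= IBAN_CHARS:
        return False
    rearranged = s[4:] + s[:4]                       # country code + check digits go last
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(numeric) % 97 == 1


def new_payment_reference(order_id: str) -> str:
    """Per-order reference with random suffix, so a payer cannot guess or reuse
    another order's reference to get its download released."""
    return f"{order_id}-{secrets.token_hex(4).upper()}"


def epc_qr_payload(name: str, iban: str, amount: Decimal, reference: str, bic: str = "") -> str:
    """Build the EPC069-12 'BCD' QR text (version 002, UTF-8, SEPA credit transfer).
    Element order: service tag, version, charset, identification, BIC (optional in
    v002), beneficiary name, IBAN, amount, purpose, structured ref, unstructured
    remittance, beneficiary-to-originator info. The bank app fills the transfer
    form from this; the unique reference lands in the remittance field."""
    if not iban_is_valid(iban):
        raise ValueError("invalid IBAN")
    if amount <= 0 or amount > Decimal("999999999.99"):
        raise ValueError("amount outside EPC range")
    if len(name) > 70 or len(reference) > 140:
        raise ValueError("field too long for EPC QR")
    fields = ["BCD", "002", "1", "SCT", bic, name, iban.replace(" ", "").upper(),
              f"EUR{amount:.2f}", "", "", reference, ""]
    return "\n".join(fields)


@dataclass(frozen=True)
class Transaction:
    """Constructed shape of one transaction as an account-information API might
    return it; field names are assumptions, not a real PSD2 (Berlin Group) schema."""
    amount: Decimal
    currency: str
    debtor_iban: str
    remittance: str
    booked: bool      # False = pending/not yet settled


def find_settled_payment(expected_ref: str, expected_amount: Decimal, transactions):
    """Return the transaction that settles this order, or None.
    All of: booked, EUR, exact amount, reference present. A pending transfer,
    a partial payment or a missing reference must not release the goods."""
    for tx in transactions:
        if (tx.booked and tx.currency == "EUR"
                and tx.amount == expected_amount
                and expected_ref.upper() in tx.remittance.upper()):
            return tx
    return None


SHOP_IBAN = "DE89 3704 0044 0532 0130 00"   # constructed example IBAN (passes mod-97)

if __name__ == "__main__":
    ref = new_payment_reference("ORD-1")
    print(epc_qr_payload("Example Shop", SHOP_IBAN, Decimal("12.50"), ref))
    # Constructed transactions as if fetched from the account-information API:
    txs = [
        Transaction(Decimal("12.50"), "EUR", "NL91 ABNA 0417 1643 00", f"Order {ref}", booked=False),
        Transaction(Decimal("12.00"), "EUR", "NL91 ABNA 0417 1643 00", ref, booked=True),
        Transaction(Decimal("12.50"), "EUR", "NL91 ABNA 0417 1643 00", f"{ref} thanks", booked=True),
    ]
    hit = find_settled_payment(ref, Decimal("12.50"), txs)
    print("release download" if hit else "still waiting")
```

In practice the shop polls (or receives a webhook for) new transactions after showing the QR code; the first two constructed transactions show why "reference seen" alone is not enough: one is still pending and one is underpaid, and only the third qualifies.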
Banks have APIs you can integrate with, which e.g. KDE's money app used to support in the past.
The actual underlying transaction system is extremely well designed and reliable, it's just missing the nice APIs that other payment systems have.
There was an earlier competitor much better than PayPal, called Giropay: https://de.wikipedia.org/wiki/Giropay
It had all the stuff PayPal had at launch; some of the features also made it into the now-defunct "Paydirekt" (which also died).
The main reason could be the high fragmentation across the EU market.
Though, with WERO, now we have a new approach, this time with support from the ECB :-D
What giro system are you talking about here? Do you mean the postal giro system that has existed in Europe since the 1960s and has been used for postorder shopping since before the Internet existed? That system was already obsolete in NL last century when we had the first digital invoicing systems via e-mail (and digital personal banking via dial-up), and we've had direct online payments via iDeal since 2005. Are you saying that some countries are still relying on paper-based payment instructions in 2025?
> I don't know a single bank that offers an "address book" in their online banking app/website.
Conversely, I don't know a single online banking portal that does NOT offer such basic functionality. Santander, ING, and Rabobank all do.
> And because the system comes with a degree of anonymity
What do you mean? Every payment in my bank's transaction history shows the account number on the other end of the transfer.
Quote: "Wero is a European mobile payment system that is intended to replace Giropay in Germany, Paylib in France,[1] Payconiq in Belgium[2] and Luxembourg, and iDEAL in the Netherlands."
I was thinking about "SEPA" (more precisely "SEPA Instant") which is the layer WERO builds on.
On January 9, 2025, the EU made it compulsory for receipt of transfers to be instant, and in October 2025 sending too should be available at the same cost as a normal transfer. There's nothing stopping them from implementing both send/receive instant transfers in January 2025. Yet some of these banks only enabled instant receipts in January and will make sending available exactly on 8th October 2025, 1 day before the deadline. What a business mindset to have!
It's a bit complex for a comment, but the TLDR is:
* funds in transit (called "positive float") are held in the banks account, and can be used by the bank to earn interest
* liquidity management - there are a bunch of considerations here, but the longer settlement periods enable banks to do "deferred net settlements" (just paying each other the difference between all transactions in a batched way) and also helps balance sheets in other ways, making it easier to meet reserve requirements, smoothing out intra-day liquidity, etc
The delay also means systems have more time to catch fraudulent transactions, and to block them before they happen.
For example, during Covid when interest rates were negative, some major German banks like Commerzbank charged customers interest when their balance exceeded an amount like 50000€. Now that the interest rates have gone up, they are not even close to passing on those high interest rates. The same Commerzbank now asks for 50000€ in assets, otherwise they charge a 4.90€ subscription fee from their customers.
So yeah there might be technicalities but nothing stops those technicalities being addressed until the law does.
So you're only paying for your second or third account.
This has changed since May 2025. Talk about inaccuracies ;)
Btw, as much as I appreciate the “correction” it doesn’t change overall direction of the comment.
It has? I've never paid a subscription charge, and I've never been above that amount.
Which is complete nonsense, as the transaction is actually forward-paid, and guaranteed by the European Central Bank, exactly for that reason.
So, in fact, the only reason why certain banks delay payments is so that they can keep the funds "in transit" to earn interests.
Plenty of banks don't play that game, so if your bank does, they are taking the piss and it's time to change.
Here you could do "cash on delivery", credit/debit card, account transfers (yes, even across banks; it's not as big an issue as US banks make it) or you could send stamps (not a popular option).
There was never a need for PayPal or PayPal style services. These days it's safe to assume that people have a debit card (or MobilePay in the case of Denmark).
But now, you can generate one-time use cards, which are safer than assigning a card on your PayPal account.
The other thing, is that you can do chargebacks more easily, when you buy on eBay, but this comes at the cost of higher fees (which is basically insurance)
Other than that, it's a platform that cannot be trusted
Chargebacks were also always fairly easily done via your bank. Though you did have to call them, so yes, PayPal was/is easier. I don't know, the trust in PayPal was always really really low.
Let’s say direct bank transfers are not counted. What alternatives are not based on Visa/Mastercard on global scale?
EU scale there are tons of solutions: iDeal (expanding to EU from NL), Klarna, sofort..
Each country had a local solution. Direct transfers, or better direct debit, was the common way in Germany. You literally just entered your bank account number and that was payment, the seller would debit it from your account. Zero authentication, and it worked - never had a fraud issue (in the background, I assume sellers checked the delivery address against some database before accepting this, as the seller would ultimately be on the hook for any fraud).
Aside from manual bank transfers (seller ships when the money arrives 1-3 business days later) there were also two systems based on direct bank transfers. One (Sofortüberweisung/Sofort) was essentially institutionalized phishing - you give a third party your banking credentials, they log into your account, snoop around a bit, wire the money to the merchant using your credentials and confirm to the merchant that your account has enough money and the wire is happening. The other was a similar service but by the banks, so you'd log in directly at your bank to authorize the transfer.
Most other European countries had other local systems that covered this need, but there was nothing global. Globally, your best bet for small amounts is unfortunately likely still PayPal unless your counterparty accepts crypto. For bigger amounts, there is Wise and similar services (note that I've had a horrible experience with Wise - KYC asking for things that didn't exist, luckily before they had my money to hold hostage). Wiring directly to accounts with Revolut also works reasonably well.
For transfers within the Euro zone, a regular SEPA bank transfer is easiest, with the only "downside" that you need to ask for the destination IBAN rather than just a phone number or similar that some of the other systems support.
Cash on delivery was a huge pain since you had to have potentially large amounts of cash ready to hand over to your postman upon delivery. That's the opposite of convenient.
Alternatively you could pay by bank wire transfer, which of course led to an additional delay of a day or two until your transfer actually arrived at the seller's bank account. Nobody wants to deal with barriers like these in ecommerce. PayPal was a godsend back then. Remember, barely anyone had a credit card in those days in Germany.
What really replaces Paypal in my everyday life is Revolut.
Of course nobody's using Wero now because the whole thing isn't really online yet, just a pilot program on a few websites with a few banks.
WERO is an application/UI layer on top of SCT INST payment scheme, which adds some additional features like "send to email" etc. as well as other pay-specific features in the future (pay-per-request, which is also a defined way in the SEPA/EURO rulebooks and processing docs)
https://en.wikipedia.org/wiki/Wero_(payment)
8 million transactions in only a few months (mostly in France), I wouldn't say "nobody's using Wero"
Portugal got MB WAY, Austria used to have paybox, there is iDEAL, sofort.com and generally, besides the local country systems, with de-facto European banks you get "SEPA Instant Credit Transfer" nowadays - however an IBAN is "harder" to share than, let's say, the phone number your friends already have.
Also: https://wero-wallet.eu/fr/utilisateurs
P.S. Lived in Germany 5+ years and can attest its banks and online banking are generations behind its neighboring countries. A travesty.
The sheer volume of PayPal and direct debit transactions in Germany magnified the impact of the outage compared to other markets.
With millions of potentially fraudulent debit requests appearing simultaneously, German banks chose to freeze all incoming PayPal direct debit payments. This was a necessary step to protect their customers from what appeared to be a massive, systemic fraud event.
In general, the bank of the entity initiating the debit will only let someone initiate debits to the extent to which they'd be willing to give them a loan.
Funnily enough when I spent some time in Scotland in 2007 I opened a local bank account there, and OMG:
* they charged a fee for receiving a SEPA transfer from Germany
* they didn't give me a debit card or credit card, all I could do was withdraw money at the ATM or pay with paper-based cheques (!)
* when I asked them how to transfer money to my university, they looked at me quite shocked and said "but their account is at a different bank!". The bank teller there didn't even know if they supported cross-bank money transfers, and had to ask a colleague. Turns out they did, but at exorbitant fees (25 GBP, iirc)
German banks aren't as modern as I'd want them to be, but transaction fees aren't a practical problem for most of us.
Makes sense Germany would be particularly impacted; seems like the UK was as well, to a degree. It is restored now though.
> European banks have seen widespread unauthorised direct debits from PayPal accounts, the German Savings Banks Association (DSGV) says.
> The German newspaper Sueddeutsche Zeitung (SZ) says payments worth in the region of 10 billion euros (£8.6bn) have had to be blocked, after PayPal's fraud-checking system failed.
[0] I was impeded by cookie popups and adblock/privacy-mode blockers in another language, and neither are direct reports or superior details.
Also requiring acceptance from EU users would be a GDPR violation, I think? But it didn't ask me at all so I can't evaluate it well.
But making me click an "accept" button is just dirty. I hate that.
This company needs to get paid. For that it uses ads and other means, just like everyone else does. Their list of ads, tracking and other partners happens to be around 200. They tell you and you either choose to accept that, read their content for "free" (like you use other content/apps for "free") or actually choose to say "No, if "free" costs me this, then I don't want it".
And some really aren't even to "sell your data" but just their own analytics to let their dev/SRE staff see what's going on. Nothing nefarious at all.
Nobody forces you to accept this and read their content.
Heck, your online banking/brokerage probably uses a bunch of trackers you probably aren't aware of, because they don't tell you. Go open the network tab in dev tools and check.
If they're acting like the GDPR applies, these choices are invalid. If they're not extending that courtesy, then I'd rather be left alone about it.
And they're allowed to have ads without getting consent. It's the tracking that's a problem.
And there's no chance in hell that data isn't being sold when there are hundreds of partners.
And heise.de has already gotten in trouble for this before.