And this is why I haven't used paypal in over 5 years. I also avoid ebay like the plague.

Shouldn't Apple be the one giving him his money back? Nobody hacked into his Paypal account, it was just the payment method he had set in iTunes. Apple let someone get his password easily, go into his account and buy iTunes gift cards, so why is Paypal responsible?? Can't Apple track these cards to see who uses them? Can't Apple deactivate these cards?? Is Pirillo such an Apple fan boy that he can't see it's them and not Paypal that dropped the ball here?

Don't get me wrong, Paypal can really suck, but in this case it seems like Apple is the problem.

@jaydez: I'm with you there. If I come across a merchant who only uses Paypal, I find another vendor.

After reading Chris post on this I have to side with papall its not there screw up (This time) Apple needs to pay up not papall.

Paypal is heading for some serious ass-whooping by any Attorney General(s) that has an ounce of integrity. They are strutting all over as though they are a bank - but they are absolutely not. They make up their own rules and regulations, change them on a whim, have no government oversight, operate as a monopoly on Ebay, and make fraudulent claims to the people they hold money for. They will "investigate" and even when they find themselves guilty and promise to reimburse you, they just disappear.

The "best practice" in dealing with Paypal/Ebay is to register a checking account with *no* money in it (you HAVE to give them an account number), then *ALWAYS* ALWAYS* ALWAYS* use a credit card funding for *EVERY* purchase. When Paypal screws up as they often do - then they have to deal with a federally regulated BANK rather than self-regulate you to poverty with their mickey-mouse investigations.

@DarrenO: I agree. HE linked his Apple account to Paypal, and it is Apple who let someone make purchases, not Paypal.

Paypal may be big, bad and evil, but when you link one vendor directly to your Paypal account, you always run this kind of risk.

The problem with his case for anyone not familiar with PayPal is that he approved iTunes to make deductions from his account (through the Preapproved Payment Agreement). So PayPal is not who he should be dealing with but Apple as DarrenO mentioned. This is Apple's fault plain and simple. It's always important to read what you're agreeing to on these sorts of things.

Now I get to wait for the Apple Fanboys to attack!

I've never had any problems with PayPal, then again I use it only to accept money and pay for an occasional eBay auction.

Apple's actually done this to my account recently. I sold my used iPhone on eBay (made a tidy profit, no less), and the new buyer somehow managed to talk customer service into converting MY iTunes account into HIS iTunes account, instead of, you know, transferring registration of the device. Took some figuring out, but it got fixed.

File a fraud claim with the bank or a charge dispute and that will get the attention of PayPal. Otherwise they will just continue to deny it.

@dweebster: Then you still have to worry about PayPoop taking the money from your low balance bank account anyway and racking up overdraft fees. It's best not to deal with the jackholes at PayPal at all, if you can.

It's too bad google checkout isn't living up to its potential.

His podcast used to be really good. Sucks for him.

Oh, by the way, I never let websites store my real credit card info anymore -- it's just not worth the worry and aggravation if something goes wrong.

I use a different one time use credit card number at each site that insists on storing my info (Apple, Amazon, etc.) and the card only works for one purchase. When I'm ready to make another purchase, I issue another one time use number for the exact amount. Lather, rinse, repeat. This way, if the site gets hacked, the credit card info they have on file is no good cause it's already been used.

@Hogan1: I thought the same thing. However, when someone created a felonious BlockBuster account under my name, Blockbuster would not refund it and made me call the bank to challenge the charge? Could this be what Apple is doing, ie expecting Paypal to act as a bank would?

@Imaginary_Friend: I worked at Zappos for a while and your credit card information is kept on file even if you ask that it not be. In fact when they pull up your information over the phone and they say your CC number they also see the fact that you asked for it not to be stored. They are instructed to ask for the number again, even though they have it, so that the customer doesn't catch on.

@Imaginary_Friend: Google Checkout isn't living up to its potential because Ebay won't allow a competitor to Paypal to act as a payment gateway on Ebay...

My question is, why would anybody bother hacking an iTunes account when you can get all you tunes for free via p2p or torrents? It's like breaking into Aquafina plant and filling your bottles from their taps.

Pay Pal is hurting Ebay. Ebay peaked in late 2004 around 58 bucks a share and has fallen like a rock since then.They bought PP in 2002 and have tried to shove all other payment methods off their site via restrictions,changes in terms of service and not so gentle persuasion.They strongly discourage using cash,checks and Western Union to pay for purchases because, "using these payment methods eliminates Ebay buyer protection". Yeah ,right. Like you would have any protection from them. Ebay (and PayPal's) policies are designed to lubricate the relationship between your bank account and theirs. I have all but abandoned Ebay and so have many other registered users;Listings are down and average transactions are heading south,too. It looks like Ebay's arrogant,monopolistic behavior (like the above story)is going to be their undoing.Good riddance...

Apple will NEVER help. I learned that the hard way when I worked for them. They do not CARE if something is stolen, they follow the adage "possession is 9/10ths of the law."

I personally bought the security keychain when I started using paypal because I figured $5 was worth it for the peace of mind. Would this prevent stuff like this from happening if I were to use my Paypal account to buy something online from a place like iTunes, or would they need my paypal password every time along with the code on the keychain (the way I want it to be)?

I tend to avoid using it when I can. I mainly go with reputable sites for buying things and then use my credit card as it is easier to tell how I spent on my Mint.com account that way, and it lets me ride the float, which I don't rely on, but just follow for the general idea that all things being equal, it's best to ensure payment leaves slowly while income goes in quickly.

Hold on - this is not PayPal's problem. Apple's ingenious idea of security is behind this - they're the one's that gave out Pirillo's account info for someone else to you. Why the hell should PayPal pay for Apple's screwup? This is Apple's problem - but like any/all Apple users they just can't bring themselves to even think Apple is in the wrong. They'll justify almost anything to see Apple as this brighter than life bastion of all they hold dear and in the Apple users mind, Apple couldn't have done them any wrong.

Paypal sucks ... but shouldn't Apple be refunding the money, since it was their security screw up?

So wait, did someone hack into his Paypal account, or did they merely get the password for his Apple username?

This is definitely an Apple problem. They must have changed something because before, when I had lost my Apple password, they sent me the new one to my registered email address, and wiped any payment info that was linked to the account (I had to re-enter a card # to make a payment).

If they stopped doing that, then yes, this is Apple's fault.

security keychain for paypal? is there a link?

Agree with above. Not paypal's problem in this case.

Here Apple was authorized to take money out of a paypal account. Apple was the one who took the money out of the account. From paypal's standpoint it is completely legitimate. Now the fact that apple took the money out and gave it to a stranger is a problem to be taken up with apple.

@vivelafat: I'd always assumed most companies do keep cc info on file, even if they say otherwise (but thanks for the confirmation) -- this is why I'm so in favor of one time use cards. They can keep that info all they want, but try to use it again and it won't work. N'yah n'yah! Not only that, my credit card issuer even calls me if a merchant tries to use it twice, so I can keep tabs on who's monkeying around with my info. One time use numbers aren't a perfect solution, but they're the best we have available right now in the US.

As I see it, Chris Pirillo made two mistakes, no three:

1. Linking his Apple account to PayPal. DUH! Don't use PayPal when there are other alternatives available. If there's a problem, PayPal would rather swallow a jugful of bumblebees than give you your money back. Use a credit card -- one time use, if possible -- most cc companies are easy to deal with when someone fraudulently uses your card.

2. Publicizing his birthday. I think Chris is a nice guy, but some people find him annoying for whatever reason and would love nothing better than to screw with him. This kind of hacking possibly could've been prevented if he'd kept his real birthday to himself and used a fake birthday for his public wishlists and social networking accounts. I'll never understand why people want to make it easier for malicious strangers to f*** with them by scattering their personal info all over the net.

3. Put the blame where it belongs. As much as I hate PayPal and love to see them humiliated, Apple allowed this to happen with their lax security practices and they should be the ones to reimburse Chris. End of story. Let them chase down the person who they issued the iTunes cards to; it's not Chris's fault and it's not PayPal's fault (this time). It's nice that Apple has now fixed the problem for other users, but Chris shouldn't have to eat the cost of their mistake.

He needs to do an EECB to Apple, not PayPal.

This is why my PayPal account is linked to a checking account with no money in it. When I make a purchase, I transfer money into the account. PayPal can suck on that empty account all day long, but they won't get any money from me based on fraudulent purchases.

@Anks329: I partially agree, but they do have a little something called Google Base which went live back in 2005, and now sits around collecting dust. Google is great at starting/buying/acquiring good ideas, only to leave them moldering on the table if they don't take off right away.

@ptkdude: But do you email the original vendor and say you're not buying from him due to his insistence on using PayPal? Otherwise people never learn.

Got to use the PayPal pin number generating key fob.

I've heard a lot on Consumerist about these one-use credit card numbers. What banks are people using that offer these? USAA is usually way ahead of the curve on this kind of stuff but it doesn't appear they are on this one.

Never use Ebay or Paypal. But I agree, this looks like an Apple problem. Which is one of the reasons why I don't use any Apple product.

@RagingBoehner:

Some of the one time use issuers include:

Bank of America, Discover, Citibank and...PAYPAL (lol)!

PS - Love the user name!

I also canceled my Ebay & Paypal accounts about 5 years ago and found out something. I am doing just fine without them.

I also quit smoking 3 years ago and doing fine without them too.

Thinking about quitting peeing standing up...hmmm.

Maybe whoever stole the money out of his paypal account was looking to recoup some of the most that they foolishly lost on that "I Am Rich" app in the iTunes App Store.

Yea, I gave up on Ebay & Paypal a few months ago...they all seem to be retarded or something there...

@RagingBoehner: JEach issuer calls it something different. Citibank calls it a "virtual account number". Discovercard calls it a "secure online account number". Bank of America calls it "ShopSafe". It works the same way though: you either download a program and run it on your home computer (Windows only) or launch it from their website.

It allows you to create a unique, temporary card number each time you're ready to make an online purchase. This number links directly to your real credit card account number but keeps your real card number private from the merchant. The number is used just like any other credit card when you fill in forms - a merchant never knows it's not your real credit card. You can read about them here:

[www.citicards.com]

[www.discovercard.com]

[www.bankofamerica.com]

American Express used to offer this service also, but discontinued it years ago, unfortunately. They claim there wasn't enough customer interest. I strongly disagree; in my case, if AmEx still had it, I wouldn't use any of my other credit cards.

If your credit card company doesn't offer one time use credit card numbers, please write or call them and demand it. Make them put their money where their mouths are when they say that they "take fraud seriously".

@North of 49:
Just go to their website under products and services. $5 fee, non-refundable.

@vivelafat: Part of this is for valid customer service reasons. I had a customer trying to use the AT&T Hotspot, and I had to call AT&T because it didn't work. They could use the card--since she couldn't get to her email to check for a receipt or number--to tell whether it had been charged. The rep could verify in seconds that the card hadn't been charged with no information but the name and credit card, and customers in general seem to expect retailers to be able to find their transaction history on a given card, though we mostly can't. "But I used this card, can't you see that I bought it?"

Never leave a balance in your paypal account. Either transfer it to your bank account or spend the money with your paypal debit card.

Open a second personal and unverified paypal account with only a credit card attached for making purchases. Had the paypal payment been funded with a credit card, then we wouldn't even be having this discussion.

@dweebster: No kidding about PayPal thinking they're a bank. I recently was married and needed to change my name on the credit card I have stored with PayPal. Paypal wanted A COPY OF MY MARRIAGE CERTIFICATE to change the name registered with my credit card, which is issued through a different bank.

Every other online merchant just lets me change the name associated with my credit card. After all, I had to submit documentation to my bank to change the name on the credit card.

Why does Paypal need unnecessary personal information to change the name on a credit card issued by another bank?

friends don't let friends use paypal or ebay

I just deleted my bank account from PayPal. They can't be trusted; this is about the 100th story like this that I have read or heard. I don't use PayPal to collect money -- only to make payments -- so there is no reason why they should have access to my checking account.