A failure of security systems at PayPal is causing concern for German banks
209 tietjens 142 8/27/2025, 5:28:20 PM nordbayern.de ↗
> European banks have seen widespread unauthorised direct debits from PayPal accounts, the German Savings Banks Association (DSGV) says.
> The German newspaper Sueddeutsche Zeitung (SZ) says payments worth in the region of 10 billion euros (£8.6bn) have had to be blocked, after PayPal's fraud-checking system failed.
[0] I was impeded by cookie popups and adblock/privacy-mode blockers in another language, and neither are direct reports or superior details.
Also requiring acceptance from EU users would be a GDPR violation, I think? But it didn't ask me at all so I can't evaluate it well.
It says nothing other than PayPal is having some security failures and banks are blocking deposits from PayPal. What are these security failures? What is the mechanism of fraudulent activity that is being exploited?
I’m surprised this was upvoted so much… am I missing something? It seems to be a bunch of words saying basically nothing.
And when that balance is working, it kinda works, but when it doesn't...
And incidentally, it's not just PayPal with the fraud problems these days. It's everybody in the banking and payments space. AI is so far quite asymmetrically helping the bad guys more. It's bad out there.
As long as you don't initiate the transaction, you get your money back easily.
The optimal amount of fraud is neither zero nor "let it all through." Their "best interest" is a balance between allowing legit transactions to get through and blocking enough fraudulent ones that fraud doesn't become too common.
Should be moving to a system where setting up payments with a new provider has them request access to charge you, and then on the bank app you approve it. Australia has this as a fairly new system called PayTo, where you can approve and later unapprove individual merchants the ability to charge you.
Individual merchants barely get any information from you this way, and have no way of even trying to charge you more later.
Conversely this can affect customers by the vendor or payment platform blocking transactions that are not fraud.
(The U.S. really is an outlier among developed nations in that its giro system is not widely used, and many residents would not even know how to access it. Hence PayPal's network effect can offer value there. Europe is very different.)
Not at all, not even close! In most cases, that's wrong even today.
Want to sell something online? A book you wrote, a game you made? There's no way for people to pay you via giro and automatically receiving the good on the page where the payment process was initiated.
Giro is not instant, and almost no bank will offer an API that signals that a specific customer has transferred funds successfully. It always takes hours, and the confirmation process is almost always only semi-automatic for the seller.
Visa/MasterCard/PayPal/Twint/Tikkie/Wero have and will provide actual value. Giro was nice 15 years ago, but hasn't kept up.
And even for money transfers between two private individuals, giro is the inferior system - mainly because Euro banks fail at UX/UI. I don't know a single bank that offers an "address book" in their online banking app/website. If you want to send someone money, you better remember their IBAN yourself. And because the system comes with a degree of anonymity, you can't even send people money back! Their IBAN is not part of the metadata of an incoming transfer, the only way to send money back is to contact that person and have them send their IBAN.
SEPA transfers are (at least mine have been) max. 1h until the transfer is complete (some limit this to "banking hours"). Instantaneous transfer is common.
It seems to me like there is great variety depending on what bank you use.
APIs are common, and even the same between banks now with PSD2.
Tbh, a banking barcode (or EPC QR if you prefer) displayed on the seller's webpage with unique reference + reading it with your phone and making the payment is that internet payment method via giro. The webshop uses PSD2 open banking to get notified of new transactions and knows when it is transferred.
Mastercard has started to punish banks that support Girocard by default, demanding that banks drop support.
This is not an issue with Giro or Girocard, but with the existing payment monopolies.
And because of that we have leeches like Sofortüberweisung. They basically proxy the web interface of your bank and you'll give them full access to your account, so they do the transaction for you by scraping your bank's web interface (and your transaction history) and report success to the vendor.
A reminder that Sofort is made by Klarna, the company that mandated usage of AI and fired 700 employees because of AI.
Banks have APIs you can integrate with, which e.g. KDE's money app used to support in the past.
The actual underlying transaction system is extremely well designed and reliable, it's just missing the nice APIs that other payment systems have.
All three of my banking apps offer address books.
Why couldn't I send money back? I see the sender and the IBAN.
I can even in some cases cancel payments.
Where are you at?
Me: France, Germany, Italy and Switzerland.
Are you from the States or Canada? The parent talked about Europe.
Bank transfers were not instant though, they usually took a work day. This is changing with the introduction of instant transfers, which become mandatory to support this year, and are also not allowed to be more expensive since this year also.
I wasn't even aware such a thing existed? Or do you mean Zelle, which seems to be some sort of hybrid system... It's not quite a giro system as found in most of EU, more like "PayPal, but built by BofA and CapOne"
If I need to pay a friend, it’s Venmo or PayPal in the US. In theory Zelle too, but I don’t know anybody who uses it.
On January 9 2025, EU made it compulsory to have receipt of transfers instant and in October 2025 - sending too should be available at the same cost as the normal transfer. There's nothing stopping from implementing both send/receive instant transfers in January 2025. Yet, some of these banks only enabled instant receipts in January and will make the sending available exactly on 8th October 2025, 1 day before the deadline. What a business mindset to have!
It's a bit complex for a comment, but the TLDR is:
* funds in transit (called "positive float") are held in the banks account, and can be used by the bank to earn interest
* liquidity management - there are a bunch of considerations here, but the longer settlement periods enable banks to do "deferred net settlements" (just paying each other the difference between all transactions in a batched way) and also helps balance sheets in other ways, making it easier to meet reserve requirements, smoothing out intra-day liquidity, etc
The delay also means systems have more time to catch fraudulent transactions, and to block them before they happen.
For example, during Covid when interest rates were negative - some major German banks like Commerzbank charged interest from customers when their balance exceeded an amount like 50000€. Now that the interest rates have gone up - they are not even close to passing on those high interest rates. The same Commerzbank now asks for 50000€ in assets otherwise they charge a 4.90€ subscription charge from their customers.
So yeah there might be technicalities but nothing stops those technicalities being addressed until the law does.
So you're only paying for your second or third account.
Portugal got mbway, Austria used to have paybox, there is iDEAL, sofort.com and generally besides the local country systems with de-facto European banks you get "SEPA Instant Credit Transfer" nowadays - however IBAN is "harder" to share than let's say the phone number your friends already got.
Here you could do "cash on delivery", credit/debit card, account transfers (yes even across banks, it's not as big an issue as US banks make it) or you could send stamps (not a popular option).
There was never a need for PayPal or PayPal style services. These days it's safe to assume that people have a debit card (or MobilePay in the case of Denmark).
But now, you can generate one-time use cards, which are safer than assigning a card on your PayPal account.
The other thing, is that you can do chargebacks more easily, when you buy on eBay, but this comes at the cost of higher fees (which is basically insurance)
Other than that, it's a platform that cannot be trusted
Chargebacks were also always fairly easily done via your bank. Though you did have to call them, so yes PayPal was/is easier. I don't know, the trust in PayPal was always really really low.
Let’s say direct bank transfers are not counted. What alternatives are not based on Visa/Mastercard on global scale?
Each country had a local solution. Direct transfers, or better direct debit, was the common way in Germany. You literally just entered your bank account number and that was payment, the seller would debit it from your account. Zero authentication, and it worked - never had a fraud issue (in the background, I assume sellers checked the delivery address against some database before accepting this, as the seller would ultimately be on the hook for any fraud).
Aside from manual bank transfers (seller ships when the money arrives 1-3 business days later) there were also two systems based on direct bank transfers. One (Sofortüberweisung/Sofort) was essentially institutionalized phishing - you give a third party your banking credentials, they log into your account, snoop around a bit, wire the money to the merchant using your credentials and confirm to the merchant that your account has enough money and the wire is happening. The other was a similar service but by the banks, so you'd log in directly at your bank to authorize the transfer.
Most other European countries had other local systems that covered this need, but there was nothing global. Globally, your best bet for small amounts is unfortunately likely still PayPal unless your counterparty accepts crypto. For bigger amounts, there is Wise and similar services (note that I've had a horrible experience with Wise - KYC asking for things that didn't exist, luckily before they had my money to hold hostage). Wiring directly to accounts with Revolut also works reasonably well.
For transfers within the Euro zone, a regular SEPA bank transfer is easiest, with the only "downside" that you need to ask for the destination IBAN rather than just a phone number or similar that some of the other systems support.
EU scale there are tons of solutions: iDeal (expanding to EU from NL), Klarna, sofort..
Also: https://wero-wallet.eu/fr/utilisateurs
The predecessor of Wero (iDeal) has been in use in The Netherlands for almost two decades. Nobody has credit cards here and everyone does online shopping with iDeal
I am amazed at how this practical solution can't be implemented for age verification instead of all those ID uploads etc.
What really replaces Paypal in my everyday life is Revolut.
Of course nobody's using Wero now because the whole thing isn't really online yet, just a pilot program on a few websites with a few banks.
P.S. lives in Germany 5+ years and can attest its banks and online banking are generations behind its neighboring countries. A travesty.
Dealing with fraud is a red queen game: The fraudsters can keep trying until they find what gaps are there in your system, and will sometimes communicate with each other: Part of our defense system involved infiltrating some of those spaces and seeing the guides that were being sold to try to commit fraud in our platform. Meanwhile you will still have a false positive rate, and getting it all the way to zero means crazy fraud. Most people just don't get to see how much fraud is stopped before they know it exists. This isn't just for financial institutions: You'd be surprised by how much credential stuffing is attempted at, say, any very large streaming site which charges a subscription.
Without looking in, it's hard for me to say exactly how successful their security team is, but being as big as they are, and having probably thousands of people whose only job is to do fraud on their platform, winning has to be pretty hard.
I've had one since shortly after their merger from the old X.com https://en.wikipedia.org/wiki/X.com_(bank) .
Per discussions on this thread, the singular reason people have tolerated their horrid service over the years they've been an effective monopoly in many locales.
This is correct. For some reason, many people (merchants surprisingly!) love PayPal and only accept payments through it, especially those outside the US and UK. Sometimes "guest payments" aren't an option, and that means you either get a PayPal account or don't purchase the product/service.
They blocked me claiming suspicious activity occurred in my account (just a low traffic personal account). Ignoring me wanting to know what suspicious activity was it and if it needed, or actually already was, reported to the authorities.
Unluckily this deletion does not hold well, occasionally with weird merchants only offering PayPal payment - credit card through PayPal - the paying fails using my old email used in the purchase and was used with PayPal before. They keep forcing me to log in. But can't! It is deleted!
I did not trust their sloppy ways then, the feeling is stronger now.
Until that is solved, I'd argue that the benefits are not worth the costs.
Federal government provided electronic money accounts and transfer systems, along with federal government provided identity verification APIs, where the fraud requires defrauding the government. Basically, a government utility. They do it with passports, why not with digital travel?
Obviously, this has to go hand in hand with constitutional inalienable rights to protect people's access to electronic money accounts and identity verification.
Though extremely innovative (for its time), it's been a slipshod org since inception and slipshod is a property you decidedly do not want in a payments processor.
This is literally their business model, which is why they are able to get away with so many shady practices. Until very recently they held a practical monopoly on web based international payments.
Merchants are definitely selling email lists.
When my argument is kinda weak I love throwing in some hyperbole to spice it up.
Yup, my PayPal got locked after using it for over 20 years. Customer service refused to help and wouldn't even tell me why it was locked. I still get messages from PayPal that they "couldn't get process subscription for X." Won't delete my data either.
Scummy behavior from them on multiple levels.
Gave up on it after a while and now try to avoid it as much as I can. Good riddance.
The sheer volume of PayPal and direct debit transactions in Germany magnified the impact of the outage compared to other markets.
With millions of potentially fraudulent debit requests appearing simultaneously, German banks chose to freeze all incoming PayPal direct debit payments. This was a necessary step to protect their customers from what appeared to be a massive, systemic fraud event.
Makes sense Germany would be particularly impacted, seems like the UK to agree was as well. It is restored now though.
Many of these payments (or would-be payments) are automated, so MFA doesn't play a role. I had automated payments get blocked yesterday for the first time ever and thought it was just my problem until seeing this thread.
[1]:https://blog.documentfoundation.org/blog/2024/04/04/german-s...