PayPal in trouble over Weapons of Mass Destruction (sort of)

When you think of “detection” in the context of computer security, you probably think of dodgy data such as spam emails and malware downloads.

But for US companies that process financial transactions, such as PayPal, you also need to be able to detect dodgy customers.

Apparently, for example, if someone called Kursad Zafer Cire opens an account with you, you’re not supposed to let him buy or sell anything.

That’s because KZC is an SDN, blocked by OFAC on the orders of the USDoS under the WMDPSR.

To interpret:

  • KZC: Kursad Zafer Cire.
  • SDN: Specially Designated National.
  • OFAC: Office of Foreign Assets Control.
  • USDoS: United States Department of State.
  • WMDPSR: Weapons of Mass Destruction Proliferators Sanctions Regulations.

Yes, you really do get SILEACs, or six-letter acronyms!

Over a period of two-and-a-half years, PayPal allegedly allowed the aforementioned KZC to process 136 transactions to the value of $7,091.77.

We don’t know what KZC bought or sold, or whether they were eBay transactions, but PayPal let him do it.

Ironically, it seems that PayPal’s detection filters did flag KZC’s name several times over the years for being on the blocklist, but the transactions were approved anyway.

That sounds like an obvious and egregious blunder, but names alone are a terrible way to “detect” badness, prone to both false positives and false negatives.

Imagine, for example, if we relied entirely on filenames for virus detection.

If ever the file NOTEPAD.EXE were infected on my computer, and that name added to the blocklist, you wouldn’t be able to run the perfectly clean NOTEPAD.EXE on your computer.

And what about the malware sample we received as MALWARE.EXE, but which reinvents itself as it spreads by making up new names like AKZIQQA.EXE or JANGOFL.EXE?

Would we have to block every possible file from AAAAAAA.EXE to ZZZZZZZ.EXE? (That would handily block NOTEPAD.EXE at the same time, of course.)

Blocklist troubles

Egregious, if rather amusing, examples of human-name blocklist false positives in recent history include a US Marine called Daniel Brown, and US Senator Ted Kennedy.

Brown was returning home, in his Marines uniform, from a tour of duty in Iraq when he was delayed for being on a government “no-fly” watch list.

It seems he’d originally been put onto the blocklist because his army boots triggered an explosive residue alarm when he was travelling in uniform on flight inside the US the previous year.

Somehow he stayed on the blocklist, even after the problem of his boots was resolved.

(I don’t know/but it’s been said/Army boots/are made of lead.)

Senator Kennedy kept getting delayed because, or so he was told, a suspected terrorist once used the alias “T Kennedy.”

Ironically, of course, the Senator himself is “E Kennedy,” because his real name is Edward, for which Ted is just a shorthand.

Back to Kursad Zafer Cire: it seems that eventually, in 2013, PayPal decided to ask the chap to prove himself, which he did by sending a copy of his passport.

That passport allegedly showed a date and place of birth that aligned with the details on the SDN list.

Nevertheless, PayPal let that transaction through, only blocking KZC next time he used PayPal, some two months later.

No matter how much you argue that the “detection” should have been considered obvious once KZC’s passport had arrived, there’s still the problem that KZC’s record with PayPal would by then have shown five previous “detections,” all of which were overridden and assumed to be false alarms.

The final reckoning

Perhaps, in the scheme of things, PayPal’s mistakes were understandable, given the volume of its business and the comparative modesty of KZC’s transactions at an average of $50 each.

Nevertheless, PayPal’s WMDPSR violations, relating to the $7k transacted by Kursad Zafer Cire, were deemed egregious and reckless, apparently justifying a penalty up to $17,000,000 on their own.

Added to that were a bunch of less serious mistakes under sanctions laws relating to Iran, Cuba, Sudan and General Terrorism, adding a modest $18,443 to PayPal’s total possible penalty.

In the end, without “an admission or denial by PayPal of any allegation made or implied by OFAC,” PayPal agreed to cough up $7,658,300.

In case you’re wondering, the settlement figure comes out at nine-twentieths of $17,018,443, rounded up to the nearest dollar.

That’s 55% off, if you like to see things in terms of discounts.