site: https://www.kalzumeus.com financial infrastructure writing: https://www.bitsaboutmoney.com podcast: https://www.complexsystemspodcast.com
My best email is patrick@ the top domain. Open invitation: if you're reading this, I'm happy to receive email about any software/startup/etc topic from you at any time. I generally reply to about 60% of unsolicited email from HNers, and if I don't reply to you, it is only because I got busy, not because of anything you said.
I write a lot. What I write here is unless otherwise stated in my personal capacity, and opinions expressed may not be shared by employers, clients, friends, etc.
- patio11I am quite likely to do a more formal writeup in the next few weeks, unless Zvi beats me to it. (He had, apparently, directionally similar results.)
- As I note frequently, I have a small pile of thank you letters as a result of the negotiation piece. Very few are written by people with an outsized public profile.
How many people do you think would hit that bar in the industry? Hundreds? I have hundreds of letters with numbers attached to them to say nothing of how many people simply negotiate, get the comp bump, and do not feel the need to email me about it.
- Internet fist bump.
- (I worked at a different processing company, which I am not speaking for.)
We're struggling to find the motive or intended outcome by the attacker(s).
The highest likelihood for me is that they're doing card/credential testing. They have either stolen or purchased a large number of stolen credentials. Those credentials are worth more individually if they are known to function. They can use any business on the Internet which sells anything and would tell someone "Sorry, can't sell you that because I couldn't charge your account/card/etc. Do you have another one?" to quickly winnow their set of credentials into a pile of ones which haven't been canceled yet and another pile. Another variation of this attack is their list is "literally just enumerate all the cards possible in a range and try to sift down to the cards that actually exist."
After sifting through to find the more valuable cards, they sell this onto another attacker at higher price of the mixed-working-and-not-working cards, or they pass it to their colleague who will attempt to hit the cards/creds for actual money.
Digital items are useful because people selling them have high margins and have lower defenses against fraud as a result. Cheap things, especially cheap things where they can pick their price, are useful because it is less likely to trigger the attention of the card holder or their bank. (This is one reason charities get abused very frequently, because they will often happily accept a $1 or lower donation, even one which is worth less than their lowest possible payment processing cost.) The bad guys don't want to be noticed because the real theft is in the future, by them or (more likely) by someone they sell this newly-more-valuable card information onto.
This hit the company I used to run back in the day, also on Paypal, and was quite frustrating. I solved it by adding a few heuristics to catch and giving a user matching those heuristics the product for free, with the usual message they got in case of a successful sale. This quickly spoils your website for the purpose they're trying to use it for, and the professional engineering team employed to abuse you experiences thirty seconds of confusion and regret before moving to the next site on their list. Back in the day, the bad guys were extremely bad at causing their browser instance to even try to look like a normal user in terms of e.g. pattern of data access prior to attempting to buy a thing.
Hope some of that is useful. Best of luck and skill. You can eventually pierce through to Paypal's attention here and they may have options available contingent on you being under card/credential testing attack, or they might not. I was not successful in doing so back in the day prior to solving the problem for myself.
Would also recommend building monitoring so you know this is happening in the future before the disputes roll in. Note that those disputes might be from them or from the legitimate users depending on exactly what credentials they have stolen, and in the case they are from legitimate users, you may not have caught all of the fraudulent charges yet. (Mentioning because you said "all of the charges" were disputed.) If I were you I'd try to cast a wider net and pre-emptively refund or review things in the wider net, both because the right thing to do and also because you may be able to head off more disputes later as e.g. people get their monthly statements.
- She does not misrepresent her wealth in her article. At no point does she claim to be scraping by.
A direct quote:
> Initially, I was afraid that I wouldn’t be able to afford my taxes this year, but then my accountant told me I could write off losses due to theft. So from a financial standpoint, I’ll survive, as long as I don’t have another emergency — a real one — anytime soon.
I quote several more bits from the piece verbatim.
- I seem to have set you off somehow, and I do not understand precisely how, but I feel this is important: I did not publicly accuse the writer of anything. (I did heavily imply publicly that I thought that the publication had no real fact checking; when they told me otherwise, after I requested a statement, I swiftly corrected that publicly.)
I had some doubts that the story, as presented, was true. I did what I hear journalists do, and went out and reported the story. Some people apparently believe this was an aggressive action, and some people believe that the original story was strictly true, and I can understand either of those beliefs separately but holding both at the same time seems tricky.
I did not believe that New York Magazine was complicit. I harbored the suspicion that they might be incompetent. This suspicion was exacerbated by unambiguous evidence of them being incompetent, in failing to detect that a 17 year old claiming to have made $72 million trading stocks, and then doubling down on that story because their fact-checker had passed it.
You have made, in this thread, several claims that I am wildly miscalibrated with respect to banking procedure. I do not believe I am. For example, I seem to be able to make confident predictions like "Oh, if the teller window is on the second floor, that narrows the selection of bank branches sufficiently to be probably uniquely identifying given any other piece of information" and be proven retrospectively right on those predictions.
If you would like to take issue with my other claims about banking procedure, pick the one that looks fishiest to you, and then propose odds.
- You can put theses in the third paragraph but you can't force everyone to actually read them.
- I still get a kick out of this photo: https://x.com/patio11/status/332651272878575616
- Tiny correction: in 2010, I invented a thing parallel to something many well-educated Americans of my acquaintance believe with respect to the centrality of their experience, for the Falsehoods essay.
In 2012, a clerk actually asked my wife and I, when we got married, whether it wouldn't make more sense for me to change my name. Then he wouldn't have to spell Patrick McKenzie on the wedding paperwork, and, approximate quote, "I already have to get one name change form out for her so filling out a second one is no trouble at all."
- (Correcting record: four witnesses.)
- (Fixed.)
- This is occurring against a backdrop of e.g. hearings of the U.S. Senate Banking Committee. I regret to inform you that the broader issue is of great interest outside our circles.
One of the three witnesses the Senate Banking Committee chose to call requested, the following day, a retraction from me… for reasons.
I certainly did not see this ever happening when I started selling bingo cards on the Internet, but here we are.
- Appreciate the note. The production configuration still thinks it is in Tokyo, and I did all my reviews on a laptop that knows it is in Chicago. Will fix.
- They literally have no computer system that can tell them the difference between you and a hedge fund manager, and so an email to IR fairly reliably gets the white glove treatment. I used to send them on behalf of, cliched but accurately, Kansan pensioners to banks, in at least one case justified by “I am a shareholder because my IRA holds SPY, which holds your common. It was therefore with great displeasure that…”
(Obviously one can still email IR without actually owning a share, but I both prefer not lying and also enjoy the aesthetics of capitalism, which are extremely invested—ba dum bum—in seeing someone who owns one share as a shareholder.)
Anyhow: bored person, near top of org chart, with access to escalation group if that exists, who earns six figures and really wants you to come away from the experience satisfied. Exists in almost every publicly traded company in America.
- I could have quoted the roadshow verbatim in support of the point, but it felt tangential. The point is not “Chicago is on the precipice of a pogrom.” It is “political elites in Chicago’s African American community believe the community is impoverished in part because of extractive practices of vice entrepreneurs, and required as a condition of their political assent that Chicago keep equity ownership of a vice business in their community.”
The point is a true one; this _really is_ what some community leaders believe. This belief _really is_ why Chicago is doing this program.
> “Tonight is about a new opportunity on how to participate, about not just being a consumer but to be an owner,” Ald. Ronnie Mosley (21st Ward) said at the pulpit in front of the crowd of a couple hundred people.
https://thetriibe.com/2025/01/chicagos-black-residents-can-i...
There is much more support for that having actually been the sales pitch and political compromise there and elsewhere on the record.
And yes, this is a belief with a long and storied history in American politics.
- Congrats! Thrilled for you and the team.
- Does your envisioned product allow someone to direct deposit a paycheck? Then congratulations, it is a credit account, because a) we expect to spend paychecks including very soon after receiving them but b) payroll companies sometimes screw up payroll and can in some cases pull the money back.
- Japan had a similar policy, with respect to legal immigrants it had made a point of recruiting, in the immediate wake of the global financial crisis. They'd buy (largely) Peruvian/Brazilian factory workers of Japanese descent a plane ticket and approximately $3k of compensation (IIRC) in return for them surrendering their work-compatible visa.
It was controversial, from a number of angles.
https://www.nytimes.com/2009/04/23/business/global/23immigra...
- Depends on the country and weight class of the financial institution, but among e.g. U.S. money center banks, branch bankers have been successively de-skilled for the last ~3.5 decades or so.
It is still nominally a white collar occupation but has, indeed, suffered in terms of prestige, compensation, and socioeconomic makeup of workforce versus other middle class mainstays, against a backdrop where the upper edge of the middle class is doing exceptionally well for itself.
Citation available if I Google for the academic papers but the handwavy version is “I write about this sort of thing for a living so uh self-cite for the moment.”