
June 24, 2009


Michael Kohne

It's possible that the purchases were being done as a way to test the card numbers to see if they worked or not before selling them on to other thieves. The fact that they were doing the same album over and over makes this seem likely (at least to me). There must be something about your web setup, or perhaps your merchant account provider, that made you an attractive target. Perhaps your provider was slower than most at figuring out things were bad? Or perhaps they are slower at pushing things upstream, thus giving the thieves more time with the cards? Or perhaps your web forms were more easily scripted than others?

Unfortunately, you were eventually going to have to go PCI or be dropped anyway, as your provider is almost certainly being hassled quite a bit by his up-stream providers. They really want to get to full PCI because it will look like they are doing something about the fraud problems. They dropped you because they see you as a major headache (not your fault of course) and they can kill 2 birds with one stone: on the one hand they get rid of an account that's being used heavily by the fraudsters, and on the other hand they get rid of an account that still needs to upgrade for PCI compliance. For them it's a win-win. For you it's a lose-lose.

Sadly, while everything that's being done for PCI compliance is necessary (for those who don't know: the focus is to make sure that no one stores card numbers or transmits them in the clear), it's far from enough to make a dent in current credit card fraud. We need something like you've said - PINs.

I hope you can pry your money out of your former processor more quickly than 6 months. That's an absurd amount of time to hold on to your money for the legitimate transactions. You might want to present them with sales data from before the high-rate fraud started and make the case that they should pay you at least 80% of that amount immediately, because it's likely that at least that much will be legitimate. I doubt they will go for it (after all, right now they get to collect interest on ALL of your money), but it's a reasonable thing for you to propose. And if they are acting in good faith, you might be able to get them to cough up at least 50% of that. Which would at least be something.


I'm sorry to hear this, because I've never had a good experience with paypal, even with their visa processing. To the point of blocking paypal.com in my hosts file so I never get sent there without warning (even if I don't complete the transaction, I don't want them collecting my data, ever).

Fortunately I already have a lifetime membership! But I'm certainly not the only person who avoids paypal at all costs. For them, is it possible to pay the old fashioned way, via check?

By the way, once upon a time there used to be a useful discussion forum. Is that gone forever?


I'm very sorry to hear Magnatune has been targeted in such a way. Is there anything you can do to sue the fraudster(s)?

We also had some credit card fraud problems on some game server I was helping to run. Those are really hard to deal with. That together with the new bank rules for credit card payments... we also eventually made the choice to run everything through Paypal. It sure doesn't please some users, but there was not much choice left!

Anyway, maybe it's a good idea to consider adding some other online payment service (there are many out there, such as moneybookers.com and so on). At least to please those people who have for some reason paypal-allergy.

I'm happy to see new releases. Good luck and keep up the good work!

Christopher Harvey

I am also sorry to hear about this John, but glad that it's on the way to be sorted. Also from myself (and I guess a lot of other Magnatune artists) a big thank you for keeping the royalty payments on schedule, I'm sure that's appreciated across the board. Let me know if I can do anything else to help.

Best rgds


I hate PayPal with a passion.

Even I understand though in a case like this, when all you're trying to do is give musicians a fair break. I urge everyone in the community to help Magnatune bounce back stronger than ever by supporting John with our wallets as much as our kind words. Show the music industry that community and ethics count on the bottom line. I'll be eagerly awaiting your new lineup John.

Thank you for supporting musicians, DRM free music and free software in general, even in the face of such adversity. You are a real hero.


I've resisted membership (prefer paying per download) but I really don't want to use paypal for single downloads. I notice the suggested payment for a 1-year download membership is $240 while a lifetime membership is $295, making the lifetime membership a no-brainer. Would it be too much pain to accept snail mail (check/MO) payments for lifetime memberships? I guess I'd buy one. I realize the handling/processing costs would be nontrivial and you might not want to deal with it for monthly memberships, but for a $295 transaction, it might still be ok compared with the exorbitant paypal fees.


John, I have to wonder why you didn't just say "PCI compliance? Sure, sounds good, I'll do it right away" and defer to Visa about whether it would help with the fraud or not.

Verified by Visa sucks and I refuse to enroll in it. It requires yet another obnoxious user agreement and there is no way to get out of it once you've signed up. I buy from newegg.com all the time, they pop up an enrollment screen for it, and I just close the window and newegg processes the order anyway. One time my CC company flagged this and had me check in with their fraud department by phone and I said yes, the purchases were real and that I just didn't want to enroll in Verified by Visa, and they said no problem and unflagged the card. So, I hope Magnatune doesn't start requiring it. It is completely for the merchant bank's benefit and it does nothing for the customer.

Ken Bullock

I too have a PayPal phobia. I was considering buying, but if the only payment is PayPal, I won't be. How about a money order?




Good thing you didn't go down the whole VbV route, it's a royal PITA and ends up alienating payees in a major way. Years ago I signed up for the VbV and Master SecureCode, complete disaster once they brought in the whole password thing. Using the PCI/3-party system works well but in your case, you're absolutely correct, it'd do nothing to alleviate the situation.

I also resisted moving to using PayPal for many reasons, alas I have to admit that since letting people use PayPal my sales have gone up a significant amount *sigh*.

Good luck with the future situation.


Marcus Harrison

It's a real shame and seems completely circumstantial. Personally, I have about as much paranoia about Paypal as I do Google: absolutely none.

Still, it's a real shame that you can't purchase albums straight from Amarok any more... I actually filed a wish at bugs.kde.org for Paypal integration. Looks like now, it's quite necessary.

Oh! But what happened to the days when hacking was just a bit of fun and a joke? Occurrences like these are why I hate people's greed so much.


"what happened to the days when hacking was just a bit of fun and a joke? Occurrences like these are why I hate people's greed so much."

some people want to draw a thick line between harmless fun and organized crime, but there is no easy to draw line with the good guys on one side and "baddies" on the other.

people that do silly things that cause little or no harm exist in great numbers, and criminals don't always need the highest tech stuff when basic-level hacking is enough for them to siphon money off the public. it's wise to remember though, the line still exists, neatly drawn or not. the days of harmless hacking are never gone, and the people stealing your money probably don't even think of themselves as "hackers." they're just taking money from decent people.

as for this unsightly mess, i'm very unhappy to see it happen to a great thing like magnatune, and it will shorten the time before i purchase another album. good luck guys, sorry to hear about it and keep up the great work.


Oh man, this is a little off-topic for this Visa-based thread but it's related to my Magnatune listening while I can't buy albums except by using (ecch) Paypal.

It sounds to me like the between-track voiceovers ("that was track number 4 on the album blah blah...") have gotten a lot louder and more annoying than they used to be. I understand the idea that the voiceover interruptions (besides their ostensible purpose of identifying podcasts) prod the listener into buying the album in order to get away from the interruptions. But it used to be that you could listen to the album while putting up with the voiceover for a while. After two or three listens the annoyance level would build up, but if you've listened to the album two or three times already, it's time to buy a copy regardless.

Now, though, the louder voiceover makes the album unlistenable even for one listen. Result is lower likelihood to ever listen to an unknown album enough to decide to buy it.

It really does take an all-the-way-through listen, by the way. There was an album I downloaded recently, the first of which sounded great if taken by itself. Same for the second track, third, etc. Problem with the album was that all the tracks sounded the same, in fact each track got repetitive after a minute or so. I would have felt pretty disappointed if I'd bought that album.

I guess your data about conversion rates will give you better guidance to optimal voiceover strategy than some random user like me whining, but we do notice these things.


I am sorry to hear of this challenge, John. Credit card fraud is such a huge problem, as this story illustrates.


The way it reads to me is that you chose a 2nd rate payment processor ("and some processors support it (ours didn't)") and are now paying the price for doing so while screwing potential clients in the process

following the horror stories you can easily find about Paypal, I absolutely refuse to use them, for any reason

I cannot claim to be a great client for you, only bought a few tracks (OTOH, never really used the "free" listening option either) but unless you find a way to get credit cards working again there will be no further purchases coming from me


I'm sorry to hear of these problems.

I wonder, why do so many here dislike (or fear?) PayPal? I really would like to know whether I should start to myself.


maybe google checkout could be an alternative for those who don't like paypal?


One thing I don't like about paypal is its tracking of specific purchases when you use their shopping cart. If I buy some CD's with my Visa card, my bank is notified that I spent X dollars at such-and-such a vendor, but they are not told what I bought. If I buy with Paypal, they find out the exact items. While my musical tastes (primarily classical piano music) aren't particularly embarrassing or secret, I don't like the idea of anyone operating a giant database with the specific details of zillions of small purchases by millions of people. When I use paypal on ebay, I always pay the dollar amount as "goods-author" rather than "auction number such-and-such" for that reason. The dealers and Paypal customer service said it was ok to do that, but it sometimes leads to some confusion anyway.


I should say, the above comment is from the point of view of someone who hasn't personally experienced any paypal horror stories (though those are common) but am still uncomfortable with it.

One thing I will never do is give them my checking account number, although they are always after it. They love to suck money out of your account in the event of some disagreement. When it's from a credit card, I can always contest it through the CC company and it's Paypal's burden to prove that their sucking was valid. If it's from a checking account I'd basically have to go to court.

paypalsucks.com has quite a few horror stories. I don't totally refuse to use paypal (it is sometimes semi-indispensable, and I don't mind it as much for person-to-person transactions) but I generally prefer to avoid it. If I use it with Magnatune it will be for a one-shot life membership rather than individual cd purchases like I'd been doing with Visa. I'd rather have one big transaction than a lot of small ones, to minimize the total number of chances paypal gets to screw something up.

Mostly though, I guess it's a matter of perception. There are two kinds of vendors on the internet: serious ones that take credit cards, and less established ones (typically selling through ebay) who only take paypal. I'll avoid the word "schlocky" but if a vendor only takes paypal and not credit cards, it comes across like they're not really an established business.

Christopher McLean

I feel very sad that you had to endure this. I admire that you kept your sense of proportion vis-a-vis the artists, John. Keep us informed down the line, won't you?


I don't like Paypal but I like Magnatune more :) Yay, I'm even a lifetime member since yesterday, through Paypal of course.

So did you really think who was targeting you and why? Was it maybe the artist trying to get more money? Seems too obvious. Or music big industry trying to ruin your business model - there is no competition like no competition? A disgruntled employee that you underpaid for a long time? Or an ex-wife that is upset that you have made your cash after you dumped her? :))

Seriously, you might want to report this to authorities as it looks like an attack on Magnatune and not random doing of a teenager. No one buys same album with stolen credit cards just to upset someone else, these criminals go for real goods so they can profit from it. I think this was aimed at Magnatune on purpose for some reason. I hope I'm wrong.

KH Zirk

sorry to hear that the crooks have found your weak spot and are exploiting it ASAP. I don't know what the costs are, but perhaps a superior-top-shelf-1stgrade provider is what is needed. At least until the European-visa is used in the "world-leading" USA Visa cards. This also might be just a sorry excuse by Visa to skim extra profits from merchants like you (after all they would know exactly which charges are legit and those that were not by the complaints received) in the differences in the fraud/actually made charges and NOT prove to you which is which and NOT pay you the correct amounts. Visa should have long ago put into place enough safeguards to limit such MASSIVE thefts. This is NOT a just now happening freakish event. And don't let them say they can't find these people. ALL net traffic goes thru just a few massive server sites. Tracking the kiddies/pros is a matter of processor power/time study. Bet most of it is Eastern EU/Chinese with a few local script-kiddies. Frankly, I would band with other merchants and hire some high power Legal talent to go after Visa for being so neglectful in their obligations to the merchants who need them to conduct on-line business.....


Please tell us who your old VISA processor was so we can avoid them! Only if you do this will the word get around and we can avoid using them for our own businesses and that will eventually put pressure on them to conduct themselves better. We all need to be accountable for what we do in business, why not them?

John from Magnatune

re: "Please tell us who your old VISA processor was so we can avoid them!"

I don't want to give their name yet because they still have several months of magnatune's money in their bank, and they say they will pay "some proportion of it" in 6 months' time, when they've decided how much of it should be reserved for charge backs. There doesn't seem to be any process by which I can appeal (or even discuss) this hold-back and how much is paid (most of those charges are completely legit) so I want to avoid antagonizing them for now.



While individual payment processors do have problems they cause, the real problem is that the whole VISA (and MasterCard) architecture is fundamentally insecure. BTI (before the internet), the security problems cost only a tiny amount and it was easily absorbed for the convenience. Now we have scammers that have the power of millions of zombie Windows computers (every person owning such infected computers should be jailed, IMHO) and millions of email addresses at various web mail services. They don't even need to steal private info anymore ... they can just make it up and run tests. If they get your card but not your CVV, they will run random tests on the thousands of merchants they have exploited this way ... and will figure it out.

Ultimately, VISA and MasterCard need to be replaced by something secure. It will be less convenient. We will have to bear that inconvenience. But we need it so that convenience vs. inconvenience does not create an unlevel playing field for merchants. If VISA and MasterCard were forced to cover all the costs of this fraud (that happens because of the way they designed it), you can be sure they'd now days fix it. But, instead, they impose legal terms on both ends (card holders and merchants) that push the costs onto them, without providing any means (because the design can't) to identify and avoid fraud.

We are victims of what amounts to the entire banking industry's incompetence.


Is there any chance you'll be able to accept direct electronic payment from a bank, similar to what is done for a recurring mortgage or utility payment?

Shawn K. Quinn

Jg -- Paypal does this as well, you just have to sign up for a Paypal account first.

Stuart Gathman

Please offer a way to pay by check or electronic payment. This option can involve a delay, while the check clears and you enter the receipt into your software to trigger an email with the download codes or membership renewal confirmation. Those who want "instant" can use PayPal. A further benefit is that by waiting for the check to clear, there are no Visa, PayPal, or check guarantee service charges.

Another idea: sure, automatic charges are out without PayPal for now. But you still support one-time CC charges via PayPal. Why not allow manual membership renewal? I *could* create a new login each time, but that would get old quickly. Why not let me reuse my login and just make another "one-time" payment?

Asgeir S. Nilsen

Secure electronic payment is a Really Hard Problem for all the required aspects of security (fraud, anonymity, nonrepudiation, nonreplayable, etc..) which has kept computer science and computer security busy for a long time, and will continue to do so.

Mix this with the extremely high threshold of making your way into this market with gigantic, well established actors which do not want their business disrupted, and you can see that it'll go nowhere fast.

For all you Paypal haters out there, remember that we are fighting the evil record companies here, not the evil payment processing industry.


"We are victims of what amounts to the entire banking industry's incompetence."

That seems to be the theme of the past year.

Daniel Barkalow

I was reading the latest announcement email, and noticed that you seem to think that people need Paypal accounts to buy music from Magnatune with Paypal. In fact, the interface to Paypal that Magnatune uses is perfectly fine with doing credit card transactions not tied to an account. This is a big difference, because the Paypal horror stories I've heard are about money stuck in Paypal accounts.

Jim McKenna

Hello, I've just tried to sign up for a lifetime membership only to fall foul, yet again, of Paypal. The 'error' message basically says 'We can't recognise your credit card please try a different card'. They are surely joking? Has anyone from Belgium (that's where I live) managed to buy a lifetime membership for Magnatune via Paypal?
Jim Mckenna

Jim McKenna

So much for Paypal. Payment for a download using a Visa card - accepted. Payment for lifetime membership using the same Visa card - rejected! 'Please use a different card'! Why?
Sorry Mr Buckman, I've been a keen supporter over the years but Paypal is a joke!
To pick up on a post by Jg: here in Europe it is normal to make bank to bank transfers. Can you give an IBAN and BIC to make this possible?
Jim McKenna


Fantastic! I never had a problem with Paypal in all the years they have been online and find them my preferred way of doing business. Great to hear of this, John. Looks to be a win-win for all.

The only problem I ever have is you folks answering my emails or sending email back to me. : ) Good luck!


John, if you're staying with Paypal, would you mind adding their shopping cart interface? I hate Paypal and want to use it as infrequently as possible. That means if I want to buy three albums, I'd rather do it in one transaction than three transactions. Thanks.


was about to buy 3-4 albums for Christmas and then remembered you only accept Paypal now. You just lost sales.

Any progress made towards accepting credit cards again?
Everybody else and his dog seems to be able to manage dealing with credit cards! It is incredibly stupid when you reach the point where it would be easier to stream-rip the tracks (which I will _not_ do) than to pay for them ...

The comments to this entry are closed.