Exactly what is Twitpay?

Posted: October 13, 2010 by twitpayjoyce in About Twitpay

Hello!  My name is Joyce Scott and I joined the Twitpay team about 2 months ago.  In that time, I’ve been exploring a very deep and important question: exactly what is Twitpay?  Well, after 2 months, I’ve got a pretty good handle on it, and I’d like to share with you what I’ve learned.

1. First of all, let’s start with the basics.  Twitpay is a software protocol that allows individuals and organizations to transfer money directly over Twitter (and soon Facebook!).  We are PCI (Payment Card Industry) compliant, meaning we are just as safe and secure as any payment processing tool on the Internet.  We can process all major credit and debit cards, as well as direct drafts from your bank account.

2. Right now, we work exclusively with nonprofit organizations, helping them to raise money over Twitter. This means that you can give back to your favorite charities, both through your own donation and by encouraging your followers to donate too.

3. Bigger plans are in the works. We are already in negotiations with social gaming developers to provide payment processing for your favorite online games!  We are also working on a social commerce model.  So, before long, you will be able to buy gift cards, electronics, books and more directly over Twitter and Facebook! The beauty is, if you register for one of our services, either giving, gaming or commerce, you’ll already be enrolled when you want to try our other services!

4. It’s easy to try Twitpay. Go to http://rt2give.com/register to sign up for your free account.

I hope that gives you a good overview of what Twitpay is and where we’re headed.  If you have any questions, you can email me at joyce@twitpay.com or give us a call at 1-877-RETWEET!  And of course, please follow me on Twitter @jmarie83!  I’ll be posting here regularly from now on, so please send me your thoughts and comments.  Talk to you soon!

Guest post from Aran the intern

Posted: July 2, 2010 by ivey in Uncategorized

We’ve been fortunate to have Aran (@treybahler) join us in the Twitpay office for a few weeks. Before he heads out, we asked him for his thoughts on the experience.

If you contemplate the activities a typical fifteen year old boy does during the summer, spending two weeks as an intern in an office probably does not appear on that list. Or if so, the idea emphasizes misery and an overall vibe of not wanting to be there, or anywhere within a two mile radius of that particular office for that matter.

Not at Twitpay.

I am currently interning for my second week with Twitpay, where I have thus far had a tremendous experience. The current employees of the company have taught me a lot about what Twitpay does, and the technology behind how their product functions. Furthermore, they have given me the understanding and experience of the working life, which I now see in a much brighter light.

It has been far from dull, as well. I’ve sat through two sales calls, where the company marketed their product to different clients, as well as an interview for a potential new salesman. I’ve also explored the gaming side of Twitpay, helping research possible fees of purchases, and gathered contact information for potential clients over Twitter. Now, where else would you be able to do and useful research over Twitter. Additionally, we would occasionally watch portions of World Cup matches, willing in shots and criticizing officials.

Overall, Twitpay has provided me with a taste of adulthood, offering me a glimpse into the daily lives of an office environment. Although I only had a limited stint of time with the company, it provided a tremendous start of preparation for my forthcoming future should I later decide to study this field.

Thank you, Twitpay.

Thank you, Aran! We’re glad you could join us!

RT2Give now supports credit cards

Posted: April 21, 2010 by ivey in Uncategorized

Today we’re happy to announce the availability of credit card payment options for our RT2Give™ (Retweet To Give) donation service. RT2Give allows socially conscious giving over the Twitter network. Now you have a choice between credit card or checking account for payment options.

While we encourage you to continue to use electronic checks, we’re happy to be able to expand the options available. Adding cards was one of the most common requests we heard from you, and we’re glad we could add it so quickly.

Because Twitpay uses Twitter’s Search API to find payments, we haven’t been able to support users with protected updates. Lately, we’ve also been seeing a lot of people who don’t show up in search results, for varying reasons.

Tonight we added support for both types of users. Just make sure to use “@twitpay” somewhere in your tweet. Also make sure that Twitpay is allowed to follow you, if your updates are protected.

Examples:

  • @ev @twitpay $5 because Twitter rocks
  • twitpay @ev $5 because I love Twitter so much // @twitpay
  • Helping fight Animal Cruelty (@twitpay @HumaneSociety $10)

In other words, use Twitpay like you normally would, but toss in at least one “@twitpay” to make sure it shows up as a Mention.

Just a small step in making sure Twitpay works for everyone.

PS: if you’re waiting for the exciting news…this isn’t it. Not much longer!

+            #### Does it work with protected updates?
+
+            Surprisingly, yes! Make sure @twitpay is following you, and always
+            use @twitopay when you send a payment:
+
+                @ev @twitpay $5 because Twitter rocks
+
+            This also works for users who, for whatever reason, don’t show
+            up in search results.
+
+            If you want to send a payment that isn’t an @reply, you can use
+            the standard format, and add a @twitpay to the end:
+
+                twitpay @ev $5 in public // @twitpay
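
Review bot: The second line of the answer under "Does it work with protected updates?" tells users to always use "@twitopay", which looks like a typo for "@twitpay". Both examples in the hunk use "@twitpay", and a user who copies the misspelled handle would not produce the mention this answer depends on. Suggest changing that line to "use @twitpay when you send a payment". It would also help to say once that "@twitpay" can appear anywhere in the tweet, since the two examples place it in different positions without explaining why.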

Welcome to Twitpay

Posted: March 3, 2009 by ivey in Uncategorized

Today, we’re taking Twitpay out of beta and putting it out there for everyone to use. (If you don’t like to read long blog posts: we’re turning on “real money” powered by Amazon Payments. We’re excited. Twitpay is awesome.)

Since our unusual inception at Atlanta Startup Weekend 2 we’ve had an interesting few months. As a company, we’ve faced some challenges, mostly because doing money transfer is a pretty complicated thing to do. There are a lot more regulations to comply with than we guessed over that weekend in November. We’ve also seen some competition, and some copycats. We welcome the former, and are annoyed by the latter, although the job post for “build a clone of Twitpay” was really appealing. Maybe we should have applied for it…

Mostly what we’ve seen is that you want to use Twitpay, just like we do. In fact, the most frequent question (maybe the only question) we get asked is “When can I do real money?”

We’re exceedingly happy to say that the answer is “right now.”

As we’ve thought about what’s important about social payments, a few things stayed in the front of our minds: they have to be really easy, and they have to be secure. We got the easy part down on Day 1: just tweet the money and it goes! If you haven’t used Twitpay yet, here’s how it works:

  1. Post a tweet like  “@ev twitpay $1 because Twitter is awesome”
  2. There’s no Step 2!

Our apologies to Jeff Goldblum.

If you’re sending money to someone who will probably send you some back later (settling up your coffee shop tab every day) you may be happy with just keeping track. For most of us, though, there are times when you want to send “real money.”

The standard way to solve this is to say “Well, you give some money to Twitpay, and then later we’ll give it to the person you sent money to.” In fact, that’s what we started to do at first. Something didn’t sit right with us, though. Why should you trust Twitpay with your money? You don’t know us. Even more importantly, in the above scenario, Twitpay effectively becomes a bank. And while the allure of TARP funds is seductive, we’ve heard some rumblings lately that maybe being a bank isn’t the greatest idea right now.

So we decided not to ask you to trust us. Working with Amazon Payments, we’ve built a new version of Twitpay that means we don’t have to be the middle-man for your cash. That’s good for you as a user because you don’t have to trust us with your money, you just have to trust Amazon. It’s good for us as a service because it allows us to focus on adding new features and focus on the core of our business.

So as of 12:01 AM, March 3, 2009, Twitpay is live with real money. And we are also the most secure and trustworthy social payment platform out there. If you have any ideas or suggestions, please visit us at twitpay.me and click on the Support link. We look forward to hearing from you.

Stop Sharing Your Twitter Credentials

Posted: December 10, 2008 by dbrown26 in Uncategorized

This post is mainly a response to this: http://www.louisgray.com/live/2008/11/twitterank-can-have-my-password-no.html

At Twitpay, we obviously needed to work with Twitter, and since they don’t yet offer OAuth (or something similar), we explored the options on how best to do this. There has been a proliferation lately of sites that ask you to provide your username and password to other sites in order to exploit some sort of functionality, usually searching through your address book. While this tradeoff of security for convenience may be worth it in the short term in order to “get something done”, unless you are using a different password for every site you visit (which is not the case for the VAST majority of users), it is NEVER a good idea.

Perhaps we would be best served by giving a couple of more basic email based examples. First, let’s assume you are a new MySpace user (and, to be fair, Facebook has the exact same procedure) and you have just registered for your account. The second step they offer you, after you add a picture, is to enter the password for your email account (GMail, Yahoo, Hotmail, etc.). They also include a caveat that says that “MySpace will not store your email login information.” Well, that’s all well and good but the user has exactly zero ways of verifying that bit of information. So from a user’s perspective, your email username and password are now out in the wild and can no longer be trusted to be safe.

Here is where the situation gets ugly, as there are a lot of sites getting into this method of “faux authentication”. If someone manages to hack into any one of their systems, the user is at risk. Because even if the site abides by their statement that they do not store the user’s credentials in the database, I bet there is a fair to even chance that at least some of them will have that information show up in the web or application server logs.
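
How credentials end up in web or application server logs even when nothing is written to a database, as an added example (not code from the original post or from any site it names): a small scanner that flags and redacts password fields in access-log query strings and debug output. The field-name list, log formats and sample lines are assumptions constructed for illustration.

```python
import re

# Field names treated as credentials (assumed list; extend it for your application).
SENSITIVE = ("password", "passwd", "pwd", "pass")

# name=value or name: value, as it appears in query strings and debug output.
FIELD_RE = re.compile(
    r'\b(?P<key>' + "|".join(SENSITIVE) + r')\b(?P<sep>\s*[=:]\s*)(?P<val>[^\s&"]+)',
    re.IGNORECASE,
)
# Request part of a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def scan(lines):
    """Return (findings, redacted_lines); a finding is (line_no, field, location)."""
    findings, redacted = [], []
    for no, line in enumerate(lines, start=1):
        req = REQUEST_RE.search(line)

        def replace(m, no=no, req=req):
            in_url = req is not None and req.start("target") <= m.start() < req.end("target")
            where = "query string" if in_url else "application log"
            findings.append((no, m.group("key").lower(), where))
            return m.group("key") + m.group("sep") + "[REDACTED]"

        redacted.append(FIELD_RE.sub(replace, line))
    return findings, redacted


# Constructed sample lines for illustration; not taken from any real system.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2008:10:01:02 +0000] "GET /import?service=gmail'
    '&user=alice%40example.com&password=hunter2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Dec/2008:10:01:05 +0000] "POST /import HTTP/1.1" 200 512',
    "2008-12-10 10:01:05 DEBUG ImportController params: user=alice@example.com, password=hunter2",
]

if __name__ == "__main__":
    findings, clean = scan(SAMPLE_LOG)
    for no, field, where in findings:
        print(f"line {no}: '{field}' value logged in {where}")
    print("\n".join(clean))
```

The second sample line shows that moving the form to POST keeps the password out of the access log, while the third shows it reappearing through application debug logging.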

If that is the case, then the first thing that will happen is that your account will be used as a spam generator. This is a pain, but it’s not going to ruin your day. The real trouble begins when the attacker begins to farm that email account for information. Unless the user has used that account as a throwaway only for registrations, in all likelihood the attacker can now mine the account for your real name, your address, and enough other information about you to effectively steal your identity. Second, it is probable that they now have access to your bank account and other financial data as the majority of people do not use different passwords for different sites. Their email password is likely the same password as their banking password. At that point the game is effectively over.

This principle also extends past email usernames and passwords as well. The most recent example we can see of this is with Twitterank, discussed here: http://blogs.zdnet.com/collaboration/?p=163. Most people immediately think, “I don’t care if someone steals my Twitter account” or at least they care very little, because who cares if someone tweets on their behalf in the short term.

The problem is much larger than that.

First, Twitter has an open security hole documented here: http://brianshaler.com/blog/2008/11/23/twitter-security-issue/. Basically, if some hacker manages to get your username and password and log in to Twitter before you are able to change it, they effectively have permanent control of your account. Changing your password does no good because they have a cookie that establishes them as you.
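
A server-side view of the cookie problem described above, as an added example (not Twitter's code and not from the original post): a signed session cookie that carries only the username keeps working after a password change, while one bound to a per-account counter bumped on every change does not. The `Accounts` class, the cookie format and the `epoch` counter are assumptions for illustration.

```python
import hashlib, hmac, secrets

SERVER_KEY = secrets.token_bytes(32)  # key used to sign session cookies

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

class Accounts:
    """Hypothetical in-memory account store; usernames contain no ':' or '.'."""
    def __init__(self, bind_epoch):
        self.bind_epoch = bind_epoch  # False reproduces the behaviour described above
        self.users = {}

    def register(self, name, password):
        salt = secrets.token_bytes(16)
        self.users[name] = {"salt": salt, "hash": _hash(password, salt), "epoch": 0}

    def login(self, name, password):
        user = self.users[name]
        if not hmac.compare_digest(user["hash"], _hash(password, user["salt"])):
            return None
        payload = f"{name}:{user['epoch']}" if self.bind_epoch else name
        return f"{payload}.{_sign(payload)}"

    def change_password(self, name, new_password):
        user = self.users[name]
        user["hash"] = _hash(new_password, user["salt"])
        user["epoch"] += 1  # every cookie issued before this point is now stale

    def whoami(self, cookie):
        payload, _, sig = cookie.rpartition(".")
        if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
            return None
        name, _, epoch = payload.partition(":")
        user = self.users.get(name)
        if user is None or (self.bind_epoch and epoch != str(user["epoch"])):
            return None
        return name

def old_cookie_after_change(bind_epoch):
    """Who a cookie issued before a password change still authenticates as."""
    accounts = Accounts(bind_epoch)
    accounts.register("alice", "old-password")
    cookie = accounts.login("alice", "old-password")  # session opened before the change
    accounts.change_password("alice", "new-password")
    return accounts.whoami(cookie)
```

`old_cookie_after_change(False)` still returns the account name, which is the situation the post describes; with `True` the old cookie is rejected and only a fresh login with the new password yields a valid session.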

The second issue here is one of very basic data mining and social engineering. Passwords are a poor mechanism for security in and of themselves, as written about here by Schneier: http://www.guardian.co.uk/technology/2008/nov/13/internet-passwords. And because multiple passwords are difficult to manage, people tend to use the same passwords for every site. So once we have either successfully attacked a site that is storing Twitter usernames and passwords, or have set up a fake application to gather them, it is trivial to figure out people’s emails from that list and to then begin seeing if their email accounts use the same or a similar password. And once we establish the ones that do, we then again have the keys to the castle, as we mine the email for personal and financial info.

If a large number of sites start asking for usernames and passwords, users will get used to providing this kind of information to third parties. Once they are so conditioned, it will be easy to launch scams that ask for these credentials. Each new site that asks for this kind of information contributes to a future situation in which users have been trained to give their password out to anyone who asks for it. It’s like environmental pollution. Individual sites don’t create this overall conditioning, but each contributes a small part to a bigger problem.

My next post will talk about better ways to handle sites gracefully that do not offer OAuth or something similar as a mechanism to access their data. I can be reached on Twitter @tensigma.