Given that the "fix" involves making the string reported "Possibly Apple, Possibly M1", I am going to say it's a blacklist.

This is very context-dependent. Since it's PayPal we are talking about, it seems reasonable they err on the side of stringent in some cases.

Very likely looking for VMs or other weird signals. Doesn't make it right for a regular user doing nothing wrong.

The problem is they have the ability to get it to begin with. The browser or OS should prevent this.

Not exactly on the backend, but I worked on the frontend (SDKs) at a previous employer whose product offering was fraud detection literally. Over the period of those years, I realised the team wanted "get whatever you can" and then just kept it and used it as needed. A few things I recall - heuristics, some matches with data sources they had of fraudulent actors, et cetera. I am talking about the time when "AI" as we know it was just picking up, and that company was actually calling these systems ML-backed. They pivoted to "AI" as soon as the term became more commonplace, and in the beginning it was just the name change, but I am sure they'd have changed the systems as well, or I hope so.

I can tell you that any kind of "abnormal" combination of system metadata (basically sysinfo) was technically frowned upon by that team, and of course, the system was designed by that team. So, say you had a rooted Android (we had solutions for all devices out there; pretty much) - naughty boy, the system suspected you of spoofing GPS - instant reject, disabling GPS - it was not a mandatory permission in the app (and we asked for it only for some clients) – but it didn't like it, you had changed the default resolution of the system - suspicious, we also captured typing/tapping speed (not only for text entry but also for interacting with the interface) - too fast was considered weird because you were not supposed to have known our interface (because it was interact once or twice in a lifetime or years, kind of thing).

I am speaking more from memory of new joinee intros and rare discussions with the team. The team was kinda "different," so other teams just wanted to avoid them and also wanted them to stay away from other teams. So a lot of things might not sound exciting, might not be accurate either and these are not technical observations anyway.

Another aspect I just remembered. Say you had an app list (oh, we read that too) that matched with known fraudulent actors datasets, you had app(s) that showed you were not well off (we served a lot of instant loan givers around the world), you had an old phone, your OS was very old – all these things were taken into account, along with your PII (which were of course mandatory), when their backend received the data and we gave the final reco/score to the client's system in the API response.

I have Firefox set up to always ask for permission to play DRM protected content. This happens way more often than I ever expected. it seems that a lot of video ads have DRM. maybe that's what you're running into?

Revolut! There are also pretty high referral bonus (around 80 dollars per referral where I come from). You can ”charge” it using Apple Pay or Google Pay, and it’s very convenient.

Cash. Monero.

Apple Pay, Google Pay, Amazon Pay, and various options across the world such as 'Link', iDEAL, Swish, etc. Paypal only still seems to be a major thing in the US where modern payment methods are still very much behind the rest of the world.

My experience in DigiKey (One of the biggest part store) on attempt to pay via PayPal it triggered fraud detection and DigiKey told me to wire up money via bank account. So from paying in few seconds I was waiting on transfer move for several days. Never using PayPal again, what a garbage service.

Shopping on DigiKey via debit card is absolutely without problem.

I finally gave up on PayPal. Years ago, some hardware vendor had a discount for paying via PayPal. I made an account using my real personal info and personal payment cards, and they immediately flagged the account as fraudulent.

I put in a support request and, after some back and forth with support, they eventually, what I think was weeks later, marked the account as legitimate. At least, that's what they said they did. That promo was still going, so I tried it again. PayPal still wouldn't let me pay due to being flagged as fraud. In a follow-up with PayPal, they claimed it would take a few days before I could actually use the account. The promo expired at the end of that day, so I just deleted the account and decided PayPal is a waste of time.