This past week, a group of script kiddies found a way into my Paypal account. My Paypal account was tied to one of my bank accounts, and they promptly ran up over $500 in charges. How did it happen? Still not 100% sure, but it wasn’t through a phishing scheme. I’m savvy enough to quickly identify the all-too-common Paypal phishing schemes, and routinely report them when I receive them.
What tipped me off was when I got an email receipt from Paypal for a $160 purchase from Jelsoft. I own two Jelsoft vBulletin licenses, neither of which is up for renewal, so that made me tilt my head to the side and go “huh?”
I immediately checked my Paypal account and discovered ten transactions had been made. I got on the phone and called their customer service number. While on hold with Paypal, I forwarded a copy of the purchase receipt from Jelsoft back to them, explaining that someone had fraudulently used my Paypal account for the purchase.
The customer service representative at Paypal was very helpful, staying on the line with me while I went through the process of filling out the online dispute form — something that is desperately in need of a process redesign. She explained the process and reassured me that I’d get my money back.
Sure enough, the next day, the refund process had begun. However, this process is broken. The criminals who stole from my account were able to instantly transfer and spend money from my bank account. I got the money returned, not to my bank account, but to my Paypal account within a couple days. Unfortunately, I don’t use my Paypal account often enough to warrant keeping funds in there. What I really wanted was to move it back to the original bank account. I learned that to do so takes 3-4 business days. Unbelievable. My money was held hostage for a week.
I learned a few things from the experience.
- If you use Paypal, you may want to reconsider tying it directly to a bank account, or at the very least, use a secondary account with limited funds to protect yourself from potential losses.
- Pay attention to your email. I caught it fairly early, but it could’ve been a very different situation if I hadn’t been alert to my inbox.
- Use strong passwords. I’ll admit, my password wasn’t the greatest. That’s all changed.
- Use unique passwords. Don’t use the same password for every website and service that you sign up for.
I know that these tips aren’t anything new to you, nor are they new to me. I personally hate the fact that I’ve got a million different passwords to remember, but I’ve learned the hard way that convenience and security are mutually exclusive.
Jeff Hester says
Update, my money is back in my account as of this morning — exactly seven days later.
Jeff Hester says
I suspect they used a brute-force attack with a dictionary, possibly on a forum. They had found a way into the templates for BBB and added a traffic counter (that in turn added a pop-up advert). I USED TO use the same password for a lot of things. Paypal was probably just one of the things they attempted.
Now I’ve got unique, stronger passwords.
Eagle_Kiwi says
Ok, thanks Jeff.
That background makes me somewhat more comfortable (oh, you complacent fool, Ian! ;)) about my own setup. 🙂