Paypal Fraud

Digger

Senior Member
I got hit hard yesterday on my Paypal account. Someone charged almost $2000 worth of electronics and other items using my account, mostly at vendors I have done business with. Paypal picked up on unusual activity and called me.

Paypal seems to have done a great job in putting a stop to it and my credit union is working with them to get my money back in 2 business days.

From what I can tell someone hijacked my email and logged into these online stores and said I lost my password. Then they grabbed it on the reply from the store.

I made the mistake of having paypal or charge account on file with these places. So now I am checking all of my credit cards etc as well. So far so good but they may not have all cleared.

Just an FYI since it can happen. I now put a $500 cap on my Paypal account.
 
Another thing you can do to protect your account is to use one of these:

https://www.paypal.com/us/cgi-bin/webscr?cm...rityKey-outside

I just signed up for one after reading your story. I have used one for my eTrade account for a while now, and it makes me feel much more secure. It would be nearly impossible to gain unauthorized access to your account with one of these.

The downside is that you need the key with you, whenever you want to log into your accounts. Other than that though, it's well worth the $5 that they charge you.
 
How did you put that cap on? I can't seem to find it on the paypal site.


Since I had the problem they agreed to put a cap on it over the phone. It was my fault not theirs but they have been very helpful.

I don't want to place the blame on Cablevision because of the email account but you would think they would have something in place to prevent this. But I still don't know all of the details so I can't say it was them for sure.
 
I also have an e-Trade one, but I would be careful not to get too overconfident. While these keys do help to prevent fraud, they do not eliminate it. The bad guys have already figured out ways to defeat these. They just act quicker. They publish a fake web site, you add your info, including your key data, and before you know it, they have already removed money from your account.

One nice thing about e-Trade, is that they let you purchase several of these, so you can keep one at work, one at home, etc. I wonder if PayPal allows this as well?
 
It's true, they are not foolproof, however, the "thief" would have to be pretty sophisticated to compromise it. I'm not sure how the PayPal one works, but the Etrade one is an RSA SecurID, which changes its code randomly every 60 seconds. We use them at work for certain trading partners, in order to access their extranets. If you were to use your SecurID on a non-PayPal website, the thief would have less than 60 seconds to log into your account, before the password was different. It is possible that they could write a script to do this, so that it is done automatically, but once again, that is a lot of trouble for them to go to, when they can gain access to users' accounts who do not use an RSA device much easier.

One bit of advice, when you are getting ready to log into a financial website, check the URL in the address bar. It should always begin with your institution's domain name no matter what. Once again, this isn't a guarantee that you are actually on their site (if someone hijacked a downstream DNS server, it is possible that users using that DNS server could be redirected...once again, very unlikely), but it is one more step that you can take to protect yourself.

Also, never click on links in an E-mail from a financial institution, or other commerce site. Instead, open a web browser, go directly to their site by typing it in yourself, and log in as you normally would.

Good idea on purchasing multiple devices! I'll have to go do that now so that I do not have to carry it with me. :)
 
It should always begin with your institution's domain name no matter what.

Definitely check the domains carefully.

Many of these fake sites will have something like this in the URL:

http://bankofamerica.phoney.com

That would be incorrect.



Something like this:

http://youraccount.bankofamerica.com

WOULD be correct.


Since we're on the topic, I was fooled by an ATM device not too long ago. Instead of rehashing, I'll paste in an email I sent out to friends:


This is one of those things that I would never have believed would happen to me, or that I would ever fall for - but I did.

Yesterday afternoon I logged into my online personal checking account web site, and noticed 3 withdrawals posting over the past 2 days totaling just over $2000 that I did not make. The 3 withdrawals were made in cities quite a distance apart.

I called my bank to find out what the deal was, and they confirmed that they were actual withdrawals from ATMs using my ATM card and PIN. I told them there was no way - that my card is with me at all times, and no one else has my PIN. They asked if I had any problems at any ATMs recently, and I said no. I asked for them to clarify, and they said there have been recent reports of card swipe theft devices being installed at ATMs. I had never heard of anything like that. But then it hit me.

There is a local ATM that I use all the time for my personal and business transactions (for you Milford residents, it's the one near Bugaboo Creek). It's one of those ATMs located in a tiny building with a door on each side. For the past few months one of the doors was broken - it would buzz every 10 seconds or so as if someone were trying to get in, but the door would never unlock even if you put in your card. People trying to get in would have to go around to the other door to get in. A couple weeks ago I noticed that the door was no longer buzzing, and that it opened freely - whether or not you inserted your card. I assume that my bank or someone else had just disabled the lock because it had been a problem.

Well at the time I didn't think much of it, but this last Saturday I went to the ATM and noticed a different card swiper to get in the door. Again, I didn't think much of it but do remember that it wasn't quite flush with the door while the old one was. I assumed that they had replaced the card swipers to fix the door lock issues, swiped my card, went in and did my transactions.

After getting off the phone with my bank, I swung by the ATM and saw that the 'new' card swiper was no longer there - it was back to the original one that is flush with the door. I then drove to my local branch to discuss and mention that ATM, and filed a police report.

I'm now convinced that the 'new' card swiper I saw was some sort of theft device, maybe in conjunction with a camera placed at the actual ATM to record my PIN.

If ANYTHING ever looks out of the ordinary at an ATM, stop and think - and don't swipe your card if it seems suspicious. I know I will be extra careful from now on, and hopefully someone else can learn from my mistake.
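The address-bar check described earlier in this thread, as an added example that is not part of anyone's post: it compares a URL's hostname to the institution's domain on a label boundary, so a name that merely starts with or contains the bank's name does not pass. The function name and the extra test hostnames are constructed for illustration; the first two URLs are the ones quoted above.

```javascript
// Added example, not code from the thread.
// checkLoginUrl and the constructed sample URLs below are illustrative assumptions.

// Returns what a careful reader of the address bar would look at:
// the real host, whether it belongs to the expected domain, and whether TLS is used.
function checkLoginUrl(urlString, expectedDomain) {
  let url;
  try {
    url = new URL(urlString); // WHATWG parser, the same rules browsers apply
  } catch {
    return { host: null, domainMatches: false, usesTls: false };
  }
  // Normalise: lower-case and drop a trailing root dot ("example.com.").
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const want = expectedDomain.toLowerCase();
  // Match the domain itself or a subdomain of it. The leading "." matters:
  // a plain endsWith(want) would also accept "notbankofamerica.com".
  const domainMatches = host === want || host.endsWith("." + want);
  return { host, domainMatches, usesTls: url.protocol === "https:" };
}

// The two URLs from the thread, then constructed variations.
const samples = [
  "http://bankofamerica.phoney.com",         // bank name is only a subdomain label
  "http://youraccount.bankofamerica.com",    // genuine subdomain of the bank
  "https://notbankofamerica.com/login",      // constructed: shared suffix, no dot boundary
  "https://bankofamerica.com.phoney.com/",   // constructed: full domain used as a prefix
  "https://www.bankofamerica.com./signin",   // constructed: trailing root dot
];

for (const s of samples) {
  const r = checkLoginUrl(s, "bankofamerica.com");
  console.log(`${s} -> host=${r.host} match=${r.domainMatches} tls=${r.usesTls}`);
}
```

A match only says the name in the address bar is right; as noted in the thread, it does not cover the case where DNS itself has been redirected.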
 
I never should have allowed online stores to store my account information. Also somehow my email was hacked. I leave my important emails on the email server of my provider so I don't lose them when my hardware fails. That's another mistake.

You never think it will happen to you.

On a positive note my credit union could not be any nicer about it. Talking to them today I should have all of my money back tomorrow or Wednesday. Also Paypal gets a kudos for noticing it. Very little hassle at all from either one. A few easy forms to fill out and a police report and that was it so far.

If the guy who was doing it did not try and order pornographic material with paypal they may not have noticed though.

The little information they did provide is that all of the merchandise is/was being shipped to a phoney address. And all via the same carrier they said. So I believe they feel that the carrier driver is in on it.

Lastly... I have bots or something on my computer that I have quarantined for the moment. I may need to wipe my hard drive also.
 
I really like using my Virtual Credit Card numbers for all online transactions. I got my card from Citi, but I think there are others. Not all Citi cards have it, but their website shows which ones do. That way the number I give them cannot be used at another store and the number expires the next month (by default). You can also set dollar and time limits for each number you give out.
 
Two years ago we had a similar problem with someone taking out $400 in Vegas. I explained to my credit union that we have never been to Vegas and we could show work records etc. They just had us do a police report and an affidavit and we were done. No hassles.

Fraud is so bad the banks are good at fixing it. Sad huh.
 
The Virtual Credit Card Numbers are the way to go, but not many banks support them. They seemed to be more popular a few years ago, and I haven't seen them much lately.

They really need to do something about these fraud problems as they are getting out of control, and really no matter how careful you are, you can be fooled because they just keep coming up with others.
 
Email account and password are sent in clear text for most client-server connections (POP3, IMAP). All anyone has to do is sniff the network, or spoof or make a DNS change (DNS is THE most hacked service on the net) to redirect your email pop3 access to their own server and do a pass-thru (called a man-in-the-middle attack) to gain your credentials. Heck, if they do that, they don't need your credentials, they can get your emails and T them off for whatever use they want.

Secure email requires a certificate - a key - or more correctly, a pair of keys - to encrypt email sent from you to a specific person, and most people and companies do not go to the trouble of creating them because you need a different key for everyone you email.

Of course, if there's an insider, no telling what they can get ahold of.
 
Yep... Best wipe your drive. Once you get "Owned", you have no idea what might be lurking in your PC. Malware code is so polymorphic today that many AV vendors are usually a few cycles behind. They try and detect it on behaviours, but even then, many pieces of malware go undetected.

Switching to a browser other than IE helps somewhat. There are fewer attacks against Firefox. Same goes for an email reader... instead of Outlook, use Thunderbird or something. Lots of things get in today by what we refer to as "Drive-by-Downloads". This is where you merely have to visit a site, it exploits some vulnerability and you're done for. If you switch to/use Firefox look at the plugin called "NoScript".

Stay patched, keep your AV et al up to date, surf safe.
 
I just checked my bank account and my money is already back (just in time for the mortgage company to take it away).

All things considered it was fairly painless.
 