Last Thursday night I was sitting at home watching the TV when my iPad on the arm of the chair went “Bing”! The email notification said something about a
Paypal transaction which (being a cautious sort of chap) I thought was worth checking. I'm used to seeing phishing emails, and Google Apps has a very good spam filter, so an email that had got past it was worth a second look.
When I opened the email a shiver ran down my spine. It was a notification from Paypal that £689 had been paid from my Paypal account to someone whose
email address meant nothing to me. What was worse, this email looked genuine. I immediately fired up my laptop, logged on to Paypal and there it was
staring me in the face. £689 had been paid out of my account using the card that I had hooked up to it.
The crafty beggars had timed the transaction to go through just after 10 pm when the Paypal phonelines closed, so I reported the unauthorised transaction
through the Resolution Centre. Paypal sent through an email to confirm that my dispute had been registered and I sat back and crossed my fingers.
To their credit, within 2 days I received confirmation from Paypal that my £689 would be credited back, so with a big sigh of relief I was able to think
of the lessons I had learnt from the experience.
How was my account hacked?
I’ll never know for sure, but the only two possibilities that make any sense are that:
- I had a password stealing trojan on my PC or
- Another site where I used the same password had been hacked and they tried out all of the usernames and passwords on Paypal.
If you ever have the misfortune of suffering a Paypal hack, you will need to cover both of these possibilities. The only way to be sure that any trojan on
your PC is gone is to back up your data and reinstall Windows from scratch from the Windows CD. Is there anyone reading this who doesn’t have the Windows CD
for their PC? If so, please go back to wherever you got the PC from and find out how you get one. It’s your ultimate “Get out of jail” card.
You then absolutely must change all of your critical passwords (eBay, Paypal, Amazon etc). It may be a pain, but if you have already been hacked, you have
no choice. Paypal force you to change your password as part of their “disputed transaction” process anyway.
One of our engineers quite rightly gave me a hard time about my passwords, and I spent some time this weekend working out a new system. Your
Amazon / Paypal etc passwords really should be unique to each site, and you need to avoid dictionary words and common phrases, which cracking tools try first anyway.
Use something such as the first letters of song lyrics that you can remember, together with special characters. Having been stung once, I’m damned if
I’m going to give anyone another chance of nicking my hard earned cash, and neither should you. You can see the system that I have now chosen to use here. I hope it helps.
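To make the second scenario above concrete (a breach at one site being replayed against Paypal, which is why each site needs its own password), here is a small added illustration. It is not the author's code and not his password system; the "forum breach", the user records and the email addresses are all constructed for the example, and nothing is contacted over the network.

```python
"""Credential stuffing on constructed data (added example, not from the post).

A forum that stored passwords badly is breached and leaks email/password
pairs. The attacker replays every pair against a payment site. The payment
site stores only salted PBKDF2 hashes, which is good practice, but it cannot
help a user whose plaintext password has already leaked from elsewhere.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) as a well-run site would store it: PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored record."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Constructed payment-site user store. alice reused her forum password;
# bob chose one unique to this site (lyric initials plus punctuation).
PAYMENT_SITE_USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": hash_password("Sunshine1"),
    "bob@example.com": hash_password("t!Wb&lsSaSh#9"),
}

# Constructed breach dump from an unrelated forum (plaintext, as such dumps often are).
FORUM_BREACH: List[Tuple[str, str]] = [
    ("alice@example.com", "Sunshine1"),
    ("bob@example.com", "Sunshine1"),   # bob used this on the forum, but not here
    ("carol@example.com", "qwerty"),    # no account on the payment site
]


def stuff_credentials(breach: List[Tuple[str, str]],
                      users: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Replay each leaked (email, password) pair against the target site.

    Returns the emails whose leaked password also opens the target account,
    i.e. the accounts the attacker takes over without cracking anything.
    """
    hits = []
    for email, leaked_password in breach:
        record = users.get(email)
        if record is None:
            continue  # no account with that email at the target
        salt, digest = record
        if verify_password(leaked_password, salt, digest):
            hits.append(email)
    return hits


if __name__ == "__main__":
    compromised = stuff_credentials(FORUM_BREACH, PAYMENT_SITE_USERS)
    print("accounts opened with forum passwords:", compromised)
```

Only alice's account falls, and it falls despite the payment site never having been breached itself: the attacker never has to guess or crack anything, just try what another site leaked. Rate limiting and lockouts slow this down, but a password used nowhere else is what actually stops it.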
Just had the same thing happen to me a few days ago for "Facebook ads" - $299.00AUD. Fingers crossed Paypal sort my one out as well.
I hope they sort out your rebate soon, Martin. They certainly have a nerve hacking your Paypal account to promote dodgy advertisements which I assume will be in someone else's Facebook account that has been hacked using the same principle.
Me too ... and I suspect an application for checking Gmail like Gmail Notifier, Gmail Manager, PopPeeper or anything else had a security vulnerability. Be careful if you use one of those applications.
Now I will never use such applications again.
Wondering why Google doesn't have a lightweight desktop application ... an official desktop application to check Gmail without opening a browser.
Don't confuse this with phishing attacks. I received a mail saying 'Receipt for your Paypal Purchase', although when I logged in there was no such purchase.
The emailer had simply been hoping that I would click the link in the fake Paypal email and end up on their site where malicious software might have been installed.
I never clicked anything and forwarded the email to spoof@paypal.com
See here for more info:
https://www.paypal.com/us/webapps/helpcenter/article/?articleID=94034&m=SRE