How the [expletive] did my Paypal account get hacked?

A $50 fraudulent transaction was posted through my paypal this weekend. It was flagged as potentially fraudulent by Paypal but they weren’t able to stop it in time, according to the phone rep I spoke with (something about a fleeting 7 second window).

I did 2 virus scans, including AVG Free and trendmicro online… neither found anything at all. I never click on phishing emails. I have reliable roommates, but just the same I ALWAYS lock my computer when I walk away from it. I do not share passwords with ANYBODY. I have NO IDEA where they got my information! :frowning:

Merry Christmas… :frowning:

Have you ever used the same (or similar) password anywhere else?

Ever log in to PayPal from someone else’s computer, a library?

Ever log in to PayPal from your computer on someone else’s wireless network, like at a cafe or airport?

How did you first learn of this fraudulent transaction? Via an incoming email or phone call?

I have not ever logged in to paypal from any computer other than my own at home.

My very first work password was the same as my paypal password. But that was well over 2 years ago. Since then we are required to change our passwords monthly, we cannot reuse prior passwords, and it’s been different every time. Our work computers are locked down hard (and are constantly monitored for viruses)–my work computer has never been compromised to my knowledge.

I don’t own a laptop and I don’t pirate anyone else’s wireless, ever. I was on a wired internet connection for almost a year at my last place. My current apt I was on our strongly encrypted 2wire wireless for a couple months, and now I’m on to wired (same box, same encryption).

Is your password easy to guess (like a short password with only letters)? Is there a way to get a fraudulent transaction through without knowing the password?
Why did PayPal think the transaction was suspicious?

Did you have a password on any of the Gawker Media sites, and did you use the same password on PayPal? Gawker Media was cracked a few weeks ago.

An email from paypal stating that they had noticed a potentially fraudulent transaction under my account, and had locked down the account (I had to change my password and answer questions about my mom and sister to regain access to it, which I am confident that a third party could not have guessed).

I only use Paypal for the occasional website support or charitable donation. I NEVER pull money into paypal itself, and this person did before they made a payment (so it deviated from my usual MO, plus the IP was likely wildly different so it was auto flagged). Then they made a gaming transaction with it (purchased GCoin from some free mmo called Atlantica with paid microtransactions). I’ve emailed the merchant, as well as my bank and I have an open paypal dispute. So I will get the money back.

It won’t happen again I think. I plan to unlink my checking account from paypal as soon as I have my $50 back. I just want to know how it happened in the first place. My computer is virus free and I am a very savvy internetter. I don’t bite phish. I don’t get it! :frowning:

Definitely not. Capital letters, small letters, and numbers. It’s 8 digits and no part of the string is a dictionary word.

This is what I’m wondering.

See my previous post. It deviated significantly from my prior patterns of use and I am guessing the IP was “out there”.

Thanks for the heads up Sunspace. I have never heard of the listed sites (Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin and Fleshbot) and don’t have an account with any of them. All the same, I think it would be a wise idea to try to download the pirate bay list of names and passwords and see if mine was on it. And I’ll commit to changing my passwords on everything once I get home tonight.

Some time ago I did some work using some of the Paypal APIs. I recall there being a way for the merchant to keep a user’s “token” on file so that it can be used to charge the user in the future. Meaning, the site would not need you (or anyone) to log in with your Paypal credentials, the merchant would simply be authorized to charge you again sometime in the future.

The purpose of this was things like recurring billing agreements; the user needed to have agreed to a recurring payment setup on the Paypal site from the getgo so it was a legitimate use. But I wonder if there is/was any bug in the process that allowed a merchant to do a recurring charge without the user having agreed to it ahead of time. I’ve never heard of such a problem tho, and I think I would have if it was a known exploit.

But I’m just answering the question of whether a password is strictly needed or not in order to get a charge thru. I guess what I’m saying is, theoretically under the right circumstances, kinda sorta no.

Ok, after thinking about it another minute, I don’t think there’s any way recurring billing could be exploited in the way I was considering. Even if a user had unwittingly agreed to a recurring payment or if a token was being fraudulently kept/used, surely the payment would still only be allowed with the same merchant. It couldn’t possibly be used to purchase goods from an entirely different merchant, I don’t think.

So, I guess, forget everything I said.

All potentially relevant information though, I appreciate knowing it. Very interesting!

I know I will end up getting my money back. I’m just fuming that someone exercised their ability to do this WITH MY CHRISTMAS MONEY GAHHH. I think it’s obvious they obtained my password somehow… I just want to try to nail down the security error I made so I can refrain from repeating it. I appreciate the questions so far :slight_smile:

I mean I haven’t used paypal for *anything* since about 8 months ago when I donated to an online friend’s deaf charity. I’m truly mystified.

After reading this email about the potentially fraudulent transaction, what did you do next? Did you visit your account via a link that appeared in that email message?

Are you certain all emails from PayPal really were from them? A common phishing scam is to send a fake PayPal email with a link to a site that looks just like PayPal. When you log in to the fake site, they have your password.

Note this URL does not go to PayPal, it goes to Google: http://www.paypal.com/
This trick is commonly used in phishing scams to send people to malicious sites.

My thought exactly.

Not to take this overly personally here, but I’m not fucking stupid. I checked the headers to make sure the originating IP passed for paypal (it did, no hard fail or neutral). Then I manually typed the paypal site url into my browser. And then I called the real paypal on the phone to verify it. Yes, there really was a fraudulent transaction on my account before I logged into the account.

What a charming reply. Considering that we don’t know you or the extent of your technical knowledge, I think the question was perfectly reasonable.

But maybe your keyboard was set by a virus program to Russian mode, and you were typing in Russian letters that resembled European letters (like russian r, russian a) but weren’t, so instead of going to paypal.com you actually went to a spoof website in Russia ( раура1.com ) that stole your information!

(That’s a joke, I say, that’s a joke, son.)

You could have read the OP (which was cogently grammatical) in which I stated that I do not click phishing emails. You could have read further comments to the post in which I stated I was internet-savvy.

I’ve talked to people who think they’re really internet-savvy and are not. Trust that I am not one of them. I haven’t clicked on a phishing link or had a virus since 2003. I am generally the one (unpaid-ly) diagnosing family members’ computer problems, in fact.

So now we all know one another and can lovingly hug, I hope.

Do you save your passwords in your browser? For example, Firefox stores passwords in plain text and is not secure.

It is possible that PayPal was compromised and you made no security errors.

I do. I would figure a paypal compromise would be big news, but I can’t rule that out.

Not saving my passwords in firefox is not a concession I’m willing to make, but I was planning to unhook my checking account from paypal as soon as this resolves anyway.