Day 1 (15th December 2008)
I have never been the victim of fraud over the internet till today. After coming back from lunch I received an email congratulating me on a purchase of a World of Warcraft Farmbot for about £25. Even I am not nerdy enough to purchase some WoW farmbot, whatever the hell that is, so I phoned PayPal to warn them that there had been some fraudulent activity on my account.
Obviously the first thing I wanted to happen was the account to be frozen. I was worried that at any minute further purchases would be made on my account. The person I spoke to at PayPal did not seem to appreciate this and just wanted me to fill in an online ‘Resolution’ form and wait 10 days for them to contact me. I spent over 40 minutes trying to get the account frozen, but PayPal said that they could not do this and that I had to wait. I was told the only way to freeze the account was to close it. This at first seemed fine to me; however, I was told that if I did close the account I would not get my money back even if I were successful in proving this withdrawal was fraudulent. It was rather interesting to be told ‘if I were successful in proving it was fraudulent’. No innocent till proven guilty here, more guilty till I could prove myself innocent! This was not getting any better.
Quite how this hacker managed to get into my account I don’t know. The password was a 16-character, high-entropy affair courtesy of GRC. It’s certainly not something that could either be guessed or brute forced. I doubt they managed to get in using the ‘forgot your password? Answer these questions’ method. The questions and answers I had set up were totally random, i.e. I think I had ‘What is your favorite car?’ and the answer was bluetree. So they could not have guessed that. These passwords and security questions are only written down in my cell phone in an encrypted file, so I am pretty sure the information was not taken from there. The only other way it may have happened is if some spyware on my PC stole the details. This again is pretty hard to believe, as I am pretty careful what I load on my machine and frequently run anti-virus scans.
I changed my password and questions on PayPal after speaking to the less than helpful PayPal rep. I also found there was an option to have a different 6-digit code sent to my cell via SMS each time I attempt to log on. So now, as well as having to enter my username & password at the sign-on page of PayPal, a six-digit number would also have to be entered; this number changes at each login and is sent direct to my cell phone. Any attacker now needs to get hold of my cell & know my login info to gain access. This bit of two-factor authentication, something I know (the password) and something I have (my cell), should make it much more secure. This is also something PayPal should be telling their customers about, ESPECIALLY after their account has just been hacked.
Still fearing that at any second my account could be systematically siphoned dry of all funds, I called Barclaycard, who PayPal draw money from. Barclaycard could not block payment just to PayPal, so I had to cancel the entire card, rather a pain just before Christmas. However, it is much better to have no credit card for a couple of weeks than have some German WoW-playing bastard steal god knows how much money from my account.
Next I filled in one of PayPal’s ‘Resolution’ questionnaires.
I am rather appalled at PayPal’s reaction to fraudulent activity. I would have expected them to lock the account immediately. Having someone suggest I change a password and wait 10 days is not the proper response. I shall update this blog as to what happens next.
Day 9 (24th December)
I receive an email saying:
As part of our security measures, we regularly screen activity in the PayPal system. During a recent screening, we noticed an issue regarding your account. We have reason to believe that your account was accessed by a third party. We have limited access to sensitive PayPal account features in case your account has been accessed by an unauthorised third party. We understand that having limited access can be an inconvenience, but protecting your account is our primary concern. For your protection, we have temporarily limited access to your account. We will review this access once you have completed all the steps we have requested. You can view these steps in the Resolution Centre of your PayPal account.
A ‘recent screening’? Did my call 9 days earlier not get through to anyone? What about my filling in of their Resolution Centre questionnaire? Did I not make myself clear enough? What part of ‘Fraudulent withdrawal on my account’ did they not understand?
15 minutes after I got fucked by an elf I flagged it with PayPal; approximately 216 HOURS later a ‘recent screening has reason to believe my account has been accessed by a third party’!!! That’s the kind of speedy reaction I would expect from a potted plant, not a body entrusted with money.
Day 10 (25th December)
Happy Christmas! 10 days later and finally my account has been ‘restricted’. Something I had asked them to do, repeatedly over 40 minutes, on day 1, something that their rep said could not be done. If I had not cancelled my card I am certain that a hell of a lot more money would have vanished into the pockets of an elf. I shudder to think what would have been possible if I had the PayPal account tied to my current account.
Day 23 (7th January 2009)
£25 credited back into my credit card from PayPal. Joy. Account still locked, they are going to send me a snail mail letter to unlock the account. I am in no rush to get it activated, once bitten and all that.
Day 68 (21st February)
Finally got that letter from PayPal to unlock my account. Good job I was not in a hurry to use my account. Mind you at the end of the day I was just glad to get my money back.