Heads up, PayPal users

Vanity | Conservababe

[Conservababe]

After many years of having an account with PayPal, I am sorry to say that I no longer trust them.

In the last few days, someone hacked into my account and added a bank to my list. They then proceeded to deposit money into my account using this bank and then withdrew the whole amount after two days. All this was unknown to me as I have not had activity using PayPal in months. I only caught it because of notification sent by PayPal in e-mail. I suppose I should be grateful for that.

So, I called PayPal and began a long process. They verified that my account had been hacked by someone doing transactions on e-bay. They assured me that the person had no chance of finding out the number of my own account but they had just used my account for money laundering, so to speak. My own little amount in the account was not touched.

I am unsophisticated about finicial dealings but my first instinct was to cancel my account immediately. I was told that they would put a limited access but they could not cancel because they would have to engage in an investigation. I then changed my password and all the security questions. A few hours later, I signed on using my new password to find that I could easily take off the limited access by merely changing my security questions.

Well, that just made me downright mad. I called them again and demanded that my account be closed immediately. Do you know that I finally had to threaten them with calling my State Attorney General, Jay Nixon before they would cancel. Finally, they did.

I suppose now all I have to worry is that someone might have stolen my idenity!

[stylin19a]

immediately alert the Feds...

[FairOpinion]

Thanks for sharing your experience.

If someone hacked into your accout to add a bank, put money in and take it out, I don't see how they couldn't have seen everything else in your account.

I think you did the right thing by canceling your account.

I never used PayPal, so I don't know how it works, whether you actually put in your bank account/credit card numbers to fund your account, but I would keep a close eye on your other accounts, and even consider changing those account numbers, most banks cooperate in closing one account and open up another one with a different number, for security reasons.

[jbstrick]

How did they guess your password? Was it secure enough?

!29#$df<.Jr7%$78()=3Fghf

^^ That is a secure password.

[FairOpinion]

Who to Call to Report a Financial Crime

http://www.fdic.gov/consumers/consumer/news/cnspr03/call.html


If you think you're a victim of a financial crime or if you notice anything suspicious, immediately get to the phone and call:

The police. Get a copy of any police report or case number for later reference.
Your bank, credit card company or other financial institution that may need to know. Close accounts that have been fraudulently accessed or opened.
The fraud department at any one of the three major credit bureaus—Equifax at 800-525-6285, Experian at 888-397-3742 and TransUnion at 800-680-7289. The credit bureau you contact will share the information with the other two and a "fraud alert" will be placed in your credit file at all three companies so that lenders or other users of your credit records can avoid opening a fraudulent account in your name. You'll also receive a free credit report from all three companies so you can look for fraudulent entries. The three companies also pledge to work with you to delete any fraudulent information in your file.
Note: If you become aware of anyone using your identity, also notify the Federal Trade Commission (call toll-free 877-ID-THEFT or 877-438-4338, or go to www.consumer.gov/idtheft). The FTC shares complaints with other law enforcement agencies.

[alloysteel]

Well, here's the thing about PayPal: Even when you demand the account be closed, shut down, abolished, AND terminated, they just place it in a dormant mode. Then six months or a year later, it jumps up to bite you in the gluteus maximus, and you get this mysterious e-mail, asking your "status". I made the error once of replying to this request by entering entirely bogus information (home address, password, but NOT any information about credit or debit cards, real or bogus). That probably stopped the "phisher" about 0.02 nanoseconds, then the barrage starts in again.

Anything from PayPal is now automatically spam.

[Conservababe]

Thanks, I never thought about contacting the Feds. My bank nor PayPal suggested this. I am going to do so right away.

[Old Student]

I would suggest you're a slow learner, but it may just be because you had good experiences up until now. I canceled my account about 3 or 4 years ago, when they changed the agreement to make themselves not at all responsible for anything done to your account without your explicit permission, and removed your right to sue. When I use ebay, I specifically refuse to do business with people who only accept paypal.

Our situation was that they had double paid a vendor for a wheelchair we bought from ebay. It took several months to get things straightened out, and if the vendor hadn't cooperated, we might NEVER have gotten our $180+ back. Among other things, Paypal refused to acknowledge that they had paid the guy twice, even with his correspondence to support us. IIRC, in fact, the vendor sent us the money, himself, because Paypal wouldn't. They wanted to deposit it in our paypal account, and force us to keep it there for several more months.

[Philistone]

Interesting. I have a solution for bullet-proofing credit card transactions over the Internet, but every VC I have talked to so far just looks at me and says "PayPal".

Guess I just have to keep looking.

[Star Traveler]

Well, that's not the only problem with PayPal --

http://www.paypalsucks.com/

I won't do business with them. Too many other people have told of how their money was taken and frozen and not handled in a professional manner. They are not a bank, and so they don't even have to handle your money in any rational and "bank-like" manner. They are "frivolous" in their handling of people's money.

Deal with a bank, instead.

Regards,
Star Traveler

[freedumb2003]

^^ That is a secure password.

I know you are just joking but let me add some real-life Security Administrator experience. If you are a clerk and have a password like that, what do you do? You write it down on a little sticky note and slap it on the side of your monitor.

Those rediculous overly-comlex password rules make network admins and novice security administrators feel good about themselves but are counter productive.

Now back to the Steelers' game.

[diverteach]

Question for you. Have you ever recieved what LOOKED like an authentic email from Paypal to the affect that your account was suspended until you provided them with an update of your information?

These emails looks 99.9% authentic from Paypal, but they are not. The only clue is 2 different digits within the URL address string the email links to. Th only other clue would be to know that Paypal NEVER asks for this information.

I've recieved many such emails, but I know better and I could easily see where many would not. Every one that I forwarded to the Paypal fraud department, Paypal would email me back confirming the fact that they were fraudulent.

If you ever recieved and responded to one of these emails, thats propbably how you've been compromised.

[Conservababe]

Yes, you have to give your entire bank account/credit card numbers when you sign on the PayPal. After that, the only numbers seen on the screen is the last four numbers, which is supposed to be protection.

[MizSterious]

Just so you know, this can happen with virtually any online banking account. If there are safeguards, there are hacks around them.

Some of the things I've been advised to do are: always make sure you log out of your account on your banking sites when you're done--and then close the window you were using. Check in with the site(s) from time to time and look at the history. Never click on an url in an email purportedly from the site (PayPal is one of the main targets for "phishing"). If you want to make sure the note is legit, enter the url by hand. Nine times out of ten, any note from those places asking you to log on and give personal information are frauds.

It's not only the banking sites though. Last week I got a note supposedly from my isp asking me to click on the link and re-log in or else my email account would be cancelled. The site I would have gone to if I had clicked was NOT my isp's site, and my isp never sent the email.

The internet is not necessarily a friendly place--you need to take all the safeguards you can, just as though you were walking to a favorite restaurant by way of a rough section of town. There are plenty of would-be muggers and purse-snatchers who are looking for easy marks.

[pabianice]

Check with DNC Headquarters...

[Conservababe]

No, I guess I did not have a secure enough password as it was hacked. I changed it every few months or so, though.

But, for all I know, it might have been someone who works at PayPal itself. How can one protect against that scenario?

[mwyounce]

!29#$df<.Jr7%$78()=3Fghf

^^ That is a secure password.

Not anymore it's not! How'd you get my FR password anyway?!?!?!

[Conservababe]

Thank you so much for all this information. I will follow through tomorrow.

[BallyBill]

I've noticed in the last few weeks the Internet is starting to go to crap again. Things had sort of calmed down for awhile, but the spam and other crap is on the rise again.

I also think some new advertising methods on the web are really causing problems. I run some extra ad blocking software and it has been going crazy lately on some sites that didn't used to be a problem.

[ducdriver]

I got one of those e-mails. It would accept any bogus (or real) information, and lacked the secure url designation (https://) as well. I figured it out just before I nearly sent my real information, and notified Pay Pal. Changed everything, too, just in case. Another thing was that the e-mail did not mention my name, as Pay Pal is supposed to do, and it asked for personal information that Pay Pal has never sought.