PayPal Account Hacked Lessons Learned

[alloy]

After reading about your experience I just transferred $16k out of my paypal linked checking account into savings. I really didn't think about the possibility of being hacked and them transferring money into the account. I figured I'd get a email letting me know, but if they changed my email I wouldn't.

Years ago my paypal credit card was cloned. We never figured out how, but I did a lot of smaller ebay sales then and I saw a $5 charge at home depot in Texas using my card. An hour later a charge was attempted in Madrid Spain for $1700 with my credit card in person. I had just under $1600 in the account and the charge didn't go through for that reason. For some reason I couldn't get online with my computer so I called paypal. The guy at paypal said why do you think your card has been cloned? I told him I'm at home in Washington state and not in Texas. He said well you could be in Texas and trying to con paypal. I told him you could be right, but can I get to Spain with my paypal card in under 1 hour to use it at "Empire Megadoom"? He saw my point and asked me what I wanted to do. I told him lock the account, nothing in or out and when I'm able to get online I'll call back.I didn't lose anything but it was close. If they would have tried a little lower amount to charge they wouldn't have gotten away with it.

So thanks for posting, you just changed my thinking about my paypal account and how much I keep in my checking it's linked to.

 

[G-ManBart]

WOW! You had a heck of a day. Glad it all came together in a good way especially concerning your heart.
But this is an example of why I don't do PayPal. Crooks. I'm funny; I don't understand why law enforcement doesn't nail these clowns. You got after it fast enough PayPal could take action. Did they?

Thanks...it was pretty crazy!

PayPal said they were going to investigate, but couldn't share any information about that with me. I didn't think to write down the e-mail address, phone number and credit card they added to the account. I suspect it wouldn't have done any good, but I would have tried calling them from a blocked line I have access to.

The guy I sit next to worked cyber crime on a federal level for roughly ten years and he said the overwhelming majority of these crooks are based in countries where we have limited, to no extradition agreements. In addition, most of the countries in question have either limited law enforcement resources or they're extremely corrupt and won't go after the bad guys.

 

[G-ManBart]

So my PP is only linked to my CC- isn't that safer? The crooks could try to run up a charge but I wouldn't be obligated to pay it right?
Plus the crooks don't have my 3-digit security code- yet

Yes, I still have a CC linked to my PP and I think that's about as safe as you can get.

 

[G-ManBart]

G-Man - Glad you escaped fairly unscathed (bank account and health)!!



PP to CC is fairly safe; refunding fraudulent charges on a CC is usually pretty easy. I am speculating, but the nature of G-Man's issue would seem to be due to a password which was weak, common, brute-forced, or obtained from an unrelated, compromised service or device. Its unlikely that PP itself was to blame.

Thanks!

The password was considered fairly strong...upper case, lower case, special characters, fairly long, etc. I can't recall exactly, but I think it was one I forgot to change after an auction website I use got hacked and I happened to have the same user account and password. Again, two-factor authentication should have prevented that, so I have to take blame twice there.

 

[markba633csi]

I have read that there have been efforts to beef up the security of our CC system but the companies don't want to. Don't want to inconvenience
the customers they say. So our collective laziness is somewhat to blame

 

[C-Bag]

Crooks everywhere- I'm checking (and possibly closing) my PP account now- I hardly ever use it anyhow
C-bag you talking about US bank?

Yes, they bought Union Bank. It’s really hard to find a bank that isn’t shady. Union was very conservative and seemed stable. Like I said I only kept them as a pass through after the debacle in ‘08. My experience with Union was they were ok but before they went to the chipped card it got scanned and I had to make a claim. It got scanned at a gas pump. The incidence of card readers is getting more and more prevalent. My real savings/checking/business is in a credit union and I don’t use those cards except at their ATM.

 

[7milesup]

I have two-factor authentication on every account I have. I also use Firefox auto-generated passwords. I need to rethink my linked accounts for PayPal.

 

[RJSakowski]

I have used a random character generator I created in Excel to generate my passwords for the past twenty years. I also don't use the same password twice. Unfortunately, this creates passwords that are impossible to memorize so I have a master password list in Excel, password protected, of course.

 

[markba633csi]

Union bank used to be called Bank of Tokyo and I was with them for many years- Mitsubishi. The investment guy even takes me out to lunch on the bank's dime. Hopefully he won't leave.
Now they are US bank. Had a couple glitches with the online site, still getting used to the new owner. We will see.

 

[ChazzC]

Very timely post: I recently received a text from "PayPal" with an authorization code that I had not requested, which indicated that someone was trying to get in using my email address. I send a copy of the text to the phishing email at PayPal and changed my password just in case. I also closed a second account that I used only for my Apple Store account, leaving a credit card linked (easier to get money back from them, and I always get an alert when that card is used for anything).

I also opened a "Balance Account" with PayPal to use when receiving money or sending personal payments, deleting my linked bank account. I did link a bank debit card for adding to the Balance Account, but again, easier to get money back from that than PayPal.

I agree with the idea of using the PayPal App for account management: it adds another layer of security without having to get an Authenticator App.


Thanks!!