PayPal Community

Robert_in_OZ · ‎Aug-09-2010

I have twice been the victim of funds being stolen from my account using the 'mass payments' feature.

The first was about 6 months ago where 4 mass payments were sent to various email addresses totalling $860.

I received a PayPal generated email confirming that a mass payment had been made, I rang PayPal immediately and was on the phone to a PayPal consultant plus logged into my account when the other three mass payments were made.

PayPal refunded the stolen money, I can only assume that they froze the funds in the recipients PayPal account because I contacted them so quickly.

After the theft I changed my password and security questions and ordered the PayPal security card key which generates 6 digits to get into PayPal. I also ran a full system scan with my Norton security software as the consultant said that it might be a key logger that somehow got my password.

I have always been very careful as to where I go on the web; for emails I have mail washer which cleans my email before it leaves the server and arrives on my computer so only emails that I expect are downloaded. I would say that I am paranoid about security.

Yesterday, six months after the first theft another mass payment was made from my account for $100, luckily I withdrew $1200 to my bank account earlier in the day otherwise I am sure that it would have all gone.

I reported the incident to PayPal within 25 minutes of it happening assuming that it would get sorted like it did 6 months ago, not so, I received an email today along the lines of:-

PayPal s Fraud Team has determined the transaction(s) you submitted do not represent unauthorised account
activity because they are consistent with your account s transaction history. As a result, we have refused your Unauthorised Account Use Claim

I have 3 questions that I hope someone here at the forum can help me with:-

I feel I have received a system generated email rather than an email specific to my claim. How can a mass payment from my account be consistent with my accounts transaction history? The only mass payment made from my account in the past was during the initial theft 6 months ago.
How did someone get into my PayPal account to setup a mass payment?
Why can't PayPal tell me what I need to do to stop this ever happening again rather than send an email telling me that it is me stealing my own money? An email that you can’t even respond to or ask questions about improving security?

Ideally PayPal should allow us set up an automatic 'withdraw to bank function' so only small amounts can be subject to theft.

I am hoping that someone here can shed some light on my problem.

Robert_in_OZ · ‎Aug-13-2010

Well, this is going to surprise anyone reading this post.

Yesterday afternoon I had a small mass payment of about $20 sent from my PayPal account, so I once again changed my password and security questions using a virtual keyboard. Then low and behold 59 minutes later another small mass payment of amount $6 was sent from my account.

I then rang PayPal again (must be about the 20th time in the 4 months that this has been going on for), and once again I was told that it was from my own computer and that someone in my household/office was getting into my account.

I then demanded to speak to someone that is familiar with mass payments that are initiated through an 'external API call'. I had spent 10 minutes doing some research on Google and came across this link about a hack http://etutorials.org/Misc/paypal+hacks/Chapter+8.+The+PayPal+Web+Services+API/Hack+96+Issue+Payment...

Now, I didn't really understand any of it but I picked up enough information to have the PayPal consultant think that I knew how people can hack into paypal through sending information to paypal to initiate a mass payment without logging into paypal.

An amazing thing happened, I was transferred from the Asian call center to PayPal in the USA and had a wonderful person called Ami who along with a security person in PayPal look into my account and to confirm that all these mass payments were in fact made through an API call.

So in the space of about 1 hour I had all these transactions refunded and was advised to change/delete any API certificates I had in Paypal and to also change my paypal email address.

So, there you have it, this is a security breach that not one PayPal consultant in the call centers was aware of. I think PayPal are great once you can get through all the barriers.

Hopefully the consultants will now be made aware of this issue so people don't have to go through what I have been through.

View solution in original post

surplusdealdude · ‎Aug-10-2010

How did someone get into my PayPal account to setup a mass payment?

Kids, wife, babysitter, friend - it's happened before.

I would guess that Paypal has identified your IP as the origin of the mass pay, so it happened in your house.

Another possibility - if you have WIFI, and it's not set to 'Private", then anybody within the range of the WiFi signal can get onto your account once you've opened it. They will share your IP for that, since the signal to the internet is going out through your box.

If you have WIFI, make sure that it's set to private.

jn6pgatour · ‎Aug-10-2010

I haven't heard of that security card key before. So it generates a new key every time you access Paypal? Also, do you still have to enter your preset password as well?

Just yesterday I am fairly certain that my account was hacked into. My password wasn't the best, but it is now. I'm sure you've already done this, but make sure you have a long, totally randomized password with special keys, numbers, and a combination of upper and lower case letters. Hackers are worse than zombies as far as I am concerned. I guess the only thing worse would be "zombie hackers." lol.

surplusdealdude · ‎Aug-10-2010

lol.

Yes, I have a security key and it works fine.

Best idea Paypal ever had, IMO.

Robert_in_OZ · ‎Aug-10-2010

My computer is connected by ethernet and the wifi that other computers are conected to use WEP encryption.

I can only guess it was some form keylogging, but I would have thought that the PayPal security card was enough protection if someone had got into my account as the only way they can progress is by answering my security questions.

Then there is the point that you make that PayPal must have identified my IP address as the user of the computer at the time.

Can someone access my computer remotely so only my IP address is displayed to PayPal?

It is all very confusing and PayPal can't offer an explanation...

surplusdealdude · ‎Aug-10-2010

Can someone access my computer remotely so only my IP address is displayed to PayPal?

Yup.

They're called "zombie computers";

http://en.wikipedia.org/wiki/Zombie_computer

Robert_in_OZ · ‎Aug-11-2010

You won't beleive this, at 2am this morning while my computer was off and I was fast asleep another mass payment was taken from my account for $82.00.

Not a lot of money but the frustration of it happening again is creating concern because nobody can pinpoint the security problem.

I am perplexed as to how this can happen with passwords, security questions changed two days ago plus the barrier of the PayPal security card. I also had my computer ports checked for external attack.

I also started using a virtual keyboard to enter my password in the event Norton did not detect a keylogging program on my computer.

Even if someone had my password how can they get past the PayPal security key card? My security questions are so random and obscure... Can someone crack the number generator on the security key?

I am at a loss...

surplusdealdude · ‎Aug-11-2010

Not every transaction on Paypal is recorded instantly - there is a glitch where some of them don't get posted for up to 3 days.

Have you called Paypal security on this? If not, I think you should do so right away.

I'd like to see which IP is being used this time.

surplusdealdude · ‎Aug-11-2010

BTW, the security questions can be hacked if you have a keylogger on your computer - it will have recorded the answers that you entered.

And the way around the security card is to answer the questions.

Robert_in_OZ · ‎Aug-13-2010