posted on January 25, 2001 07:26:59 AM
I have an update on my Paypal fraud situation, and I think everyone here should read it. I spoke with a representative at Paypal headquarters on Wednesday and I'm relating here what she told me.
First let me recap my situation---I had never had a speck of trouble with Paypal with over 300 transactions and several thousand dollars of money going through the account. I loved the service, the convenience, all of it. That ALL came to a screeching halt on 1/19/01.
On 1/19, I checked my account to see if a $12 payment from a relative had come in. It had. However, at the same time I noticed my account had been restricted. Looking closer I saw that on 1/14, someone had tried to withdraw 499.00 from my account. Since my card only goes up to $300, the withdrawal was denied. 2 minutes later, someone tried again for the exact same amount. It was denied again.
My hair rose on the back of my neck, because no one knows my password, no one uses this computer except me, yet some how someone had breached the security of my Paypal account and a serious problem had been avoided only because of a credit limit.
I immediately fired off a email to Paypal and in the meantime, changed my credit card number, password, removed my bank account and credit info from the Paypal site, and generally spent a whole morning doing damage control. No word from Paypal. I called customer service and told them the situation. The person who answered the phone was in a call center somewhere in the midwest, sounded as if she was 90 years old, and didn't appear to be familiar with Paypal's workings or other pertinent information. She said "Well, they didn't actually get your money, so why are you so upset?" Not believing my ears, I asked her to have Paypal fraud call me ASAP. In the meantime, I called the BBB and also notified them via their site online.
On Tuesday Paypal called but I wasn't home. On Wednesday I called them at a San Jose phone number and spoke to a fraud rep. What she had to say is very interesting. The rep informed me that they don't know exactly how crooks are getting into the Paypal system to do these types of frauds, but that there seems to be a link between people who are defrauded and Hotmail accounts. Somehow crooks are getting Hotmail passwords, Paypal does not know how. And then having the Hotmail password, they are moving over to associated Paypal accounts and trying the password there. if the password on the Hotmail account and on the Paypal accounts are the same, it poses a serious risk! I do have Hotmail and I do use the same password (or at least I used to) on my Paypal account. The bad guys may be looking for Hotmail users on Ebay who accept Paypal, somehow getting their passwords, then trying those passwords on Paypal until they score a hit. One can imagine that a program could be written to simplify this, but it could also just be people trying manually to do this. The details are sketchy to me, but this is the gist of her communication.
I DEMANDED to know why Paypal is not publicizing this risk. She said "We can't, because it's only a theory. We THINK it is happening this way, but it's difficult to prove."
She lifted my restricted account and supposedly now all is well. But this is a serious problem. I hope all of you here will pay attention. If your passwords to WHATEVER sites are the same as your paypal password, change them! Have unique passwords for all your sites. I know it's a pain in the butt, but so was this whole experience, and believe me it could have been a lot worse.
posted on January 25, 2001 07:31:51 AM
Definitely you had an unpleasant experience!
Not to minimize that, but isn't there a limitation of liability of $50 on credit cards for unauthorized usage? In other words if that transaction would have went through, you'd only be liable for $50 (which is bad enough, I know)? Can someone verify this, or haven't I had enough caffeine today?
posted on January 25, 2001 07:41:17 AM
Most if not all credit cards have removed the $50.00 liability limit. Even the ones that have the $50.00 limit rarely held customers to it.
While it may be a pain, I never use the same password twice. Yeah, that makes for a lot of passwords, but EBay, Yahoo, my Bank, PayPal, etc, I use a different password on all services. I've got 2 pages of passwords written down filed away.
I've heard nothing about Hotmail account passwords being hacked, but if it happened that should be on the news.
[ edited by uaru on Jan 25, 2001 07:44 AM ]
posted on January 25, 2001 07:49:16 AM
I wouldn't count on that Liability limit.
If they transfer it as "quasi cash" I think you are out of luck. Also, on paypal, they can draw it directly from your checking account then there is no limit.
But you should use differetn passwords on all of your accounts. Pain in the neck.
posted on January 25, 2001 08:25:14 AM
Isn't this the type of situation that PayPal's Travelers insurance policy is supposed to cover?
It might be a good time for all of us to become familiar with its terms. There are some very short, specific deadlines that must be met to qualify for coverage.
posted on January 25, 2001 09:03:44 AM
since the charges were denied, I didn't get the chance (?) to try out the Travellers insurance. However, I am a bit leery since the tack that both of the reps I talked to was like this:
Me: I don't know how this happened. I have never given my account password to anyone.
Paypal Rep: You must have given your password out to someone. Someone got your password.
Me: Somemone OBVIOUSLY got my password but they didn't get it from me, so they must have gotten it from Paypal. Something within Paypal allowed this to happen.
Paypal Rep: We have internal security. They didn't get it from Paypal. They must have gotten it from you somehow. We don't know how. But it didn't come from a security problem at Paypal. The fact that someone got into your account isn't our fault.
See what I mean? This is the line that they take, so I find it hard to believe that they would find in my favor in any insurance claim. I think they would try to claim that "it didn't happen because of Paypal" and deny me. How would I prove different? I'm at their mercy. I really don't think we have any protection from Paypal, no matter what they say in their terms of service. Their method of resolving this particular case was to blame the victim and blame Hotmail. Never any admission of wrongdoing from Paypal. Not very comforting to know that i am only on the hook for $50.00 if they had succeeded in defrauding me. Even without being defrauded I spent more than $50.00 worth of my time and energy getting this "attempted fraud" under control (changing credit card numbers, passwords, deleting Hotmail accounts, talking to fraud dept, bbb, etc. etc.)
posted on January 25, 2001 09:32:07 AM
I don't think anyone's look for any sympathy here, powderblue.
Brighid868's story is an excellent example why people should use different passwords at different sites. It serves as a warning to anyone who is not aware of the potential pitfalls.
We should thank her for being willing to share it with everyone. It may save someone else some grief.
posted on January 25, 2001 09:34:07 AM
Um, hotmail is not just for people "too cheap to buy a computer". A LOT of people don't want their ISP email being spammed among other things and don't use it for any online activities, including me. I use Yahoo mail. I'm not too 'cheap' to have my own computer, I've owned one for almost 4 years now.
posted on January 25, 2001 09:52:55 AM
I use Hotmail because I keep my regular, paid-for account for my professional, business mail. If I ran all my ebay stuff through there too, with the resulting spam, it would be far too easy to overlook a crucial email from the boss. It has nothing to do with being cheap.
I've been on the Internet for over six years and worked for an Internet-based company. While I have always been very careful to keep business and personal passwords secret, no one ever suggested to me that all the passwords should be different from each other. While it might seem obvious to you, it's not to me. Since I kept them so carefully secret, it wasn't an apparent risk in my mind. Of course, now that the insecurity of the internet has been brought home to me, I certainly am aware of the risk and that is why I started this thread.
My former boss, who was a Ph.D. in Econ as well as an Economics professor prior to starting his dot-com, also used all the same passwords for his various financial dealings online and everywhere else. (I called him yesterday to warn him). I'm sure many other equally intelligent people do the same. So please don't assume this has something to do with intelligence/education, etc. It's standard ops in many businesses I've been in (dot com or not) to set all the passwords to the word "password" or to use some common word as the password throughout the company.
posted on January 25, 2001 09:56:47 AM
A little off topic, but I also have to take issue with certain attitudes regarding Hotmail email addresses.
I've been using Hotmail since November. My reason? We were getting lousy service with Prodigy and wanted to sign up with cable Internet. Problem? RoadRunner was upgrading the network and wouldn't sign up new accounts. They couldn't give an exact date and they kept moving it back every time I called. So we signed up with Earthlink temporarily and closed our Prodigy account. I didn't look forward to having to change my email address across all multiple auction sites, multiple payments sites, etc. TWICE, so I decided to go with a Hotmail account (since you can download into Outlook Express). That way I was able to change it ONCE, and was able to change from Earthlink to RR when they started installing new accounts again with no further change necessary to my email address.
So it's got nothing to do with not being "too cheap to buy a computer" or not wanting to pay an ISP for service either. I've always paid for an ISP and am currently paying for cable, so I'm definitely not cheap!
However, one drawback, Hotmail seems to be down frequently and I'm seriously considering changing to my RR email address for that reason. (What took me 2 hrs. to do on a very bad, slow dial-up connection will probably take less than 1/2 an hour now.)
posted on January 25, 2001 10:05:25 AM
Well--I don't have a PH.D or am I a dot.com millionaire---but I do know that I should have different passwords. Go figure
I guess it is a street smart thing and not a book smart thing
posted on January 25, 2001 11:28:23 AM
What I really wanted to say is being lost here. It's not specifically about Hotmail passwords although that is extremely important. It's not specifically to warn people to have multiple passwords although that is important too. The point is that there are crooks out there who are preying specifically on Paypal accounts and getting access through probably MULTIPLE illicit means. I thought this was important because most of the complaints I have seen before are about Paypal's policies or changes thereof. This is about a group OUTSIDE of Paypal. The rep I spoke to didn't seem at all surprised by my situation, which leads me to think this is not at all unusual, meaning you should be extra vigilant in monitoring your account---check it daily for non-authorized charges and attempted charges, if you're not already. I had never had even the smallest problem with Paypal before this, and I've been called a Paypal cheerleader by some here in the past. So clearly I am NOT someone with an ax to grind against Paypal, I'm just sharing my experience.
posted on January 25, 2001 11:30:45 AM
brighid868 -
Have you reported this to HOTMAIL? As leaky as security is with Microsoft products, I'm not surprised that there are leaks.
posted on January 25, 2001 12:04:53 PM
I once saw a script posted on the web for hacking Hotmail passwords. I didn't try it, but it was tempting, just for fun. So I believe it.
posted on January 25, 2001 12:51:58 PM
Damon -
Have you informed Hotmail that they appear tom have some sort of a security breach?
And despite your claims to not ask for "personal identification", a friend of mine is SEETHING that y'all have frozen his account and are asking for all kinds of personal identification to be faxed as soe sort of "proof" ... your service reps don't know him from Adam, so what would that possibly prove?
posted on January 25, 2001 01:04:09 PM
Hi abacaxi,
The fraud department will contact any agency that looks like they have been impacted. I can't discuss fraud investigations in general in a public forum. This would apply to any fraud investigation.
The requests for information are when an issue comes up with an account. I don't know the details of your friend's case, but information will be asked for if there is a potential discrepancy or issue.
posted on January 25, 2001 01:21:07 PM
Just so everyone is clear, I did NOT click on any links, nor did I enter my password & screen name anywhere but on the Paypal main page.
I was asked this at each step of my reporting and I have always answered a resounding NO. It sort of seems that Damon is implying I might have (without really saying that I did of course) to explain this embarassing (for Paypal) situation.
If I HAD clicked on those links or put in my password/screenname combo somewhere else, it would certainly explain something about this attempted fraud problem I'm having.
HOWEVER, it's not applicable to this issue, because I did NOT click on any links NOR did I enter my password/screenname combo anywhere but on Paypal's main site.
NO, I'm afraid this is a DIFFERENT, ADDITIONAL problem.
Whether Paypal had anything to do with the crook who tried to defraud me, the fact remains that Paypal tried to shrug off the problem UNTIL I made a fuss. If I weren't the squeaky wheel calling the BBB and calling their Fraud department, I most likely never would have gotten a response.
Again, the CS rep's original response to me was:
"Why are you upset? They didn't get your money, so it's no big deal."
Is this the best they can offer the callers who report attempted fraud?
I am not disputing the fact that you have had an issue. I am, however, suggesting that this information was gleaned in another manner. This is why extreme caution is needed when entering any web site that you do not know and why I would recommend making sure that passwords are not easily intuitive or one that you use anywhere else.
posted on January 25, 2001 07:42:40 PM
This situation here has nothing to do with the Paypal service !
The problem was the user using the same password for everything ! Which in my opinion is completely idiotic !
Paypal had nothing to do with some hacker figuring out your password. The fault lies on the user that has the same password for all their accounts. You do not have to be a brain surgeon to know NOT to use the same password for all your accounts (personal or financial).
posted on January 25, 2001 08:09:00 PM
cix, what part of "Horrible Customer Service" do you not understand?
I've already stated that CROOKS got my password, not that Paypal HANDED IT OUT ON STREET CORNERS!
HOWEVER, Paypal IS responsible for handling problems within its system (and this is a problem which happened within their system even though they did NOT perpetrate it) in a professional, responsive manner. That was NOT what happened, until I contacted the BBB and made multiple IRATE phone calls. Judging by my original phone call to customer service, it was a situation that wasn't going to even be NOTED!
THAT is bad customer service. THAT is why I am posting here. How many other people who are NOT squeaky wheels get completely ignored?
VISA is not at fault if someone steals your card and charges it up, YET, they are VERY concerned, and VERY solicitous, when you call them up and report a fraudulent charge made to a card in your possession---PRESUMABLY, to find out how they can prevent it from happening again. I talked to my credit card company about this very topic on Friday and believe me they did not just shrug it off the way the Paypal rep did. I expect the same level of customer service from Paypal when a similar event occurs on their territory, so to speak.
Just because you and lots of other people use a different password for every single account you have does NOT mean people who don't are idiots. I have at least 25 password-protected accounts online. Some people have more. I'd wager I am NOT the only one on this message board who has not made a unique password for each and every one, though I DOUBT anyone would admit it after the rude comments written here.
The rep ADMITTED to me that there is a problem with Hotmail accounts!! And that problem is being exploited by persons via PAYPAL! So that makes PAYPAL involved whether they want to be or not! Get it? Got it? Good.
Do you think I should just shut up and let more people get ripped off?
posted on January 25, 2001 08:31:59 PM
Free web-based e-mail is convenient, but I would recommend staying as far away from places like Hotmail, Yahoo, and their ilk as possible. When exploits for those services are discovered, they become circulated like wildfire. There are plenty of free web mail accounts out there that aren't as well known, and are run by people who actually give a #*!@ (Hotmail is just a spam vehicle for M$, they care not about you.)
The password lesson is a good one, but I think your experience with Hotmail and PayPal is also worth sharing (thanks for sharing it), as this behavior is typical of a lot of similar companies.
One last note about Hotmail, et al:
http://desperado.port5.com/harvest/index.html
Latka.
True story (only tangentially related, but I think it fits here): The bus I used to take to work every day was scheduled to run every 6 minutes, but in reality it would only come every 20-25 minutes. After I, and several co-workers called and mailed a bunch of angry complaints, they finally decided to fix the problem. They changed the schedule. It now says that buses arrive every 20 minutes.
posted on January 25, 2001 08:45:28 PM
Actually, the password 'matching' wouldn't be the only way for someone to gain access to PayPal accounts once someone was 'inside' an email account.
1) If someone saved their email giving the PayPal password in that email box.
OR
2) Once inside they could do a 'request password' from PayPal and wait a few minutes for the password to arrive to the hacked email account.
posted on January 25, 2001 09:06:50 PM
I just wanted to say thanks to brighid868 and others in this thread for posting this information. I never would have known about it if I hadn't seen it here. Thanks.
posted on January 26, 2001 03:58:03 AM
brighid868,
Thanks for updating us. I am another happy PayPal user and am very unhappy to hear how your complaint was handled. What a hassle for you.
Many many people I know in organizations and in personal life use one password for all accounts. I've done it for years.( And no, I am okay with saying so here in spite of the rudeness. I know who and what I am and rudeness diminishes a person(s) opinion soooo much it is easily ignored.) Since you have brought this to our attention I have changed all my passwords. Thanks so much.
posted on January 26, 2001 09:13:40 AM
thanks folks for your encouragement.
lotsafuzz's post made me think with great concern about how many emails I have inside my email mailboxes that contain sensitive information (not necessarily passwords, but other types of information.)
it's scary to know that information that's just sitting there could make you vulnerable.
i never thought of email as a way to get my identity/info/private data because it never occured to me that anyone would bother. i have crappy credit & hardly any money & a bunch of health problems and it never occured to me that anyone would WANT my identity or info. i guess i have to operate with the idea that there is no privacy there---that someone else could be reading my mail at any minute.
call me stupid if you want, but I never entertained that notion before.
i've already stopped using Hotmail but there is no way to delete a Hotmail account that i have found. And I have no faith that any other mail service is any more secure.
posted on January 31, 2001 03:37:21 PM"i've already stopped using Hotmail but there is no way to delete a Hotmail account that i have found. And I have no faith that any other mail service is any more secure."
Have you written to Hotmail and asked them to close the account? I think they probably would do so. (If you don't log in for a certain amount of time, it will automatically close.)
Have you contacted Hotmail security in regards to what Paypal has told you? I think they would be most interested. And if that is where the problem is, they really should be informed of evry possible detail.
Your statement regarding the security of any email account should be shouted from the rooftops. They can be breached.
I'm also very surprised that our moderators are allowing some of these posts.
posted on January 31, 2001 04:24:53 PM
Might I make a suggestion as to passwords and having one for everything you sign up for. I use a program called Gator, basically it will store any password and user id that you want it to. I have always used a different password for everything I sign up for and I had a little index card that I would mark it down on. Now, all I have to do is go to whatever sight I want to, and Gator pops up on the screen and I login and it drops in the correct password. The only thing I don't use Gator for is anything financial, like banks or Paypal and eBay, anywhere my money would be impacted. Who knows how safe even Gator is, therefore, only message boards and the like are in there. It is very helpful for having multiple passwords and now I don't need that little index card,(although its there if ever I should need it).Just an idea.
