I've always considered myself a savvy online consumer. I'm an IT professional, a software engineer and independent consultant. I make all my passwords strong, I don't click on popups or install suspicious software, I don't ever purchase anything from shady online dealers or web sites that don't use secure connections. I thought I was fairly vigilant and smart about how I conducted business online.
Apparently not!
Someone, somewhere managed to get the number of the debit card for my business. They went to PayPal and opened up a "one time use" account with my name and the debit card number. They then used this PayPal account to purchase about $450 worth of virtual goods (gold/items) from various sites that sell World of Warcraft junk, in eight separate transactions at eight different web sites. I imagine that the person responsible is quickly turning these unreal items around for real cash, likely at a discount which encourages gamers to buy fast and not ask too many questions. Highly effective money laundering! (Thanks, World of Warcraft!)
I blame PayPal one hundred percent for this. People should not be able to open up new PayPal accounts without some kind of in-person verification, even if it's just a phone call - there need to be more stringent requirements at sign up, especially for so-called "one time use" accounts. I wish PayPal lots of luck in tracking down the malefactor(s) behind this neat little theft... everyone thinks PayPal is "crazy secure" and it's the gold standard for online commerce, yet it is VERY easily compromised. The hackers didn't need any of my bank account numbers or info, they didn't have to decrypt anything, they didn't need any of my passwords or "key questions" regarding personal information, or special images that only I can verify by sight - none of the measures that supposedly make online transactions more "secure". They didn't have to "phish" me. They just obtained the number and my name, and maybe got my SSN and address from one of the big lists floating around the Internet that hackers trade with each other. Calling the person(s) responsible for this "hacker" may even be an insult to real hackers, considering how little effort they needed to expend. (Thanks, PayPal!)
Luckily for me, I check my bank account online on a daily basis. And also lucky that they decided to make a bunch of transactions all on the same day, making it blatantly obvious what was happening. The bank cancelled my debit card (now I have to get a new one and figure out how to readjust all my billing) and PayPal is aware of the situation, so all I have to do is sit back and wait for my money to be given back to me. Maybe it's even possible that I reacted fast enough to stop some of those transactions from going through and screw the "hacker" a little bit and also make the "vendors" selling WoW junk aware that they just got screwed too.
Moral of the story - I will no longer use my business debit card online, will not use it to pay bills, and will not attach it to PayPal. I'll just use my bank's bill paying utilities to pay off my vendors and send them checks for the bills; that should even help my cash flow a little bit because money won't be instantly deducted by them any more. Be very, very wary of PayPal, folks! They're the weak link in the chain at this point.
no subject
on 2009-07-03 05:06 am (UTC)
Do you have to provide a social security number to sign up for a PayPal account in general? If that is true, I would freeze my credit with the 3 bureaus right away. I also have heard this is a reason people use a federal EIN for their business banking so that they do not have to give their personal SSN to vendors.
Here's an identity theft monitor service that is a tad less expensive and more usable than comparable products your bank might offer - http://www.myfico.com/Products/ScoreWatch/Description.aspx
GL.
no subject
on 2009-07-02 05:52 pm (UTC)
My PayPal account and my bank were never directly compromised - the hackers just set up ANOTHER account on PayPal with my same debit card number (that should NEVER have happened, PayPal!! Why would I want two accounts??) and used that as a back door, and my bank just okayed it because they knew I was already linked to PayPal. It was a failure in PayPal's account structures and account set up procedures - they never confirmed the hacker's identity or questioned why I'd have to set up another account for that number.
no subject
on 2009-07-02 11:35 pm (UTC)
I don't think PayPal is where you need the buffer; instead it'd just be wise to have an online shopping account for anywhere that only ever has money when you need it. Actually PayPal seems like a rather decent place to make your online money checkpoint since they offer the ability to make unconnected CC payments (many banks also provide this service). The hack happened elsewhere, they just used PayPal as the intermediary rather than using your card number directly (perhaps to cover their tracks with the fake CC number or to attempt to hide from detection with the PayPal name?).
PayPal's account signup requirements are pretty weak, but it's not any worse than most other online transaction sites. In-person verification for single purchases, which is essentially what these were, isn't really tenable. Now yeah, PayPal or anywhere else shouldn't allow duplicate accounts, that's totally and ridiculously stupid, but it's not like they couldn't have just gone and used your card directly and PayPal is at fault for losing your money. Blame the place that actually lost your number because that was the key to getting your money.
no subject
on 2009-07-02 06:16 pm (UTC)
I do as many of my transactions through credit cards as I can. This even includes utilities like heating oil and electricity. The only things that get drawn directly from the bank account are the mortgage, the credit card bills, and cash from ATMs.
The credit cards are a firewall on my checking account. Any false transactions should occur against the credit card, and provide a buffer which I can legally fight against without the money disappearing from my balances anywhere, even temporarily.
The only argument I've heard against this is that people say they don't want to run up a debt. In my opinion, that's a fault in the user. If you have self-control, you *don't* run up a balance doing this, you just have to transfer the money an extra time before it leaves your system. If you're paying off the full balance every month, there's no interest. And, depending on what credit card you choose, you can get cash back or rewards.
It's a net-gain all around and I'm confused why more people don't do it.