So, Saturday morning I woke up all excited; it was the big Iowa-Iowa State game. I was going to make some chili and chicken wings for the game, so I got up early so I could go to the store and get the stuff.
Before I left though, I checked my email, and saw this email from PayPal:
Dear Christopher Wheeler,
As part of our security measures, we regularly screen activity in the
PayPal system. During a recent screening, we noticed an issue regarding
your account.

We have reason to believe that your account was accessed by a third party.

We have limited access to sensitive PayPal account features in case your
account has been accessed by an unauthorized third party. We understand
that having limited access can be an inconvenience, but protecting your
account is our primary concern.

Case ID Number: PP-337-279-091

For your protection, we have limited access to your account until
additional security measures can be completed. We apologize for any
inconvenience this may cause.

To review your account and some or all of the information that PayPal used
to make its decision to limit your account access, please visit the
Resolution Center. If, after reviewing your account information, you seek
further clarification regarding your account access, please contact PayPal
by visiting the Help Center and clicking “Contact Us”.

We thank you for your prompt attention to this matter. Please understand
that this is a security measure intended to help protect you and your
account. We apologize for any inconvenience.

Sincerely,
PayPal Account Review Department
Well, I didn’t think much of it, I just figured it was one of those spam emails where they give you a fake link and try to get you to click it so you can enter your username and password, then they’ve stolen it. But then I thought about it for a minute, and… there was no link, fake or otherwise. So I decided to log in to my account and see what was going on.
Now, when your PayPal account is limited, there isn’t much you can do until you’ve proven to PayPal you are who you are, but it does allow you to see the main screen where the most recent transactions and whatnot are. And there was a transaction listed for $950.00 that I most certainly did not authorize. So I got on the horn with PayPal pretty darn quick as you can imagine, told them who I was so they could lift the restriction from my account, after which I changed my password and security questions. The PayPal lady told me to file a dispute, print the page, then take it to my bank.
So Monday morning, bright and early, I went to US Bank to figure out what was going on. They explained to me that normally once a payment is authorized, it’s hard to stop until it actually goes through, but as it turns out, they were able to stop it, temporarily at least, while the bank and PayPal investigated the matter further.
I had a few days of back and forth with PayPal about what was going on, and finally last night, I got this email:
Dear Christopher Wheeler,
PayPal has approved and processed your claim of recent unauthorized use of
your account for the following transaction:

———————————–
Details of Disputed Transaction
———————————–

Transaction Date: Sep 15, 2007
Transaction Amount: -$950.00 USD
Your Transaction ID: 1YR31890HL5575251
Seller’s Transaction ID: 5A2594646S849513S
Case Number: PP-338-978-294
Seller’s Name: Sxxxxx Cxxx
Seller’s Email: xxxxxxxxxx@yahoo.com

Any portion of the payment that was funded with your credit card will be
refunded directly to your credit card. You will see this in your
transaction log as two entries. The first is the refund to your PayPal
account, and the second is the credit to your credit card. Credits to a
credit card generally take 2-3 business days to post and may not be
immediately reflected in the card’s balance.

For additional information and to see the status of your claim, please log
in to your PayPal account at https://www.paypal.com/ and go to the
Resolution Center.

Sincerely,
Protection Services Department
Boy, was that a relief. $950 is a lot of money to be responsible for, especially when you receive nothing of benefit from it. But I did learn some very valuable lessons from the whole thing:
- Don’t use common, easy-to-guess words as your password. Anything that is either a dictionary word or a name should NOT appear in your password
- Don’t use the same password for multiple websites. It certainly is easier to remember one password than many, but if somebody somehow cracks your password for one site, you’ve opened the door for them at every other place you use that same password
- The longer the password, the harder it is to crack. A longer “easier” password is actually harder to crack than a shorter “random” password
- If you want to read more, check out this site: http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/

That must’ve really made your weekend suck! That and the fact that the Hawkeyes lost to the Cyclones!
Glad to hear you got it all straightened out! Hope the chili was good.
Holy crap! I need to go change some passwords.
If I don’t reply to phishers can this still happen to me?
I guess I forgot to add something to the original post…
From what I read, most of these cases of unauthorized logins and transactions on PayPal are actually not the fault of PayPal. Generally I guess what happens is that these jerks hack into less secure websites and are able to steal passwords from there. Since lots of people reuse passwords for multiple sites, it’s highly likely that the password they steal will work at PayPal. Also, they steal email addresses and add them to a list.
Then basically what they do is compile a list of email addresses, and a list of passwords, that don’t necessarily match each other, and use some sort of program that tries logging in to these websites with all the different combinations of usernames and passwords, until they get a match.
So, not responding to phishing emails is a good strategy, but there are other ways to steal passwords.
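Added example, not part of the original post or its comments: the automated login attempts described above leave a recognizable trail on the site's side, namely one source trying many different accounts with almost every attempt failing. This sketch flags that pattern and lists the accounts that source did get into; the log format, addresses, account names and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "timestamp source-ip username result"
SAMPLE_LOG = """\
2007-09-15T03:10:01 203.0.113.7 user1@example.com FAIL
2007-09-15T03:10:04 203.0.113.7 user2@example.com FAIL
2007-09-15T03:10:09 203.0.113.7 user3@example.com FAIL
2007-09-15T03:10:15 203.0.113.7 user4@example.com FAIL
2007-09-15T03:10:21 203.0.113.7 user5@example.com FAIL
2007-09-15T03:10:30 203.0.113.7 user6@example.com OK
2007-09-15T08:02:11 198.51.100.20 user2@example.com FAIL
2007-09-15T08:02:40 198.51.100.20 user2@example.com OK
2007-09-15T09:15:00 192.0.2.44 user7@example.com OK
2007-09-15T09:20:00 192.0.2.44 user8@example.com OK
"""

def parse(log):
    """Yield (time, ip, user, succeeded) tuples from the log text."""
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def find_stuffing(log, window=timedelta(minutes=10), min_users=5,
                  max_success_ratio=0.2):
    """Map each suspicious source IP to the accounts it logged in to."""
    by_ip = defaultdict(list)
    for event in parse(log):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            burst = events[start:end + 1]
            users = {e[2] for e in burst}
            ok_ratio = sum(e[3] for e in burst) / len(burst)
            # Many different accounts, almost all failing: guessing, not typos.
            if len(users) >= min_users and ok_ratio <= max_success_ratio:
                # Any account this source got into needs a forced reset.
                flagged[ip] = sorted({e[2] for e in events if e[3]})
                break
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_stuffing(SAMPLE_LOG).items():
        print(ip, "-> reset and review:", accounts)
```

The single user who mistypes a password once and the two people sharing one address are not flagged, because neither touches enough distinct accounts.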
This is a good reminder. Thanks.
That is scary! I’m glad you didn’t lose that money. That would have sucked!
Wow, that is scary! I, too, am glad that your bank and PayPal backed you up and that you’re not out anything other than frustration and time! Wow! This really makes me nervous, lol, if this can happen to you, it can happen to anyone!