Mac Musings

Hijacked on PayPal

Daniel Knight - 2002.08.06

PayPal is a great idea, giving computer users a fairly easy way to send and receive funds.

PayPal is also a dangerous idea. It is not a bank, is not required to follow banking laws, can restrict your account without any warning, and can reverse transactions months after you've shipped merchandise.

And, as I learned this morning after two days away, it can let a complete stranger hijack your PayPal account. All they have to do is guess your password, authorize their own address, change your password, and remove your old email address(es) from the account.

Just like that, they've not only been given access to whatever balance is in your PayPal account, but also the ability to access any funds in the checking account tied to your PayPal account - in my case, the business account for Cobweb Publishing.

The account was hijacked at around 4:40 p.m. Sunday (EDT), only an hour after I posted a "close Monday" sign on Low End Mac and left for vacation. I suspect the criminal may be a regular site visitor.

I've already emailed PayPal about what happened on Sunday, and I'll be attempting to contact them by phone as soon as I post this. And believe me, I'm going to be standing at the door when my bank opens this morning to put a block on transferring any funds into my PayPal account and make sure no transactions have taken place since my PayPal account was hijacked.

And to the people at PayPal: This is no way to run a business.

To the rest of you: Pick very obscure, very hard to guess passwords. Don't pick a dictionary word or part of your email address. Include numbers plus upper and lower case letters. (My regular password does all of this, but PayPal didn't think it was long enough, so I came up with a longer one that turned out to be less secure. Sigh.)

Convenient as the PayPal service is, they've made it too convenient for thieves to break into accounts. Once I clear up this mess, I plan on closing down my PayPal accounts. I can live with this level of risk.

Update, 7:45 a.m. Phone call got PayPal to put a lock on the account. Have a voice mail into PayPal investigations. Awaiting call back after 8:00 a.m. EDT.