Mac Musings

Good News, Bad News, and PayPal

Dan Knight - 2002.08.26 - Tip Jar

The good news: I received a letter from the MasterCard Card Center on Saturday. They have credited my account the $1,444.00 taken when someone hijacked my PayPal account a few weeks ago.

The bad news: I made a small deposit over the weekend, but the balance seemed lower than it should have been after the return of that money. You guessed it: PayPal has taken more money from my business account to cover unauthorized payments. This time it's $878.55.

And now there's enough in the account for the other disputed amount, $887.36, to clear if/when PayPal tries to clear the transaction again. I somehow wouldn't be at all surprised if PayPal takes it, too.

So much for PayPal locking my account and canceling all of these unauthorized transactions. Time to file more paperwork with the bank, update my file with the Internet Fraud Complaint Center (run by the FBI and the National White Collar Crime Center), set up a new business checking account, and clear out what little remains in my current account, shred that box of laser checks, get a new debit card, and change any payments on the current card to the new one.

So much for paying the bills or cutting a paycheck.

And I still don't have access to my PayPal account to find out exactly who "lilbb@spils.com" sent my money to.

PayPal Insecurity

Over the weekend, I sent some funds using my personal PayPal account, which I changed to a more secure password 4 weeks ago. When picking the person to send the money to, I was surprised to find lilbb@spils.com listed, so I searched for any transactions involving that email address.

What I discovered is that lilbb@spils.com is still the primary address on my business PayPal account. The folks at PayPal have not removed the address from my account.

I also made some more interesting discoveries about the way PayPal works. I decided maybe it would be best to remove some email addresses on my other account, and when I deleted the first one, PayPal asked me to verify this by entering my checking account, debit card, or social security number.

Wow, I thought, maybe they've learned their lesson about security.

But when I attempted to add another email address, no such request. It does show the new address as unconfirmed, does send out an email telling me about the change, but that seems to be it. PayPal doesn't require any further confirmation - but they do ask you to contact customer service if you didn't authorize the change. Of course, by then it may be too late.


You have added <email address> as a new email address for your PayPal account.
 
If you did not authorize this change or if you need help, please contact customer service at:
 
https://www.paypal.com/ewf/f=ap_email
 
Thank you for using PayPal!


I also changed the primary email address on my PayPal account, since I won't pay Apple to keep my mac.com address, and I also removed that address from my PayPal account. I did this in a completely separate session, yet PayPal didn't ask for the same kind of proof they did when I removed the first email address.

Account Links

Once you've created a PayPal account, you don't have to keep it linked to a credit/debit card and/or bank account. Removing a credit card from your account means that you can't make credit card payments via PayPal - and that could be a very good thing just in case your account is ever hijacked.

Removing a bank account not only eliminates the ability to electronically transfer funds between your bank account and your PayPal account, it also turns your account into an unverified one. Although that protects your bank account, it also puts in place a credit card charge limit. For personal accounts, that means that you can't accept any funds sent via credit card.

It also means that you'll have to wait 1-2 weeks for PayPal to send a check when you want to remove funds. There are serious disincentives to disconnecting your PayPal account from your bank account.

Summing Up

I understand how lilbb@spils.com managed to hijack my account - guess the password. That's all it takes. Nothing more.

Once you've done that, you can change the account password(s), add your email address, and then make your address primary. Just like that, you've hijacked a PayPal account. Now spend the money quick before the owner reads the email about the new address being added.

Four weeks after the hijacking, I'm beginning to wonder if I'm ever going to get my account back. At least my bank has been able to get back the money taken fraudulently, but PayPal hasn't done much more than keep trying to cover more unauthorized transactions by taking money from my business bank account.

And that's bad news indeed.

Join us on Facebook, follow us on Twitter or Google+, or subscribe to our RSS news feed

Dan Knight has been using Macs since 1986, sold Macs for several years, supported them for many more years, and has been publishing Low End Mac since April 1997. If you find Dan's articles helpful, please consider making a donation to his tip jar.

Links for the Day

Recent Content

About LEM Support Usage Privacy Contact

Custom Search

Follow Low End Mac on Twitter
Join Low End Mac on Facebook

Favorite Sites

MacSurfer
Cult of Mac
Shrine of Apple
MacInTouch
MyAppleMenu
InfoMac
The Mac Observer
Accelerate Your Mac
RetroMacCast
The Vintage Mac Museum
Deal Brothers
DealMac
Mac2Sell
Mac Driver Museum
JAG's House
System 6 Heaven
System 7 Today
the pickle's Low-End Mac FAQ

Affiliates

Amazon.com
The iTunes Store
PC Connection Express
Macgo Blu-ray Player
Parallels Desktop for Mac
eBay

Low End Mac's Amazon.com store

Advertise

Open Link