Mac Musings

Good News, Bad News, and PayPal

Daniel Knight - 2002.08.26

The good news: I received a letter from the MasterCard Card Center on Saturday. They have credited my account the $1,444.00 taken when someone hijacked my PayPal account a few weeks ago.

The bad news: I made a small deposit over the weekend, but the balance seemed lower than it should have been after the return of that money. You guessed it: PayPal has taken more money from my business account to cover unauthorized payments. This time it's $878.55.

And now there's enough in the account for the other disputed amount, $887.36, to clear if/when PayPal tries to clear the transaction again. I somehow wouldn't be at all surprised if PayPal takes it, too.

So much for PayPal locking my account and canceling all of these unauthorized transactions. Time to file more paperwork with the bank, update my file with the Internet Fraud Complaint Center (run by the FBI and the National White Collar Crime Center), set up a new business checking account, and clear out what little remains in my current account, shred that box of laser checks, get a new debit card, and change any payments on the current card to the new one.

So much for paying the bills or cutting a paycheck.

And I still don't have access to my PayPal account to find out exactly who "lilbb@spils.com" sent my money to.

PayPal Insecurity

Over the weekend, I sent some funds using my personal PayPal account, which I changed to a more secure password 4 weeks ago. When picking the person to send the money to, I was surprised to find lilbb@spils.com listed, so I searched for any transactions involving that email address.

What I discovered is that lilbb@spils.com is still the primary address on my business PayPal account. The folks at PayPal have not removed the address from my account.

I also made some more interesting discoveries about the way PayPal works. I decided maybe it would be best to remove some email addresses on my other account, and when I deleted the first one, PayPal asked me to verify this by entering my checking account, debit card, or social security number.

Wow, I thought, maybe they've learned their lesson about security.

But when I attempted to add another email address, no such request. It does show the new address as unconfirmed, does send out an email telling me about the change, but that seems to be it. PayPal doesn't require any further confirmation - but they do ask you to contact customer service if you didn't authorize the change. Of course, by then it may be too late.


    You have added <email address> as a new email address for your PayPal account.

    If you did not authorize this change or if you need help, please contact customer service at:

    https://www.paypal.com/ewf/f=ap_email

    Thank you for using PayPal!

I also changed the primary email address on my PayPal account, since I won't pay Apple to keep my mac.com address, and I also removed that address from my PayPal account. I did this in a completely separate session, yet PayPal didn't ask for the same kind of proof they did when I removed the first email address.

Account Links

Once you've created a PayPal account, you don't have to keep it linked to a credit/debit card and/or bank account. Removing a credit card from your account means that you can't make credit card payments via PayPal - and that could be a very good thing just in case your account is ever hijacked.

Removing a bank account not only eliminates the ability to electronically transfer funds between your bank account and your PayPal account, it also turns your account into an unverified one. Although that protects your bank account, it also puts in place a credit card charge limit. For personal accounts, that means that you can't accept any funds sent via credit card.

It also means that you'll have to wait 1-2 weeks for PayPal to send a check when you want to remove funds. There are serious disincentives to disconnecting your PayPal account from your bank account.

Summing Up

I understand how lilbb@spils.com managed to hijack my account - guess the password. That's all it takes. Nothing more.

Once you've done that, you can change the account password(s), add your email address, and then make your address primary. Just like that, you've hijacked a PayPal account. Now spend the money quick before the owner reads the email about the new address being added.
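As an added example (not PayPal's code and not something from the original column), here is a small Python model of the two behaviours described above: the policy seen in the "PayPal Insecurity" section, which asks for extra proof only when an address is removed, beside a hardened policy that asks for it on every change that shifts control of the account, each run against the password-only sequence in the paragraph above. The action names, policy sets and addresses are all constructed for the illustration.

```python
"""Step-up verification for sensitive account changes (constructed model).

An account holds a password, a primary address and a set of addresses.
A policy is the set of actions that need proof beyond the password, the
kind of check the column describes (bank account, card or SSN).
"""
from dataclasses import dataclass, field

# Policy observed in the column: only removing an address asked for proof.
WEAK_POLICY = frozenset({"remove_email"})

# Hardened policy (assumption, not PayPal's): anything that changes who
# controls the account or where notices go needs step-up verification.
HARDENED_POLICY = frozenset(
    {"change_password", "add_email", "set_primary", "remove_email"}
)


class StepUpRequired(Exception):
    """Raised when a change needs proof beyond the password."""


@dataclass
class Account:
    password: str
    primary: str
    emails: set = field(default_factory=set)
    notices: list = field(default_factory=list)  # (recipient, text) audit trail

    def __post_init__(self):
        self.emails.add(self.primary)


def apply_change(account, action, value, policy, step_up_verified=False):
    """Apply one change under `policy`.

    Notices go to every address that was on the account before the change
    as well as after it, so the owner's old primary still hears about a
    change that re-points the primary address elsewhere.
    """
    if action in policy and not step_up_verified:
        raise StepUpRequired(action)
    before = set(account.emails)
    if action == "change_password":
        account.password = value
    elif action == "add_email":
        account.emails.add(value)
    elif action == "set_primary":
        if value not in account.emails:
            raise ValueError("primary must already be on the account")
        account.primary = value
    elif action == "remove_email":
        if value == account.primary:
            raise ValueError("cannot remove the primary address")
        account.emails.discard(value)
    else:
        raise ValueError(f"unknown action: {action}")
    for addr in sorted(before | account.emails):
        account.notices.append((addr, f"{action}: {value}"))
    return account


def password_only_session(policy):
    """Replay the sequence from the column (password known, then a new
    address is added and made primary) with only the password in hand.

    Returns a dict: the primary address at the end, the first action the
    policy blocked (or None), and whether the owner's address received
    any notice. Addresses are constructed placeholders.
    """
    owner = "owner@example.invalid"
    newcomer = "newcomer@example.invalid"
    acct = Account(password="guessable", primary=owner)
    steps = [
        ("change_password", "something-else"),
        ("add_email", newcomer),
        ("set_primary", newcomer),
    ]
    blocked_at = None
    for action, value in steps:
        try:
            apply_change(acct, action, value, policy)
        except StepUpRequired as exc:
            blocked_at = str(exc)
            break
    return {
        "primary": acct.primary,
        "blocked_at": blocked_at,
        "owner_notified": any(addr == owner for addr, _ in acct.notices),
    }


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, password_only_session(policy))
```

Under the weak policy the session ends with the primary address moved and the owner told about it only after the fact, which is the "by then it may be too late" case; under the hardened policy it stops at the first step, before any notice needs to be sent. Sending notices to the address set before and after the change is the second defensive detail: a re-pointed primary address must not be the only place the notice goes.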

Four weeks after the hijacking, I'm beginning to wonder if I'm ever going to get my account back. At least my bank has been able to get back the money taken fraudulently, but PayPal hasn't done much more than keep trying to cover more unauthorized transactions by taking money from my business bank account.

And that's bad news indeed.