Online payment service PayPal has had an exploit on its hands for at least 16 months and counting, and seems to have no resolution for it. A tipster forwarded us screenshots of the fraud, which involves a dummy subscription service to PayPal's sister company Skype, all part of the eBay corporate family. Using the fake Skype subscription, several small charges are made against a PayPal account, all in the same dollar amount.
The first mention of the exploit by a media outlet seems to have been an article in The Register back in June, but complaints on consumer boards like Complaints Board show the problem going back even farther, and a tech column in the Orange County Register appears to show the same problem back in June 2007, with PayPal and Skype reps saying at the time it was the first they'd heard of the problem.
As you can see from the screenshots we received, the phony subscription includes what appear to be Chinese characters in the Billing Description field, and all links are dummy links in the sections for logging back into the PayPal account and reporting errors. In addition, the email address for the "seller" is listed as "unavailable." PayPal was quick to reverse the charges, but our tipster also had to cancel the credit card account, and PayPal offered no explanation for the problem.
A request made by The Industry Standard to eBay regarding the issues did not receive a reply.
Comments
this absolutley astounding news and shows however secure paypal claims to be there still always are loopholes
I was charged 4 debits of 100 Euros each, in succesion, on Nov 2., all within two minutes of each other. This amounted to $522 plus change. I immediately called PayPal and my bank. PayPal assured me that I wouldn't lose any money.
Today, Nov 4th, my bank accounted showed 4 debits from checking for $130.53 each, as Intant PayPal Transfrs.
This is pretty serious stuff! My bank will refund the money, thankfully, and we'll see what PayPal does. I've had a Paypal account for eight years, but will close it for good when all the money is accounted for.
I had the exact same thing happen to me, 10 amounts of 10 euros each were taken from my PayPal account, on friday 31st October. Luckily I was logged into my webmail at the time and saw them all come through at once. I called PayPal and spoke to a french person who basically told me to fill in the online form. So I did, they took 7 working days to getting around to this and eventually amended the transactions. I had to cancell all direct debits with payPal and change my Debit card. (got a new one). Changed passwords on the payPal account also.
So again it happens just on Monday... I ring payPal and again they want me to complete the online form (transaction dispute) I told them that I would not and wished for them to sort this out over the phone.. get the typical no fussed response. So i've cancelled my paypal account altogether... I do not trust payPal anymore now because of this.
ps. I work in the IT industry and none of the machines I have used have spyware not trojans on them so it's from inside PayPal or eBay somewhere.
Thanks
Graeme
Sorry to hear about your problems, Graeme. I've had all but one of my fraudulent charges resolved. Today, 13/11/08, I get an email from PayPal saying I am in debt for $130.53, and that I need to resolve this by adding funds to my account.
I called PayPal and asked how, when I didn't have any money in my PayPal account, did $130.53 get transferred to Skype? The rep at PayPal said the the money had been "fronted" to Skype in anticipation of my bank account sending the same to my PayPal account. Very Interesting!
The PayPal rep told me that I needed to send an email to Skype to try and resolve this. I explained that I would not email Skype, and that Ebay owns both PayPal and Skype, and that they need to settle this affair amongst themselves. At this point the PayPal rep said that they would take care of the matter and email me when it had been resolved.
When it is resolved, I will be closing my account at PayPal. I have had an account with PayPal for eight years. They have some serious issues they need to deal with.
Good Luck,
Tom
This happened to me on Friday. PayPal says Skype must of realized it was fraudlent as refunds are pending. However, the number of refunds exceed the number of purchases, so I'm wondering if I may even make money out of this. The total charges are over $500.
My bank has the charges pending and I am to call back in the morning to have them returned.
When I mentioned this article, the paypal rep tried to tell me I was victim of a phishing scam or I have a virus/spy ware. Given I work in the software industry and consider myself to be pretty tech-smart, I really doubt that. I was pissed they would suggest this was something that happened because of my action/lack of action.
I've filed a complaint with my state's attorney general's office and our local news station. I'm tempted to close my account, but given their dominance in the market - I'm not sure of a good alternative.
ME TOO!!!
I logged on my PC this morning just in time to see seven emails from Paypal notifying me they had paid Skype - for seven different charges.
"This email confirms that you have paid Skype (billing@skype.net) €100.00 EUR using PayPal. The exchange rate for this purchase is 1 USD = 0.771576EUR. "
I had never even heard of Skype. So, I signed onto my PayPal account and called them at the same time. After 40 minutes and three transfers, I finally spoke to someone in the 'Resolution Department' who said that they had software that had determined that the charges were fraudulent and that they had refunded all the monies to my PayPal account - in other words, I had approximately a $30 credit before the changes hit - and I had a $30 credit after they refunded.... BUT BUT BUT charges of approximately $750 had been passed on to my banking account. And they said there was NO WAY they could stop those charges from going through. AND, by the way, even though their own software had detected the fraud and done the 'refund' - it wasn't a REAL 'refund' - that would occur over the following 3-5 days. I asked that my account be closed (which is something you would think they would suggest to YOU) but they said they couldn't do that as I now had 'transactions pending'. So much for 'help'.
I then had to call my bank - and the bank suggested that I wouldn't be secure unless I closed my checking account and opened a new account. I have had that checking account for thirty years. Now I'm faced with having to contact everyone that is currently 'direct depositing' into my account. I have to re-enter all the info in the 'direct pay' for every bill that I pay. And, I lost all the online data, i.e., transaction data and check data that was connected to that account. And since it takes approximately 3-5 days for a new account to get setup - I lost access to the money in my old account.
Fraud is ugly. And hopefully if it happens to you - PayPal won't be on the 'other side'.
ME TOO (2)
Beat you all.....
Got call from my credit card comp ... Could I verify £602 from my paypal account and $720 .Taken at 4.00am european time .. ..........."Errr NO I was in bed"
These were just the OBVIOUS transactions a further $500 was shifted in and out converted to foreign currency.
Within hours the worst had been reversed by paypal
Of course I agonised whether I'd compromised my account but no way was that possible ( hadnt used it for months and just delete phishing emails) got AV ,anti spyware, been doing this for 10 years .
Then I googled "paypal compromised account" arrived here ..... Now I feel somewhat better(although much more concerned)
but i'm still left with $720 that some kind person used to buy an unlocked apple Iphone from the states for delivery to bangalore india (as you do !!). Paypal have 'phoned the buyer' to request proof of authenticity ( How can it be authentic its MY money !!!!!!)--wish I could have been there for that one !
Although none of the payment were for skype I KNOW they are leaky.
MY WIFE TOO on XMAS Day!!!!
3 lots of 10 Euros to Skype.
PayPal sent her an email telling her of the account compromise:
"We have reason to believe that your account was accessed by a third party."
"For your protection, we have limited access to your account until
additional security measures can be completed."
I spoke to PP and they said they'll reverse the transactions.
I got 3 e-mails this morning telling me that my Paypal account had been billed for payments to Skype. One of the e-mails was in English, the other two consisted mostly of characters that showed up as question marks in my e-mail client. Two of the payments were in the amount of 59.50 euros, the third was for 3.95 euros. I have never used Skype, I've barely even heard of it, and I rarely use my Paypal account (it never has a balance). I had to block my debit card and have the bank send me a new one. Skype apparently realized that the charges were fraudulent, as I was notified by email that they had refunded the two larger charges, but as yet they have not refunded the third, smaller charge, and I can't close my Paypal account until they do. Paypal says they are looking into it, and they helped me fix my account (the language had been changed to Chinese I think, and an automatic payment plan had been set up with Skype, unbeknownst to me), but I don't plan on using Paypal again. If this kind of thing has been going on for over a year and a half (with their sister company, no less) and they still haven't put a stop to it then why would I trust them? In fact, why would anyone trust them?
This just happened to me too. What a scam! I filed complaints with my state attorney general's office and the California BBB. Here's the BS answer I got:
Company's Final Response - Posted 02/15/2009
As you are aware, the two transactions made to Skype were returned to the funding source on February 8, 2009. PayPal communicates to customers via email and the Resolution Center. It appears that someone responded to a spoof email and clicked on a link within a spoof email on January 27, 2009. It is important to be aware of spoof emails and protect your passwords and financial information. Again, please accept my apology for any inconvenience that this situation may have caused. If you have any further questions, comments, or concerns, please feel free to contact us at executiveoffice@paypal.com. Sincerely, Carrie Executive Escalations PayPal, an eBay Company
They actually blamed it on me!! Said we clicked on a spoof email...or "someone" did. We didn't!! It's a lie! I encourage everyone to complain and complain LOUDLY.
Someone's got to start listening sometime....
This is still going on. Happened to me today. Got an email from service@intl.paypal.com all written in Chinese describing the charges. Logged into the Paypal website, and sure enough, there was the transactions. I have filled out their online form, and will see what happens next....
This is pure BS that this happens still!
Yep still going on, My husband recieved 10 emails from paypal, 10 charges paid to skype for 10.00 (us dollars) each. We are now out 100.00 and still waiting for paypal to give us our money back! This is infuriating, we have never used skype and he hasnt even used his paypal in years. Our bank isn't any help either they want to charge us 30.00 for them to look into it and don't even guarantee we will get our money back.
I don't know about skype but I do know that something is wrong with PayPal's security. On Monday I received an e-mail from PayPal (which I haven't used in months) stating that from time to time they review accounts and have reason to believe fraudulent charges were made to my account. Well, low and behold, there were 5 withdrawals from my checking account in one day for purchases I did not make. A few were to a company and other payments were made to someone with an asian name. They started small with $10, then $30 and finally $115 before my account was frozen by PayPal. I definitely feel that the breach was either through PayPal and/or E-Bay and I have closed both accounts - never to use either again. I have had to open a new checking account and get a new credit card. This whole situation is a nightmare and one that PayPal takes no responsibility for.
I now have a fraudulent charge from my account. I never even heard of this company & I don't know who they are. Now I will have an overdraft fee from another item that will be taken out - I only had money in bank to cover this. Now that this comp. has taken out there isn't enough to cover the other. I am so angry right now. The bank has stopped my card. Nothing can be used on it.
This is still happening, today I found 5 Skype charges that I did not authorize in my PayPal account after a call from Master Card. These were all done electronically using my PayPal debit card number.
Like others, I've not clicked on any spoof emails, I've never joined or done business with Skype. I've been a PayPal member for over 8 years and a card holder for nearly as long.
There were also other charges, one to Match.com which didn't go through as Skype charges cleaned out my PayPal account.
I've been told that I have to wait until the Skype charges show as completed to dispute with Paypal.
Master Card has canceled my debit card and PayPal is sending a new one.
What a crock!!!
I just got charge $20 for two Skype transcations that I did not authorized in my PayPay account. The money was automatically taken from my checking account since it was my debit card that was stored at PayPal. I am currently disputing that with PayPay. I tried to go the Skype's website and see how I can complain. It is very difficult since they don't even post a contact email. Now I am very hesitant to use PayPal at all!
This is still going on as of Feb 5th 2010. My paypal account was charged 100 euros for a Skype payment and they told me someone must have my password which I doubt. How is this happening and why has it been going on so long without paypal/skype doing somthing about it?
Post new comment