How easy is it to hack PayPal?


 USMarines
 
posted on November 20, 2001 12:55:48 PM new
My question to all of you and to paypaldamon is: is it true that it is that easy to hack PayPal?

When I inquired about a shipment, I received the following email from a seller:

<<err, I haven't got it yet,
my PayPal account is: [email protected]
[email protected] was setup by a hacker to try to steal funds from
me. PayPal was supposed to delete that account.

-XXXXX>>

My answer to seller was as follows:

<<I wish you had let me know sooner that you didn't receive the payment. I made the payment right after the auction (November 11, 2001), after receiving your emails. I sent you a copy of the payment transaction. You should have said something at that time.

I have filed a fraud complaint with PayPal as follows:

Seller didn't receive funds; I sent the money to the email address provided by the first email I received after the auction closed, which according to seller was set up by a hacker with the purpose of stealing funds.

Please transfer funds to the correct account so I can receive my merchandise.
I will follow it up with a Fraud complaint with the auction house, the FBI, Cyber Crime Unit and the US Postal Inspectors, since this purchase was supposed to be mailed.

I have never had trouble before with PayPal or the online auction circuit. I have had some delays in receiving my purchases, but I have never lost a dime, so I am very familiar with the complaint procedure. I am not very active at Yahoo or Amazon; however, I do a lot on eBay under the same user name.

Hopefully this situation will be resolved promptly. I hope that my complaints will help to straighten out your situation.

Sincerely,


ZZZZ>>

If this is true, should we all be worried?

USMarines


 
 litlux
 
posted on November 20, 2001 01:05:08 PM new
mmmmm, interesting situation.

I wonder if this is not really a case of Paypal being hacked, but your sending money to a con artist.

If you sent the money to the email given in the initial notice from the seller, then perhaps the email itself was the con with the fake paypal account. You can certainly file for a refund directly with Paypal, stating non delivery as the reason.

Once the refund is granted, then send a new payment to the verified seller.

I take it that this was a large transaction, as only stupid con artists take risks with small amounts.

Good luck.

 
 paypaldamon
 
posted on November 20, 2001 01:22:04 PM new
Hi,

No, it would not be easy to hack PayPal. This seems more of an issue of someone setting up an account with an intent to defraud.

I am having a hard time understanding the issue here. Can you please clarify the scenario? Or send me the information?

 
 USMarines
 
posted on November 20, 2001 01:29:53 PM new
The seller appears to be on the level. Seller provided mailing address and telephone number and has a nice website; seller appears to be very responsive to my inquiries. Seller rating was average.

The purchase plus shipping amount was not very large and it seems that seller was a regular customer of PayPal.

While we were exchanging emails, an email arrived that appeared to be one of those automatic check-out emails with the PayPal seller account, which had the same name as the seller account, except the ISP was different. I noticed the difference; however, that is normal, and I sent the payment.

If this is true, it is frightening to continue using electronic payments.

USMarines
[ edited by USMarines on Nov 20, 2001 01:30 PM ]
[ edited by USMarines on Nov 20, 2001 01:32 PM ]
 
 arcld
 
posted on November 20, 2001 01:32:28 PM new
hello, I have used PAYPAL for some time, even when it was x-com, and to date have never had any problems, and when I had questions they got right back to me. So far the best service on the internet auction system. Sorry about your problem with them.

 
 USMarines
 
posted on November 20, 2001 01:42:47 PM new
Hi paypaldamon & arcld:

I too have been using PayPal for a long time; this is the first problem I have encountered, especially of this nature. I always felt safe using PayPal and if a buyer didn't accept PayPal, I usually didn't purchase from them.

Paypaldamon, I'd be glad to send you a copy of all the emails and PayPal Transaction Receipt, if you provide me with an email address. I am sure the seller will also be happy to have this situation resolved.

However, if this is true, I need to examine my use of electronic payments. I don't only use PayPal, but I transfer money and pay my bills using electronic payments.

USMarines

 
 paypaldamon
 
posted on November 20, 2001 01:43:50 PM new
Hi,

My [email protected].

 
 USMarines
 
posted on November 20, 2001 01:46:14 PM new
Thank you, all the emails and the PayPal payment transaction receipt were sent to your email address.

USMarines
[ edited by USMarines on Nov 20, 2001 02:09 PM ]
 
 LaneFamily
 
posted on November 20, 2001 08:51:57 PM new
I will save you some time. Here is your answer.

Our investigation has revealed that the seller is at fault; as
a result you are due a refund. However, we regret to inform
you that we were unable to recover funds from the sellers account,
as the seller's account balance is $0. If this transaction occurred
on an auction site, we encourage you to contact that auction site,
as they may provide you with insurance coverage.

We value your business and regret that you have had this experience.
To avoid similar experiences in the future, we recommend that you
read our Security Tips on our website located at:
http://www.paypal.com/cgi-bin/webscr?cmd=p/gen/fraud-prevention-outside

Sincerely,
Complaint Resolution Department

--------------------------------------------

I hope you used credit card funds so you can do a charge back.

Jim

 
 wowwow85
 
posted on November 21, 2001 06:52:25 AM new
how did the crook get your email address??
only ebay seller can have your email address at the end of auction??

 
 USMarines
 
posted on November 21, 2001 10:49:10 AM new
Thank you all for your input; the questions you raised and the ideas expressed will help plug this lapse in security existing at PayPal. Special thanks to paypaldamon and PayPal's Complaint Resolution Department for all their help in resolving the problem in a fair and speedy manner. I still believe that PayPal is one of the better services on the Internet, but this incident has uncovered a black hole in security which should be of great concern to Buyers and Sellers. Someone can steal money from Seller extremely easily and Buyers can be scammed.

Just to bring you up to date of what has taken place so far.

The past, the present and the future . . .

1.- After the closing of the auction I paid Seller using PayPal and selecting the funding option of a Credit Card, that is the only way I pay because of the protection provided by the use of a Credit Card. (If I experience a problem, I can have my Credit Card company reverse the charge.)

2.- Seller was instructed to mail package using the USPS and Buyer requested and added the cost of a Tracking Number to the postage requested by Seller. In addition, Seller was instructed to email Buyer the Tracking Number after package was mailed. (The US Postal Service provides the added security of the Postal Inspectors, who are very good at tracking down fraud.)

3.- Ten days after payment, in the absence of receiving a Tracking Number, I contacted Seller. Seller advised me that she had not yet received payment. (Payment was made 10 days earlier.)

4.- Seller is extremely responsive and cooperative, answers each of my emails timely and has offered to ship the purchase free, because of the hassle Buyer was put through. However, that is not fair, Seller should be paid. Just received an email from PayPal, stating that they have determined that Seller was at fault and will reverse payment back to my account. They were able to recover money from seller's account.

5.- PayPal's -- paypaldamon and Complaint Resolution Department were also very responsive and cooperative; they have resolved the problem satisfactorily and given me assurances that the transaction will be reverted in 5 days and credited to my account. However, they haven't given me assurances that this lapse in security will be fixed by PayPal.

6.- I was planning to file reports with the US Post Office Fraud Claim form, file complaints with eComplaints, Fraud.org and FBI's Cyber Security, FTC.gov and Police and Prosecutor in Seller's City. Once the reports were filed, I would let the authorities do their job and cooperate in the prosecution. However, this is not necessary, because of the equitable resolution by PayPal.

7.- As a last resort, I was to notify my credit card company and have that charge reversed. This also will not be necessary, thanks to PayPal.

How could this happen . . .

1.- Seller opens a legitimate account, observing all of PayPal rules.

2.- Someone collects the following information about the account that he/she wants to create a mirror or an alias of: Business URL, Email address, Phone Number of the victim. How is that done? When you make a payment at PayPal, the following information comes up without any effort from the user:

Business Contact Information
Business URL: http://www.xxxxxx.com/yyyyyy ---- Which is the Seller's website address
Customer Service Email: [email protected] --- Which is Seller's email address
Customer Service Phone: XXX-XXX-XXX --- Which is the Seller's phone number

No special effort was required from the user to obtain the above information. With that information in hand, Someone can obtain mailing address of business, etc.; it is extremely easy.

3.- That Someone can now open an account at PayPal armed with the above information, can use his/her own or a stolen credit card and can use his own bank account or a bank account specially opened for this purpose.

4.- Someone opens what is called a mirror or alias account. That is one that closely resembles the first: the name of the account is almost identical, perhaps one or two characters different, or the domain name is similar to the original account; the same email address, website or phone number is used as in the original account. This is similar to the email some time back that some users received supposedly from paypaI.com. However, the last letter is not an "el," but a "Capital I." You probably remember that scam.

5.- PayPal requires account holder to:

Contact and Refund Information. Each user of the Business Service will be required to input its customer service contact information into the Business Account application upon registration. You agree to clearly identify your customer service contact information, including but not limited to your business name, address, telephone number, fax number and e-mail address. You further agree to update such information to keep it true, accurate, current, and complete. You agree to clearly disclose your refund policies on your website.

That Someone can use the Seller's original/legitimate website to fulfill the above requirements.

6.- When items are put up for auction, that Someone knows; he/she runs a search at the auction house by Seller name, bookmarks the different auctions and can keep track of the closing of the above auctions.

7.- That Someone can masquerade as the Seller by logging in to the Auction House as the Seller; he obtains the password by using one of the many available software programs to break passwords, or if the person is knowledgeable, can write his/her own program. Now that Someone has the Seller password at the auction house, can retrieve Buyers' email addresses and do everything the Seller can.

8.- In addition, that Someone does the same thing at the email server of the Seller, and now has the password, and can now remotely access Seller email, answer emails, delete emails, etc. That Someone can do everything the owner of the account can do, and since he/she is more knowledgeable, can do more.

9.- Just to illustrate how easy it is to break into a password account, I will give the following example: Suppose we want to obtain the "root or superuser" password of our servers, since our system administrator was in a fatal accident today. There is a problem in the system that must be corrected; however, to make that correction a "root or superuser" password is necessary. You load one of the many programs available for that purpose and in a few minutes you have the root or superuser password. That is legitimate use of the above software; however, it can be put to illegal use as easily. Remember that the user name of the Seller is readily available at the Auction House; all that Someone needs is the password.

10.- Now, that Someone, can steal the money from the Seller as he/she receives it, from the Buyer and empty the account at will. In order to conceal from the Seller that payment was made by Buyer, that Someone deletes the PayPal email advising of payments, all this can be done remotely.

How could this be prevented . . .

1.- PayPal should have a method of checking new accounts that they are not mirrors of existing accounts with the purpose of committing fraud.
A simple, database lookup program of existing accounts would prevent the creation of mirror accounts, checking the telephone numbers and mailing and web addresses of existing accounts against new accounts would prevent this from happening.


2.- When one is opening a new account, it should be checked by PayPal against existing accounts to see that it is not using the same mailing address, web address or telephone number, or so closely resembles an existing account.
There are utility programs readily available in most operating systems that can compare "strings" in the new account with the database of existing accounts. If PayPal was using that safeguard, it would have flagged down this account; once the accounts -- the original legitimate account was examined against the mirror or alias account -- PayPal could have automatically prevented the mirror or alias account from being opened.

3.- PayPal could also compare "strings" of phone numbers, addresses, credit cards, etc., and effectively close that black hole to fraud and protect Seller and Buyer alike, but that takes additional programming, which apparently PayPal is not willing to do yet, especially with all the red ink it has accumulated since its inception. However, if they want to stay in business, they must bite the bullet and make it safer for Sellers and Buyers alike.

Who can be that Someone that setup mirror or alias accounts . . .

There are three possibilities:

1.- An outside hacker

2.- An insider, which would not need, to find out all the information that the outside hacker needs and is willing to steal from his employer or associate.

3.- A crooked Seller.

Conclusion . . .

I am sorry to inform you that PayPal determined that the seller was at fault this time; it seems that Seller created the mirror account, to claim not to have received payment, and blamed it on a "phantom alleged hacker." I had a feeling that this was an inside job; however, I wanted to give the Seller the benefit of the doubt, until the investigation showed who was at fault.

After all that was said, I still feel very confident in using PayPal for my auction transactions. I believe PayPal gives an additional level of protection, even with their present black hole of security. I can still say that I haven't lost a dime on online purchases, by following a few guidelines outlined above and my willingness to prosecute wrongdoers, regardless of the amount involved.


USMarines
[ edited by USMarines on Nov 21, 2001 11:03 AM ]
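
Added example (not part of any post in this thread, and not PayPal's code): the account-opening check proposed in the post above, written in Python, comparing a new account's e-mail, phone and website against existing records and folding look-alike characters such as the capital "I" in paypaI. The record fields, the confusable-character table and the sample accounts are constructed assumptions; a hit is a flag for manual review, not proof of fraud.

```python
import re
from urllib.parse import urlparse

# Constructed sample records standing in for the existing-account database.
EXISTING = [
    {"email": "sales@example-shop.test", "phone": "555-010-0199",
     "url": "http://www.example-shop.test/store"},
    {"email": "books@another.test", "phone": "555-010-0123",
     "url": "http://another.test/"},
]

# Assumed table of visually confusable characters, folded to one form.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s"})

def skeleton(s):
    """Lower-case and fold look-alikes so 'paypaI' and 'paypal' compare equal."""
    return s.lower().translate(CONFUSABLES)

def edit_distance(a, b):
    """Levenshtein distance: catches one or two changed characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def digits(phone):
    """Keep only digits so formatting differences do not hide a match."""
    return re.sub(r"\D", "", phone)

def host(url):
    """Host name of a URL, without a leading 'www.'."""
    h = urlparse(url if "//" in url else "//" + url).hostname or ""
    return h[4:] if h.startswith("www.") else h

def screen_signup(new, existing=EXISTING, max_dist=2):
    """Return (existing_email, reasons) for each account the new one resembles."""
    hits = []
    for acct in existing:
        reasons = []
        a, b = skeleton(new["email"]), skeleton(acct["email"])
        if new["email"].lower() != acct["email"].lower():
            if a == b:
                reasons.append("email differs only by look-alike characters")
            elif edit_distance(a, b) <= max_dist:
                reasons.append("email within %d edits" % max_dist)
        if digits(new["phone"]) and digits(new["phone"]) == digits(acct["phone"]):
            reasons.append("same phone number")
        if host(new["url"]) and host(new["url"]) == host(acct["url"]):
            reasons.append("same website host")
        if reasons:
            hits.append((acct["email"], reasons))
    return hits
```
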
 
 wowwow85
 
posted on November 21, 2001 11:14:12 AM new
this reminds me of another thread,a seller received an email from the buyer and the buyer made payment and gave shipping instruction,
it turns out that this is not the high bidder?????


 
 twinsoft
 
posted on November 21, 2001 09:24:50 PM new
The whole problem could have been avoided if you, USM, had taken what are standard or even minimal protective measures. You sent payment to a third party knowing there was a discrepancy between the seller's ID and that of the party who contacted you. At the very least, you should have sent a follow-up letter to the seller asking them to verify the second email account. This scam has been around for a long time and is easily preventable. 'Glad everything worked out.

 
 USMarines
 
posted on November 22, 2001 06:39:50 PM new
Hi Twinsoft:

There was no discrepancy on the email accounts. The email I received asking me to make payment to PayPal was the same as the one I had previously received from the seller.

While I was making payment, the seller website and telephone number were shown, which were the correct address and number, as shown on her original email.

After I made payment using PayPal I sent a copy of Transaction Receipt to seller, using the above email account. I know that PayPal also does that. However, as a courtesy I always let seller know that payment was made.

I only discovered that the seller PayPal account was different 10 days after I made payment, while inquiring why I did not receive the Tracking Number I requested and paid for. Seller said that she was not paid, and that I had paid to an account set up by a hacker to steal funds from her.

At that point she gave me her PayPal account, for me to verify. The PayPal account she now gave me was slightly different from the account I made payment to.

I asked seller why she didn't say something before now. Seller claimed her account was hacked and she didn't receive my email advising her that payment was made, nor PayPal's email.

I suspected Seller; however, I wanted to give her the benefit of the doubt, until the investigation was completed.

Seller had two accounts with PayPal; the account names were almost identical. Seller's method was to ask Buyer to pay to the first account. Later, after you didn't receive your purchase, she blamed it on a "phantom alleged hacker." She claims the hacker created that account and stole the payment from her. She said she didn't receive payment, since her real account was the second, which is almost identical in name. PayPal investigation confirmed that both accounts were hers and recovered the funds. I hope that answers your question.


USMarines
 
 wowwow85
 
posted on November 22, 2001 07:27:09 PM new
how much money is involved here??
is this considered a smart plot????
or is this a way to borrow your money for awhile?????
so what happens to your seller>does paypal take legal action?do you and paypal report her to ebay??

 
 twinsoft
 
posted on November 22, 2001 09:25:51 PM new
Okay, Rudy. I get it. Hard to believe anyone could be stupid enough to pull this kind of a scam when the evidence is so readily available. I would send a report to the seller's local police dep't.

 
 wowwow85
 
posted on November 23, 2001 07:10:36 AM new
most sellers are more than happy to bid good bye to their merchandise once buyer forks over the payment.
sellers do not get gold star by hoarding inventory,this seller of yours must not have the goods and using two accounts,she thought she can take your money and not deliver,she must not have the goods on hands and have no intention of acquiring them with your payment.
i wonder if there is a way to make sure seller have good and will ship immediately.
i know amzn requires seller to have goods on hand and ship in 2 days as most buyers use credit card for payment

 
 USMarines
 
posted on November 23, 2001 08:09:16 AM new
Hi:


I doubt, if the authorities would follow up on my report, since no money was actually lost. My total payment was recovered by PayPal. To PayPal's credit, they were very quick and effective.

Seller was selling about 15 items in a Dutch auction. Seller's total receipts would have been under $1,000.00. It seems such a small amount for someone to take a chance of a stiff jail sentence, since federal and interstate commerce laws would be broken if Seller was to succeed. Now, since no money was lost, the only charge that could be filed would be conspiracy, which the authorities are reluctant to follow through.


I have no idea if PayPal prosecutes those types of situations or just cancels the accounts. The auction houses do very little, in my past experience. The ones that are very effective are the US Postal Inspectors and the FBI Cyber Squad. However, if no money was lost, this case would not have priority.


That is the reason I always request that my purchases be mailed using the USPS. An added level of security.


The real question is -- is PayPal implementing some type of security guards to prevent this type of scam? The setup of mirror or alias accounts, by hackers, insiders or sellers themselves, such as in this case. It is hard to believe that a seller could be that stupid!


USMarines

[ edited by USMarines on Nov 23, 2001 08:14 AM ]
 
 wowwow85
 
posted on November 23, 2001 09:49:46 AM new
since buyer did not suffer financial loss,it wont do any good reporting her to the police.
i think buyer should leave feedback and report to ebay and have her NARU'd.


 
 

All content © 1998-2024  Vendio all rights reserved. Vendio Services, Inc.™, Simply Powerful eCommerce, Smart Services for Smart Sellers, Buy Anywhere. Sell Anywhere. Start Here.™ and The Complete Auction Management Solution™ are trademarks of Vendio. Auction slogans and artwork are copyrights © of their respective owners. Vendio accepts no liability for the views or information presented here.