“Huh? €481 to Transavia France, €282 to Bravofly, €454 to Cheapoair, €88 to Hotels.com and another €470 to RoomsXXL.de. The payments from my PayPal account suggested that I had a nice holiday ahead, only I knew nothing about it. A little later it turned out that my entire PayPal account had been hacked; I couldn't even log in anymore.”
Frank, 52 years old and working in IT as an engineer, thought he had it right. “I had updated all PCs to the 'most secure Windows ever' and used strong passwords on all major websites. I am also quite critical when it comes to suspicious emails and my own privacy. When my bank called to say that my credit card might have been used fraudulently, I was convinced that my credit card had been skimmed. I had recently been to the US, and there you really have to hand over your card every time. The bank then canceled the fraudulent transactions and blocked the card for transactions outside Europe and via the internet; that should be enough. However, when I checked my PayPal a few days later, I was shocked to see that airline tickets and hotel rooms had been booked for almost 1,800 euros.”
What is PayPal?
If you regularly buy online, your payment details will soon be known at a large number of webshops. Not when you use PayPal. PayPal is an intermediary between you and the webshop. You pay PayPal and PayPal pays the webshop. PayPal works easiest when you link your bank account or credit card directly to your PayPal account. You can then spend almost unlimited money. Convenient, but also a risk. If you don't want that, you have to deposit money into your PayPal account before you pay with PayPal. You then lose the flexibility of always being able to shop.
PayPal is owned by eBay, the major American online auction site that also owns the Belgian 2dehands.be and the Dutch marktplaats.nl. PayPal is active in more than 200 countries. If you open a PayPal account in the Netherlands, you enter into a legal relationship with PayPal Europe. PayPal Europe has a Luxembourg banking license and is therefore also allowed to provide payment services to Dutch citizens.
PayPal takes security very seriously. For example, it offers its customers purchase protection in case a product is not delivered or does not meet expectations. The company is also alert to 'unauthorized transactions'. Besides trying to detect them with a large team of security specialists, it requires you as a customer to report to PayPal immediately if you notice that something is wrong. Preferably you do this by logging in to PayPal, but there is also a toll-free telephone number. Unfortunately, it is only manned Monday through Friday, from 8 a.m. to 4:30 p.m. Not really the 24-hour economy that we are used to by now, and also not useful when you discover that your account is being looted at the weekend.
Frank was lucky, he could call right away. “The helpdesk has launched an investigation and has blocked all transactions. I received an email of every disputed payment with the details of the transaction. It gave me a good feeling, this was handled professionally, that's how it felt. Mind you, at the time I still thought my credit card had been scammed… something which later turned out not to be the case.”
Someone hijacked my paypal
A day later Frank receives an email from PayPal: his password has been changed. Since he has not done so himself, he immediately tries to log into his own PayPal, but alas: the password is incorrect. “And just as it dawns on me that someone has kicked me out of my own PayPal account, a second email arrives from PayPal, confirming that a new email address has been added to my PayPal account. An e-mail address completely unknown to me! Someone has full control over my PayPal account and since it's Saturday now, I'll have to wait eight hours until Monday before I can even notify PayPal. Panic set in for the first time.”
“Slowly it becomes clear to me: this is not a matter of a scammed credit card. My PC must have been hacked or at least my email. From another computer I log in to my webmail and change the password. There, an e-mail arrives with the request to confirm a hotel reservation. The e-mail is part of a considerable correspondence from the hotel with… me! I contact the hotel and report that someone else sent those previous emails, not me. In the meantime, it appears that they have already been informed via PayPal that the booking in question was not correct.”
They even had my passport and driver's license
In the email exchange with the hotel, Frank reads that the criminals had earlier sent the hotel a passport as confirmation of the booking. He contacts the Amsterdam-based booking agency, and indeed they had earlier received a copy of a passport and driver's license. Curious, Frank asks whether they would return the 'previously provided' scan of 'his passport'. To his surprise, it turns out to be his real passport! The criminals had searched Frank's webmail, and there is indeed a message with this scan as an attachment, once used to take out a mobile phone subscription online.
“Since I suspect my PC has been hacked or infected with malware, I download a free antivirus and use it to scan all PCs of all family members. Since the transition to Windows 10, I've only used Windows Defender, but that clearly wasn't enough. Sophos Home finds a lot of malware, and luckily clears it all up.”
PayPal's help desk
Monday morning Frank contacts PayPal to stop the ongoing abuse and get his own PayPal back. A new problem arises. There is no longer a PayPal account under his email address. And although he has the details of the bank account linked to 'an account', that does not match the email address used by the hackers. Nerve-racking hours followed, with lots of phone calls to PayPal employees who sometimes spoke very poor English. According to PayPal, a new account has to be opened, and for that Frank has to send his passport and a bank statement several times. “Something I had just resolved never to do by e-mail again. To my horror, in the evening I see several larger payments to PayPal in my Dutch bank account. I immediately call the bank, which fortunately is always available. Together we conclude that these are direct debits from PayPal, from my bank account that is still linked to PayPal. I have the bank cancel the direct debits. I don't know how PayPal will respond to that, but it's after 5 p.m., so they are unreachable again.”
A day later, Frank has access to his (new) PayPal account again. Immediately after logging in for the first time, he removes the link between his bank account and his PayPal account. He has the same done for the hijacked account. “Luckily I saw that email that PayPal sent when the email address was changed. Otherwise it would have been much more difficult. That was really lucky, because the hackers immediately delete every email they receive for you or send on your behalf.”
We asked PayPal about the advice it gives its customers to use the online service as safely as possible. This was the answer:
1. Always check the sender's address at least twice when you receive mail from PayPal. If it's not from an address that ends in @paypal.com, @paypal.nl, or @e.paypal.nl, it's probably fake.
2. PayPal always uses your first and last name in communication.
3. Never open your PayPal account via a link in an email from a merchant. It could be false.
4. Check the URL of each merchant's website. It should always start with https:// to make sure it's safe.
5. Never open an attachment in an email from an unknown person. PayPal never sends attachments with its messages.
6. Never share your personal and financial information and be vigilant for e-mails that request it.
7. If you are selling, always check your PayPal account for payment before sending anything to the buyer.
8. Look out for unusual offers such as getting paid more than you ask or when the buyer lives abroad.
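PayPal's first, fourth and fifth points above (sender domain, https:// URLs, no attachments) and its second point (use of first and last name) are checks a mail filter can perform mechanically. The following is an added example, not code from PayPal or from the article, that applies those four checks to a raw e-mail message and reports which ones fail. The trusted domains are the three PayPal names in the list above; the sample messages, the recipient name "Frank Jansen" and the hostnames ending in .example are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Sender domains PayPal itself names in the advice above. Anything else is suspect.
TRUSTED_SENDER_DOMAINS = {"paypal.com", "paypal.nl", "e.paypal.nl"}


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header, ignoring the display name
    (the display name is free text and is the part a phisher fakes first)."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def is_trusted_sender(from_header: str) -> bool:
    """Exact match only: 'paypal.com.verify.example' must not pass as 'paypal.com'."""
    return sender_domain(from_header) in TRUSTED_SENDER_DOMAINS


def is_safe_url(url: str, expected_host: str) -> bool:
    """PayPal's fourth point: the link must use https and point at the expected
    host (or a subdomain of it), never at a look-alike such as paypal.com.example."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    expected = expected_host.lower()
    return host == expected or host.endswith("." + expected)


def triage_message(raw_message: str, full_name: str) -> list[str]:
    """Return a list of warnings for one raw RFC 5322 message; empty means all checks passed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []

    from_header = msg.get("From", "")
    if not is_trusted_sender(from_header):
        warnings.append(f"sender domain '{sender_domain(from_header) or '?'}' is not a PayPal domain")

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if full_name.lower() not in body.lower():
        warnings.append("message does not address you by first and last name")

    # iter_attachments() yields nothing for a single-part message, so this is safe either way.
    if any(True for _ in msg.iter_attachments()):
        warnings.append("message carries an attachment; PayPal never sends attachments")

    return warnings


def _build_message(from_addr: str, body: str, attach: bool = False) -> str:
    """Build a constructed sample message as a raw string (test data, not real mail)."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "frank@example.invalid"  # constructed recipient
    m["Subject"] = "Your PayPal account"
    m.set_content(body)
    if attach:
        m.add_attachment(b"%PDF-not-a-real-file", maintype="application",
                         subtype="pdf", filename="invoice.pdf")
    return m.as_string()


# Constructed samples: one that looks like genuine PayPal mail, one that fails every check.
GENUINE = _build_message("PayPal <service@paypal.nl>",
                         "Dear Frank Jansen,\n\nYou sent a payment of EUR 12,00.\n")
PHISH = _build_message("PayPal <security@paypal.com.account-verify.example>",
                       "Dear customer,\n\nYour account is limited. Open the attached form.\n",
                       attach=True)

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("phish", PHISH)):
        print(label, triage_message(raw, "Frank Jansen") or "all checks passed")
```

The display name is deliberately ignored: a From: header such as `"service@paypal.com" <alerts@mail.example>` shows a PayPal address to the reader while the real domain is mail.example, and the example classifies it as untrusted. None of these checks replaces cryptographic sender verification (SPF, DKIM, DMARC) at the receiving mail server; they are the user-level checks from PayPal's list, made precise.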
Make PayPal more secure
Frank suspects that the hackers who hijacked his PayPal are making bookings everywhere and then canceling them. The money is then transferred back to the PayPal account and they pass it on to their own account. “It is still not clear to me whether only my e-mail was hacked or whether there was really a keylogger or something on my PC. I had pretty strong passwords, but the same ones for a long time and like everyone else, about the same everywhere. If you have had the same e-mail address for a long time, then a lot of sensitive information will be stored in your e-mail archive unnoticed. If you then search back, you have always sent your credit card details or scanned and sent your driver's license or passport. All things you would never send together… but they are quietly waiting there in the Sent Items!”
You can make PayPal more secure by not linking a bank account or credit card. You then have to put money into the PayPal account every time you pay. Thanks to iDEAL this is easy, and that way you keep more control, because an attacker can only spend what is already in the account. If you want more convenience, you can choose to leave a small fixed amount on the PayPal account as standard for smaller impulse purchases.
In principle, PayPal's security rests entirely on knowing a username and password. That is simply not enough for important matters; the Dutch banks do not use an extra factor for nothing, such as a unique code that you generate with a separate card reader or a code that is sent to your phone via SMS. PayPal also supports two-step authentication, but doesn't really promote it. If you want to make your PayPal account more secure, go here and log in with your PayPal account. There you can register a phone number, to which a six-digit code will be sent every time you pay with PayPal. The code is required to complete a payment, so a hacker who knows your password would also need your phone to abuse your PayPal account.
It took another three weeks, but in the end PayPal reversed all fraudulent transactions and transferred the credit that was still in his original PayPal account to his new one. “This can happen to anyone. It has been a good learning experience for me. From now on I will use unique strong passwords everywhere and two-step authentication whenever possible. And services that don't support that or aren't secure enough for some other reason, they just lose me as a customer.”
While PayPal was presumably not the source of this hack, the company does play a prominent role here. We therefore asked PayPal for a response. “We ask anyone who suspects fraudulent acts to inform [email protected] and we will immediately start an investigation. Users can also submit their fraud report to our customer service team by phone at 0800-2659293 or online through the PayPal Resolution Center. PayPal advises its customers to always use very strong passwords to secure their account. In addition, users can activate two-factor authentication for added security. PayPal has a dedicated team of security specialists who monitor all PayPal transactions 24 hours a day and their priority is to protect PayPal users from fraud.”