Identity Theft at eBay and PayPal

[teejayevans]

Any thoughts?

Close out your checking account, open a new one, will obviously need
new checks, let the bank know what checks you've written so they
can tell which still haven't cleared. If you have automatic deposits or
withdrawals, you need to change (paychecks, VG, etc)

Whenever possible, always give credit card numbers instead of
checking account numbers, since CC are easier to cancel and
reissue. I cancel my CC I used with Paypal when I stopped EBAYing.

TJ

 

[tryan]

Is the lesson here:

1. Close EBAY account
2. Close PayPal account (this one hurts!)
3. Close both.



Not sure I can go without Paypal ... been taking CC orders for the lake house rental. Can easily live wo EBay.

 

[teejayevans]

I've set my laptop up for financial matters when I'm in a secure network or when I tie in directly here at home and have changed all the appropriate passwords on my financial accounts.

I hope I'm not closing the barn door after the horse escaped, but I suppose I'll know in the next few days.

Now I'm getting angry email from eBayers in the U.K. who have figured out that this guy is a thief. Makes me wonder if eBay sent out a blanket email covering everyone who received an email from the jerk wanting to overpay for their computers...his email reads like one of those Nigerian schemes.

Now that my profile has been corrected and shows the correct email address, I'm receiving all the responses that he hoped to get at his own email address.

What a day.

Ask EBAY to close your account and create a new one with the
appropriate rating...
TJ

 

[TexasGal]

Speaking of eBay . . . every time I start my computer first thing in the morning I see eBay. My internet home page is google, but I am automatically taken first to the eBay website. What's up with that? I see the eBay site first and then when I click on internet explorer my usual google homepage appears. eBay seems to be part of my computer's startup now.

I ran AVG even though I supposedly have all of this protection from McAfee and there was a trojan dropper.small (no extensions . . .just those 2 words). AVG also found all kinds of tracking cookies, one of which was eBay, and deleted them even though I had just run McAfee's full protection scan.

So . . what does this tell you about McAfee?

I downloaded AVG's FREE anti-spyware, anti-virus, anti-rootkit.

 

[ERD50]

Great I signed up for PayPal this very morning!

Like many of you, I avoided it for fear of (who knows what). Only made a few ebay purchases previously, and only with people/stores that accepted credit cards. Today, I wanted to bid on something that was PayPal only....

However, I did do a quick look at PayPal on wiki first, and reading the links here, it seems that the real danger is those phishing emails. I'm not worried about that.

I NEVER respond to anything directly; email, phone call, snail mail, guy knocking on the door. Contact the place directly through a phone number or web site or email that you previously KNOW to be valid.


It really torques me when supposedly 'helpful' web sites and journalists say things like, 'look for misspelled words, bad grammar, etc'. The heck with that! Just ASSUME it is fake - contact the place directly.

People should not think of the internet as anything different. If someone called you anonymously, and asked you for the key to your safety deposit box, would you just give it to them? Heck no!. If you wanted to give them the key, you would be contacting THEM. So, don't do it over an email or the internet either.

Keep it simple. Just say no.

-ERD50

PS - I don't know about macros running in a preview pane, but images that are linked back to a server will trigger that server to let them know that they reached a valid email address. They add a code to that request, so they know which email it came from. You can expect a lot of SPAM after that. Keep images off, keep preview panes closed. Enable images only after you are confident of the source, and if you really want to see them.

 

[ERD50]

My internet home page is google, but I am automatically taken first to the eBay website. What's up with that?

Something has control of your computer. You better find out what it is.

If you say Google is your home page, and your computer says, no eBay is (and don't be surprised if it is a FAKE eBay look-alike web page), well who knows what else it is doing?

-ERD50

PS - this isn't quite as much fun to say, now that CFB isn't around, but since the last time I mentioned it, another few months have been tacked on to the years that Mac users have been free of this cr@p!

We may have our day yet, but it keeps coming and going w/o viruses for many, many sun rises.

 

[clifp]

I'll relate my story with PayPal and Phising. Three years ago, while in San Francisco, on my way to Turkey of all places, I noticed a ~$1400 PayPal charge on my checking/brokerage account. It seems that somebody had hacked into my PayPal account and bought a laptop or something.

I was quite worried that with access to my brokerage account via overdraft protection, the guy would do something crazy like buy a house or an airplane.

The folks at Ebay were very helpful and quickly reversed the charges. Although, they naturally required good proof that I was who I said I was. Unforunately, not being at home and days away from leaving the country this required lots of running around get things notorized etc.

 

[ERD50]

It seems that somebody had hacked into my PayPal account and bought a laptop or something.

Question - do you think this was the result of a phishing scam? Maybe you don't remember, but did you go to a (fake) eBay account directly from a pfishing email?

If not, that means the hackers have found other ways in, an then I am worried.

-ERD50

 

[TexasGal]

There is a new security key that you can purchase for $5 on PayPal. The key is a digital gadget that you can keep on your keychain. New 6-digit numbers are generated every 30 seconds. You type your user name, password and then enter the security key as shown on the security key and you can get in. That security key code is then gone completely and cannot be used a second time.

When I was checking out the situation for myself on PayPal I saw the offer for a security key.

I can hardly believe that PayPal is asking consumers to pay for their own bad security at $5 for the key, but alas, if I were someone who absolutely had to use PayPal I would do it.

 

[FIRE'd@51]

Speaking of eBay . . . every time I start my computer first thing in the morning I see eBay. My internet home page is google, but I am automatically taken first to the eBay website. What's up with that?

Have you tried setting your homepage back to Google? If it keeps getting reset to eBay, something has probably hijacked your browser. If not, you may have inadvertently set it to eBay by mistake, and you should be OK.

 

[TexasGal]

My homepage was set to google. That is the first thing I checked because I know that I can inadvertently change it. I ran all kinds of spyware removal and now the eBay opening page is gone. One trojan was found and removed. AVG found it when McAfee did not.

 

[chinaco]

There is a new security key that you can purchase for $5 on PayPal. The key is a digital gadget that you can keep on your keychain. New 6-digit numbers are generated every 30 seconds. You type your user name, password and then enter the security key as shown on the security key and you can get in. That security key code is then gone completely and cannot be used a second time.

This enables a form of two-factor authentication. Some Banks are beginning to use them also.

Technical Specifications - RSA, The Security Division of EMC

The second factor could be a biometric.

Two-factor authentication - Wikipedia, the free encyclopedia

 

[Bigritchie]

I would format your computer asap, totally purge everything. It sounds like you could have a keylogger, and anti-virus stuff will not always find it.

 

[joesxm3]

cathing things on the way out - zone alarm

I notice most of you have some sort of anti-virus and maybe a firewall blocking things coming in.

I use a Linksys NAT router/firewall which is a hardware device between your cable modem and computer. This allows 4 computers to be hooked up and blocks incoming traffic.

They make a wireless version which the laptop crowd likes. I do not know a lot about wireless, but the key point is to make sure you turn on the encryption that limits access to only certain MAC addresses (from the network card in your PC). This makes sure that only you can use your network.

The thing that most seem to not be mentioning is the need for a program that catches things trying to transmit out from your computer. The keyloggers and trojans are useless if they cannot phone home.

Zone Alarm has some nice stuff in this area. The URL is ZoneAlarm by Check Point - Award winning PC Protection, Antivirus, Firewall, Anti-Spyware, Identity Protection, and much more.. I have not used it for a while but the guy next to me at work bought their entire package and loves it. They used to have a small stripped doen version for free.

There is another place called Gibson Research. The URL is Home of Gibson Research Corporation. Steve Gibson has been in the business since the early '80's. He has a lot of nice articles on security stuff and a tool called Shields Up that tests your security by probing remotely. I was responsible for security at a division of a large ecommerce company but I still learned a lot from reading on this site.

I hope this helps some of you.

 

[grumpy]

Ask EBAY to close your account and create a new one with the
appropriate rating...
TJ

I recently experienced similar problems on ebay. When I requested them to close my account I was told that if they did so, I could not reopen a new account with the same email address.

Grumpy

 

[ERD50]

There is another place called Gibson Research. The URL is Home of Gibson Research Corporation.
I hope this helps some of you.

thanks. I do remember going to the gibson site before and accesing the 'shields up' pages on their site. My system shows up completely in 'Stealth' mode - apparently none of the ports can be detected from the outside.

I'm behind a D-Link wireless router -I don't know if that takes care of everything or not, but whatever, it says I am 'Stealth'.

-ERD50

 

[joesxm3]

With the d-link and grc showing stealth mode you are pretty well protected from outside attack.

What you are still open for are attacks that you help with by somehow installing programs, email atachments containg programs etc.

You should turn on the option to show full file names (i.e. do not hide known extensions) so you can see things like "mypic.jpg.exe" which is a program and not a picture.

Another little kniw fact is that programs do not have gto have ,exe, .dll etc. They can have any name. If they have a name like badprog.jpg they will run except that if you have an association that naps .jpg to a picture viewing program it will probably not run it, but if there is no association it may default to a runnable program.

Back to the earlier point. With the d-link blocking incoming access and a good antivirus catching what it knows about (i.e. there is a time lag on knowing about new viruses and they can never know about custom attacks) you are ok except for stuff you accidentally install that antivirus does not know about.

That is here zone alarm comes in. It only allows known programs to go out, so it detects the bad program when it tries to contact home base.

Note that going to bad web pages that then divert to home base would probably look as if it is the browser and ould sneak by.

I do this for a living and it boggles my mind to the point that I unplug my financial computer when not using it and unplug all my other ones when I am.

 

[ERD50]

I do this for a living and it boggles my mind to the point that I unplug my financial computer when not using it and unplug all my other ones when I am.

Wow.

What's the old saying? It's not paranoia if they really are out to get you?

Another little known fact is that programs do not have gto have ,exe, .dll etc. They can have any name. If they have a name like badprog.jpg they will run except that if you have an association that naps .jpg to a picture viewing program it will probably not run it, but if there is no association it may default to a runnable program.

Macs have a bit of added protection there, you can't download and run an executable w/o it informing you that the file is an executable and then asking for your password. So, a user *should* (big 'if', I know) realize that something is up if a picture wants to install a program. But, that is still wide open to 'social engineering' - if a person says 'sure' and gives it the password - there ya' go!

Thanks for the tips - ERD50

 

[Nords]

There is a new security key that you can purchase for $5 on PayPal.

So PayPal has a security level that'll avoid most of these fraud issues, but they're only going to give it to people willing to pay for it. Great.

I think I'm gonna un-verify my PayPal account and un-link my checking account from it.

 

[TexasGal]

I unlinked my checking account yesterday. I keep my eye on the credit card registered there and receive regular alerts regarding balances and charges. I also changed my password. I'll probably leave PayPal open until the next thing happens. Then I'm going to give up completely and cancel the account.

Nords, it is absurd that an organization that is supposed to provide a high level of security can only provide it to those willing to pony up $5. Considering how bad their security is they should issue one of them free to every verified account holder and give those holders $5 just for continuing to do business at eBay.

 

[ERD50]

Nords, it is absurd that an organization that is supposed to provide a high level of security can only provide it to those willing to pony up $5.

Those security issues have nothing to do with eBay or PayPal per se.

*Any* place (bank, credit card, amazon, etc, etc, etc) that requires a log in and a password is subject to a 'bad guy' using a key logger or phishing you to a fake web site. At that point, they have your login and password. It is kind of tough for the site to know if that access with login and password is really you or not.

The advantage of the little LCD readouts is that they change every 30 seconds or so. The legitimate site has an algorithm to know the patterns and stays in sync. A 'bad guy' who captures it one time will not be able to use it 30 seconds later.

I don't think you can blame eBay or PayPal for the bad guys out there. They are selling you an additional lock. It would be like yelling at the locksmith because there are burglars.

-ERD50

 

[SamHouston]

Keyloggers are definitely a threat. If SH had a Trojan, it could have been a keylogger.

SH - If you do not mind sharing the info, what did AVG report as the virus found?

By far, the most prevalent approach today is Phishing. It is a form of social engineering attack that tricks people.

Sometimes it is just that people are careless with login ids and passwords and they are stolen in other ways. This is why it is important to periodically change your passwords... Just in case.

Some systems have weak login systems (that do not limit the number of failed login attempts) and can be exploited with a dictionary attack or brute force. That is why a strong password should be used.

As an additional counter measure, I have been toying with the idea of setting up to virtual desktops on my pc with encrypted hard drive partions for each. (The other option is to setup a dual boot computer) Each system would encrypt the hardrive partition and separate login ids and passwords. I would use one system for Financial and the other for general surfing. This would help by limiting the opportunity of attack on the financial side. One would also need to setup a separate email and internet account (but could use the same ISP).

====

Take a look at this new form of threat emerging where a virtual OS Hypervisor can be downloaded and take over your entire computer without you knowing it.

Black Hat 2007: Rootkit hunters caught in cat-and-mouse game

Undetectable hypervisor rootkit challenge « rdist: setuid just for you

If I recall correctly, the Trojan Horse was called command.exe. Four of them were placed on my hard drive in different folders, all on September 3, the day that my data was compromised at eBay.

 

[SamHouston]

Sam, I am so sorry to hear that this happened to you. Some malicious hacker charged a very expensive Dell laptop to me back in 2000, and in my opinion this sort of "financial rape" is despicable and very harmful to one's psyche as well as one's pocketbook. I got my money back but felt violated.

In my case it was not phishing or carelessness with passwords, and was most probably caused by a Trojan horse that accessed my computer almost immediately through my first cable internet connection. Afterwards I started using Norton Internet Security and I have had no further incidents. This is probably due to luck as much as Norton, and when I pay my annual fee it is an act of faith rather than logic (a religious/spiritual donation? Wonder if I could deduct it . Just kidding!).

Also I do not buy much online, and I have been afraid of getting Paypal. I am the only person you have ever "met" who has never bought or sold anything on Ebay and that is the one and only reason for that.

I still need to figure out how to change my laptop's Linksys wireless connection to my desktop computer from WEP to WPA, though. Either that, or I may just take my desktop computer out of the system completely and ditch the wireless. It seems like an accident waiting to happen.

Thanks for your kind words. I appreciate that.

Home networks are full of leaks, I think. Just yesterday I was sitting in the middle of a soccer park that has a few homes backing up to the fence at one end. The nearest homes were at least 50 yards away from the table I was using to get some quiet writing done on my laptop. I noticed at one point that my laptop was indicating that a wireless network was within range and out of curiosity I tried to log onto the internet from my table under the trees. I was able to log in successfully, although it was a fairly slow connection, but didn't use the connection other than to check email real quick.

I can't believe that so many home networks are left open to the public that way.

 

[SamHouston]

Ask EBAY to close your account and create a new one with the
appropriate rating...
TJ

TJ, eBay seems to have taken care of the problem and my "rating" is unaffected so far because I haven't received any negative feedback as a result of the hacking job.

I've also spoken with the bank and had a new account number issued to me...new checks, the works, etc.

Also, I've personally emailed everyone that received one of the bogus eBay emails to explain what happened. Surprisingly to me, I've only received one reply for my trouble but, at least, no negative feedback has appeared.

 

[TexasGal]

I don't think you can blame eBay or PayPal for the bad guys out there.

ERD50,

I am not hearing every single day or week that my bank is being hacked or someone is using any of my credit cards. The frequency of news (media, posters here, others I know) for eBay and PayPal is not in their favor. No, I don't have any statistical information to back it up. It is just my gutometer.

I am basically a trusting person. I do business online all time and I have no inclination right now to close my bank accounts or credit cards. It took a lot to bring me to the point of removing my checking account from PayPal and even to consider closing the account is a big step for me. But time after time of hearing bad news, including the originator of this thread, just moves me in that direction. I can't tell you how many other similar stories I have heard.

PayPal implies "look you can trust us whereas you probably cannot trust some retail websites so just file your bank and cc info here, and we'll take care of the transaction for you". Uh, I don't think so. Not any longer. I am close to being done with PayPal and I refuse to spend $5 for a gadget that they should provide free for all verified account holders in view of how much bad press they have received because of frequent stolen identity. If my bank can't keep my identity safe, then I'll close my accounts there, too.

I am fairly certain that engineers, statisticians, CPA's and other heavy-analysis types will suggest that I do not have any "facts" to back up my statements pertaining to eBay/PayPal security. But, folks, I am just a regular ordinary plain old consumer, and I don't like PayPal any more. When my gutometer tells me a lack of trust is valid, I go with my gut. I don't have to crack out the spreadsheets and do charts and graphs.

The OP here might have opened the door to identify theft on OP's computer (trojans for instance), but that does not erase the increasing feeling I have been developing that PayPal is not secure. We might be talking about 2 different things here. My personal computer security is my responsibility. If a hacker gets my info due to inadequate computer security and uses PayPal to rip me off, that is my problem. But if I were in charge of your financial information on my computer and didn't keep it secure, you would be right to fire me. It is fairly obvious the bad guys have it in for PayPal so I think PayPal is responsible to offer me another layer of security free if they want me to continue doing business with them.

IMHO . .