Two hacks in one month

stepford

I've been an eBay customer for almost 25 years and never had a problem until last month. I found a vehicle being sold under my name that I hadn't listed. I immediately cancelled the listing and contacted eBay's fraud department. To their credit they quickly acknowledged the fraud, but still deducted the (over $1K) listing and cancellation fees from my bank account - with the assurance that these fees would be refunded. They were eventually, but it took almost a month.

While I was waiting for this reimbursement I was hit by a 2nd fraud - this time in my PayPal account. Someone overseas ordered several hundred dollars' worth of electronics and directly charged my bank account. Fortunately PayPal is more on top of fraud claims than eBay. They validated my fraud claim within 10 minutes and refunded the charges to my bank account immediately so I never saw a loss.

I suspect that these closely spaced occurrences were both the result of a separate hack of data from my email provider. In the aftermath I changed passwords for all of these services and de-linked my bank account from eBay and PayPal. I considered removing my accounts entirely, but believe (hope) that operating only through my credit card in the future will provide me with a sufficient extra layer of fraud protection.

The upshot of all of this is that I didn't lose any money, but could have been much more adversely impacted in the short run if the fraudsters had decided to yank more money than they did from my account. Though it will make some of these e-commerce services less convenient for me in the future I would think long and hard before ever giving one my bank information again.
 
I am pretty ignorant of the ways of eBay, but it sounds like you have created "pathways" within eBay which allow the hacks. IOW you have eliminated steps in the process of sale and payment.

My instinct has always been to provide as little transparency as possible between any two electronically separate entities (like a bank and a "service" - both of which can be pinged electronically.)

I hope I'm not sounding critical. I'm probably a Luddite when it comes to such things. But I'd rather miss out on some convenience and be less vulnerable to hacks.

I recently had my CC hacked, so I know just a bit about what you're going through, but it sounds like your situation requires at least two separate entities, both of which have to be contacted and both of which you have to hope will be responsive to your needs.

Best of luck with all this. Do keep us informed. Please forgive any insensitivity on my part as I'm looking at it from my perspective and don't have a good feel for what you are going through nor do I completely understand the details of your hack.

Blessings.
 
I don't mind criticism (and indeed, probably deserve some). I'm just posting this so others are aware of the risks of bank accounts linked to external entities.

Both eBay and PayPal allow you to both spend and receive money. De-linking my bank account information means I can no longer sell on eBay and, whenever I receive money via PayPal, I have to leave it in my PayPal account for future purchases rather than transfer it to my bank account. This is OK for small stuff, but a significant inconvenience were I to ever want to use one of these services for a high dollar sale (like a car).

I completely agree that allowing these services access to my bank account now looks like too great a risk for the benefit it provided. The only other entities to which I've provided bank account information are a couple of utilities to allow for automatic debit of my monthly bill. I'm now wondering if these too are a risky link I should sever.
 
Do you have any kind of credit monitoring? With most basic ones, you can get alerts when your email or things are on the "dark web" - which should prompt you to change passwords. Even if your provider isn't hacked, your info can be from other places you've shopped or logged in.

I have my credit cards and banks linked to Paypal (doesn't almost everyone these days?) and you're right, de-linking would be a huge PITA.

eta: free services like Credit Karma, CreditWise, etc., will all do this for no charge, no locking.
 
You think the bad guys got into your email? Sounds like maybe they did, and ran the "forgot password" thing. Did your original password stop working?

Given the risk of leveraging the email loop, that can be the keys to the kingdom. I shake my head at people that are flip about their phone security because "they don't have any financial apps", but have the email available with a single tap.
 
I use one specific bank account for PayPal and eBay transactions. I sweep any deposits from that account into another account daily so if they try to claw some back for any reason they are SOL. The balance in that account is zero most of the time.
 
I have a checking account at an online bank, used specifically for eBay and for when I need cash from an ATM. That is the only account I have at that bank, and I don't keep much in it.
 
It sounds like you had poor account security. Each online account (especially financial ones) should have a unique, strong password that is not reused anywhere else. Financial ones should have extra security added such as 2FA.
 
I've been an eBay account holder since 1998 (or thereabouts) and have sold and bought mucho stuff. Years ago, my eBay account got hacked and I got lucky and didn't lose anything and it was detected early enough for me to shut that down. Right after that, I closed my PayPal account and the one my DW had. I still have an active eBay account with a changed user name and password but never use it. The current password is very long and complicated.

It's a really bad internet world out there.
 
> It sounds like you had poor account security. Each online account (especially financial ones) should have a unique, strong password that is not reused anywhere else. Financial ones should have extra security added such as 2FA.
I may very well have had poor security, but each account did have unique strong passwords. I had even set up 2-factor authentication on them. This is actually where I think the vulnerability may have been. One of the accounts, when the phone is unavailable, allows for a secondary method of identification via email. Email hacked = open door.

FWIW I only access my primary financial accounts through a dedicated Linux OS (my 'surfing' browsers, phone and my Windows OSes never see them). PayPal and eBay are the two exceptions to this as I frequently use them for e-commerce. Their connection to my bank account was enough of a link to leave me vulnerable. I like the ideas of freedomatlast and Slotracer above and will likely open a dedicated bank account at a separate institution to allow for e-payments in the future.

Again, I am entirely willing to accept criticism here if it helps others avoid this situation.
 
> I don't mind criticism (and indeed, probably deserve some). I'm just posting this so others are aware of the risks of bank accounts linked to external entities.
>
> Both eBay and PayPal allow you to both spend and receive money. De-linking my bank account information means I can no longer sell on eBay and, whenever I receive money via PayPal, I have to leave it in my PayPal account for future purchases rather than transfer it to my bank account. This is OK for small stuff, but a significant inconvenience were I to ever want to use one of these services for a high dollar sale (like a car).
>
> I completely agree that allowing these services access to my bank account now looks like too great a risk for the benefit it provided. The only other entities to which I've provided bank account information are a couple of utilities to allow for automatic debit of my monthly bill. I'm now wondering if these too are a risky link I should sever.
We have only linked to CC companies for auto-payment. I don't like it but as long as it w*rks, it's been handy.
 
I don't use eBay. It seems like it became the purview for lots of shady sellers long ago. I'm sure there are many honest ones, but I often see things like inflated prices showing up for an item like from Costco. I see this on Amazon as well, and I don't buy from third parties on Amazon either unless it's direct from the manufacturer.

I use PayPal heavily for buying online from all but a few trusted vendors, but we have no direct bank account link on our PayPal accounts, only a couple of credit cards.
 
Sorry to hear this.
Can you elaborate on the email hack that you think may have caused this? Did the hackers gain access to your email without your knowledge? Did that account also have 2-factor authentication?

I think the email account is a very vulnerable link in securing our online identity. As you mentioned, a lot of sites allow you to use that as a secondary for 2-factor authentication. I have 2-factor authentication using an authentication app (like Google Authenticator) for my email account. Still, I'm uneasy about its security.
 
I had a couple of credit cards from different banks used for fraudulent purchases in the last week or two. The most likely explanation was malware on my laptop. I wiped it clean and reloaded Windows.
 
Our bank accounts were hacked twice in a month. I get text alerts when there is unusual activity on the accounts or online charges to our cards. Also have 2FA so I was getting some of those that I didn't request. Then someone tried to change the email on my wife's bank account. Froze that. Finally, someone wrote a fake check on my account to drain it. Got it sorted out but had to change bank accounts. Banker said that copies of our statements were "circulating on the dark web". New accounts, 2FA, and diligent monitoring. It's the wild west out there.
 