How My PayPal Account Got Cracked For $450, or, Online Security’s A Joke

I’ve always considered myself a savvy online consumer. I’m an IT professional, a software engineer and independent consultant. I make all my passwords strong, I don’t click on pop-ups or install suspicious software, I don’t ever purchase anything from shady online dealers or web sites that don’t use secure connections. I thought I was fairly vigilant and smart about how I conducted business online.

Apparently not!

Someone, somewhere managed to get the number of the debit card for my business. They went to PayPal and opened up a “one time use” account with my name and the debit card number. They then used this PayPal account to purchase about $450 worth of virtual goods (gold/items) from various sites that sell World of Warcraft junk, in eight separate transactions at eight different web sites. I imagine that the person responsible is quickly turning these unreal items around for real cash, likely at a discount which encourages gamers to buy fast and not ask too many questions. Highly effective money laundering! (Thanks, World of Warcraft!)

I blame PayPal one hundred percent for this. PayPal should not allow anyone to open new accounts without an in-person verification, even if it’s just a phone call – they must impose more stringent requirements at sign up, especially for so-called “one time use” accounts. I wish PayPal lots of luck in tracking down the malefactor(s) behind this neat little theft… everyone thinks PayPal is “crazy secure” and it’s the gold standard for online commerce, yet it is VERY easily compromised. The security crackers didn’t need any of my bank account numbers or info, they didn’t have to decrypt anything, they didn’t need any of my passwords or “key questions” regarding personal information, or special images that only I can verify by sight – none of the measures that supposedly make online transactions more “secure”. They didn’t have to “phish” me. They just obtained the number and my name, and maybe got my SSN and address from one of the big lists floating around the Internet that crackers trade with each other. Calling the person(s) responsible for this “cracker” may even be an insult to real crackers, considering how little effort they needed to expend. (Thanks, PayPal!)

Luckily for me, I check my bank account online on a daily basis. It was also lucky that they decided to make a bunch of transactions all on the same day, making it blatantly obvious what was happening. The bank cancelled my debit card (now I have to get a new one and figure out how to readjust all my billing) and PayPal is aware of the situation, so all I have to do is sit back and wait for my money to be given back to me. Maybe it’s even possible that I reacted fast enough to stop some of those transactions from going through and screw the “cracker” a bit and make the “vendors” selling WoW junk aware that they just got screwed too.

Moral of the story – I will no longer use my business debit card online, will not use it to pay bills, and will not attach it to PayPal. I’ll just use my bank’s bill-paying utilities to pay off my vendors and send them checks for the bills; that should even help my cash flow a bit because vendors won’t instantly deduct money from my account any more. Be very, very wary of PayPal, folks! They’re the weak link in the chain at this point.