
Anatomy of a PayPal hack


Flitterkill


Date	 	Time	 	 Name	 		Type	 	Status	 	Amount	  	Balance
3/8/2010	3:22:15	EST	GamesCampus		Reversal	Completed	50		610.95
3/8/2010	3:22:13	EST	GamesCampus		Reversal	Completed	30		560.95
3/8/2010	3:21:18	EST	Credit Card		Credit to CC	Completed	-50		530.95
3/8/2010	3:21:17	EST	"Outspark, Inc"		Reversal	Completed	50		580.95
3/5/2010	9:50:12	EST	"Electronic Arts, Inc"	Reversal	Completed	21.24		530.95
3/5/2010	9:50:08	EST	"Electronic Arts, Inc"	Reversal	Completed	19.99		509.71
3/5/2010	9:50:05	EST	"Electronic Arts, Inc"	Reversal	Completed	21.24		489.72
3/5/2010	9:49:37	EST	"Electronic Arts, Inc"	Reversal	Completed	19.99		468.48
3/5/2010	9:49:35	EST	"Electronic Arts, Inc"	Reversal	Completed	19.99		448.49
3/5/2010	9:49:33	EST	"Electronic Arts, Inc"	Reversal	Completed	9.99		428.5
3/5/2010	9:49:30	EST	"Electronic Arts, Inc"	Reversal	Completed	19.99		418.51
3/5/2010	9:49:27	EST	"Electronic Arts, Inc"	Reversal	Completed	19.99		398.52
3/5/2010	9:49:26	EST	"Electronic Arts, Inc"	Reversal	Completed	21.24		378.53
3/5/2010	9:49:22	EST	"Electronic Arts, Inc"	Reversal	Completed	19.99		357.29
3/5/2010	9:49:16	EST	"Electronic Arts, Inc"	Reversal	Completed	9.99		337.3
3/5/2010	9:48:51	EST	"Electronic Arts, Inc"	Reversal	Completed	19.99		327.31
3/5/2010	2:27:47	EST	"Electronic Arts, Inc"	Reversal	Completed	10.61		307.32
3/5/2010	2:27:04	EST	"Electronic Arts, Inc"	Reversal	Completed	19.99		296.71
3/5/2010	2:27:02	EST	"Electronic Arts, Inc"	Reversal	Completed	19.99		276.72
3/5/2010	2:26:50	EST	"Electronic Arts, Inc"	Reversal	Completed	9.99		256.73
3/5/2010	2:26:50	EST	"Electronic Arts, Inc"	Reversal	Completed	21.24		246.74
3/5/2010	2:26:45	EST	"Electronic Arts, Inc"	Reversal	Completed	19.99		225.5
3/5/2010	2:26:38	EST	"Electronic Arts, Inc"	Reversal	Completed	21.24		205.51
3/5/2010	2:26:35	EST	"Electronic Arts, Inc"	Reversal	Completed	10.61		184.27
3/5/2010	2:26:34	EST	"Electronic Arts, Inc"	Reversal	Completed	21.24		173.66
3/5/2010	2:26:33	EST	"Electronic Arts, Inc"	Reversal	Completed	21.24		152.42
3/5/2010	2:26:31	EST	"Electronic Arts, Inc"	Reversal	Completed	19.99		131.18
3/5/2010	2:26:29	EST	"Electronic Arts, Inc"	Reversal	Completed	21.24		111.19
3/5/2010	2:26:28	EST	"Electronic Arts, Inc"	Reversal	Completed	19.99		89.95
3/5/2010	2:26:27	EST	"Electronic Arts, Inc"	Reversal	Completed	9.99		69.96
3/5/2010	2:26:26	EST	"Electronic Arts, Inc"	Reversal	Completed	19.99		59.97
3/5/2010	2:26:23	EST	"Electronic Arts, Inc"	Reversal	Completed	19.99		39.98
3/5/2010	2:26:22	EST	"Electronic Arts, Inc"	Reversal	Completed	19.99		19.99
2/26/2010	2:23:25	EST	"Outspark, Inc"		Payment Sent	Reversed	-50		0
2/26/2010	2:23:25	EST	Credit Card		Charge From CC	Completed	50		50
2/26/2010	1:38:59	EST	GamesCampus		Payment Sent	Reversed	-50		0
2/26/2010	1:38:59	EST	Bank Account		Add Funds	Completed	50		50
2/26/2010	1:36:22	EST	GamesCampus		Payment Sent	Reversed	-30		0
2/26/2010	1:36:22	EST	Bank Account		Add Funds	Completed	30		30
2/26/2010	1:26:37	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-9.99		0
2/26/2010	1:26:37	EST	Bank Account		Add Funds	Completed	9.99		9.99
2/26/2010	1:24:48	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-9.99		0
2/26/2010	1:24:48	EST	Bank Account		Add Funds	Completed	9.99		9.99
2/26/2010	1:22:30	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-19.99		0
2/26/2010	1:22:30	EST	Bank Account		Add Funds	Completed	19.99		19.99
2/26/2010	1:18:57	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-19.99		0
2/26/2010	1:18:57	EST	Bank Account		Add Funds	Completed	19.99		19.99
2/26/2010	1:17:01	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-19.99		0
2/26/2010	1:17:01	EST	Bank Account		Add Funds	Completed	19.99		19.99
2/26/2010	1:15:27	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-19.99		0
2/26/2010	1:15:27	EST	Bank Account		Add Funds	Completed	19.99		19.99
2/26/2010	1:13:37	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-19.99		0
2/26/2010	1:13:37	EST	Bank Account		Add Funds	Completed	19.99		19.99
2/26/2010	1:11:22	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-19.99		0
2/26/2010	1:11:22	EST	Bank Account		Add Funds	Completed	19.99		19.99
2/26/2010	1:09:10	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-19.99		0
2/26/2010	1:09:10	EST	Bank Account		Add Funds	Completed	19.99		19.99
2/26/2010	1:07:03	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-19.99		0
2/26/2010	1:07:03	EST	Bank Account		Add Funds	Completed	19.99		19.99
2/26/2010	1:02:52	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-10.61		0
2/26/2010	1:02:52	EST	Bank Account		Add Funds	Completed	10.61		10.61
2/26/2010	1:00:21	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-10.61		0
2/26/2010	1:00:21	EST	Bank Account		Add Funds	Completed	10.61		10.61
2/26/2010	0:57:23	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-21.24		0
2/26/2010	0:57:23	EST	Bank Account		Add Funds	Completed	21.24		21.24
2/26/2010	0:54:52	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-21.24		0
2/26/2010	0:54:52	EST	Bank Account		Add Funds	Completed	21.24		21.24
2/26/2010	0:52:34	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-21.24		0
2/26/2010	0:52:34	EST	Bank Account		Add Funds	Completed	21.24		21.24
2/26/2010	0:50:48	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-21.24		0
2/26/2010	0:50:48	EST	Bank Account		Add Funds	Completed	21.24		21.24
2/26/2010	0:49:08	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-21.24		0
2/26/2010	0:49:08	EST	Bank Account		Add Funds	Completed	21.24		21.24
2/26/2010	0:47:33	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-21.24		0
2/26/2010	0:47:33	EST	Bank Account		Add Funds	Completed	21.24		21.24
2/26/2010	0:45:55	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-21.24		0
2/26/2010	0:45:55	EST	Bank Account		Add Funds	Completed	21.24		21.24
2/26/2010	0:44:16	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-21.24		0
2/26/2010	0:44:16	EST	Bank Account		Add Funds	Completed	21.24		21.24
2/26/2010	0:39:58	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-9.99		0
2/26/2010	0:39:58	EST	Bank Account		Add Funds	Completed	9.99		9.99
2/26/2010	0:38:08	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-9.99		0
2/26/2010	0:38:08	EST	Bank Account		Add Funds	Completed	9.99		9.99
2/26/2010	0:36:21	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-19.99		0
2/26/2010	0:36:21	EST	Bank Account		Add Funds	Completed	19.99		19.99
2/26/2010	0:32:16	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-19.99		0
2/26/2010	0:32:16	EST	Bank Account		Add Funds	Completed	19.99		19.99
2/26/2010	0:30:34	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-19.99		0
2/26/2010	0:30:34	EST	Bank Account		Add Funds	Completed	19.99		19.99
2/26/2010	0:29:05	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-19.99		0
2/26/2010	0:29:05	EST	Bank Account		Add Funds	Completed	19.99		19.99
2/26/2010	0:26:53	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-19.99		0
2/26/2010	0:26:53	EST	Bank Account		Add Funds	Completed	19.99		19.99
2/26/2010	0:23:57	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-19.99		0
2/26/2010	0:23:57	EST	Bank Account		Add Funds	Completed	19.99		19.99
2/26/2010	0:20:41	EST	"Electronic Arts, Inc"	Payment Sent	Reversed	-19.99		0
2/26/2010	0:20:41	EST	Bank Account		Add Funds	Completed	9.85		19.99
10/10/2009	13:24:51	iTunes Store	        Payment Sent	Completed	-0.99		10.14
10/6/2009	4:36:26	EST	iTunes Store	        Payment Sent	Completed	-0.99		11.13

 

 

What you are seeing is not my (or GC's) paypal account. However, the person whose account this is is three feet away from me right now.

 

As Leslie went to purchase something on eBay, she had problems paying with paypal. Something about needing to confirm her identity or something. No big deal. Seems a reasonable thing.

 

And then, she realized something had happened.

 

The log you see above shows her PP history over the last year minus about 8 entries in 2009. She rarely uses it and the last entries for the iTunes store were back in October 2009. She had an account balance of about ten bucks.

 

Where and how she got hacked is a damn good question. Was her iTunes hacked? Was her PP brute forced somehow?

 

Beats me. We won't know until things get settled out in a week or so. Part of the confirming your identity thing involves getting a phone call (automated) from your home landline (or whatever is your first primary phone contact). I recommend making sure your phone is actually charged as once you click the button to have this phone call sent, if you miss it ( :) ) due to an uncharged phone, you have to actually do a snail mail dance that will take about 5 business days. This would all be over with had that phone been charged...

 

What PP did though shows the power of automatically flagging activity that doesn't match the norm. Over the course of about two hours on Feb 26th, her PP account started to pay out to the above joints, pulling funds out of her bank account. At that point, PP essentially shut the account down. For most of the bank account funds, those were back at the end of a week. For the credit card, another few days. (You will see one last pull from the CC attached to the account.)

 

All of this was done without her knowing. Why? Her PP is tied to an email account she checks once every week or so. All the warnings and the like were there. Without any input from her (though the option was there had she read the emails sooner), PP took care of everything. The second half of the above log is the completed reversals back into her PP account, although she can't stick the stuff back into her bank account yet. Part of the confirming identity thing was obviously changing the password so we do have access but just can't move money in or out until things get fixored in a few days.

 

To reiterate - the $600 you see at the top of the log is what is in her PP account now, waiting to get back into her bank account (and yes, that's how much was taken over those two hours...)

 

For all the crap PP gets, this was good on them. PP cannot gauge intent so if you do get hacked or let your password get loose, all they can do is wait for an obvious pattern to emerge before taking action. And they did - which was pretty sweet. Naturally if you know what is going down or actually monitor the email account PP is hooked to you can let them know, etc...

 

Was it a person manually working the account? Was it a bot? Don't know but if they had just stuck with small pulls once or twice a day, and to different places, I wonder if they wouldn't have gotten away with it. As it is, all those EA bits - was it downloadable content or games? If that was the case then perhaps they did...

 

Recommendations for you:

 

1) When you attach a bank account, why not make an effort and create a separate checking account at your bank or credit union. It's not that hard. That way you control how much (if any) pp can pull from your monies.

 

2) Your credit card cannot really be managed but it is a credit card. You're covered. (And of course, her CC funds were already returned)

 

3) Don't leave much in the way of PP account balance. I wonder if this would have had a very different outcome if she had more than $10 in the account.

 

4) Allow me to introduce you to what is used on my (and GC's) paypal account:

 

[Image: PayPal Security Key]

 

In order to access your account, ever, once one of these guys is tied to your account, you'll need to push the button on the key to generate a code to let you in. Fraud and hacking are for all intents and purposes not gonna happen. $5 to get one from PayPal.

 

Leslie will be getting one the moment her account is fully unlocked :)

Link to comment
Share on other sites
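Added example, not part of the original post and not PayPal's actual logic: a minimal velocity rule of the kind the post credits for the shutdown, run over rows copied from the log above. The 15-minute window and the limit of three payments are assumed thresholds, and `parse` and `velocity_alerts` are hypothetical names.

```python
from datetime import datetime, timedelta

# Rows copied from the export in the post (newest first, tab-separated).
# The 10/10/2009 row has no time-zone column, exactly as on the page.
LOG = """\
2/26/2010\t0:29:05\tEST\t"Electronic Arts, Inc"\tPayment Sent\tReversed\t-19.99\t\t0
2/26/2010\t0:29:05\tEST\tBank Account\t\tAdd Funds\tCompleted\t19.99\t\t19.99
2/26/2010\t0:26:53\tEST\t"Electronic Arts, Inc"\tPayment Sent\tReversed\t-19.99\t\t0
2/26/2010\t0:26:53\tEST\tBank Account\t\tAdd Funds\tCompleted\t19.99\t\t19.99
2/26/2010\t0:23:57\tEST\t"Electronic Arts, Inc"\tPayment Sent\tReversed\t-19.99\t\t0
2/26/2010\t0:23:57\tEST\tBank Account\t\tAdd Funds\tCompleted\t19.99\t\t19.99
2/26/2010\t0:20:41\tEST\t"Electronic Arts, Inc"\tPayment Sent\tReversed\t-19.99\t\t0
2/26/2010\t0:20:41\tEST\tBank Account\t\tAdd Funds\tCompleted\t9.85\t\t19.99
10/10/2009\t13:24:51\tiTunes Store\t        Payment Sent\tCompleted\t-0.99\t\t10.14
10/6/2009\t4:36:26\tEST\tiTunes Store\t        Payment Sent\tCompleted\t-0.99\t\t11.13
"""

def parse(log):
    """Return (timestamp, name, type, amount) tuples, oldest first."""
    txns = []
    for line in log.splitlines():
        f = [x.strip().strip('"') for x in line.split("\t") if x.strip()]
        if len(f) < 7:
            continue  # not a transaction row
        # Index from the right so a missing time-zone column does not shift fields.
        name, kind, amount = f[-5], f[-4], float(f[-2])
        ts = datetime.strptime(f"{f[0]} {f[1]}", "%m/%d/%Y %H:%M:%S")
        txns.append((ts, name, kind, amount))
    return sorted(txns, key=lambda t: t[0])

def velocity_alerts(txns, window=timedelta(minutes=15), limit=3):
    """Flag each outgoing payment that is the `limit`-th or later within `window`.
    Each alert also records whether a bank pull happened in the same second."""
    sent = [t for t in txns if t[2] == "Payment Sent"]
    pulls = {t[0] for t in txns if t[2] == "Add Funds"}
    alerts = []
    for i, (ts, name, _, amount) in enumerate(sent):
        recent = [s for s in sent[: i + 1] if ts - s[0] <= window]
        if len(recent) >= limit:
            alerts.append((ts, name, len(recent), ts in pulls))
    return alerts

if __name__ == "__main__":
    for alert in velocity_alerts(parse(LOG)):
        print(alert)
```

On these rows the two iTunes payments days apart never trip the rule, while the third Electronic Arts payment inside 15 minutes does, with the same-second bank pull recorded as a second signal.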

My PP account got hacked once. Someone wanted IMVu stuff or whatever it was called. Anyway, I contacted PayPal and they refunded me quickly too. I closed the account I had until I needed to PP some money for the Haiti relief... Not fun.

Link to comment
Share on other sites

GC Board Member

https://www.paypal.com/cgi-bin/webscr?cmd=xpt/Marketing_CommandDriven/securitycenter/PayPalSecurityKey-outside

 

Also, everything is resolved. After the failed phone contact, another option is to micro charge your CC and then pull the security code they send along with the charge (you have to have actual access to your credit card account online so if someone steals your CC this won't work to hijack your account either).

 

Took just under two days for the process to work through.

 

She has now updated many things on her account: passwords, email accounts, etc. And - naturally, has already ordered one of the keys - link at the top of this post.

 

Each key has a serial number which probably ties to the number generator in the key itself.

 

You register the serial number of the key to your account, and then when you need access to the account, you generate a number that will code match the serial (with whatever algo they use) by pressing the button on the key. Probably the same thing as those World of Warcraft keys.
