If you have a Paypal account, and that Paypal account is linked to your personal household account as the backup for 'if you buy something and your Paypal account doesn't have enough money in it'...disconnect it now. Tomorrow at the latest. Don't delay, don't hesitate. Go get a free checking account somewhere, put a dollar or five in it, and use that for your Paypal-linked account.
Here is why:
At about 7:15pm Saturday night I began receiving multiple emails from Paypal, confirming my payment of $31.58 to a company called Burda-IC in Denmark (.de). I thought it might be a phishing mail, so I went directly to Paypal just to make sure, and…it was REAL. In fact, a number of identical "payments" HAD gone to this "seller", and were still going out. By that point, my Paypal account was empty (3 transactions emptied it), and they were still rolling in - only now they were doing instant withdrawals from my CHECKING account, which is linked to my Paypal account. I tried to disconnect my Paypal account from my ordinary bank account, but was forbidden because 'there are pending transactions'. I panicked. By about 7:30, I got the 1-888 number and flailed through the automated menu until I could get a human. She told me I needed to talk to Security, and put me on hold for 20 minutes. While I was on hold, I called my own bank and got a human, but was told that they couldn't help me or do anything until Monday morning, please call back then(!) I kind of shrieked at the poor woman that my account would be EMPTY by then - and of course the checking account is linked to savings, which would (if the pillaging continued) also be emptied! But she couldn't help me.
Finally, at around 7:50 (they close at 8pm PST so this timing is actually very important) I was able to get through to a real human at Paypal Security, by which time *19* of these "transactions" had already gone through! The Paypal employee saw what was happening and immediately put a restriction on my account so that no further payments could go out, then disputed all those transactions. The money that had been in my Paypal account has been reinstated although I can't touch it yet; the other amounts, which were sucked out of my checking account in about 3 seconds on Monday morning - and could not be prevented, because I could not reach anybody at my bank who could do anything to help me, due to it being the weekend - will take longer to reimburse. However, I have emails from Paypal saying ALL those disputes have already closed and the money will be refunded in about 5 business days. Also they are looking into this 'seller' to see if they're doing the same to anybody else.
There are so many terrifying might-have-beens:
...If I had not been at my computer when the emails saying I had sent a payment started rolling in, one after the other... (some people after all don't live on their computer like I do.)
...if it had been half an hour later, or the middle of the night, after Paypal had closed, and I could not call until morning (they're actually open on Sunday but I would not have thought that)...
...if I had gotten an outsourced support person in India or something, whose English was heavily accented, so we couldn't understand each other clearly...
We are required to take Paypal to sell on Ebay, and Paypal must be linked to a bank account or credit card. And of course....linked to a bank account is the only realistic way to make withdrawals - you can't withdraw money from Paypal to your credit card - and who wants to keep money sitting in Paypal to be stolen? Like, uh, this?
I cleared all my cookies, I rebooted, I ran 3 full, deep, separate virus scans that found mostly cookies and ads, but also one virus (VBS:kak-A1) and a trojan of some sort. I never click links to 'paypal' emails I get, but that doesn't mean something stealthy didn't install itself. I have now changed ALL my passwords to something MUCH longer and harder to crack.
I don't know how the hack was done, though I could've fallen prey to a phishing mail. Possibly my password was somehow stolen (though, again thank goodness, I have always used a very different password for Ebay than I do for Paypal, and different again for every bank account I have everywhere). Possibly it was one of those other kinds of hacks you occasionally hear about. I've taken every security measure I know of, now.
It is not as bad as it could be, but it was about an hour of stark terror I do not want to repeat again anytime soon. I just want to pass that lesson on, so nobody else has to learn it the hard way.
If you think it's a good idea, you might like to email your own banks with my idea, born of this mess: To give end-users the option to either reach 24/7 help who can DO something, even on weekends, in an emergency....or to give them a Big Red Panic Button to click, which would freeze all activity on the account until the user can contact the bank during business hours and resolve the problem. I could have stopped almost ALL this if I could have frozen my home account that Saturday night, although it would have messed with other payments. But better to deal with the mortgage company, and explain why their payment was rejected, and arrange alternative payment, than to see your bank account emptied out and THEN have that same payment fail. I know it could cause mischief, but better mischief than theft, grand larceny.