ultimate insult from fraudulent ebay seller tries to sell me iPhone 4

[nudone]

i've been away a couple of days without net access, on returning i see that i'm currently going through the process of having a PayPal transaction disputed for me - for an item i certainly didn't attempt to buy, an iPhone 4 at 975 dollars. i mean, yeah, like i've secretly always wanted one.

hopefully it will be resolved quickly. i've no idea how they've done it, the "seller" claimes to be from Algeria and i've meant to have been the winning bidder via eBay. strange that my eBay account displays no history about this "seller" or the iPhone they have fraudulently sold me.

what disturbs me (currently) is that this is meant to be an eBay related transaction and yet it isn't in my eBay records. how on earth is this thief doing it (don't answer; don't give anyone any tips if you already know).

PayPal is obvioulsy thinking along the same lines otherwise they wouldn't have flagged the transaction for investigation. now i just have to wait for the "seller" to reply to PayPal with their version of the story. i'm hoping this doesn't drag out into some kind of Kafkaesque dispute where i have to prove i didn't bid on an item that never passed through my eBay account.

[nudone]

oh, just got an email back from PayPal. not bad service, that was quick - i only disputed the transaction about an hour ago.

hopefull that's the end of it.

(the thought of the iPhone 4 will now leave me even more traumatised than it did already.)

[mouser]

The real question is.. how did someone managed to make a charge go through on your paypal account.
That is the mystery you have to solve.

And just to clarify, i'm sure you've already considered this -- but for anyone else reading, be aware that sometimes a scammer will send you an email pretending to be from paypal, pretending that you have been charged for something, and giving you fake links to paypal customer services, etc.  You need to make sure on all such occasions that if you think you have been wrongfully charged for something, that you NOT use any of the links in the email to go to the site, but open the website manually on your own.

[nudone]

agreed, it's an old routine for us (around here) but any new "netizens" should always log into their online accounts (or anything they have to log into) via the official web address - never a link.

but, yes, it is a worry. how did they access my PayPal account. i only do so, myself, on this machine - which isn't infected to my knowlege (running scans again now). this sale had definitely gone through my PayPal account - it doesn't look like my credit card has been charged. whether that is because PayPal suspected something or whether it just hasn't been charged yet - i don't know.

when i said the seller was from Algeria, it may have been that the item was meant to be posted to Algeria. it's a bit confusing looking at the statement. perhaps this is what automatically flagged it by PayPal. probably the fact that i'd not bid for the item using my eBay account also made it suspicious.

the big problem is: how to prevent this kind of thing happening again. i'm careful online...

...is that still not good enough?

[mouser]

well you need to change your paypal login password immediately, that would be a start.

paypal has an incredibly cool hardware security key that generates one-time-use login codes; it's like a $5 onetime fee and i love mine.
more info:
https://www.paypal.c...lSecurityKey-outside

[nudone]

i think part of the quick resolution was that i had to change my security details before i had full access to my account. so, no worries there.

i use strong passwords for all sensitive/financial websites so, i'm not convinced that my account has been accessed without something tracking my actions somehow. why?..

...i use Roboform, Roboform Online (beta) to access my own online accounts (i don't even know my passwords without checking Roboform first). that, to me, appears to be the only weak link in the chain - i don't ever type out my passwords so i don't believe there's a keylogger at work here - Roboform does everything.

obviously, i've no idea really. i thought i'd made things secure - i may delete the Roboform on-line beta account. I'll be changing quite a few passwords today - just in case there is something i've overlooked.

i know we all want simple answers to this kind of security scare so that it all makes sense, i just can't see exactly where i could have made a mistake - other than to use scanning software that doesn't tell me enough about what could be wrong with my machine, and using an online "secure" service for storing sensitive information that isn't really "secure".

i'm more inclined to believe this is some kind of PayPal scam - like a refund request by the fraudster for something i never bought. i'll have to see if i can make sense of what happened.

[mouser]

yeah i wouldn't assume you are in trouble, i'd just pay heightened attention to my credit cards for the next few months.

[nudone]

(i've just ordered one of those harware security keys. i've already got one for my bank account - seems like a good idea, thanks for mentioning it mouser.)

[4wd]

Paypal has the option to send one time login codes to a mobile phone, (SMS), US$5 cheaper than ordering another gizmo you need to cart around.

That said, I do have one of their Key cards since their SMS would not send me a code no matter how many times I told it to - maybe it had to do with me not being in my home country at the time.
Even though my bank uses the same method, (SMS code), and it works perfectly anywhere on the planet I can get a signal.

paypal has an incredibly cool hardware security key that generates one-time-use login codes; it's like a $5 onetime fee and i love mine.

-mouser (August 16, 2010, 10:20 AM)

Also, it isn't a onetime fee, it's US$5 per Key - they have a life of around 2 years.  Whereas the SMS to your phone shouldn't cost anything.

Don't forget to activate it for use with your ebay account too.

ultimate insult from fraudulent ebay seller tries to sell me iPhone 4

You can also log in a little faster by entering your normal password followed by the code at the password prompt, (eg. password123456).  This works for Paypal and ebay.

[app103]

There is something really screwy going on at paypal lately.

Recently, someone I know clicked the donate button on my website and donated $25 to me. Paypal immediately flagged it (less than 60 seconds after he made the donation) and asked me to provide info as to where I had shipped the goods he had purchased.

When I explained that this was not a buyer/seller transaction and that it was a donation made through a paypal donate button on my site, and that there were no goods involved, so nothing to be shipped, that the software is there on my site and a user can download it free of charge, use it as much as they want, and donate if they feel like supporting its development...and then the donor himself called paypal and gave them hell about the whole thing for not letting me have the money he donated to me, the end result was that paypal never listened to what either of us had to say, refunded the money to the donor, and punished me with an additional fee for the whole mistake, telling me in the future not to sell goods to people without obtaining a shipping address. I have not been able to get this issue resolved and they continue to occasionally record transactions made through my donate button as purchases for goods that need to be shipped, rather than as donations.

[nudone]

thanks for the tips, 4wd. i didn't realise it could be used for eBay too. (i won't be carrying it with me though. i just want to make sure my account isn't being accessed by other people.)

app, don't know what to say. PayPal has always resolved things sensibly for me - so i can't really complain. it does sounds odd that you can't "donate" what are all the DC transactions classed as. maybe mouser can enlighten us more.

[app103]

app, don't know what to say. PayPal has always resolved things sensibly for me - so i can't really complain. it does sounds odd that you can't "donate" what are all the DC transactions classed as. maybe mouser can enlighten us more.

-nudone (August 16, 2010, 03:31 PM)

It's not every donation that is getting mislabeled this way. And so far none of the DC transactions to me have had this problem. But it is something that makes me very nervous when I cash out credits now, since the penalty fee paypal charged me was based on the amount sent to me, and it could have been a lot more if the original donation was bigger.

I lost $1.28 because some kind person tried to donate $25.00  to me. They got their $25.00 back in full, paypal made $1.28 because they kept the money they made from taking their cut of the initial transaction, and then rather than refunding that fee from their pocket, they took it out of mine. Otherwise the donor would have only got 23.72 back. I ended up with a smaller balance and a warning when it was all over. Something wrong with that...seriously wrong.

[Renegade]

@app103 -- That is extremely wonky. Have you tried calling PayPal? They actually do answer the phone.

[app103]

@app103 -- That is extremely wonky. Have you tried calling PayPal? They actually do answer the phone.

-Renegade (August 16, 2010, 05:40 PM)

No, I haven't actually called them (I hate phones) but the donor did during this "dispute" and got nowhere with them.

[Mark0]

the big problem is: how to prevent this kind of thing happening again. i'm careful online...

...is that still not good enough?

-nudone (August 16, 2010, 10:12 AM)

I think it have nothing to do with passwords & credential of your PayPal account.
If I'm not mistaking, a PayPal user can send a "request for money" to another PayPal user simply knowing his PayPal id, that usually equal to his email address. So probably this scammer simply sent thousands of similar requests around, like your typical spammer. And that may also explain why PayPal quickly fixed the situation (the scammer was already known).

[biox]

The whole thing is an interesting read and good luck to nudone.

Pardon the slightly off topic question. What other choices are there to create a 'donate' button on a website but NOT using PayPal?

[nudone]

Mark0, i think you are right. i don't believe my account was accessed - i expect the damage would have been far greater if that was the case.

thanks, biox. everything seems fine anyway. i wasn't expecting things to be resolved so quickly - i was expecting my story to be more exciting and troublesome than it turned out to be.

i wonder...

are there a PayPal set of guidelines that are clear and simple to understand? something that clarifies the "donation" definitions so that people like app can refer to - and refer PayPal to when they decide to make up their own arbitrary rules.

[bob99]

I signed up with PayPal over the weekend.  Finally had a reason I wanted to use it for.  For now, until I am comfortable with it I signed up using a pre-paid MoneyPak card bought locally instead of a credit card or bank account.
When I set up the account I selected to have PayPal provide me with a verification code via text message to complete the transaction.  You then have to enter the verification code within 60 seconds after you receive it or request a new one.  Seemed simple enough.
I requested one and a message popped up on the computer screen saying that there was a communications problem, try again in a while.  Did this 2 or 3 times with the same pop-up.  It also said I could circumvent the text message verification process by answering some security questions.  I went this route and it was interesting.  There were 3 security questions. As I remember, the 1st asked me some question about some site I had recently had some association with.  None fit so I said none.  But the next two questions are the ones that now make me wonder.  the 2nd question listed three different street addresses and asked if one pertained to me.  Sure enough one was the address I had before I moved here... 14 years ago.  I clicked on it.  The last question was a list of vehicle model and year.  One of which fit...my wife's car.  Clicked on it, I passed the test and the transaction went through.  Not long afterward up popped the 3 different text messages I'd requested with different verification codes.
Based on the two questions having accurate info on me, I'm guessing PayPal has credit report access. Even though I haven't as yet provided them with a bank account, credit card, ssn or any other account info of this type.
Possibly whoever tried to make the purchase on nudone's account, did some type of security question workaround and got lucky with their answers??
I'm not crazy about the questions they asked me and used for a security verification.  The way some credit reports and other types of info can get out or found on the internet these days these are questions & answers that could probably easily be found with the types of crooks that do this type of thing for a living.
Anyone else tried the security questions workaround?

[nudone]

it is true that the "security questions" i've been asked to select and answer are never that difficult to guess - that is, by someone who knows me, knows my history. i'm not sure a total stranger could guess them; perhaps it is best to simply concoct a set of fantasy answers to your own security questions - that way, there will never be any history of them for someone to find (or guess).

i'm still inclined to believe that my paypal account was not accessed by an intruder. if that was the case then i would expect them to have made more of an effort to rob me - 900 dollars isn't much of a theft when they could have edited my whole profile and bought many more online goods.

i think what happened is more to do with paypal having some kind of automated system for taking payments - so it simply didn't check with me. perhaps that's naive to say and i should just accept there was a hole in my security setup. i doubt i'll ever know.

[bob99]

The thing in my case is I had not set or been asked to pre-set up any security questions they used.  And if I had, I would not have used, or for that matter even thought of using, a 14 year old previous address or year & make of my wife's (joint titled) car.  And I know I've never used either of these two things as a security question anywhere before.  So I'm wondering where & how they had access to the information.
I noticed there are a lot of various topics shown in their Q & A forum.  I'll have to see if I can locate anything there.
On the amount of money that was trying to be accessed, I've read before in some cases if outsiders get access to an account of some type, or many accounts of a number of people, they make relatively small purchases.  Small purchases can slip through easier.  And a bunch of small purchases can add up to more $$ than wiping out one big account.
Anyway, it's always something to be careful of.  In your case I'm hoping it was just a fluke.  I've know two people that have gone through the identity theft process and it took then a long time to clear up.

[nudone]

ugh. i'd not considered identity theft. ouch. ouch. ouch. that's going to give me nightmares if i spot something else amiss with my accounts.

it does sound like PayPal must have access to some database history on you (on us all, if that's the case). with "confidential" information being passed around these days, to anyone that pays the right price i guess that's how PP have done it - as a "security" feature for our benefit, of course.

the small purchase to keep activity hidden by an intruder makes sense - so, i'm thankful that PP does have a system in place to detect even these small transactions, if they appear odd.

[Stoic Joker]

it is true that the "security questions" i've been asked to select and answer are never that difficult to guess - that is, by someone who knows me, knows my history. i'm not sure a total stranger could guess them; perhaps it is best to simply concoct a set of fantasy answers to your own security questions - that way, there will never be any history of them for someone to find (or guess).

-nudone (August 18, 2010, 03:25 AM)

As long as you can keep your fantasy life straight, yes that is a good plan (That I've used to an extent).

The thing in my case is I had not set or been asked to pre-set up any security questions they used.  And if I had, I would not have used, or for that matter even thought of using, a 14 year old previous address or year & make of my wife's (joint titled) car.  And I know I've never used either of these two things as a security question anywhere before.

-bob99 (August 19, 2010, 10:40 AM)

The DMV has a website for online renewals - this site has a search function.

90% of hacking is Social Engineering. You start with a name, do a property search, now you have a list of addresses.

What schools are in that district? (oops!)

What are their mascotts? (oops!)

Does the school's website have a section for the faculty (most do)
Does this section show the how the faculty has changed over the years (not uncommon)

Approximate the age/year target went through school, cross out the ones that look like a bitch, how many choices for "Favorite Teacher's name" are there now? (shit!)

On the amount of money that was trying to be accessed, I've read before in some cases if outsiders get access to an account of some type, or many accounts of a number of people, they make relatively small purchases.  Small purchases can slip through easier.  And a bunch of small purchases can add up to more $$ than wiping out one big account.

-bob99 (August 19, 2010, 10:40 AM)

Bingo!