Any idea how they got into your paypal? Do you use the same email/password combination for multiple sites? Do you have two-factor authentication on your paypal?
Last edited by stevecross; 7th August 2022 at 16:59. Reason: silly comments
I think once they've got through to payment, there is no manual check on the name or delivery address as that is entirely up to the customer. Most importantly, get two-factor authentication on anything important...that's the one where you get an SMS code sent to your phone number that you need to enter in order to get onto PayPal.
You talk about security layers but did you have a half decent password? Was it a unique password? Do you have two step verification turned on?
https://www.paypal.com/us/smarthelp/...-login-faq4057
I am not the OP, but this thread got me worried, so I have now enabled 2 step verification on my PayPal account. Thanks for the tip!
A few years ago I had three activities on my Amex for boutiques in Hollywood totalling several thousand pounds.
I noticed two days after the activity and contacted customer services. They told me immediately that they themselves had flagged the activities as suspicious and put them on hold. Now I had made contact and confirmed it wasn’t me they would reject them, which they did the same day. They also cancelled my card and issued a replacement, though this isn’t relevant to the OP as it went through PayPal.
Now, I get notifications on my mobile every time my card is used, even if it’s a regular payment or via PayPal.
As others have already said, make sure 2FA is set up on PayPal. You should already alert PayPal to the fraud as well and boost security on your Amex.
Change your password. If you use Chrome, use the suggested password from Chrome; if you use Safari, use their suggested one. If you use Safari, then on iCloud Keychain.
If you prefer, use a password manager like Bitwarden, LastPass or 1Password.
You won’t have been hacked or anything, just a reused password.
As has been said before, you need to set up 2 factor authentication for all your online payment stuff - otherwise you remain vulnerable to this happening again.
IMHO Amex are one of the better cards at sorting this out. Now you have informed them the payments are invalid they should reimburse you. Do let us know how you get on. You can even raise a Section 75 claim, maybe? https://www.which.co.uk/consumer-rights/advice/can-i-claim-on-my-credit-card-when-something-goes-wrong
Depends…
“Paid on credit card via PayPal
There are some transactions where the company that deals with your credit card payment is not the same as the one that provides the goods or service - such as PayPal.
If you use your credit card to pay for something through PayPal and the funds go direct to the seller, then as long as the company you're buying from has a 'Commercial Entity Agreement' with PayPal you may still be able to claim under Section 75 for any misrepresentation or breach of contract.
PayPal offers its own buyer protection scheme, called PayPal Buyer Protection, so it's worth checking if you'd be covered by that if you have a problem with your purchase.”
Have you contacted the police or Action Fraud?
This seems extremely strange for PayPal to have stopped providing 2FA requests and payment alerts; to me this smacks of a larger issue.
As a minimum, in addition to the steps you’ve already taken, I’d log back into PP and reconfirm all the account details are correct, including email and mobile details, and make a small payment to a friend or relative to confirm all is correct, i.e. 2FA is requested, just for peace of mind.
I’d also check my phone was working correctly for inbound/outbound texts and calls with wifi turned off; there are many cases where scammers manage to convince mobile providers to switch the service to another handset. I’d also check my mobile management portal to ensure my contact details are unchanged.
It might sound unlikely & I suspect all will be okay but if it were me I’d have a hard time accepting that these details were untouched until I verified for myself.
I have 2FA on and I get a text for any new log ins.
That said PayPal customer service is dire so this thread has served as a reminder to close the account as I rarely used it and it was probably just a liability.
Good luck solving your problem. Certainly seems strange how they managed to defraud you.
No offense, and I'll apologise in advance if I have got any of this wrong but from what I understand in the thread, you have used the same password to secure multiple sites. One of these sites has had a data breach and someone has trawled that list, found you, the easy target, who failed to secure a high risk site with 2FA and took advantage. You did the digital equivalent of leaving your house keys under the mat. Once 'inside', they can turn off notifications.
Notifications aren't 2FA. I cannot log into my paypal account without a screen that requires a 6-digit code that has been sent by SMS to my phone.
The financial system is automated...there are billions of transactions happening every day and whoever fulfilled the order for the goods also has an automated system. The payment was made in your name from paypal, funded by Amex...it really doesn't matter that the scammers supplied a Mickey Mouse order name, there probably isn't a human in the loop to check that, being impractical on the scale of transactions/orders that happen. Those transactions were obviously not large enough to trigger any automated fraud detection, probably in part because you have a platinum card.
Unless I have misread what you have said, I think there is a reason why you got targeted, and blaming PayPal or Amex's fraud detection is ignoring the fact that there were quite a few 'holes in the cheese' prior to the final safety net to make this happen. Automated fraud detection against billions of transactions is a weak barrier in a long line of barriers to prevent a credit card scam happening. I think it's lucky that there are people in debt, paying slightly more on their interest rate than they technically should be, so that Amex refunds it, because it won't come out of their pockets.
Now on the other hand, if you are saying you had 2FA on the paypal account...that is you receive a SMS message with a 6-digit code prior to logging on each time, then I take much of that back...that would be concerning!
I think three lessons from this are:
(1) Never use the same password twice. Use computer supplied/stored passwords like Apple Keychain or equivalent that you don't even need to know. At bare minimum, use a common part of a password and add a letter or number at the end of the password that changes depending on the site. For example...if p@$Sw0rd is your main password (not recommended btw!), use 'p@$Sw0rda' for amazon, 'p@$Sw0rdp' for paypal etc.
(2) If a website has a 2FA option, activate it.
(3) Regularly check haveibeenpwned for data breaches.
Last edited by Christian; 7th August 2022 at 12:24.
The money doesn't really come out of Amex's profits...they know this will happen and it's all built into the scheme of charges levied to everyone. That's why people pay 23% interest rates on a debt and an annual fee of £575 for a platinum card.
There is more security than a password...it is called 2FA. Using the same password across multiple sites is highly foolish. If you haven't enabled 2FA and you have reused passwords, you've just thrown away your two strongest barriers to fraud there.
Large companies that conduct thousands of transactions in a day tend to have few humans in the loop. Nobody is there to individually check names and addresses. There is no real barrier to fraud at that point in the chain due to it being impractical.
From what I understand, yes. But it seems to have been justified because it was safe for 20 plus years and it was a half decent password. The password can be safe for 50 years before a data breach, at that point if you've reused it, the password could be 50 characters long random letters and the scammer just copies and pastes it...having a half decent password is meaningless.
Automating the check of order name and address...how would that work every time I place an order and get it sent to my work address or a relative's house? There must be thousands of people doing this daily through PayPal. You'd need an army of people to be following up every time the computer flagged this up.
OP...it's similar to you writing your PIN number and attaching it to your bank card then complaining that someone stole it, withdrew your money and the bank didn't check that it looked like you when they did it.
I agree we are all susceptible to online fraud, but I'm going to do everything I can to avoid it, like not reuse passwords and always use 2FA.
Ironically, the closest I got to online fraud was when a fellow TZ'er reused passwords, allowed his TZ account to be hacked by this method, and someone put a very convincing Speedmaster on SC for sale, which obviously didn't exist. Had I sent my money to them I would never have seen it again.
Last edited by Christian; 7th August 2022 at 13:55.
Fair enough, removing financial data from websites such as Paypal, Amazon etc is one way to keep secure...I guess you have to weigh up the convenience and how much you use the site. I also don't really like companies keeping my card on file if there is no good reason, but I use paypal and amazon so frequently this would be impractical for me.
I would, however, recommend making use of iCloud Keychain or whatever your platform has. Use the computer to generate a new password for every site and store it in the computer's password manager. I would also recommend making sure two-factor authentication is enabled whenever possible. This isn't just an alert, but a two-way check that doesn't allow someone access unless they have either your phone or authenticator app.
An occasional check of your email on haveibeenpwned is a good habit too.
Last edited by Christian; 7th August 2022 at 14:15.
Oh, by the way, I still think you are confused what two-factor authentication is.
Two-factor authentication won't allow you into your account without receiving a text message with a 6-digit code that you then enter into the login screen. For example, if I try to log into PayPal to make a purchase, I get this screen:
I think you are confusing it with notification settings, which is just a text or email to let you know activity has occurred:
This is just a setting and doesn't really secure your account over and above the password alone. Once someone has access to your account, they can just switch it off in the settings prior to making a purchase and you won't get notified. It provides no real protection.
As above I suspect you are not 100% clear on 2FA.
I use this on anything financial either by text or using one of the many Authenticators. I use Google Authenticator.
I also have an email address that I only use for financial services. I use a Proton account. I use a very strong password and all their security options as your email address is the gateway to many other accounts as that is where password resets go.
Then for online shopping I use my general business email, which is public domain.
Shopping online you can now use single-use virtual cards that are available via the likes of Revolut, which I now use in shops most of the time to ring-fence my main account.
Whilst we should expect our financial services providers to detect fraud the first defences are our own choices.
Last edited by Montello; 7th August 2022 at 15:40.
For someone with a pwned password and no 2FA set up you sure are throwing a lot of blame around everywhere but yourself.
Fix your account and move on.
At least they took action straightaway.
I noticed a strange payment on my card, Sainsburys PetrolCanley, made last Mon/Tues at 10:30am. Asked the wife and kids if they had pinched our CC and maybe used it, and then rang Nationwide CS. The woman who I spoke to tried to suggest that it must have been me as it fits my spending pattern, except this was in Coventry, I live in NW London, and in Sainsburys, which I hardly ever use. She then suggested that Canley, Coventry could be the HQ of Sainsburys so that info wasn’t important. Asked her how the payment was made; her reply: magnetic strip. Told her, wasn’t that in itself unusual, as I’d not made a payment like that in years, always contactless or chip and PIN.
I asked her quite openly why she was trying to convince me that I must have made the transaction to which she blurted out that she found that single transaction of under £50 unusual and that if it were her she’d have spent thousands. Had to tell her quite bluntly that I am refuting/querying the payment as I didn’t recognise it.
Hope it all works out for you OP.
Just 5 minutes ago I logged into PayPal and began the close-my-account process due to reading this thread. I hardly ever use the account, a few buys here on SC and that's about it. It's just another way in for the scrotes.
When you go down the 2 factor route I would strongly advise using an authenticator app that generates a rolling set of one time codes instead of SMS. That way you are not reliant on having mobile phone coverage to use the thing.
Plenty of advice here on password managers, 2FA etc.
The NCSC's cyber security advice to protect you and your family, and the technology you rely on.
Last edited by J J Carter; 7th August 2022 at 17:11.
As I noted earlier, if you had 2FA working previously and it’s now stopped, it smacks of a larger breach. I would undertake the checks to ensure your mobile phone has not also been transferred, if you haven’t already.
Considering the OP is not very clear on whether 2FA was activated and there has previously been confusion in his mind between 2FA and notifications, I'd say a sophisticated SIM-swap scam or a reverse proxy scam where he unwittingly interacts with a server that sits in between his computer and paypal is unlikely. Chances are it was an unsecured paypal account and compromised password that caused this.
Let’s not let this degenerate, some useful stuff here.
Worth closing, as they now charge an inactivity fee of £9/yr
https://www.paypal.com/uk/smarthelp/...ty-fee-faq4427
You should also address all your other accounts.
Once the scammers have realised you have been a bit loose with your PayPal security they will assume you are similarly loose elsewhere.
This thread has been useful and I’ve now set up the second-factor authentication. Cheers
I am glad it has helped some. I am amazed that such an important security protection as 2FA is an option, and there must be tens of thousands who do not have this enabled. It should be set as a default, not an option. If the user can turn it off then a hacker can do the same; as someone has posted on this thread, notifications such as emails and text alerts can also be turned off. All this security and it can all be disabled?