A look at the design, market and legacy of Victorian pottery

Friday, March 17, 2017

Cyber Crime and the Remote Auction Buyer

Unlike most of our posts, this one is not about ceramics. It is, however, about the tools one maintains when buying remotely by auction, something most antiques buyers do. Whether you buy through eBay or Online Auctions or any number of other auction services, one needs to keep a PayPal account for convenient payment to these sites. Recently we were a victim of theft through our PayPal account and it may be instructive to others to detail our experience.

A while back we heard of the massive breach of Yahoo email accounts by Russian hackers. We didn't give it much mind because, although we had a Yahoo email account, we hadn't used it for many years. One afternoon while randomly checking our balance on PayPal we noticed a large money transfer from our bank to the PayPal account. To those unfamiliar with PayPal, all PayPal accounts require a source of funding on which to draw, be it a credit card or a bank account. We had ours tied to a checking account.

The transfer was in an odd amount: $999.00. We couldn't recall having purchased anything recently that would have required such an amount of funds. We checked with our bank and sure enough the checking account had been depleted by $999.00. To get to the bottom of this we called PayPal and asked what the money had gone towards paying for. All they could tell us was that a cash withdrawal from our funding source had been initiated from the PayPal account two days prior to our first having noticed it. Because of PayPal's rules such a transfer requires five days to finalize. The money was actually still in the PayPal account. We told the operator that we had not authorized the withdrawal and wanted to know if we could get the money back. She said we could after the hold was complete. We were relieved that the money was still there. We were told to change the password on the PayPal account so that whoever had gained access to the account could not return to withdraw the money. After that it could be safely allowed to sit in the account until we decided to return it to the funding source.

This is when we realized how the warning about the Yahoo breach played into the story. This is how the hackers had gained access to the account! Although we did not use our ancient Yahoo account in setting up our PayPal account, we did use the same user name and the same password that we had used in the Yahoo account. The hacker must have done a random search of thousands of Web sites trying the combination of user name and password and finally found a match in PayPal. Once inside our account they transferred the maximum amount that PayPal allows, $999.00, and waited for the five-day waiting period to end so they could withdraw the money. It was merely a fluke that we had signed into PayPal and seen the money transfer within that five-day waiting period in time to stop it.

After this we went through all of our online accounts and changed all our passwords. We believe the PayPal account was unique among our accounts for using the same account name and password as Yahoo, probably because it had been established around the same time that we were using the Yahoo account. We had since moved on to other email accounts and more sophisticated password combinations, but this one outlier still had the old combination.

As for the hackers, well, we doubt they will ever be caught even though the United States Justice Department has identified four agents of Russia's Federal Security Service as being responsible for that massive Yahoo breach. Of course, even though they have been identified, the U.S. has no way of arresting them as they are in Russia and the United States does not have an extradition treaty with Russia. PayPal told us they had blocked the Web address of those who had initiated the withdrawal from ever being able to access PayPal again. However, these guys always manage to find a way around such blocks.

The important thing is to pay attention to the discovery of these types of breaches and change your online passwords frequently. We had dodged a bullet, but a lesson had been learned to give each site we used online a unique password/user name combination. And you should too.