The Stop Online Piracy Act in the US is getting ever more publicity with GoDaddy one of the high profile companies to suffer from supporting it as we wrote a couple of days ago.  In our previous article Martin summed up SOPA very effectively.

If you are living in the United States, you should have heard about SOPA (Stop Online Piracy Act) and Protect-IP, which, when passed, would give companies rights that they should not have. If it passes, IP rightsholders (a term vaguely defined) could send notices to payment processors or ad services like Google Adsense to force them to stop doing business with listed websites, all without legal process.

Site owners have five days to file a counter-notice, but neither payment processors or ad networks have any obligation to respect it. Even worse, they are granted “immunity for choking off a site if they have a “reasonable belief” that some portion of the site enables infringement”.

Now a loose confederation of Internet giants are considering shutting down the entire websites for 24 hours and instead showing a messagew urging their visitors and customers to contact their representative in the US congress the day before the vote goes to the house there.

The coalition is made up of some very big names on the Internet including Google, Amazon, Facebook, Twitter, Wikipedia, Yahoo!, eBay, PayPal, AOL, Foursquare, IAC, LinkedIn, Mozilla, OpenDNS and Zynga.  If the plan goes ahead all these services could be taken offline for 24 hours.

In a report by CNet…

When the home pages of Google.com, Amazon.com, Facebook.com, and their Internet allies simultaneously turn black with anti-censorship warnings that ask users to contact politicians about a vote in the U.S. Congress the next day on SOPA, you’ll know they’re finally serious.

True, it would be the political equivalent of a nuclear option–possibly drawing retributions from the the influential politicos backing SOPA and Protect IP–but one that could nevertheless be launched in 2012.

“There have been some serious discussions about that,” says Markham Erickson, who heads the NetCoalition trade association that counts Google, Amazon.com, eBay, and Yahoo as members. “It has never happened before.”

This wouldn’t be the first piece of anti-piracy legislation around the world to face stiff opposition.  France have already passed an Internet copyright law but the Digital Economy Act in the UK stalled in the face of arguments from major Internet Service Providers British Telecom and TalkTalk.

Many reports say that SOPA is still set to pass the US congress and that very few Americans have heard about it.  Shutting down services such as Facebook and Google, and replacing them with anti-SOPA messages for a day would certainly raise awareness, but a question mark remains over whether doing so only one day before the congress vote would be effective enough.

This is the first time ever that major websites have threatened to effectively go on strike to boycott something, and it is completely unprecedented.  It is unclear at this time whether the services would be taken down worldwide or just in the US and also how serious the coalition are about the boycott, which would inevitably lose them all a day’s trade.

Services are commonly targeted for IP addresses anyway and it wouldn’t be difficult for these companies to target messages to their US-based users.  With many millions of visitors every day in the US, companies such as Google and Facebook could achieve this on their own.  Imagine then how much more leverage they would have with Amazon, Yahoo! and others on board.  If this goes ahead it is still possible that other companies could follow suit, effectively crippling the Internet in the US for the day before the vote.

So what do you think of SOPA and your favourite websites being taken offline for a day?

New PayPal accounts are limited automatically until they are verified. Limitations block certain site features and limits the amount of money that unverified PayPal users can transfer to other PayPal users or withdraw to a bank account.

Accounts can be verified either by adding and confirming a bank account or credit card. Both verification options may not be available in all countries. (You can use this page on the PayPal site for additional information on the process for select countries)

To verify a PayPal account click on the Get Verified link underneath the welcome message on the start page.

You then have the option to verify the PayPal account either by Credit Card or by bank account.

Verify PayPal by bank account

If you select the bank account verification option you are asked to enter the account information in the verification form. PayPal will make two small payments to the account in the next business days which you need to confirm once they are listed in the account statement. Just visit the PayPal website again to complete the verification.

Verify PayPal by credit card

PayPal will withdraw a small amount of money from the credit card as part of the card’s verification. The company will refund the money to the PayPal account after the verification. Verifying by credit card is usually faster than verifying by bank account.

Verify PayPal by virtual credit card

What can you do if you cannot verify by bank account or credit card? You could create a virtual credit card and use that card to get the account verified. Services like EntroPay offer virtual credit cards. This comes as a price though, as many services require you to deposit money into the virtual credit card account and charge you for that.

As far as EntroPay is concerned; The service does not charge for the account or the creation of the virtual Visa card. It does however charge for loading a credit card, exchange fees and money that’s transferred to the card.

Please note that EntroPay accounts need to be verified as well.

Closing Words

It also needs to be noted that the initial account limitation is different from other PayPal account limitations. There are a number of reasons why PayPal limits account, a common one being unusual account activity.

Using a virtual credit card to verify an account should work for users from all over the world. Please note that you may still run into troubles when withdrawing money from PayPal (To be honest, I’m not 100% certain that you can withdraw money to a credit card. You may need a bank account for that after all.).

The credit card is on the other hand useful to get the account verified and to fund money. Plus, you can limit automatic withdrawals to a specific sum of money.

Have you had troubles getting your PayPal account verified? Let me know in the comments.

What other options do you have? You could try and get a virtual credit card, either from a bank that is offering those cards or an online service such as Entropay. The first may work fine and without lots of administration, the second can be quite the hassle to setup and maintain. Plus, it can happen that virtual credit cards won’t be accepted by the service or website, in which case you are still not able to complete the sign up process.

An alternative to this are test credit card account numbers. They are not linked to any accounts or names. PayPal has a public page with test credit card account numbers available where you find credit card numbers for major companies such as American Express, Mastercard, Visa or Discover.

The expiration date can be freely selected, the only requirement is that it needs to be a data in the future in mmyy format.

The credit cards cannot be used to make purchases. What they can be used for however are services that require you to enter a credit card either during signup or for specific services they offer. One example would be Amazon’s AppStore service which requires you to enter a valid credit card account number to download the free apps that it provides on a daily basis.

It is likely that at least some sites and companies have banned those credit card numbers from being used on their sites. You’ll probably be surprised that they will work on a lot of sites on the other hand.

Disclaimer: Please note that companies or organizations may see it as fraud if you are using credit card information that are not your own. Neither ghacks nor the author of this article are responsible if this happens.

According to his information, PayPal accounts are sold for as little as $50 per 100 unverified accounts. 50 cents per account may not seem like much, but you need to consider that unverified means that the original owner has not linked the account to a bank account or credit card. This limits what can be done with the account (while it is possible to use it to move money, it cannot be used to make purchases if the PayPal balance is not sufficient).

Verified accounts on the other hand start at prices of $2.50 for PayPal accounts with a balance of up to $10, and more if the balance is larger. You see a larger account with a balance of more than 1000 Dollars go for $45 at the site selling those hacked accounts.

It is rather interesting that the site not only lists the account balance, first name address and type of account but also much of the user’s email address. Registration at the site is closed and only possible by contacting a site operator over ICQ.

Considering that email addresses are listed, it would make sense of PayPal to try and get an account to block all hacked accounts before third parties can use them for illegal activities.

Brian believes that the majority of accounts for sale have been collected via phishing attacks, but that trojans on user computers have also been used considering that some of the PayPal accounts are sold with linked email account log ins.

It feels kinda strange that a site like this can operate for a relatively long time without being taken down by the authorities. I won’t link directly to the site, but you find the link and a sister site mentioned in Brian’s article.

I personally would have expected the accounts to be sold at higher prices. This can either mean that demand is not high, or that the site operators have access to a lot of hacked PayPal accounts.

What’s your take on this?

Users who fail to comply will have their PayPal account limited, which basically means that they wont be able to send or withdraw money from the account.

It reads:

Need further information

Dear Martin Brinkmann !

We need to confirm some of your account information or collect further information. Please complete this by 29.09.2011. If we don’t receive this information in time,
PayPal is required by law to limit access to your account.

What should I do?

The next time you log in to your PayPal account you’ll be guided through a process to collect the necessary information.

Why is this required?

EU law requires financial services firms like PayPal to confirm the identity of all our customers. This is necessary to provide a safer platform for our users and to help prevent the illegal use of our services.

When you visit the PayPal website you will see the following screen after login.

The screen offers similar information and options to update the account information now or at a later time. Information provided on that page are slim. Neither the EU regulation is linked to properly for users to verify or read up on the regulation, nor is it explained what users need to update, other than that they have to identify their account type and may be required to upload documents to PayPal.

A click on Update Now loads a screen where users are asked to verify their ownership type. Available for selection are:

• A private account suits any individual operating outside of a company, business or profession.If you’re a non-registered partnership, you’ll need to select business account for sole proprietor.
• A sole proprietor What’s this?A business account for sole proprietors suits any individual operating a business where there is no legal distinction between the owner and the business. A sole proprietor may also use a business name other than his or her legal name.
• Any other type of business, charity, or government entity What’s this?

Once you have confirmed your selection my checking “Yes, the information above is correct” you are taken to the next screen. This screen depends largely on the selection. My choice of “sole proprietor” for instance completed the process immediately. I was greeted with a “You’ve finished providing the information we needed” page and did not need to upload data or add other information to my account.

PayPal users can repeat the process on that screen, for instance if they made a mistake.

A click on the continue button loads the PayPal account interface.

Have you received please update your account information emails from PayPal? Did you already fill out the information on the PayPal website? If so, share your experience with us in the comments.

Friday the hacking community Lulz Security (LulzSec) posted a file which it claimed contained the username and password information of 62,000 random individuals using popular websites like Facebook and PayPal. While it is doubtful that Lulz itself plans to use that information to do anything but embarrass those websites, other people who now have access to that data may be less playful.

It is unknown how this information was acquired or from what source. However, if you find yourself in a situation in which your Facebook or PayPal accounts have been compromised in a similar hacking campaign, there are important steps that you must take to secure your information and retake control of that loose data.

Mark Ward, a financial IT professional from Colorado, warns anyone who has been compromised to ask the two big questions of information loss: how did it happen and why.

“Anyone who has lost login information of any kind should immediately check the computers they use to access accounts for malware, keyloggers or rootkits. Otherwise, no matter how often you change your information thieves will retain access to the information.”

If you were foolish enough to use that login information in multiple places, change it everywhere – or you might find those accounts compromises as well. Next, identify why you were targeted.

“LulzSec rarely goes after individuals – if your information comes up in their attacks you were probably just caught in the crossfire.”

If you are someone who they may take personal interest in, however, take care to protect all other information and let those connected to you know you have been targeted. They may be approached for further information.

The loss of PayPal login information is typically more pressing than the loss of Facebook data, and as such requires forceful and immediate action. Begin by reporting the breach to PayPal and closing the account immediately. This stops that account from being used for any illegal purposes that you might otherwise wind up being liable for. Next, contact the financial institutions connected to the PayPal account and have them monitor your funds. It may be necessary to close those accounts in time, but it typically is not necessary to do so immediately.

Finally, and perhaps most importantly, contact any individuals with whom you regularly do business through that account and let them know that you have been compromised. Your past actions will be visible to any digital thieves, and it is very possible that they may be contacted by email or phone by people claiming to be you. Consider setting up a secure passphrase with PayPal business partners so that they can know that it really is you they are talking to.

Facebook contains mostly social information and is not connected to your finances and as such it is less crucial to contact connections to such an account as quickly. Again, notify Facebook, telling them of the breach, and close the account. This severs your connections to any photos that may be linked to your account. Let your friends know that you have been hacked, and advice them to be weary of anyone claiming to be you.

As skirmishes online increase in frequency, more and more people will likely get caught in attacks on groups they have no significant connections to. By following these simple steps, the damage of a breach can be minimized and you can return to your usual online activities without delay.

Martin’s Words of Wisdom

If you had an account at one of the hacked company sites, and used the same account login, email, password combination at other sites, your first step needs to be to change your passwords at all those sites. Before you do anything else, change your account passwords.

PayPal users can improve security with identity protection devices. It costs little money and adds two factor authentication to PayPal. Attackers who get your username and password, cannot access the PayPal account because they do not have the code that gets generated on the fly when you use the device locally.

I probably would not go as far as to close down the account. I’d change the account password, get the security device and monitor my PayPal funds closely to react immediately when I’d spot an unauthorized transfer. You may however want to cut the link to your debit and credit cards in PayPal to avoid that they are charged automatically whenever a payment is made that exceeds the account balance.

Handing out your credit card on the other hand may be a standard procedure in countries like the United States where the average consumer has more than 2 credit cards. The core problem with handing out your information is twofold. First, you need to trust the company or business that processes your credit card information on their web page. Considering that one of the largest banks did not get it right, it is fair to assume that there are no 100% safe places on the Internet to submit your credit card information to.

Some users might say that stolen credit card information may not be a big problem, as it is possible to cancel credit card payments for quite some time after the payments have been made. But that is only true if the credit card owner monitors payments regularly.

Most virtual credit cards offer better protection when shopping online. The core difference between virtual and real credit cards is that most virtual cards need to be charged before they can be used. They are prepaid cards. While it is still possible to get the credit card information stolen, an attacker has less options to squeeze out money from the account. A normal credit card could be charged for thousands of Dollars, a virtual card only for the amount that has been transferred to it by its owner. It is still recommended to check the credit card bills regularly, regardless of card and activity.

It is usually a lot easier to delete a virtual card and get a new one, in case someone managed to steal the information. Some banks and companies offer unlimited virtual credit cards to their customers, while others only one at a time.

Lets take a look at the benefits of virtual credit cards again:

• They work online just like real credit cards
• They are prepaid, and it is not possible to overdraw the account
• They are usually faster to setup and cancel

There are three downsides that we need to address. First, you get another credit card number that you have to monitor and take care of. Second, these virtual cards may come with fees that you have to pay. Some companies charge per transaction while others a yearly fee. This differs highly, and there is no rule of thumb. Some banks might even offer virtual credit cards without fees. And lastly the charging time. Depending on the bank or company, it may take time to charge the virtual credit card. At my local bank, it takes four business days to set up a prepaid credit card, and a day to charge it, which is not good if you need to make a payment urgently.

A year ago, I would have suggested PayPal for most users. But PayPal has dropped their virtual credit card offering. Your best option now is to contact your bank to see if they are offering virtual cards. If you are lucky they do and charge you little or nothing at all for it.

You find several independent companies on the Internet that offer virtual prepaid cards. Companies like Entropay charge a hefty fee for transactions on the other hand. They currently charge 4.95% for transferring money to the card.

Is there another way to get a virtual credit card online? Let us know in the comments. I for one have made the decision to get a prepaid card from my local bank, despite the negative aspects.

It quickly turned out however that the message was a scam, a phishing attack to steal my PayPal login credentials. Why would attackers want those information? To transfer all the money from the account, and maybe even more if a Credit Card is linked to the account.

They may use PayPal to make purchases on the Internet, or use the account as a temporary haven for illegal transactions.

Whatever it is, it is certainly not in the interest of the account owner. Lets take a closer look at one of the emails to see what it is all about, and learn how to identify if it is a phishing email.

The email reads:

Dear PayPal account holder,

PayPal is constantly working to ensure security by regularly screening the accounts in our system. We have recently determined that different computers have tried logging into your PayPal account,and multiple password failures were present before the logons.

Until we can collect secure information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.

Download and fill out the form to resolve
the problem and then log into your account.

Thanks ,
PayPal

The sender is PayPal updates-int@paypal.net, the subject: Your account has been temporarily limited. There is an attachment, a HTML page with the name Restore_your_account_PayPal.html.

When you look at the email you will notice several indicators that it is a phishing email. You do not really need to look at email headers for that.

• 1. No customer name – Phishing emails usually do not have access to customer names, which means that they will address the recipient in general terms. Dear xxx.
• 2. No contact – Companies do usually include contact information in their emails. This can be a company’s street address, support phone numbers or links to web properties.
• Attachment – While it is possible that companies send attachments with their emails, it is unlikely that a company will do it in this case.

When you look at email headers you notice that the return-path and received headers do not mention PayPal but another domain (powerski.net), which more or less proves that the email at hand is a phishing email.

But what about the HTML email attachment? The easiest way to find out is to save it locally to open it in a text editor.

I do not really need to see the site in action, analyzing the code is all that is needed to get the information that I want.

If you double-click the HTML file in the email you will load it in your default browser locally. You will see a form and a page that resembles the PayPal site.

If you look at the source, you notice that the form action points to http://networkpp.comlu.com/tmp/w.php and not a PayPal domain. Form action means that your input is send to that address when you click the submit button.

The form asks for all kinds of personal and security related information, including your social security number, credit card or debit card number, expiration date, security code, mother’s maiden name and email.

What can you do if you receive an email that you suspect to be a phishing email?

• Ask a tech savvy user to look at it. You can forward the email to the user for instance if necessary.
• Go to the company website manually, look for contact information and call or email support there.
• Analyze the email the way I did. All information you need can be found in the email itself.
• When in doubt do not open. Move the email to a folder for safe-keeping, or delete it outright.

We have seen an increase of phishing emails with the subject “Your account has been temporarily limited” that target PayPal users. The from email address is updates-int@paypal.net. The email body contains no links or clickable contents. It reads like this.

Dear PayPal account holder,

PayPal is constantly working to ensure security by regularly screening the accounts in our system. We have recently determined that different computers have tried logging into your PayPal account,and multiple password failures were present before the logons.

Until we can collect secure information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.

Download and fill out the form to resolve
the problem and then log into your account.

Thanks ,
PayPal

A html file with the name Restore_your_account_PayPal.html is attached to the email which mimics the official PayPal page but is executed from the local system. It consists of a simple form asking users to fill out personal information which includes name, address, social security number and credit card. The form does not ask for PayPal login information.

The email is obviously fake and not from PayPal. Here are some clues why that is the case:

• It does not mention the name of the customer, nor a PayPal representative or contact information.
• The return address is set to nobody@ne07.tt.co.kr and not a PayPal address
• Thunderbird mentions that the “sender is open HTTP proxy server”
• The attached file is a local form that is executed on the user’s system and not on the official PayPal website.
• PayPal does not use PayPal.net, it redirects the domain to PayPal.com. It is therefor unlikely that PayPal.net email addresses are used to communicate with customers. We personally have only received emails from PayPal.com and country domains like PayPal.de

A look at the HTML source code reveals further inconsistencies. The document embeds elements from unofficial sites like Megabyet, the form action (which is where the form data is submitted and processed is also on Megabyet and not on PayPal.com.

What should you do with the fake email? You can forward it to spoof@paypal.com the way it is, or delete it right away if you do not want to forward it to PayPal’s spoofing department.

If you analyze the connections that PayPal makes you notice that the site makes two connections to load objects from the domain paypal.112.2o7.net. This looks on first glance like one of those phishing websites that add the name of the service that they attack to the url to make users believe that they are on the right website. The two elements are the smallest in size (both are 43 Bytes) but seem to take the longest to transfer.

The very long url of these requests seems to transfer data about the computer system. It contains the screen resolution and browser plugins among other data which might be even more cause for concern. If you open paypal.112.2o7.net directly you are greeted with a page that is more or less blank.

Not found does not sound good as well. Omniture on the other hand will give many webmasters a clue. It is a service that analyses traffic and it seems that PayPal is one of their customers. This has been confirmed by a press release on the Omniture website which states that PayPal is indeed one of the company’s customers.

The way the data is handled, especially the cryptic url paypal.112.2o7.net can cause concern by users. PayPal should consider changing that url so that the request will come from a PayPal server and not that url.

Update: Nothing has changed ever since we first reported on the issue. PayPal is still connecting to the service.

One interesting aspect of the chart is that Chase Bank and ebay battled it out for most of the year and that PayPal began its rise in December which Avira attributes to the Christmas season and the increased usage of PayPal in that season.

Several other brands experienced a lot of phishing attacks as well. Here is the top 10 list according to Avira:

• PayPal 32205 threats
• Chase Bank 25901 threats
• eBay 18738
• American Express 5202 threats
• Bank of America 4540 threats
• Abbey Bank 3978 threats
• IRS 3712 threats
• HSBC Bank 2762 threats
• Citibank 2265
• Facebook 2217

All of the brands in the top 10 with the exception of Facebook are brands related to the finance sector or shopping. It certainly is an interesting trend that the attackers were able to produce that many phishing websites in December alone to make PayPal rise to the top of the statistics.

The statistics collected by other companies will probably differ marginally but it is likely that the top brands listed in the Avira list are also the top brands in their listings. PayPal users should be very cautious at the moment.

PayPal recently began to sell a so called PayPal Security Key to protect PayPal users from phishing attacks. The system works by protecting the login to the account not only with a username and password but also a security key that is generated on the fly on an external device. Attackers who are able to steal PayPal login information would need physical access to the security key to be able to log into the account at a later time.

It is not a 100% perfect solution as attackers are still able to circumvent the security key if they have additional information related to the PayPal user’s account. It still is a viable protection in most cases. PayPal is hosting a security center on their website that is informing and educating users about security risks and how to reduce them and prevent attacks.

Probably the best way of fighting most attacks and all phishing attacks is to always open the PayPal website directly instead of clicking on links that are supposed to lead there. Another security method is to use a password manager to store the PayPal login information. Many password managers, such as Last Pass, can fill out the login form and log in the user automatically in configured accounts. This can be a very effective method of detecting fake websites as the password manager will not fill out the login information automatically on these websites.

A new widget has been recently added to Gmail labs that increases email security by offering phishing protection for the two services PayPal and eBay. Emails send by these two services are authenticated by the widget and an authentication icon is displayed in the Gmail interface so that the user can see at first glance that the emails are coming from the original source.

The main advantage of this added layer of phishing protection is that emails that claim to be from either PayPal or eBay but are not will now be deleted before they reach the user’s email account meaning that they will not appear in the spam folder either. Google is hoping to add additional services in the future to increase the reach of the additional email security layer.

Users can add the new phishing protection by logging into their Gmail account, clicking on the Settings link in the top right corner, switching to the Labs tab and enabling the Authentication icon for verified senders widget.

Nope, I needed to send some ID and utility bills. The process was fairly simple, I took a photo of my phone bill, my AmEx report and both sides of my National ID. In the Paypal documentation they say a phone bill is not ok, but since my apartment is not on my name I don’t pay bills per se. Nevertheless, I sent these all off.

After some mucking about (the form was not the best), Paypal accepted these documents and this, as a lot of government and verification processes puzzles me a bit. I mean I could’ve Photoshopped all that right? Unless they actually checked with my government and bank and carrier service, which I’m sure they didn’t, they replied in like 2 days, they can’t be really sure.

My reasoning is that someone like me would have to go to more trouble to prove his identity and location truthfully, than a money launderer would have to go to to forge this stuff. If I didn’t have a camera I would’ve had to spend about $30 to photocopy, print, scan and so on. A money launderer may have to pay $1,000 for a good forgery, but hey, he has a printing press right, money comes easily.

The point is, that all I proved is that I have an internet connection and probably an ID. Is this a process that is supposed to deter people on the wrong side of the law? I doubt if it does, it did deter me though, my account was even frozen for a while!

The key is an electronic device that generates a six digit key every 30 seconds. That key is needed to login into PayPal. The device can be ordered from within the PayPal interface or from VeriSign directly. It works at all websites that make use of the key including eBay and PayPal.

PayPal has introduced the mobile security key recently. It makes use of the same principle with the difference that the security key is generated by an official server and send to the user’s cell phone instead.

This offers a few advantages like increased mobility and no waiting time till the device arrives. It does however mean that the user is charged for every SMS send by his cell phone provider. Merchants who log into PayPal several times a day might want to use the hardware solution primarily to save costs.

Users who want to order a mobile security key can do that once they are logged into PayPal. The option becomes available after the PayPal login. A click on the Security link in the top right corner of the website will load a new page with a link named Security Key.

A click on that link will display two options: To order a security key device or a SMS security key.

The VeriSign Identity Protection device can be used to add another layer of security to the login process. The PayPal Security Key mentions only eBay and PayPal and I’m not sure if it works with the other websites and services that the VeriSign Identity Protection key works with.

The key is a little device that displays a six digit security code when a button is pressed. That code is active for 30 seconds after which it disappears again. The device has to be activated on the website that you want to use it for by entering the serial number of the device and two six digit codes.

Once a device has been linked to an account it has to be used to log into the account by pressing the button and entering the six digit code after the password on that website or by entering the login credentials normally and the six digit code on the next page where it is requested before the user can proceed.

The real benefit of this key is obviously that an attacker who is getting hold of your login credentials cannot login into the account if he does not have access to the active six digit code.

PayPal seems to heavily subsidize the key. If you order the security key at PayPal you receive a blueish-gray device for roughly 5€ while the VeriSign key is delivered in dark red for the price of $30. As I said I’m not sure if the PayPal key works with other services as well.

The VeriSign website offers two additional devices. One is the so called VIP Security Card (for $48), a credit-card sized device that seems to offer the same functionality and the SanDisk U3 TrustedSignins
which works with SanDisk U3 devices but does not seem to come with additional charges.

This is definitely a step into the right direction and I strongly suggest to everyone using eBay and PayPal regularly to get one of those security devices to add another layer of protection to their account.

The analysis of my computer did not turn up anything that could have been used to grab my PayPal credentials and make the transfer and I did scan it with a multitude of scanners.

The support line at PayPal was not helpful at all and could not even tell me if I was the only one that has logged into my own PayPal account recently claiming that it was against their privacy policy to disclose such data. That was very unfortunate because it would have helped me tremendously to know if someone logged into my account to make the payment.

I was contacted at the same day by Steve Ragan from The Tech Herald who published an interview about the case on the website. That interview seemed to have sparked the interest of PayPal because I was shortly after contacted by their CISO who wanted to transfer my case to a specialized team, he called it unusual e-crimes investigations team. That was a pleasant surprise and I had hopes that I would finally find out how the money was transferred.

Unfortunately though I have not heard back yet and I’m not sure if I ever will. I know that some big companies are rather slow when working on cases but it has been two weeks and no reply since.

Last but not least Steve contacted me again telling me that the guys at VeriSign would like to send me one of those PayPal Security Key after they have heard the story which is really nice of them. Unfortunately though I have ordered one already which has not arrived yet. It’s also been two weeks since then and I’m beginning to see a pattern here. So VeriSign nice, PayPal not so nice. I will keep you updated if I’m ever contacted again by PayPal about this matter.

Update:

I received both the PayPal Security Key and the VeriSign ID Protection key shortly after finishing the article. Will write about those soon.

PayPal and eBay finally made the decision to sign all emails originating from their servers including the international versions which means that it is possible to eliminate PayPal and eBay phishing emails before they even reach the inbox or spam folder. The system was tested for a few weeks silently and only a few users did notice according to the official Gmail blog.

Now any email that claims to come from “paypal.com” or “ebay.com” (and their international versions) is authenticated by Gmail and — here comes the important part — rejected if it fails to verify as actually coming from PayPal or eBay. That’s right: you won’t even see the phishing message in your spam folder. Gmail just won’t accept it at all. Conversely, if you get an message in Gmail where the “From” says “@paypal.com” or “@ebay.com,” then you’ll know it actually came from PayPal or eBay. It’s email the way it should be.

Sounds like a dream come true and could pose an end to phishing if more companies, and mail providers, would jump on the bandwagon of signed emails. Companies that come to my mind first are financial companies and other online stores. I still would not blindly trust any email from PayPal or eBay that would arrive in my inbox but it definitely is a step in the right direction. The best way to handle it is to visit the websites manually and perform the eBay or PayPal login there.

Imagine my surprise when I discovered that a payment for all the money in the PayPal account has been made at 23:35:35 PDT to Santrex Internet Services. I was not awake at that time which could only mean that someone else managed to make the transaction. The question is how.

I contacted PayPal and filed for unauthorized payment and did contact the “seller” as well who replied telling me that someone did buy Virtual Servers from the money. I’m pretty sure that I will get the money back the question however is how someone was able to make that transaction in first place.

The possibility is there that someone was able to get my password for PayPal somehow and made the transaction that way. I’m not sure if there is a possibility to make a transaction from PayPal without logging into the account. It does not look this way.

I checked my system with latest anti-virus software and found nothing. I also checked the PayPal account settings and changed the passwords there. I will change all passwords for all sites just to make sure that someone did not get them all.

The strange thing is that the payment was only made for the amount that I had lying around in my account. Anyone ever heard of something like that ? The real question is how he was able to get into my account as it is unlikely that transactions could have been made without my PayPal login data.

That’s what PayPal (thanks Lee for the email) mentioned in a Whitepaper and I have to agree with it. There is virtually no reason why someone would still use Internet Explorer 3 or 4 to surf the Internet for example. Those browsers probably have so many known security holes and lack so many security features that it’s highly likely that the browser will get successfully attacked eventually.

This still does not take care of the user who is working with the computer which is in my opinion the greatest security risk of them all. I always like to say that if you do not understand basic security concepts, for instance the ability to differentiate between http and https websites, then you should not be doing security related stuff on the Internet including banking but also eBay, Amazon or PayPal.

The battle against Phishing is something that companies cannot win alone. Companies cannot do anything about a user who cannot differentiate between fake and original websites. Systems like Extended Validation SSL Certificates which highlight the address bar in green will surely help those users in the long run.

What should not happen though is the exclusion of a browser simply because it is being used by a smaller community. Say Safari for Mac. When I worked at one of the biggest German financial corporations I always had to tell Mac users that their browser was not officially supported. Security is not an excuse to lock out some users with more “exotic” browsers.