Update on my PayPal Story

Martin Brinkmann
Jul 17, 2008
Updated • Apr 12, 2012

I noticed in the beginning of July that someone else transferred most of the money that had been in my PayPal account to an online hoster to buy six month access to an virtual server. That was quite shocking and you can read up on theUnauthorized Payment Done With My PayPal Account story. I got the money back the same day because the merchant was nice enough to post a full refund of the money after I submitted a dispute on the PayPal website.

The analysis of my computer did not turn up anything that could have been used to grab my PayPal credentials and make the transfer and I did scan it with a multitude of scanners.

The support line at PayPal was not helpful at all and could not even tell me if I was the only one that has logged into my own PayPal account recently claiming that it was against their privacy policy to disclose such data. That was very unfortunate because it would have helped me tremendously to know if someone logged into my account to make the payment.

I was contacted at the same day by Steve Ragan from The Tech Herald who published an interview about the case on the website. That interview seemed to have sparked the interest of PayPal because I was shortly after contacted by their CISO who wanted to transfer my case to a specialized team, he called it unusual e-crimes investigations team. That was a pleasant surprise and I had hopes that I would finally find out how the money was transferred.

Unfortunately though I have not heard back yet and I'm not sure if I ever will. I know that some big companies are rather slow when working on cases but it has been two weeks and no reply since.

Last but not least Steve contacted me again telling me that the guys at VeriSign would like to send me one of those PayPal Security Key after they have heard the story which is really nice of them. Unfortunately though I have ordered one already which has not arrived yet. It's also been two weeks since then and I'm beginning to see a pattern here. So VeriSign nice, PayPal not so nice. I will keep you updated if I'm ever contacted again by PayPal about this matter.


I received both the PayPal Security Key and the VeriSign ID Protection key shortly after finishing the article. Will write about those soon.


Previous Post: «
Next Post: «


  1. Steve Ragan said on July 18, 2008 at 12:08 am

    I’m glad to hear you got the keys, and that the story helped you out.


    That thing we talked about (the give away)…I think it is a go. Ping me and we can talk more.

  2. Martin said on July 17, 2008 at 5:33 pm

    Rarst I think it’s a team with additional experience and expertise in handling cases that cannot be explained immediately.

  3. Rarst said on July 17, 2008 at 5:27 pm

    >unusual e-crimes investigations team

    That’s like having second team for fixing what first team couldn’t?.. :)

    Rather scary I’d say.

  4. Michael Shi said on July 17, 2008 at 3:47 pm

    Well, Actually I am not surprised at all. At least you are lucky to catch Paypal’s attention because of publicity.

    We all know paypal sucks, there is no doubt about it. You don’t feel you are valued at Paypal, you are just a money cow to them.

  5. Dotan Cohen said on July 17, 2008 at 3:01 pm

    OpenSolaris (or one of the BSD’s) might just be the most secure option, by it’s very obscurity. If it runs all the application one needs (I think that KDE runs on it) then by all means give it a shot.

    Of course, like you mention, network sniffing will defeat all local defenses. However, as Paypal is rather well encrypted, I suspect a client-side vulnerability.

    In any case, I just changed my Paypal password! And I now use a specific browser profile just for Paypal, with no extensions.

  6. Faust said on July 17, 2008 at 2:18 pm

    @ Dotan
    Security is in the user NOT the OS itself, so that is a random statement, but yes I agree he should switch, maybe OpenSolaris ?
    Anyways I hope everything gets found out, btw you could have been sniffed or some other type of network attack rather than a local one.

  7. Jojo said on July 17, 2008 at 1:14 pm

    PayPal support is soooooo lame!

    I had a problem with them recently where I brought a product but he didn’t have a direct Pay by PayPal button. SO I had to log into my account and od a Send Money operation.

    I don’t keep any money in my PayPal account as I always choose the option to use my credit card. That way, if I have any problems with the payee, I can get my credit card company involved to help me.

    But when I executed the Send Money operation, I WAS NOT given the choice to choose my secondary source (credit card) source. Instead, PayPal took the money directly from my checking account which luckily, I had enough money in to cover the debit.

    I sent an email to PayPal support. The first guy didn’t seem to comprehend what I was asking. The second guy he passed me to also seemed to have a problem with reading comprehension. Finally, I was passed to a 3rd person who did understand what I was asking but could not offer an explanation. When I replied saying her answer was useless, she did not reply at all. I then got a survey asking for my experience with support. Of course, I gave low marks. Hopefully, the read the survey’s and maybe they will fire the whole lot of useless idiots!

  8. Dotan Cohen said on July 17, 2008 at 1:14 pm

    You should really consider using a secure OS, such as Ubuntu or Mac. One of the reasons I moved to Fedora was security, as I keep quite a bit in Paypal and other online services. Fedora was hard to manage, but as it is Linux based it is very secure. Now that Ubuntu (another Linux-based OS) is available, and is easier to use than Windows, I really don’t see any reason to put up with an insecure OS. Even if you like games (Which Windows is better for) then you should dual boot.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.