Last Thursday afternoon I was sitting here in my office working away when a couple of email messages from PayPal arrived in rapid succession: both were receipts for purchases that I didn’t actually make (one for a “prank SMS” service, another for a year’s worth of web hosting in Germany), and both were genuine PayPal email messages (I didn’t click on the links in the emails themselves: I went to PayPal’s website to verify that the money had actually left my PayPal account. It had).
At first — before the second message arrived — I thought that Oliver might have been using the computer at home, that I’d mistakenly had his web browser remember my PayPal username and password, and that Oliver had mistakenly purchased something. Once the second email arrived with notice of the second purchase, I realized that this was unlikely (reinforced by the realization that making a complete PayPal purchase would be beyond Oliver’s capabilities click-wise).
So panic temporarily set in once I realized that someone had guessed my PayPal password and was making purchases with it. Visions of my bank account quickly draining away danced in my head.
So here’s what I did.
First, I logged into PayPal again, confirming that I was actually connected to PayPal itself and not some phishing site by examining the URL (it did, indeed, start with https://www.paypal.com/).
Second, I immediately changed my PayPal password. Because doing this requires having the original credit card that I used to register the account, I assumed the evil hacker wouldn’t have this information and would be unable to change the password themselves, or to access my account once the password was changed.
Third, I went to PayPal’s “Resolution Center” and opened a new case to dispute the two purchases, providing all the details of the purchases and the original PayPal transaction numbers.
Finally, I visited the websites where the original fraudulent purchases had been made and sent email to their customer service contact addresses outlining what had happened and asking them to immediately cancel the purchases.
Now here’s the time for my mea culpa: I’m partly to blame for all this. Against all logic (and against everything I preach to others about password security) my PayPal password was both easy to guess — it was a combination of two English-language words both of which you’d find in a dictionary — and one that I’d used promiscuously on other consumer websites with the same username I’d used on PayPal.
Why was I so careless? Because I was lazy. I’d set up my PayPal account a long time ago when the world was a simpler place, and despite telling myself that I should update my password, I never got around to it.
So my next step, after dealing with the immediate PayPal crisis, was to ferret out all the other sites where I’d used the same password (at least I had good records!) and immediately change my password to something unique to each website, in each case involving lots of upper and lower case letters, punctuation marks and numbers.
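To put numbers on the two lessons above (a two-dictionary-word password is small enough to guess, and reuse turns one guessed password into many), here is a short worked example. It is added here and is not code from the original post: the 20,000-entry dictionary size is an assumed figure for a typical English wordlist, and the site names and passwords fed to the reuse check are constructed sample data.

```python
import math
import secrets
import string
from collections import defaultdict

# Assumption: a typical English wordlist used for password guessing has on
# the order of twenty thousand entries. The exact figure only shifts the
# result by a few bits; the gap to a random password stays enormous.
ASSUMED_DICTIONARY_SIZE = 20_000

# The character classes the post's new passwords draw on:
# upper and lower case letters, digits, and punctuation (94 characters).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def two_word_password_bits(dictionary_size=ASSUMED_DICTIONARY_SIZE):
    """Bits of guessing work for a password made of two dictionary words,
    assuming the attacker simply tries every ordered pair of words."""
    return math.log2(dictionary_size ** 2)


def random_password_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of guessing work for a uniformly random password of `length`
    characters drawn from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def generate_password(length=16):
    """Generate a unique per-site password from the OS CSPRNG, retrying
    until it contains at least one character from each class."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def find_reused_passwords(credentials):
    """Given a mapping of site -> password (the 'good records' the post
    mentions), return each password that appears on more than one site,
    with the sorted list of sites sharing it."""
    sites_by_password = defaultdict(list)
    for site, password in credentials.items():
        sites_by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items()
            if len(sites) > 1}


if __name__ == "__main__":
    print(f"two dictionary words: ~{two_word_password_bits():.1f} bits")
    print(f"16 random characters: ~{random_password_bits(16):.1f} bits")

    # Constructed sample records: two sites share the weak password.
    records = {
        "paypal.example": "applebanana",
        "shop.example": "applebanana",
        "bank.example": generate_password(),
    }
    for pw, sites in find_reused_passwords(records).items():
        print(f"password reused on {len(sites)} sites: {', '.join(sites)}")
```

Two words from a 20,000-word list give roughly 2^28.6 possibilities, which an offline guessing tool can exhaust quickly, while 16 random characters from the 94-symbol alphabet give about 2^105. The reuse check is the programmatic version of the post's "ferret out all the other sites" step: any password that shows up on more than one site is the one to rotate first.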
I’m happy to report that both of the fraudulent transactions were reversed, with the cooperation of the websites involved, within 3 days (I got personal replies from both after I sent my inquiries assuring me that they would reverse the charges).
And I’m happy to have been kicked in the security ass over an issue involving a couple of hundred dollars, not a couple of thousand.
I continue to think of PayPal as an excellent service, and I’m keeping my PayPal account in place (with its new much-more-secure password). But, as they used to say in high school, “with freedom comes responsibility.” What’s your PayPal password?