Where's the hole in this PayPal payment system?

in Techie Stuff
10 replies 347 views
B0bbyEwingB0bbyEwing Forumite
762 Posts
500 Posts Name Dropper
Forumite
My wife has just come to me saying she had notification to her phone of a payment of over £500 that she hasn't made & she's to dispute it within 24 hours if she never made it (which she didn't).

I told her to go on the laptop & access PayPal that way to see if it tallies - it did.

She has 2FA enabled on her PayPal yet somehow a payment was sent to some Cyber Security company (with an Outlook email address??). 

She's cancelled it from within her PayPal but is wanting to know how this is likely to have happened since 2FA is turned on & whether other areas need looking at and strengthening or just PayPal itself. The Live Chat seems to be a slow process but then it is Sunday.

Replies

  • edited 20 November 2022 at 7:55PM
    facadefacade Forumite
    6.2K Posts
    Part of the Furniture 1,000 Posts Name Dropper
    Forumite
    edited 20 November 2022 at 7:55PM
    The query was probably generated because she has 2FA switched on but the transaction didn't use it. I just bought a few things with paypal, and had to get a 2FA code off my phone- because "the merchant requested it", so I think that the 2FA isn't on every transaction.

    When you set 2Fa up, it is only for your first login to paypal, nothing to do with transactions as far as I can tell


    I want to go back to The Olden Days, when every single thing that I can think of was better.....

    (except air quality and Medical Science ;))
  • B0bbyEwingB0bbyEwing Forumite
    762 Posts
    500 Posts Name Dropper
    Forumite
    I know that every time I buy something on ebay for example, I have to enter 6 digit codes as I use PayPal. 

    The way it was looking in her account was that the payment would've gone through had she not cancelled it. 

    A little concerning that it got that far so obviously would like to know what to change & how to find that out other than the overkill of "everything". 
  • notyourrealnamenotyourrealname Forumite
    30 Posts
    Fourth Anniversary 10 Posts
    Forumite
    Firstly, make sure she changes her Paypal password to something strong and different to any other password. Doesn't necessarily have lots of weird characters, could use 3 words instead.

    The previous poster is incorrect, MFA on Paypal has to be used for all transactions (certainly does for me).

    Which type of MFA is she using? SMS MFA can be compromised, a quick google will reveal multiple ways this can happen.

    It sounds like someone has her password, at least, if not also access to her MFA.
  • B0bbyEwingB0bbyEwing Forumite
    762 Posts
    500 Posts Name Dropper
    Forumite
    Never heard of MFA. Heard of 2FA though so I can't ask her what MFA she's using as she'll probably look as blank as I do right now.

    The only time I don't need to enter 6 digits text to my phone is when I've just entered the code. For example, I buy something on eBay - I'll need the text, the 6 digits & then once this is entered if I immediately make another purchase on eBay then I wont need to enter another code. 
    Buy something the next day and it'll be a new code. No idea of the timeframe as I'm sure it's only minutes & not hours but just saying what I've experienced myself.


  • saajan_12saajan_12 Forumite
    3.3K Posts
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    Forumite
    Similar issue earlier this week - I happened to notice a confirmation email for 2 transactions that went through from my Paypal balance in quick succession, which I didn't do. Goods ordered to a completely random address away from me or my family and things I'd never order.

    I reported the transactions as unauthorised and changed password. Luckily the transactions were relatively low value and Paypal refunded the amounts the same day. However more concerning, is how come they went through in the first place - considering I have 2FA, had a unique password only used for Paypal, haven't clicked on any email I thought was from Paypal before this.

    Have asked Paypal how these 2 transactions went through, or what security features it managed to pass, but no (useful) response yet. 
  • edited 24 November 2022 at 3:35PM
    B0bbyEwingB0bbyEwing Forumite
    762 Posts
    500 Posts Name Dropper
    Forumite
    edited 24 November 2022 at 3:35PM
    Seem to be sharing your experience.

    PayPal have said no further action required. They've cancelled the transaction.

    Well that's not good enough for me. Yes it's my wife's account but it's our money & I want to know how this happened. 

    Message sent to them via Live Chat at 8am. Notification will be received when they respond, apparently. 

    2:34pm still waiting.

    I wonder if we're still using the Covid excuse as to why things aren't happening in a decent timeframe.
  • flaneurs_lobsterflaneurs_lobster Forumite
    2.1K Posts
    1,000 Posts Fourth Anniversary Photogenic Name Dropper
    Forumite
    Not a payment issue as such but last week I sent a payment request from PayPal to another of my email accounts (trying to drive a direct debit payment). Email received OK but Paypal shows the request as having been sent to a completely different and completely unknown (to me) person. 
  • notyourrealnamenotyourrealname Forumite
    30 Posts
    Fourth Anniversary 10 Posts
    Forumite
    In reply to BobbyEwing previous post, MFA = 2FA, the M being Multi as opposed to 2, sorry to confuse.

    Paypal won't tell you what happened as that would potentially reveal that they have a hole in their security somewhere.

    Best way to protect yourself is to change all passwords to unique, strong password and make sure you have got up to date antivirus software installed and scanning your system. 
  • B0bbyEwingB0bbyEwing Forumite
    762 Posts
    500 Posts Name Dropper
    Forumite
    In reply to BobbyEwing previous post, MFA = 2FA, the M being Multi as opposed to 2, sorry to confuse.

    Paypal won't tell you what happened as that would potentially reveal that they have a hole in their security somewhere.

    Best way to protect yourself is to change all passwords to unique, strong password and make sure you have got up to date antivirus software installed and scanning your system. 
    Is the issue likely to lay 100% with PayPal then? (as in changing PayPal password would be the answer)

    Because to start changing literally EVERYTHING is going to be a right ballache. All banks, all websites that are linked to spending money. What a nightmare.
  • notyourrealnamenotyourrealname Forumite
    30 Posts
    Fourth Anniversary 10 Posts
    Forumite
    It's impossible to say 100% as if there was a hole in Paypal's security, they would never admit it.

    If she changes her paypal password that should stop that being compromised. 
    If the current paypal password is being used for other sites, I would change those as well.

    Up to you how far you want to go. Bank sites normally have some sort of 2FA involved but then they are holding access to your money.

    Is there a possibility she, or you, or anyone else using that PC has clicked on a malicious link that has led to malware being installed?
    I would run a full scan with something like Malwarebytes (free) to be on the safe side.
Sign In or Register to comment.
Latest MSE News and Guides

British Gas prepay meter users...

...to pay less for gas from 1 April

MSE News

The 'odd Easter flavours' thread 2023

What bizarre food stuffs have you spied?

MSE Forum

Energy Price Guarantee calculator

How much you'll likely pay from April

MSE Tools