Where's the hole in this PayPal payment system?

B0bbyEwing

My wife has just come to me saying she had notification to her phone of a payment of over £500 that she hasn't made & she's to dispute it within 24 hours if she never made it (which she didn't).

I told her to go on the laptop & access PayPal that way to see if it tallies - it did.

She has 2FA enabled on her PayPal yet somehow a payment was sent to some Cyber Security company (with an Outlook email address??). 

She's cancelled it from within her PayPal but is wanting to know how this is likely to have happened since 2FA is turned on & whether other areas need looking at and strengthening or just PayPal itself. The Live Chat seems to be a slow process but then it is Sunday.

facade

The query was probably generated because she has 2FA switched on but the transaction didn't use it. I just bought a few things with paypal, and had to get a 2FA code off my phone- because "the merchant requested it", so I think that the 2FA isn't on every transaction.

When you set 2Fa up, it is only for your first login to paypal, nothing to do with transactions as far as I can tell

B0bbyEwing

I know that every time I buy something on ebay for example, I have to enter 6 digit codes as I use PayPal. 

The way it was looking in her account was that the payment would've gone through had she not cancelled it. 

A little concerning that it got that far so obviously would like to know what to change & how to find that out other than the overkill of "everything". 

notyourrealname

Firstly, make sure she changes her Paypal password to something strong and different to any other password. Doesn't necessarily have lots of weird characters, could use 3 words instead.

The previous poster is incorrect, MFA on Paypal has to be used for all transactions (certainly does for me).

Which type of MFA is she using? SMS MFA can be compromised, a quick google will reveal multiple ways this can happen.

It sounds like someone has her password, at least, if not also access to her MFA.

B0bbyEwing

Never heard of MFA. Heard of 2FA though so I can't ask her what MFA she's using as she'll probably look as blank as I do right now.

The only time I don't need to enter 6 digits text to my phone is when I've just entered the code. For example, I buy something on eBay - I'll need the text, the 6 digits & then once this is entered if I immediately make another purchase on eBay then I wont need to enter another code. 
Buy something the next day and it'll be a new code. No idea of the timeframe as I'm sure it's only minutes & not hours but just saying what I've experienced myself.

saajan_12

Similar issue earlier this week - I happened to notice a confirmation email for 2 transactions that went through from my Paypal balance in quick succession, which I didn't do. Goods ordered to a completely random address away from me or my family and things I'd never order.

I reported the transactions as unauthorised and changed password. Luckily the transactions were relatively low value and Paypal refunded the amounts the same day. However more concerning, is how come they went through in the first place - considering I have 2FA, had a unique password only used for Paypal, haven't clicked on any email I thought was from Paypal before this.

Have asked Paypal how these 2 transactions went through, or what security features it managed to pass, but no (useful) response yet. 

B0bbyEwing

Seem to be sharing your experience.

PayPal have said no further action required. They've cancelled the transaction.

Well that's not good enough for me. Yes it's my wife's account but it's our money & I want to know how this happened. 

Message sent to them via Live Chat at 8am. Notification will be received when they respond, apparently. 

2:34pm still waiting.

I wonder if we're still using the Covid excuse as to why things aren't happening in a decent timeframe.

flaneurs_lobster

Not a payment issue as such but last week I sent a payment request from PayPal to another of my email accounts (trying to drive a direct debit payment). Email received OK but Paypal shows the request as having been sent to a completely different and completely unknown (to me) person. 

notyourrealname

In reply to BobbyEwing previous post, MFA = 2FA, the M being Multi as opposed to 2, sorry to confuse.

Paypal won't tell you what happened as that would potentially reveal that they have a hole in their security somewhere.

Best way to protect yourself is to change all passwords to unique, strong password and make sure you have got up to date antivirus software installed and scanning your system. 

B0bbyEwing

notyourrealname said:

In reply to BobbyEwing previous post, MFA = 2FA, the M being Multi as opposed to 2, sorry to confuse.

Paypal won't tell you what happened as that would potentially reveal that they have a hole in their security somewhere.

Best way to protect yourself is to change all passwords to unique, strong password and make sure you have got up to date antivirus software installed and scanning your system. 

Is the issue likely to lay 100% with PayPal then? (as in changing PayPal password would be the answer)

Because to start changing literally EVERYTHING is going to be a right ballache. All banks, all websites that are linked to spending money. What a nightmare.

notyourrealname

It's impossible to say 100% as if there was a hole in Paypal's security, they would never admit it.

If she changes her paypal password that should stop that being compromised. 
If the current paypal password is being used for other sites, I would change those as well.

Up to you how far you want to go. Bank sites normally have some sort of 2FA involved but then they are holding access to your money.

Is there a possibility she, or you, or anyone else using that PC has clicked on a malicious link that has led to malware being installed?
I would run a full scan with something like Malwarebytes (free) to be on the safe side.