Where's the hole in this PayPal payment system?

My wife has just come to me saying she had notification to her phone of a payment of over £500 that she hasn't made & she's to dispute it within 24 hours if she never made it (which she didn't).
I told her to go on the laptop & access PayPal that way to see if it tallies - it did.
She has 2FA enabled on her PayPal yet somehow a payment was sent to some Cyber Security company (with an Outlook email address??).
She's cancelled it from within her PayPal but is wanting to know how this is likely to have happened since 2FA is turned on & whether other areas need looking at and strengthening or just PayPal itself. The Live Chat seems to be a slow process but then it is Sunday.
Replies
The way it was looking in her account was that the payment would've gone through had she not cancelled it.
A little concerning that it got that far so obviously would like to know what to change & how to find that out other than the overkill of "everything".
The previous poster is incorrect, MFA on PayPal has to be used for all transactions (certainly does for me).
Which type of MFA is she using? SMS MFA can be compromised, a quick Google will reveal multiple ways this can happen.
It sounds like someone has her password, at least, if not also access to her MFA.
The only time I don't need to enter the 6 digits texted to my phone is when I've just entered the code. For example, I buy something on eBay - I'll need the text, the 6 digits & then once this is entered if I immediately make another purchase on eBay then I won't need to enter another code.
Buy something the next day and it'll be a new code. No idea of the timeframe as I'm sure it's only minutes & not hours but just saying what I've experienced myself.
I reported the transactions as unauthorised and changed password. Luckily the transactions were relatively low value and PayPal refunded the amounts the same day. However, more concerning is how come they went through in the first place - considering I have 2FA, had a unique password only used for PayPal, haven't clicked on any email I thought was from PayPal before this.
Have asked PayPal how these 2 transactions went through, or what security features it managed to pass, but no (useful) response yet.
PayPal have said no further action required. They've cancelled the transaction.
Well that's not good enough for me. Yes it's my wife's account but it's our money & I want to know how this happened.
Message sent to them via Live Chat at 8am. Notification will be received when they respond, apparently.
2:34pm still waiting.
I wonder if we're still using the Covid excuse as to why things aren't happening in a decent timeframe.
PayPal won't tell you what happened as that would potentially reveal that they have a hole in their security somewhere.
Best way to protect yourself is to change all passwords to unique, strong passwords and make sure you have got up-to-date antivirus software installed and scanning your system.
Because to start changing literally EVERYTHING is going to be a right ballache. All banks, all websites that are linked to spending money. What a nightmare.
If she changes her PayPal password that should stop that being compromised.
If the current PayPal password is being used for other sites, I would change those as well.
Up to you how far you want to go. Bank sites normally have some sort of 2FA involved but then they are holding access to your money.
Is there a possibility she, or you, or anyone else using that PC has clicked on a malicious link that has led to malware being installed?
I would run a full scan with something like Malwarebytes (free) to be on the safe side.