PayPal fraud

2

Comments

  • born_again
    born_again Posts: 14,335 Forumite
    First Anniversary First Post Name Dropper
    Make sure you have 2 step verification set up as well.
    Life in the slow lane
  • Exodi
    Exodi Posts: 2,856 Forumite
    First Anniversary Name Dropper First Post Combo Breaker
    Make sure you have 2 step verification set up as well.
    The OP seems to imply they have 2FA set up:
    mitch2509 said:
    Exodi said:
    I'll ask some direct questions, since Paypal seem to suggest the payments were authorised - does anyone know your account details (e.g. login/password). Do you have 2FA set up? Anyone in your house have access to your mobile device, e.g. kids.
    i have the the things you mentioned in place and none of them were triggered when they made these transactions, I’ve questioned PayPal about that and they said they don’t always trigger
    But on your recurring point, and if I may speak openly:
    mitch2509 said:
    Just FYI PayPal told me that there security protocols don’t always kick in so I said even if 2 transactions of the same amount are made and they said no especially at this time of year because it’s no uncommon. PayPal is not as secure as they would have you believe.
    To continue along the lines of what RefluentBeans said, I think there is a difference between your interpretation of what Paypal is telling you, and mine.

    I do not believe PayPal's 2FA security systems just casually 'don't always kick in' based on chance, or that PayPal would non-nonchalantly tell you this.

    Data is constantly captured about customers that might influence whether 2FA will activate. Whether it is trusted devices (e.g. adding a phone's device ID to a 'whitelist'), an IP whitelist (e.g. logging in from a certain location), cookies from a recent session, etc.

    As an example, I can login to my Vanguard investment account on my phone without 2FA activating. If I try to do the same on my work laptop, I am prompted to enter a code that has been text to my phone. Behind the scenes, Vanguards 2FA algorithm has deemed that the login through my phone is secure, whereas my work laptop my not be.

    I could interpret this as being random that one prompts and one doesn't, but I know it's anything but random. Being blunt, it's hard to believe PayPal, a company that handles the transfer of well over $1 trillion a year would have a 2FA system that activates completely randomly depending on if you're lucky or not. I think the former is the case, but it was easier for the Customer Service team to say 'it doesn't activate 100% of the time' in response to your question about how a foreign login could happen with 2FA set up.

    Have you contacted Argos? Could you possibly get the order details from them - as you paid for it.
    Know what you don't
  • born_again
    born_again Posts: 14,335 Forumite
    First Anniversary First Post Name Dropper
    2FA kicks in on every PP purchase I make. 
    Asks for a generated code, refreshes every 30 seconds, to be entered from selected authenticator app. To approve purchase.
    Life in the slow lane
  • Exodi
    Exodi Posts: 2,856 Forumite
    First Anniversary Name Dropper First Post Combo Breaker
    2FA kicks in on every PP purchase I make. 
    Asks for a generated code, refreshes every 30 seconds, to be entered from selected authenticator app. To approve purchase.
    Don't get me wrong, I suspect formal 2FA is not enabled, but I just meant to point out the OP has suggested it is on.

    Unfortunately I'm probably too sceptical on the OP's situation, having been through the same myself and it turning out a family member was involved.

    In any case, it totally sucks that the OP is out of pocket quite a considerable amount. If it was me, I'd be extremely proactive with Argos to deal with it. They will have the delivery address, and if quick, you may be able to stop it in transit since you paid for it. Most scammers don't order physical goods to be delivered because it adds significant risk.
    Know what you don't
  • I think it’s also worth pointing out that it also depends on the merchant. Whilst if it’s a new merchant that I haven’t purchased from/I ‘checkout through PayPal’ that seems to generate the 2FA pretty routinely (99times out 100). However if I have an agreement already it doesn’t. For example - my Uber account has my PayPal account linked, as does my Microsoft account (for Xbox game purchases); neither of which require 2FA. I’m sure behind the scenes these are treated as ‘safer’ transactions. 

    In an ideal world there would be multiple 2FA occurring, but as any e-commerce person will tell you, the more barriers you put in place the more likely the customer will fail to complete the purchase. Simply requiring a customer to create an account can reduce sales by up to 1/3 - hence why guest checkouts still are fairly common place. Thus, I would imagine there is a threat analysis done based on cookies, browser information, and customer information that will dictate if the purchase is ‘safer’ or ‘riskier’ with different people having different thresholds for that. 

    Taken together, I think if the Argos account was already linked to the PayPal account, and is used at least semi-regularly, on the ‘normal’ browser and device, it may not flag as suspicious. Additionally it is less likely that there would be 2FA set up on a website like Argos than PayPal. 

    Cloning browsers is possible - and as is mimicking device ID’s and system information. But that is a fairly sophisticated attack, normally reserved to bypass corporate security systems (to beat 2FA) as it often requires a double attack - a phishing attack to get a recent copy of the browser and then the actual attack. Given the relatively small amount of money, I’d imagine that this is less likely to be the case. Of course you should still change all your passwords for all your accounts (especially if you have automatic filling of passwords enabled). This said - I still would at least check with your household to make sure someone hasn’t accidentally used your Argos account and forgot to change the payment information. To me this is more likely to be the case than someone cloning your browser for two small stake purchases from Argos. 
  • born_again
    born_again Posts: 14,335 Forumite
    First Anniversary First Post Name Dropper
    Is Uber listed in the pre-approved payments section, which would make it a subscriptions. Which do not require 2FA?
    Life in the slow lane
  • Is Uber listed in the pre-approved payments section, which would make it a subscriptions. Which do not require 2FA?
    Potentially. Had it from numerous other merchants too, who couldn’t be argued as a subscription payment. 

    Fundamentally - what I’m saying is that the OP having two smaller transactions was either a test transaction by hackers before a big purchase; or more likely that a payment was verified recently on a device and someone purchased something in the same device. The hacker scenario is unlikely as it would be a very sophisticated attack to steal a very small amount of money (or if a test transaction, normally the big transaction comes straight away to prevent the victim from being able to do anything). I think that’s very unlikely, but either way all of the OP’s accounts may be compromised, and so they all should have their passwords changed, even if it’s just for the peace of mind. 
  • Thanks for your reply’s I’m still waiting for PayPal to finish “investigating” so no real update yet.

    i have shipped at Argos before using my PayPal account and that is the reason it didn’t trigger f2a according to them BUT the Argos order wasn’t made using my Argos account I know this because I’ve checked.

    at the time the orders were placed I was at home and so were my phone and iPad both in my possession so it wasn’t done that way, there’s only one family with any possibility of doing this to me and I would never give him my details .

    it might help if PayPal would give me a tiny bit of information but they won’t so I’ve don’t a SAR request to see if that sheds any light.

    i can tell you it’s not looking good because it was a click and collect order so I’m not sure how I prove it wasn’t me but I’m happy to go to the financial ombudsman if I have to and see if I can get anywhere that way.

    ive been with PayPal almost 20 years and my account has always been in good standing but that doesn’t mean anything to them either.ill be closing my account which ever way this goes as soon as i can because if this had been done with my bank it would have been sorted by now.

    The thing that makes me the most upset is that i called them the second this transaction showed up on my account(i got emails) and they wouldn’t stop the transactions if they had it would have saved a whole lot of trouble.

    in the end I’m a single mother of 4 who works extremely hard but i dont have £950 to spend on someone else’s Christmas 

    thanks again 
  • born_again
    born_again Posts: 14,335 Forumite
    First Anniversary First Post Name Dropper
    How are the paypal funds taken from your bank account?
    Life in the slow lane
Meet your Ambassadors

Categories

  • All Categories
  • 343K Banking & Borrowing
  • 250.1K Reduce Debt & Boost Income
  • 449.6K Spending & Discounts
  • 235.1K Work, Benefits & Business
  • 607.8K Mortgages, Homes & Bills
  • 173K Life & Family
  • 247.8K Travel & Transport
  • 1.5M Hobbies & Leisure
  • 15.9K Discuss & Feedback
  • 15.1K Coronavirus Support Boards