
PayPal Account hacked after purchase from Hobby Search


Fenway Park


Hi

A friend of mine set up a new account with HS and, following his purchase, received various e-mails from PayPal to say there were several subscriptions taken out on his account.

 

He has had no trouble in the past and this would suggest that HS have poor security.

 

So what to do next?

Link to comment

But many accounts that get hacked have very poor passwords.  That doesn't entirely let the user off the hook.  I think the hackers are far ahead of the rest of us.

Link to comment

fenway,

 

So did he set up the PayPal pre-approved? Were these subscriptions from somewhere else? Were they charged back to HS or other folks?

 

jeff

Link to comment

Hadn't there been a server-side security issue on HS a few years ago where their database was compromised? My experience with the Japanese IT sector doesn't go a hell of a lot further than their use of their credit card system. I recall many purchases made w/ my CC while in Japan where the receipt still printed out the full CC#. Overall, I found Japanese security protocols on all levels are lacking compared to the west.

Link to comment

Yes, their secure server was hacked for CC numbers about a year ago. Can't remember if it was one they ran or one that their merchant account provider ran. They then went to PayPal. They sent out warnings to affected customers and had it on their home page.

 

hopefully we can get some more intel from fenway about what and how it happened so we can watch to see if this was a larger break in or just a single account hacked.

 

more and more keystroke logger viruses out there looking for good account info and sending it off to the bad guys.

 

cheers

 

jeff

Link to comment
Fenway Park

Sorry I have put this in the wrong section. I will try and find out more information as it is of some concern.

Link to comment

It's true they got hacked, but in the case of PayPal HS do not store your password; they only get you to accept a subscription with them that lets them automatically request a payment from you without you accepting it.

 

This is definitely from a keylogger on your friend's PC.

Link to comment

keitaro is probably correct.  Keyloggers are difficult to detect sometimes.  Another possibility is that your friend uses the same password in many locations - bank, paypal, forums, etc. and perhaps a forum or another site got hacked.  Here's a few things to note to help prevent hacking:

 

1. Keyloggers can record a mouse-click, but not where that mouse-click was.  They might get the coordinates if the logger is very sophisticated, but not what was displayed at those coordinates.  Keep this in mind for the next few tips.

 

2. Whenever you open a sensitive site, drag the window to a different part of the screen so that it isn't in the same place every time you log in;

 

3. Don't always fill in the details in the same order.  For example, type a few characters of the password, then a few of the log in name and alternate between them;

 

4. I open a copy of notepad and click in there and type a few dummy characters just to mix it up in the middle of typing the password and log in name on sensitive sites and when entering credit card details;

 

5. Keep separate passwords for social media, on-line shopping, and banking.  That means you need three current passwords;

 

6. Change your passwords at least annually.  Seriously.  Set aside a few hours one night to go through every site you use and make the changes.  I do mine twice a year;

 

7. Keep a password document encrypted where you list all your passwords.  It must be encrypted.  You can get an app or program that does this or you can encrypt a Word document;

 

8.  My personal favourite tip: use a full sentence password, remove the spaces, corrupt the sentence, and then replace some of the letters with similar looking keyboard symbols.  For example, "A bird in the hand is worth two in the bush" becomes "Abirdinthehandisworthtwointhebush" with no spaces. I corrupt it to "Aherdinthebandisworthboointhetush" and then I replace some of the letters with other similar keyboard characters, for example an "e" can become a "3", an "i" can be replaced with a "!", an "s" can become a "$" or a "5" ... but don't replace all "e"s ... eg: "Ah3rd!nthe6andisw0rthb0ointhetu$h" ... this is an example only, it's never actually been my password.

 

When a friend taught me step 8 I thought he was a lunatic.  However, it wasn't long before I was doing it myself.  Then, back in your password document, you only need to store "A bird in the hand is worth two in the bush".  For the first week or two it was a bit clunky and I was having trouble remembering which letters I substituted.  I'm pretty good at it now though.

 

Despite all of this, I've had my credit card details stolen from an on-line shopping site before. 

 

Cheers

 

The_Ghan

Link to comment

Yes, HS has had issues with CC details having been hacked into, but I haven't had any issues with PayPal usage. But please be aware of what you get in your inbox when the so-called e-mail is from PayPal. Most of them are phishing e-mails and have a wrong website connection which has nothing to do with PayPal, and that is how they trap people.

 

PayPal says that they will always send e-mail with "Dear (person's name)", not "Dear customer", in their e-mail.

 

So make sure that the e-mail is not a phishing or fake e-mail with an incorrect weblink.

Link to comment

HS had issues ... they no longer store credit card details.

 

Linkey raises a good point: if you ever get an email from your bank, ebay or paypal asking you to check or update your details do not click on the link.  Go to your regular banking site.  My bank doesn't send emails of this kind.  Most don't.

 

Cheers

 

The_Ghan

Link to comment
