Paypal

Anyone had trouble similar to mine. Opened Paypal account in March 2007, never used the account except for account and bank verification. Out of the blue last Thursday had email would I confirm that I had changed my password. Rang them querying this. Nothing they could do. Then email showing three purchases 2 in US and 1 in Germany. Rang again, stated they would investigate. Then received several more emails telling me I had changed my security questions and email address to:
creamspice20@aol.com

Now to start off, I can understand them getting my email address, easy. But how did anyone outside of Paypal manage to break an ALPHANUMERIC password of eight letters/numbers.

I cannot of course get into the account and Paypal state they cannot either, only set their investigation team on it which will take about 10 days.

Anyone out there got any answers, suggestions or similar experiences?

why would you be ringing them? use the site to investigate or make complaints, thats the way its designed. if such a thing ever happens again, do not pick up the phone, they arent set up to deal with security issues that way, they arent a bank. log in, if possible. if not, follow the appropriate security links to report the problem. the account would have been locked immediately if you had done that.

its quite possible that your account got somehow mixed up with someone else's. it has been known to happen. paypal is secure, so its very unlikely someone hacked them.

Red if I had been able to go the route suggested I would have done, it was not I was locked out of the account and the only way left was a phone call. I could not even access the complaints dept I WAS LOCKED OUT due to change of password, security question changes and finally email address changes. I had to ring them this morning again as I received charges from my bank where Paypal had allowed the fraud to continue by taking money from my bank account and placing me overdrawn.
You say that Paypal is secure, sorry but in my expereince this is not the case, and their response is going to be 10 days. I thought we were in the electronic age, but when it f........up it really f......up

PS You say they are not a bank, sorry to have to inform you but in EUROPE they are registered in Luxembourg as a bank!!

fOR YOUR INFO RED........

From 2 July 2007, a new PayPal company, PayPal (Europe) S.à r.l. & Cie, S.C.A. (PayPal Luxembourg), will become the service provider for PayPal in the EU. This is a Luxembourg entity regulated as a BANK by the Commission de Surveillance du Secteur Financier (CSSF), the Luxembourg equivalent of the FSA. PayPal Luxembourg will provide the PayPal service throughout the EU.

Going to hand this one over to my girlfriend. She's had years of practice monitoring my internet usage and breaking into my stuff to make sure I'm not cheating!! (I'm not lying) Here she is: I find that once you have a person's e-mail address it is often easy to request a password or password change and from there change the e-mail address. Back to me: Why don't you break back in using ole creamspice's email addy? Maybe do some old school email bombs from spoofed email addy's and sign cream up for lots of porn/spam. Hey, making your life hell, why not return the favor. Might be able to get some info out of AOL with a carefully placed phone call and a good lie. Other people aren't doing it for you eh?

as yes, europe. home of the cctv and other lack of privacy issues, as well as the russian crime syndicates


yeah, the problem wasnt with paypal, or there would have been a big ass announcement of their servers being compromised, etc. someone obtained your user name and password from you or someone else who has it, or simply bruteforced it. as he said, if someone accessed your email account, that would do it as well. probably the easiest way to go, in fact, since they tend to be less secure.

this is the text i get without logging in if i try to report a problem. its followed by the usual page requesting specific details. no log in required to report a stolen account.

Unable to log in?
If your password has been changed or you cannot log in to your account, you can still file a claim if you suspect any unauthorized use of your account.

POnix
Fine thoughts, but I think after that sort of action Paypal would be hard pressed to take you seriously that it wasn't you mucking about all the time!
However I would rather have someone knock on his door (He left a name and address in Arizona) and when he answers the caller says, "FBI come with us." Much more pleasing to me.......
Has a damned good effect on his pants as well......you know what I mean!

Red
Russian Crime syndicates operate in Russia, last count that was not in Europe!
Fine, I do not bandy about or give my passwords to ANYONE.
My computer is pretty secure, (I am only user) nobody else in the house except the cat.have I now got to grill her?
You say 'bruteforced it' Are you saying an Alphanumeric password can be broken (I would like to know how please?)
How the hell do you operate and keep your email address out of reach?
I tend to think the Europe interface my differ from US as the email specifically requested I phone them. Turns out its Paypal in Dublin.
You also state that if they have your email they can obtain password......I thought you stated earlier they were secure.
Heard back from Paypal yesterday, they found the person responsible he admitted to stealing my credit card details. Therefore I would tend to think that is how he accessed Paypal account. Luckily or not I had cancelled the credit card 7 months ago when the bank informed me of suspicious activity.
So Red is this how it happened then?
Would like to know answers to the above for future possible use of Paypal. Just so I do it right.
Thanks for all your help.

a bruteforce paypal password cracker would have to be a cleverly written program to insert text and hit "enter" on the page. I'm sure it could be done programmatically. From there you just have to have a password list (usually the dictionary in a text file) and it tries them one by one. Hence the name "bruteforce". Of course you have to give out your email address. Just make sure you have a STRONG password. The definition being a password with 12 characters of letters, numbers, and the occasional symbol &. With a strong password on your email then I don't think you will have to worry about problems like this in the future. The only other explanations would be that someone was intercepting your tcp/ip packets back and forth from paypal but this is unlikely and the whole process should be encrypted. If someone has your credit card details they can use the card but this was most likely some investigation on the criminal's part into your life based upon the information at his disposal. You should ask him yourself =p

POnix
TVM for information. It would seem that passwords are not as secure as I first thought. No doubt you heard the Government here 'lost' 25 million peoples details on two CD's. There was a TV program last night looking at this and computer security. Experts got the presenter to burn a CD and put a password (Alphanumeric) on it. His computer broke the password completely in 16 minutes 13 seconds. If a computer experts have access to this type of software then so do hackers and others I would guess?
Red
Any advice on password security from your point of view, would be grateful for any advice from any quarter (Including the odd hacker or two!!)

i dont do this even though i should:
it is recommended that you change passwords on a regular basis from once a week to as little as once a month also changing user names at the same time as this makes it harder to crack a persons stuff.
i read that in a magazine that had an article about a rock star who was being stalked by a fan who worked at los alamo's facility in new mexico.