Disputing Unauthorized Transactions on Paypal

Abe Olandres Editor-in-chief June 8, 2011 · 4 min read

Listen to article

GCash to replace SMS OTPs with In-App Authentication TECNO POVA 8 5G unveiled: 8,000mAh Battery and AI Features TCL unveils A400 Pro and A400M lifestyle TVs with QD-Mini LED displays HUAWEI nova 15 Max debuts in PH with 8,500mAh battery, IP65 rating, starts at PHP 19,888 UWANT Y100 Steam Cleaner Review

So my Paypal account was hacked at exactly 10:01am this morning. In the many years that I have been doing online transactions, I’ve gotten used to frauds and hacks but this one from Paypal (Unauthorized Transaction) is the biggest so far.

Just woken up before 10am this morning and was checking the blog when I received an email alert from Paypal (thanks to the GMail pop-up alert plugin). The heading says something like “Password Reset” so I immediately logged into my email and check what it was.

Realizing that someone tried to submit a “Forgot Password” request, I went to Paypal and logged in. After 2 failed attempts, I concluded someone got in and changed my password. But how? First came to mind was one of the email accounts attached to my Paypal account was hacked and used to reset the password.

Knowing that my GMail is still working (and is my primary Paypal account), I hurriedly went and did another password reset. Good thing I had my bank account details ready.

After being able to log back again, I found that funds were transferred to another account (that was fast! it only took him minutes). Unfortunately, it was a sizable amount.

The first thing I did was remove all the other email accounts linked to Paypal so the hacker can’t request another password change. I also changed my passwords and details.

I then filed for Dispute with Paypal. I thought this would be easy and will be resolved in my favor. Besides, I am the one claiming the transaction was un-authorized — the burden is on the recipient to prove otherwise. I had confidence it will be alright and done with.

Around 30 to 45 minutes later, I received an email from Paypal stating the transaction is valid. What? The recipient had a Non-US, Un-verified account. Paypal did not give any details why they decided against the claimant (me) and approved the transaction and closed the dispute.

There was no other way to re-open the case so I tried calling Paypal US but the Web PIN they gave me doesn’t work and I could not get thru.

Still thinking of ways to re-open that dispute. Will update once I get things cleared.

Update: Hacker got back again using password reset. They also changed my primary email so I am locked out now (it looks like they added a new email, [email protected], and then made it primary email then deleted my email accounts). Already send an email to PayPal support, DMed @AskPaypal and tried calling the US number many times to no avail.

Update 2: I believe it was my fault that I did not immediately changed my GMail account. It was the one that was compromised although the password on the email was not changed the first time around that’s why I did not suspect the initial breach to come from there. I have since added the 2-step authentication method which also requires a PIN sent thru my mobile phone via SMS.

I also called my credit card company and asked if there were any charges passed on thru Paypal and glad that there have been none. I alerted them of the possibility though and they suggested I monitor it from time to time.

Update 3: After a few exchanges with @askpaypal over Twitter, a Paypal US rep called me last night over the phone and helped me restore my account. I have since gained back my original Paypal account. The 2 fund transfers made are also now under investigation.

Update 4: I just got an email stating that my claim for un-authorized transfer has been denied due to lack of evidence. I thought that after establishing that my account was hacked, it would have been evidence enough. I’m making an appeal.

Update 5: Both of the un-authorized transfers have now been reversed and everything is back to normal. Thanks to Paypal for the quick response and to all those who extended the help (local PR, agency, fellow tweeps and especially @askpaypal). That’s 32 hours from incident to resolution.

React to this article:

hacked paypal account paypal access paypal password unauthorized transaction paypal

Abe Olandres

Editor-in-chief

Abe is the founder and Editor-in-Chief of YugaTech with over 20 years of experience in the technology industry. He is one of the pioneers of blogging in the country and is considered by many as the Father of Tech Blogging in the Philippines.

8,007 Articles

View all posts by Abe Olandres →

242 Comments

NemOry · 15 years ago

I think sya yung sa FRIENDSTER na nakita ko…so what if sya ba yun sir??

Vignet · 15 years ago

Tambangan na natin! Lahat tayo nagtratrabaho dito tapos sila nagnanakaw lang? Mahirap kaya magtrabaho. Parang nagpupuyat ka gumawa ng iOS app tapos bigla mo na lang makikita dinidistribute sa motionbirdmedia.com at iba yung kumikita. Dapat yung mga ganyang tao nilulumpo.

nameless · 15 years ago

Oo! mga sira ulo mga yan. nakukuha na nga nila for free, pagkakakitaan pa nila.

Dexter | Techathand · 15 years ago

Than was bad.. Well what happen to me is another Paypal sad story, which i blog recently.. ( http://techathand.net/a-bad-experience-in-accepting-payment-with-paypal-unverified-buyers-resulting-to-paypal-chargebacks/ ) lesson learned, don’t stock too much money in paypal.

say · 15 years ago

tsk. this is scary. I’ve been a Paypal user for the past couple of years. And to think na yung pinaghihirapan ko e mapupunta lang sa “napakagaling” na hacker. Makes me want to withdraw my money.

Goodluck sir abe!

kebbot · 15 years ago

well i guess the safest for me is to have smart money, use this with your paypal account, before you purchase anything you need to unlock smartmoney and after purchase you need to unlock it again but it will automatically lock after 5 min, i think this is safest way to buy online,and you will know if there is activity on your smartmoney because it sends text message after your transaction.

ekek · 15 years ago

a lot of emails are already compromised. people just dont know it. I’ve been hacked twice on 2 different emails. Im geeky programmer and always careful sa links and virus, pero na hack pa rin.

you just have to reset/change password once in a while.

nameless · 15 years ago

Uh. The hacker is a seasoned hacker i think.. She knows what to do. From my first thought, she might have done this a lot of times already.

James · 15 years ago

Kung Gmail ang gamit mo for Paypal, you should have had the 2 step verification which is available sa Gmail accounts. That way hindi basta basta mapapasok ang Email account mo without the use of your personal mobile phone kasi basing from what I have read I think yung Email ang at fault. kung hindi siya napasok hindi marerest yung password.

Gmail 2 Step verification – googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

James · 15 years ago

not even a keylogger can get in easily kasi kelangan pa ng one time verification key (which would be sent on your phone through sms) everytime na may maglologin from somewhere other than your system. (well unless hawak din ng hacker yung mobile phone mo then that’s another story)…

e30ernest · 15 years ago

If you have a keylogger, you don’t need to login to his GMail account. All you have to do is sniff out the details he typed in when he logged into Paypal.

James · 15 years ago

Read and analyze bro… basahin mo ulit yung post ni yuga… Password reset ang nangyari which means walang access sa paypal sa account niya, only in his Gmail account.

Now if the 2 step verification was in place, kahit alam nung keylogger kung ano yung password and even the Verfication pin na nadetect nung keylogger at that time, hindi pa din makakapasok yung hacker sa account since one time use lang yung verification pin and would only be sent dun sa mobile phone ng owner.

A new login on a PC or Mac or Mobile Phone or wherever would mean a new verification pin (if cookies aren’t saved which is prompted before logging in).

So ma-sniff man ng keylogger yung keys na tinype sa Gmail account which includes the Pin hindi pa din magiging effective since nagamit na yung verification pin na nasniff. A new one would be requested once another login is prompted.

Again… hindi Paypal account ang nahack, its Gmail basing on the situation written above since Password Reset ang nangyari.

Mag-papassword reset ka pa ba kung alam mo na pala yung login details sa Paypal?

e30ernest · 15 years ago

Check your system. You might have a keylogger somewhere there. What OS are you running?

e30ernest · 15 years ago

Also, I would consider calling your credit card company just in case whoever stole your account decides to send funds using your credit card.

Ram · 15 years ago

I also have an ongoing case with PayPal and a “scammer”. This has been ongoing for almost a month now. So, the issue is my so-called client ordered two gadgets from me worth around Php28k (overall). I thought everything went smooth until a week later, the scammer disputed the money she sent to me telling Paypal that she didn’t receive the gadgets.

I know this will be taking more than a month since I have no communcation (not at all) with the scammer; she changed her mobile number.

You might all think that everything will be resolved asap after (me) sending the receipts, proof of purchase, etc. But NO! Paypal has really been unfair to the sellers since they’re more in favor with the buyers. So techinally, Paypal is “safe” IF you’re a buyer. Moreover, I still have to wait a little longer since Paypal has been responding really slow. But if it’ll come a point that I’ll be impatient anymore (which will really come very soon), then I’ll be calling them straight to the US.

But that doesn’t stop there. I’ll be coordinating with my uncle who works in the NBI to track on that scammer. I’m not sure if this is her right address, but I/we already have “something” to start witht he investigation.

And when it’ll be resolved (hopefully), I’ll be spreading the news that FIRST this girl is a scammer and second, Paypal simply sucks bigtime.

Dexter | Techathand · 15 years ago

It also happens to me, and the problem is that i always fail to win the case. I had more than 5 disputes..

Ram · 15 years ago

Did you contact your credit card holder?
Did you report it to any legal authorities?
What made you lose the cases?

Thanks.

Dexter | Techathand · 15 years ago

No.. Actually I am seller of e-load at that time, and there is no way to prove aside from e-mail exchange about our transaction.. here is my story : http://techathand.net/a-bad-experience-in-accepting-payment-with-paypal-unverified-buyers-resulting-to-paypal-chargebacks/

Niel · 15 years ago

I also encountered same case. Kaya d na ako gumagamit ng PayPal. Buti na lang na reverse yung charges sa Credit Card ko.

Steve Jobs · 15 years ago

I used my domain name email for all financial transactions online. st****@apple.com

I don’t trust Free mail service.

paulee · 15 years ago

Sorry about that sir yuga. I’ve worked in a bank in US. I’ve dealt issues with unauthorized transactions and if Paypal is not willing to help, last resort would be calling the bank to dispute it. hope you’ll get your money back.

Dhadha · 15 years ago

This is really SCARY! :(

Otep · 15 years ago

Mas maganda nde free email ang ginamit mo sa paypal… a tip i got from ajvilloria Thumbs up!

chardsnet · 15 years ago

I used paypal dispute system before when I paid a merchant and haven’t received the service. After paypal investigation, they favored my case for the reason of “Non-receipt”. Here is what I received from paypal as resolution of my case:

“We have concluded our investigation into your case and have decided in your
favor.

We were able to recover $10.00 USD and this amount has been credited to
you. Please allow five business days for this adjustment to be posted.

If you are due any additional funds, we will make our best effort to
recover the balance from the seller.

If the seller’s account has insufficient funds to complete the refund owed
to you, please be assured that we will take appropriate action against the
seller’s account, which may include limitation of the seller’s account
privileges.”

Ian · 15 years ago

Google Checkout ang pinakasafe sa lahat. =)

Andre · 15 years ago

call paypal asap, the web pin works, if not you can get through their system. Its the fastest way

merriam · 15 years ago

>Yahoo is hacked the easiest based on my experience.

ANyway, what I suggest is use a prepaid credit card like the one from PSBank in your Paypal. :) Safe! Just “deposit” a small amount like 5k for regular use, then for larger purchases, just make a special trip to deposit the money. Safe.

kolokoy · 15 years ago

paypal is actually safe, the problem is how the intruder hack the gmail account.

” if the hacker know your secret answer, he will change the the password anytime. “

Fleeb · 15 years ago

The issue is with PayPal is always about the dispute resolution and Gmail accounts are besides the point. Regardless of the e-mail provider, it is bound to be gotten around by smart social engineers. That was what Kevin Mitnick was known for – not because he exploited a very insecure system but because he took advantage of the user. Social engineering – look it up.

An example: a buyer paid with a fake CC which PayPal “verified”. Later on it was confirmed that the CC is fake and the seller lost his 52″ TV for nothing. Of course the seller wants his money back. PayPal painted it as the fault of the seller whereas they are the one who made the “verification”. In spite of that (they screwed up with the verification), PayPal do not want to accept they made a mistake and do not want to honor what the seller lost.

That is just one of the many horror stories I read about PayPal.

kolokoy · 15 years ago

true, I agree paypal customer service sucks, email is not the main issue but the problem started on hacked email account. why gmail prone to hacking… etc etc

Lucien Tiojanco · 15 years ago

This is exactly why I don’t recommend using any Google service as the primary or “official” e-mail for any money related account. Google, even Android, is too insecure. I’m glad my Hotmail has never been hacked, because my Gmail, which I used to use for Facebook and Twitter, has been hacked a few times already.

kolokoy · 15 years ago

very true! my girl friend gmail account was hacked many times.

Mike · 15 years ago

I don’t use paypal because they suck. They are one of the worst customer service companies in the world. Just look up paypal in any non-pay-for/advertising objective consumer metric agency. They consistently get among the worst ratings. I don’t understand why so many people keep using them, but by the same token, I don’t really understand why so many people pay to use so many companies that actually work against them. Maybe people are just dumb? Who knows.

Given the amount of hacks reported here alone, I think its clear that there is probably a serious security issue with Paypal Singapore (all of SE Asia is run through a single office in Singapore, so calling the US office is a waste of time). In the past, Paypal ignores these problems till there is a significant media backlash. Part of the advantage when you have a lousy service that stupid people keep using no matter how bad it is, is that you can ignore everyone. and that is what paypal does.

I would suggest you use your media contacts to try and get all these reported hacks here raised by local news. Then have them also talk about Google’s new wallet service in the same story. That should get Paypal to do something. If you’re lucky Chanel News Asia, Xinhua and Al Jezzera might pick up on it.

Phil Soriano · 15 years ago

Very disappointed with PayPal’s very low security! Reading this from a person with high credibility makes me wonder if it’s still safe using PayPal for business purposes… tsk tsk tsk

otep · 15 years ago

I agree. +100

Otep · 15 years ago

Aw sayang naman… that proves na nde safe sa paypal..weeehh… tuwang tuwa cguro yung hacker..malaki laki nakuha nya cguro…

Sana merong ganito sa paypal

dummy account1 <–dito isesend ang pera..
offcial paypal account <— dito ifoforward ni dummy account yung pera.. tapos yung nasa dummy account..buburahin nya after ma send ang pera para nde ma trace…

Red @ Pinoy VIP · 15 years ago

What the heck hacker! Maybe the best thing to do is not to stage large amount in paypal, transfer agad sa bank. @benchmark; i just heard, it’s possible to create multiple account in paypal, using different emails.

Razielle · 15 years ago

That sucks :( Hope you get your money back soon.

UPLB-2008-37*** · 15 years ago

gamitin niyo na lang kasi ang SMARTMoney Mastercard sa pagbabayad online – pwede lang macharge ang card kapag “ini-unlock” mo yung Internet Transactions sa SMART Menu sa phone mo, so kung mahack man yung details ng card mo, as long as hindi mo naman inaapprove via phone, no charge. Nga lang, may limits ang transactions per day, in terms of amount.

Baidu · 15 years ago

thanks for the info abe. good luck!

Fleeb · 15 years ago

When TechTV was still in existence, in one of the segments “Cyber Crime”, PayPal was “featured”. That was nearly a decade ago. Thus, up until now, I do not want to think PayPal is secured. Not really being technically secured, but people might encounter not so favorable dispute resolutions.

Num Lock · 15 years ago

That’s why for any financial matters, I don’t thrust the Internet eeheehehee. I’ll just go the banks and other financial institution personally or I authorized other person to transact personally.

Trina Santos · 15 years ago

Something similar happened to me just last Friday. My credit card was charged $100 through PayPal. Good thing I always check my email so I was able to file a dispute on the same day. PayPal refunded the amount the following day.

qosmio · 15 years ago

my paypal was also hacked for about P48k,

Domar · 15 years ago

@yuga: same here…yesterday my account was hacked at around 9am in the morning by unauthorized transaction from unknown seller…not that much but it means a lot considering that i’ve worked hard for it…i didnt file a dispute coz i thought its nothing as my paypal was left with no balance since monday morning…but i was shocked around late afternoon that another 3 unknown seller appeared on my account and taken all of my money not in my paypal account but on the bank account that is connected with paypal..that was the time i raised a dispute with the unauthorized transaction….on top of that…i didnt noticed that it was a recurring payment till i checked…right now…im waiting for the results tho one of the cases was solved in favor of me….i hope it will be resolved ..not only me but also for the people who is having the same problem..

Jay Castillo · 15 years ago

That sucks bigtime Abe, I hope you’ll get your money back somehow.

Anyway, so the root cause was your other e-mail address linked to paypal got hacked right? Was it a yahoo e-mail address?

I’ve been noticing a lot of of friends with yahoo e-mail addresses that send crappy messages, and I suspect all of them have been hacked.

Bern · 15 years ago

Unfortunately, It is not paypal fault but your email account.

leah · 15 years ago

but shouldn’t the authorization process be under the ‘safety’ measures of Paypal? If this case is new to them, there could have a disclaimer for using an email account or atleast a recommendation. which I’m not sure if it’s already in the Terms & Conditions.

sana makitaan ng resolve sa mga detalyeng kasama nito, yuga. The email account registered or Paypal. aja!

fireball · 15 years ago

scary. i don’t have a paypal account but i am a constant online banking user and online credit card payment. so far no problems and i hope i won’t have a problem! =)

MeetJoeBlackPH · 15 years ago

you can try calling the banks of the accounts that were linked to your paypal account. i think they can still help intercede for you. if you can provide enough details, then a reversal may be in order.

Leah · 15 years ago

Thanks for this! Shox, I’ve been a Paypal user for around 3 years and even referring this to my friends who are careful to use their credit cards. It’s the (seemingly) safest payment gateway by far. Hope to find an alternative to this one.

Rob · 15 years ago

Thanks Yuga, This will serve as an eye opener to online selling sites owners that uses paypal as one major ways to recieve payment.

alwin · 15 years ago

uh-oh… good luck abe. be ready for a battle!

Logo Design · 15 years ago

Try calling the US phone number again but when they ask for a web pin or anything else, just hit “0” 7 or more times. Do this 3 times and then they will ask you what you are calling about and put you through to an operator.

Good luck!

harley mah-son · 15 years ago

that is scary! i really thought that is is the safest!

i hope things will be okay! all my prayers to you sir yuga!

deuts · 15 years ago

I so thought too Paypal was safe. Had to reconsider using them.

jun · 15 years ago

wow.. thats bad.. so maybe it is better if we withdraw our account on paypal.. after we had transaction..

randz · 15 years ago

that sucks.

benchmark · 15 years ago

pede bang dalawa yung email address sa paypal? Di ba isa lang pede i-register dun? Nako….I think I have to deactivate my paypal account….teka…I have to na nga….it scares me…perhaps tama bro ko, hackable ang paypal. tsk tsk tsk