Tonight, I got several email confirmations for separate €25 PayPal payments to “Skype Communications Sarl”. Thing is, I haven’t used Skype in years. At first I thought it was just another phishing attempt. But the domain on the e-mail checked out. I logged into my account (manually) and saw that multiple $35 charges did indeed go through. How? Was my PayPal account hacked? I changed my password, and then another unauthorized payment went through!

Long story short, it was my Skype account that was hacked. I didn’t even know this, but PayPal has a program of “preapproved” payments where a merchant can repeatedly charge your account without the need to type in your PayPal password. This is meant for monthly subscriptions and the like. Although I have bought credit from Skype before, I don’t ever recall signing up for any of these subscription-style plans at any merchant. My suspicion is that it was buried somewhere in a default checkbox that I didn’t undo, or worse, it was just hidden in the terms and conditions fine print. (I am usually really careful about this sort of thing, so I am quite mad at myself!)
Lesson #1: If you use PayPal at all, check your preapproved merchant list immediately. To find this list, log into your account and then go to My Account > Profile > My money > My preapproved payments. You should see a screen like this:

My recommendation is to make every single one inactive immediately. If not, you should treat your accounts at those merchants as carefully as your bank accounts, because they literally have access to every linked bank account and credit card at PayPal. I had no idea that buying one joke bumper sticker from Zazzle in 2009 could be the equivalent of an open wallet.
Apparently, I’ve been vulnerable for years but I never noticed until now. I bet there are a lot of abandoned Skype accounts with simple or insecure passwords. The criminals gain access, change the linked e-mail and password so the original owner has no access, and can then sell or use the Skype credit. There are also several other reports of unauthorized Skype/PayPal charges on the Skype forums.
Lesson #2: Never use PayPal instead of a credit card to buy things online unless absolutely necessary, usually for eBay. The big thing is that PayPal is NOT regulated like banks or credit cards. There is no federal law that says you are not liable for unauthorized PayPal charges. Instead, they just claim that you are “protected” when in reality they have all the power to decide if you ever see your money again. I had to open a dispute with PayPal online as they don’t have 24/7 customer service (again, unlike credit cards). If I had just used a credit card, even if the number was stolen, I could be confident that I would get my money back in a timely manner. I’ve already had other bad experiences with PayPal, but we’ll see what happens.