The other day I was online to check the activity of one of my credit cards, and found a five-figure charge which came through
PayPal. This was a purchase I had not made, and I immediately understood that somehow, someone had hacked the account number.
Whether it was an online or offline theft, I currently do not know, but since the account number was relatively new, I do not have too many possible sources to investigate. In addition, I discovered the theft four
days after it occurred, and about two weeks before I would have normally been sent my current account statement.
I immediately called PayPal about the charge, and was informed that my account was red-flagged as a suspicious purchase; however, as mentioned above,
the charge did go through to the credit card company. PayPal informed me of two facts: 1) the charge would be reversed or cancelled, and 2) the name of the
purchaser, which appears to be that of a Vietnamese individual (because of the spelling), although it might also be Korean. PayPal fraud prevention
personnel are currently investigating the incident.
I notified my credit card company, which was informed of the fraudulent activity by PayPal, and which is issuing me a new account number.
I was happy to see that PayPal flagged the account to prevent further activity. I have a couple of merchant accounts with PayPal, and have always been
very satisfied with the company. In this incident, they did the right thing, except that, since the purchase was suspicious, I should have been immediately
contacted by PayPal re: the legitimacy of the purchase and user.
In 1994, when I was in Panama, I used an American Express card to purchase some items, and before the purchase went through, the shop keeper was contacted
by Amex security and was asked to speak with me in order to confirm that I was the authorized purchaser - a process which took about twenty minutes. As a
security consultant, I was, to say the least, impressed with Amex's security awareness. So if Amex was able to perform this service via telephone, my
question is, why couldn't PayPal have contacted me by phone or e-mail? Other than that, as I previously stated, what they did do was fine.
The point of all this is two-fold. Online purchases using secure transmissions are fine, though, since I can only assume that the account number was hacked
online, they may not be 100% effective. On the other hand, the theft could have been done by a person working for the credit card company or other source
initially receiving the account number for purchases made, meaning, of course, that one of the security weaknesses might lie in the human sector (hiring
procedures), rather than on the technological side.
In addition, let this brief story serve as a reminder of the value of accessing your credit card information online. Regularly check all
purchases at least once a week, depending on the frequency of your card use. Do not hesitate to contact sellers and your credit card company whenever
you know or believe a problem exists. And when and if possible, press for the prosecution and conviction of anyone found to have committed credit
card fraud/theft. Everyone - sellers, credit card companies, and buyers - will appreciate that effort.
For more information, contact joec@cgroup.com