It Could Happen to YOU!

I awoke this morning to a rather interesting email.  PayPal was emailing me saying that I had a suspicious transaction posted to my account, and asking me to verify. I almost dismissed it because it appeared to be the quintessential phishing scam, you know, “verify” your account information so that we can make sure you’re really you… etc.

Upon closer examination, things checked out.  It was legit! Independently of my email, I logged into my PayPal account and realized that yes, indeed there was an unauthorized transaction posted to the account.

Amongst the questions running through my head, I thought of my hero “Survivorman” Les Stroud.  First, assess your situation, see what you have available and come up with a plan.  Oh yeah, and remain calm.

Okay, let’s assess the situation, in the least someone got a hold of my credentials for PayPal.  Thinking back over the past few weeks, I only made one PayPal order.  I made it on a friend’s PC.  I remember him saying last night that his PC might have a virus.  It does not take a rocket scientist to connect the dots.  I also thought about what other risky behaviors I have engaged in, more to come below.

Second – let’s see what I have available.  In the least I know PayPal was compromised, if it was due to the transaction on my friend’s PC.  First I activated the PayPal dispute resolution program to get that going so I can get my money back.  But, just in case I went to my bank and put a temporary hold on the account to block any other attempts while I review my login credentials for other sites and reset all my passwords.

Third – I need a plan.  In the short term I will be resetting all of my passwords on any sensitive web login, and closely monitoring my account activity to see if anything else is going on.  A few weeks out I will run a credit check on myself just to be extra safe.  In the long term, I will have to modify a few of my behaviors.

It’s funny, as an IT professional I am and should always be well aware of the things that can go wrong with security.  This was a not-too-gentle reminder of how easy it is to become complacent.  Here are two BIG mistakes I have made in the recent past, things that you may want to be aware of:

#1 – I made a transaction on a computer that was not my own.  I have no idea what type of virus protection my friend had, I also learned today that he is running Windows XP, Service Pack ZERO.  Yes, not even patched… once.  In the future, I will only be making online purchases from my own hardware.

#2 – I have been traveling a lot lately.  While traveling I have on occasion connected to various wireless networks.  Sometimes, I had no idea whose network I was connecting to.  I was so hungry for web connectivity I’d take what I can get.  While connected, it’s easy to forget how vulnerable you are, especially if it’s not your own wireless network.  While I doubt this was the cause of my issue, it very well could have been, and it could have been much worse!

I hope that this little story serves as a reminder – DON’T EVER LET YOUR GUARD DOWN.  We all have much more to lose than a PayPal password.  Keep your online identity safe!

Garry