November 08, 2005Adventures in Paranoia
One of the sides ("up" or "down," I can't figure which) of keeping a close eye on Internet scams and attacks is that I'm hypersensitive to things that just don't seem right. With such ample evidence that "they" are really "out to get" everyone, the slightest inconsistency or unexpected behavior causes all kinds of alarms to go off in my head.
Such was the case several weeks ago when I tried to log into my PayPal account.
I accessed the site by typing the secure PayPal address in my browser, and verifying that not only was the connection secure, but the encryption certificate looked correct. The site correctly read the browser cookie and had my PayPal ID pre-entered into the log-in field. This is another, albeit loose, confirmation that this was the real PayPal site.
I next entered my password. I don't let browsers automatically save and enter passwords to sites containing personal info on the outside chance that someone could steal my computer.
To my surprise, however, the site rejected my ID/password combination. Thinking that I perhaps made a typo in the password (it's a finger-twister), I tried again. No go. I toggled the CapsLock key on and off again, and tried once more. Nope.
By this time, bells and sirens are going off in my head, and my heart rate certainly jumped several notches. Had someone somehow gotten into my account and changed my password? Everything had worked fine a couple of weeks earlier when I made a payment through PayPal. What the fudge?
In the denial page is a link you can click to have PayPal email you a link to reset your password. To get that far, it turns out, you have to take a little identity test that includes portions of information that PayPal would have known from your original registration—not something that a crook could guess at. That looked legit to me. My last concern was that if a crook had gotten into my account, he or she would have changed the email address to deflect notifications away from me. If I "aced" the identity test and didn't get a quick email message, then I'd know the account had been cracked.
Lo and behold, I did receive a message from PayPal. Checking the message's headers, I confirmed that it really did come from PayPal, and I followed directions to get to a page where I could log on and reset my password.
Upon reaching that page, I thought I was going to stroke out. In the very first sentence of the page was a typographical error ("your" for "you"). Was this whole thing some elaborate charade? To what end, other than to gain control over my account?
Enough of the Web stuff. I wasn't going to enter another thing into a Web page form. Time to talk to a human being. At this point, I wondered if I could trust anything I was seeing at this so-called PayPal Web site. But I thought I'd give the support phone number a try, and see how things sound.
After more identity affirmations (they supplied some of the info that they had on file), I felt assured that I was really talking with PayPal. The support rep was quite well-equipped to help out. She could see the record of my login attempts (and none others), but didn't have an answer to why my password didn't work. To her credit, she expressly refused to reveal my password (I didn't ask for it—I already know it). That made me feel good.
We went through the "forgotten password" email sequence again, and I showed her the typo on the page that caused me to start behaving like the South Park character Tweek. Continuing on, when I tried to reset my password, the system wouldn't let me. Now she was perplexed, and placed me on hold. She had explained to me that their system monitors login attempts with bad passwords. When there are too many such attempts, they block the account. It made me wonder if someone had, indeed, tried to gain unauthorized access to my account, although she didn't see any login attempts other than mine.
After a few minutes and an apology for the delay, she asked me to try again, et voilà, it worked. I don't know what they did, nor what kind of glitch blocked access to my account. I asked, but she was not forthcoming—perhaps for the best.
All systems appeared normal, and there had been no unusual activity in my account. Under the heading of "trust, but verify," I kept a daily watch on the account (as I already do for my credit card). The crisis has passed without further ado.
This incident reminded me of my physician brother who, dozens of years ago, was about to undergo surgery to remove a small lump. His medical training taught him all the things that it could be, and that knowledge terrified him. Fortunately, the mass was completely benign, and there was a happy ending. Although not life-threatening, my PayPal situation could have been an indication of identity theft, something I'm not eager to experience and rectify. Having read about security breaches beyond the consumer's control, and having seen firsthand how far crooks will go to trick Internet users, I was terrified that I was perhaps a victim. Meanwhile, millions of Internet users are oblivious to the dangerous junk that slips into their computers without their knowledge (e.g., the stuff that installs from Sony BMG music CDs when played on a PC). Now that's terrifying.Posted on November 08, 2005 at 01:46 PM