« This Should Be Illegal | Main | New Year/Old Tricks »

December 20, 2005

Last month I related my experience with PayPal when my account failed to let me into it. Well, it happened again yesterday, and with the help of the support rep at PayPal, I found out a little more.

Last time I attributed the hangup to a glitch in their system. That doesn't appear to be the case. After more digging, we discovered that someone (or multiple someones) had been attempting to log into my account during the past month. As before, when PayPal sees ten bad password attempts, it blocks the account, even if you have the right password.

The knee-jerk reaction from the support rep was to have me change my password. But, I advised my friend from the other side of the planet, the fact that my account is blocked means that my password hasn't been cracked, and that it offers good protection for my PayPal account. Instead, I suggested that the best solution is to change the email address (which is the login ID) on the account. If I change the account to an unpublished (and unspammed/unphished) address, that should end this recurring problem. I've done so, and we'll see how it goes.

That leaves one unanswered question: Why was someone targeting my PayPal account. Is it something personal, or a routine thing that happens a lot? I would guess that most PayPal customers have only a single email address. If that address is a known, live address, and if that person has a PayPal account, then half of the login combination is known to every e-crook on the planet (requiring an email address as a login ID is a controversial practice, but that's the way PayPal does it). At that point, your only protection is a strong password (I provide guidelines in Spam Wars).

I would think that if there were widespread attempts to log into random email addresses at PayPal in hopes that an address owner is a PayPal customer, this blocked account business would be quite rampant, and PayPal would have a horrendous customer support problem on their hands. Given the response I got from the customer support rep this time, I don't believe PayPal is experiencing this in significant numbers.

Therefore, I'm beginning to think the attacks have been personal—or at least relatively so. It's quite possible that my phishing reports (which usually include a complete copy of the phishing email message) have gotten back to a phisher or one of the gangs. They took the calculated (and, unfortunately, temporarily successful) gamble that I had a PayPal account with the most commonly phished email address as the login ID. Fortunately, my password kept them out of the account.

And now they don't even have the login ID. Phhbbbbt!