Skype ignores PayPal siphoning hijack scheme
The phone company without a phone
One day last month, when Klaus Zimmerman tried to log into his Skype account, he got an error message indicating his username and password didn't match. Concerned something was awry, Zimmerman, a computer repairman living in Wexford County, Ireland, phoned his brother and asked him to check his online status.
"I saw you on earlier, but your picture was gone," the brother reported. "You're now listed as living in Germany." On top of that, the person logged in was no longer answering the brother's queries.
Forum threads here, here and here and Google searches here and here suggest Zimmerman's experience is by no means unusual. The Register has contacted many victims, and a common pattern has emerged. Around the same time the victims are locked out of their accounts, they receive emails indicating their PayPal accounts are being charged for funds that are credited to the purloined Skype accounts. Frantic emails reporting the problem remain unanswered for weeks or months by Skype and PayPal representatives.
"Basically, you get a generic email saying 'Sorry you're having problems with Skype, we'll try to solve the problem,'" says Dave Ballard, a Newfoundland, Canada-based graphics artist, whose account has been inaccessible for five weeks. The eBay powerseller adds: "This is just not right because it's costing me thousands of dollars."
The account contained more than 200 contacts of people Ballard has done business with. Because Ballard didn't back up the contacts, they will be permanently lost if he remains unable to access the account. (An earlier version of this story incorrectly said Skype doesn't provide a means to back up contacts. In fact it does, by going to Tools > Advanced > Back up contacts to file.)
Ballard says he sent Skype's support team 34 emails, one each day since the account was hijacked, but never received a live response. Late last week, a Skype rep contacted him to acknowledge the problem and offered him a refund. He remains locked out of the account he's used for three years.
The rash of Skype hijackings come on top of a separate issue in which PayPal users are debited for Skype services they never ordered. Since reporting the problem in June, Vulture Central has been inundated with email from readers who say they too continue to experience mysterious Skype charges.
The Register has repeatedly contacted representatives from eBay, PayPal and Skype, but at time of writing, none of them were able to discuss whether company officials are aware the of the glitch or what they're doing to fix it. Shortly after this article was published, a Skype spokeswoman email a statement that read:
"We are continually working to educate our users on how to protect their online accounts and take precautions to prevent as many of these fraudulent transactions as possible. Unfortunately for some users we cannot get back to them as quickly as they'd like but we are doing our best to make our Customer Support as effective and efficient as possible."
We're still trying to understand how the attackers are commandeering the accounts. There are no reports of phishing emails or other attempts at social engineering. And the Skype client encrypts usernames and passwords during the login process, making a man-in-the-middle attack unlikely. If your account has been hijacked, please post the particulars as a comment to this story, or contact the reporter using this link.
In the meantime, Skype users should consider reconfiguring their account so it's no longer possible to automatically debit money from PayPal accounts or credit cards.
Several of the victims work in the information technology industry and say they take pains to use strong passwords and log in to their accounts only from secure machines located at home.
"I'm fairly IT savvy," says James M. Fahey, a Boston resident who recently found $40 worth of Skype charges debited to his PayPal account. The strange thing, he says, is that the credits were added to someone else's Skype account, not his. When he sent emails protesting the charges, a representative insisted the account that was credited was the one Fahey had been using for years.
Fahey was unable to persuade the representative, even after he sent screenshots proving the account under his control hadn't been credited, so he decided to delink his credit card from the account and drop the matter.
"It just blows me away that Skype doesn't respond or make corrections to what's going on," he says. "It's a phone company, but they don't have any phone number to respond."
Indeed, the only victim we've talked to who has reported a satisfactory outcome is Zimmerman. Several days after we first spoke to him, he reported receiving an email from a Skype representative informing him his account had been been reset. Within two minutes, he had regained control of the account, but was saddened to find all his contacts missing.
While he's glad to be reunited with an account he's used for years, he says the experience has him looking over his shoulder.
"My identity was used for God knows what," he says. "Maybe at some point, I'll get some nasty email saying, 'Weren't you the one who did such and such?'" ®
Sponsored: Network DDoS protection