Skype ignores PayPal siphoning hijack scheme

One day last month, when Klaus Zimmerman tried to log into his Skype account, he got an error message indicating his username and password didn't match. Concerned something was awry, Zimmerman, a computer repairman living in Wexford County, Ireland, phoned his brother and asked him to check his online status.

"I saw you on earlier, but your picture was gone," the brother reported. "You're now listed as living in Germany." On top of that, the person logged in was no longer answering the brother's queries.

Forum threads and Google searches suggest Zimmerman's experience is by no means unusual. The Register has contacted many victims, and a common pattern has emerged. Around the same time the victims are locked out of their accounts, they receive emails indicating their PayPal accounts are being charged for funds that are credited to the purloined Skype accounts. Frantic emails reporting the problem remain unanswered for weeks or months by Skype and PayPal representatives.

"Basically, you get a generic email saying 'Sorry you're having problems with Skype, we'll try to solve the problem,'" says Dave Ballard, a Newfoundland, Canada-based graphics artist, whose account has been inaccessible for five weeks. The eBay powerseller adds: "This is just not right because it's costing me thousands of dollars."

The account contained more than 200 contacts of people Ballard has done business with. Because Ballard didn't back up the contacts, they will be permanently lost if he remains unable to access the account. (An earlier version of this story incorrectly said Skype doesn't provide a means to back up contacts. In fact it does, by going to Tools > Advanced > Back up contacts to file.)

Ballard says he sent Skype's support team 34 emails, one each day since the account was hijacked, but never received a live response. Late last week, a Skype rep contacted him to acknowledge the problem and offered him a refund. He remains locked out of the account he's used for three years.

The rash of Skype hijackings comes on top of a separate issue in which PayPal users are debited for Skype services they never ordered. Since reporting the problem in June, Vulture Central has been inundated with email from readers who say they too continue to experience mysterious Skype charges.

The Register has repeatedly contacted representatives from eBay, PayPal and Skype, but at the time of writing, none of them was able to discuss whether company officials are aware of the glitch or what they're doing to fix it. Shortly after this article was published, a Skype spokeswoman emailed a statement that read:

"We are continually working to educate our users on how to protect their online accounts and take precautions to prevent as many of these fraudulent transactions as possible. Unfortunately for some users we cannot get back to them as quickly as they'd like but we are doing our best to make our Customer Support as effective and efficient as possible."

We're still trying to understand how the attackers are commandeering the accounts. There are no reports of phishing emails or other attempts at social engineering. And the Skype client encrypts usernames and passwords during the login process, making a man-in-the-middle attack unlikely. If your account has been hijacked, please post the particulars as a comment to this story, or contact the reporter using this link.

In the meantime, Skype users should consider reconfiguring their account so it's no longer possible to automatically debit money from PayPal accounts or credit cards.

Several of the victims work in the information technology industry and say they take pains to use strong passwords and log in to their accounts only from secure machines located at home.

"I'm fairly IT savvy," says James M. Fahey, a Boston resident who recently found $40 worth of Skype charges debited to his PayPal account. The strange thing, he says, is that the credits were added to someone else's Skype account, not his. When he sent emails protesting the charges, a representative insisted the account that was credited was the one Fahey had been using for years.

Fahey was unable to persuade the representative, even after he sent screenshots proving the account under his control hadn't been credited, so he decided to delink his credit card from the account and drop the matter.

"It just blows me away that Skype doesn't respond or make corrections to what's going on," he says. "It's a phone company, but they don't have any phone number to respond."

Indeed, the only victim we've talked to who has reported a satisfactory outcome is Zimmerman. Several days after we first spoke to him, he reported receiving an email from a Skype representative informing him his account had been reset. Within two minutes, he had regained control of the account, but was saddened to find all his contacts missing.

While he's glad to be reunited with an account he's used for years, he says the experience has him looking over his shoulder.

"My identity was used for God knows what," he says. "Maybe at some point, I'll get some nasty email saying, 'Weren't you the one who did such and such?'" ®
