Skype ignores PayPal siphoning hijack scheme

The phone company without a phone

One day last month, when Klaus Zimmerman tried to log into his Skype account, he got an error message indicating his username and password didn't match. Concerned something was awry, Zimmerman, a computer repairman living in Wexford County, Ireland, phoned his brother and asked him to check his online status.

"I saw you on earlier, but your picture was gone," the brother reported. "You're now listed as living in Germany." On top of that, the person logged in was no longer answering the brother's queries.

Forum threads here, here and here and Google searches here and here suggest Zimmerman's experience is by no means unusual. The Register has contacted many victims, and a common pattern has emerged. Around the same time the victims are locked out of their accounts, they receive emails indicating their PayPal accounts are being charged for funds that are credited to the purloined Skype accounts. Frantic emails reporting the problem remain unanswered for weeks or months by Skype and PayPal representatives.

"Basically, you get a generic email saying 'Sorry you're having problems with Skype, we'll try to solve the problem,'" says Dave Ballard, a Newfoundland, Canada-based graphics artist, whose account has been inaccessible for five weeks. The eBay powerseller adds: "This is just not right because it's costing me thousands of dollars."

The account contained more than 200 contacts of people Ballard has done business with. Because Ballard didn't back up the contacts, they will be permanently lost if he remains unable to access the account. (An earlier version of this story incorrectly said Skype doesn't provide a means to back up contacts. In fact it does, by going to Tools > Advanced > Back up contacts to file.)

Ballard says he sent Skype's support team 34 emails, one each day since the account was hijacked, but never received a live response. Late last week, a Skype rep contacted him to acknowledge the problem and offered him a refund. He remains locked out of the account he's used for three years.

The rash of Skype hijackings comes on top of a separate issue in which PayPal users are debited for Skype services they never ordered. Since reporting the problem in June, Vulture Central has been inundated with email from readers who say they too continue to experience mysterious Skype charges.

The Register has repeatedly contacted representatives from eBay, PayPal and Skype, but at time of writing, none of them were able to discuss whether company officials are aware of the glitch or what they're doing to fix it. Shortly after this article was published, a Skype spokeswoman emailed a statement that read:

"We are continually working to educate our users on how to protect their online accounts and take precautions to prevent as many of these fraudulent transactions as possible. Unfortunately for some users we cannot get back to them as quickly as they'd like but we are doing our best to make our Customer Support as effective and efficient as possible."

We're still trying to understand how the attackers are commandeering the accounts. There are no reports of phishing emails or other attempts at social engineering. And the Skype client encrypts usernames and passwords during the login process, making a man-in-the-middle attack unlikely. If your account has been hijacked, please post the particulars as a comment to this story, or contact the reporter using this link.

In the meantime, Skype users should consider reconfiguring their account so it's no longer possible to automatically debit money from PayPal accounts or credit cards.

Several of the victims work in the information technology industry and say they take pains to use strong passwords and log in to their accounts only from secure machines located at home.

"I'm fairly IT savvy," says James M. Fahey, a Boston resident who recently found $40 worth of Skype charges debited to his PayPal account. The strange thing, he says, is that the credits were added to someone else's Skype account, not his. When he sent emails protesting the charges, a representative insisted the account that was credited was the one Fahey had been using for years.

Fahey was unable to persuade the representative, even after he sent screenshots proving the account under his control hadn't been credited, so he decided to delink his credit card from the account and drop the matter.

"It just blows me away that Skype doesn't respond or make corrections to what's going on," he says. "It's a phone company, but they don't have any phone number to respond."

Indeed, the only victim we've talked to who has reported a satisfactory outcome is Zimmerman. Several days after we first spoke to him, he reported receiving an email from a Skype representative informing him his account had been reset. Within two minutes, he had regained control of the account, but was saddened to find all his contacts missing.

While he's glad to be reunited with an account he's used for years, he says the experience has him looking over his shoulder.

"My identity was used for God knows what," he says. "Maybe at some point, I'll get some nasty email saying, 'Weren't you the one who did such and such?'" ®
