Online life

My eBay and PayPal accounts were hacked – and I found the thief

Today, while chatting with a co-worker, I received a PayPal notification on my cell confirming my eBay purchase of $586.00.

Excellent!

I love when my purchases are approved. My PayPal account sees more action than nearly any other app on my phone. But I only like hearing from PayPal when I’m buying things.

I did not buy anything on eBay today. I have not bought anything on eBay in years. Once Amazon Prime wooed me into membership, I forgot eBay existed – which is part of the problem.

Immediate response

My eBay is connected to my PayPal, which was connected directly to my checking account. Panic commences. My first steps were to:

  1. Stare at my PayPal app.
  2. Self-doubt – “Did I buy a Ford 6.0L Powerstroke Victor Reinz Head Gasket & Head Studs?” No. What is that? Also, I drive a Nissan.
  3. Look for a cancel or dispute button. Find nothing.
  4. Log in to bank account. There is no pending purchase… yet.
  5. Log in to eBay on my computer.
  6. Request a cancel order.
  7. Cancel order three more times.
  8. Call PayPal.

PayPal’s response

While waiting on the phone for a human being after spending ~5 minutes explaining the issue to a lady robot, I changed my eBay password. Hopefully the criminal couldn’t make any more purchases there for now.

The PayPal representative was very nice and helpful. First, he froze my account and reset my password. Now both eBay and PayPal were protected. I explained the situation and he immediately refunded my account. He also verified all my information and notified me that there was a new address in my settings – a Trenton, NJ address.

He explained the order had already gone through and the money was going to leave my bank account, but I could transfer the refund to my bank now to break even. I thanked him and we hung up. It was really easy, and that is really rare. Many hacked accounts are hard to reclaim.

How my account was compromised

Firstly, the person in Trenton who ordered the head gasket is 100% not a hacker. eBay was hacked in 2014 and the site requested all users change their passwords. I did not, because I forgot eBay existed.

There is a black market for selling website credentials. When a site like LinkedIn or eBay is hacked, the hackers can collect thousands (if not millions) of usernames and passwords which they then sell. They can sell 100 usernames to one person, and 5,000 to another depending on what the buyer can afford. With this list in hand, the thief will try each password and username they purchased until finding the ones that work. Reply All has a very interesting podcast about buying and selling passwords.

In my case, I had the same password for eBay and PayPal. I can’t be sure which account they got to first, but with that password they were able to access several websites. In using the same password I had set myself up for fraud.

Finding the thief

The thief had changed my primary shipping account to their house. It was a Trenton, NJ address. So I began:

  • Google map the house. It looks scary and it’s in a bad neighborhood.
  • Zillow the house. I can see it hasn’t been sold or bought recently. I look at the estimated worth, property taxes, etc. I am trying to get a feel for the people who live here, and more importantly I’m trying to decide if I think the house is being rented or not.
  • Google the address for public records of people who have lived there.

At this point, I find 4 names of people who live or have lived in this location. The first two are men over 60 years old. They don’t have Facebook or any online presence that I can find, so I set their names aside.

The third name belongs to a middle-aged woman called Brenda. Brenda has a Facebook, and she still lives in Trenton. Most coincidentally – she is friends with the fourth person on my list – a late twenty-something woman named Felisha. Felisha lives in Trenton currently.

I deduce, and you may disagree with my reasoning, that Brenda and Felisha live together. Public records show they both have lived at the address and they are friends on Facebook. Neither Brenda nor Felisha is friends with the older gentlemen listed as previous residents, and I determine the men are less likely to be involved.

Felisha lives in Trenton. Her pictures are of a late twenty-something, heavyset woman with a constant mean mug. She wears all male clothing and portrays herself as very tough. If I have to guess between Brenda (her mother perhaps) or Felisha, I am assuming Felisha is the thief. Am I wrong? Maybe. It’s definitely not enough evidence to call the police. I could send Felisha a Facebook message, but I’m not a journalist and I don’t want this to get weird.

Perhaps Felisha’s friend is the thief, using Felisha’s address to throw us all off. I don’t know, and I’m not going to follow up with it because…

Final justice

Two hours after the ordeal began, I received confirmation from eBay that the order was cancelled. Not only did I get my money back, but Felisha is not getting free head gaskets and the seller isn’t out almost $600. There is justice in this world.

What you need to do

Have you been hacked?

https://haveibeenpwned.com/ is a website that tracks if you have any accounts on websites that have been hacked and had user info stolen. It is a safe and reputable website, and it’s scary.

Enter your username that you use on most sites, or simply enter your email address. It will tell you what websites you are a part of that have been hacked. If you’re in the database, change your passwords.

Have several different passwords

I changed every password today on every site. PayPal, eBay, email accounts, all banking and credit cards, Facebook… you name it. You need to create a system of passwords. At least 1 password for email, 1 password for social, 1 password for banking, etc.

If a thief does get your password, they will try it on a ton of websites. Don’t let them get too far.
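To see how far one breached site reaches through password reuse, the following added example (not part of the original post) groups the accounts in a password-manager style export by shared password and lists every account to change once a site shows up as breached, for instance in a haveibeenpwned.com result. The CSV layout, site names, usernames and passwords are constructed sample data, and the function names are hypothetical.

```python
import csv
import hashlib
import hmac
import io
import os
from collections import defaultdict

# Constructed sample data: a password-manager style export (site, username, password).
SAMPLE_EXPORT = """site,username,password
ebay.com,jdoe,Summer2014!
paypal.com,jdoe@example.com,Summer2014!
mybank.example,jdoe,Summer2014!
amazon.com,jdoe@example.com,c0rrect-horse-battery
facebook.com,jdoe@example.com,tr0ub4dor&3
"""


def reuse_groups(export_csv):
    """Return lists of sites that share one password (groups of 2 or more)."""
    # Compare keyed fingerprints, not plaintext; the key lives only for this run.
    key = os.urandom(32)
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        fingerprint = hmac.new(key, row["password"].encode(), hashlib.sha256).digest()
        groups[fingerprint].append(row["site"])
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)


def exposed_by_breach(export_csv, breached_sites):
    """Return every site whose password must be treated as known to a thief."""
    breached = set(breached_sites)
    known = {row["site"] for row in csv.DictReader(io.StringIO(export_csv))}
    exposed = breached & known  # the breached site's own password is burned
    for sites in reuse_groups(export_csv):
        if breached & set(sites):
            exposed.update(sites)  # same password, so it will be tried here too
    return sorted(exposed)


if __name__ == "__main__":
    print("Reused passwords:", reuse_groups(SAMPLE_EXPORT))
    print("Change now:", exposed_by_breach(SAMPLE_EXPORT, ["ebay.com"]))
```

With the sample data, a breach of ebay.com alone puts the PayPal and bank logins on the change-now list, while the accounts with their own passwords stay off it.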

Enable two-factor authentication (2FA)

2FA is a system on Gmail and other platforms that will send a code to your phone or alert you in another way if your account is accessed from a new computer or device, or if your password is changed. The thief will enter your password, and then find a screen that reads “We have texted you a code to your cell phone. Please enter the code to proceed”.

Unless they also have your phone, or whatever second method of confirmation you create, the thief will likely be locked out.

If PayPal had texted me when my account was first accessed from an unknown device, all of this could have been stopped in advance. Enable 2FA on every account you can.

Enable app notifications on your phone

Allow any app that deals with your email or banking information to send you push notifications on your activity. When you buy something on Amazon Prime, get a text about it. It was the text that alerted me to the fraud and allowed me to stop it immediately. Otherwise, I may not have gotten my money back, and Felisha could have charged even more to my account.

Quitting: Social Media

Why I quit following your every move

In December of 2015, I decided to go 1 month without Facebook or Instagram.

I initially started my 31-day break for two reasons:

  1. I was on Facebook and Instagram all the time. I would stay up in bed scrolling and scrolling, without retaining anything.
  2. I didn’t care about the things I was reading. People’s politics, “funny” quips, year end resolutions – God was I bored. The mundane and often unimpressive details of my “friends’” lives were making me hate them. I wasn’t happy for anyone; I felt judgmental and dismissive, or envious and unhappy.

All of the above is bad, and after taking a good look at what social media was doing to me, I took a break.

I kept a list of a few things I wanted to post, and some observations I made, during the first few days of my hiatus.

  • “Can you believe its December 1st?”
  • “I just typed “Gmails” into Google and clicked Send to get to my email. #tuesday”
  • A picture of the NYC skyline from my office that I didn’t end up taking
  • A picture of the wasabi ginger potato chips that came with my lunch
  • I forgot my best friend’s birthday. Without the Facebook notification, I completely overlooked it.
  • While driving the 2 hours home from work, I picked up my phone to look at Facebook. I just realized how dangerous that is, and how often I must do it.
  • “I just watched my 3rd Netflix documentary today.”

All of the above is bad.

Jotting down and looking at the posts I would have made brought their idiocy to the forefront of my mind. Usually, I post and forget. But really looking at the posts I would have created made me hate them, and myself too, kind of.

I didn’t want my life represented on the internet like this. After 4 days, I stopped having urges to log in.

Disclaimer: You are probably judging me right now, because you carefully craft interesting and poignant posts before hitting submit. You only upload breathtaking and life changing photos. You have already dismissed me completely as part of the problem. Be warned, ye who find themselves pompously posting. You’re probably posting dumb shit too.

Staying friends anyway

My friends had to text me and call me more. I had to personally update them on my life because I could no longer just post toward them. We shared news with each other, not our profiles.

I felt like I was caught up and close with my friends by reading their daily updates. But I wasn’t actually interacting with them, and there’s a difference.

I felt more connected to my friends by the end of December than I had in quite some time. That’s for real.

Removing validation and comparison

December is a really great time to quit social media, because there’s a lot of socializing going on, and you will want to send pictures of yourself having fun to all 300 of your acquaintances.

Not posting pictures or writing about the parties and friends I visited made me realize I didn’t need my life to be validated.

Removing the burden of prying eyes on my day-to-day changed my perspective. I want to pursue a life I’m proud of for me and not because of how it’ll make me look.

Let me repeat that: Instead of wanting my life to look a certain way, I want my life to actually be a certain way. Those are 2 very different things.

I thought I was chasing life for myself, but removing constant public opinion from my everyday helped me to hone in on what I really wanted. Not doing a single thing based on how others will respond made life begin to feel more genuine.

Even though I hadn’t noticed it, I had been altering parts of myself, or at least how I portrayed parts of my life, for your public approval.

The end

At 1am or so on New Year’s Day, I signed back onto Facebook. The next day, I signed back onto Instagram.

By January 3rd, both were deactivated again.

It was like a rush of self-involved nonsense. The things people were writing infuriated me. Several photos of the outfit you’re wearing tonight? Complaining about the guy who cut you off? Really long, introspective paragraphs about all you’ve learned this last year? STOP.

Why do we feel the need for so much attention? Why are you telling me the guy at Starbucks can’t make a latte? Why are you telling me you think your girlfriend is the most beautiful girl in the world? Does that make you love her more? Because you threw it into cyberspace instead of just telling her yourself?

Maybe I will go back eventually. I mean, this isn’t a personal challenge or a promise or a social-network diet. I know there are good parts to social media. I really miss some parts of it. It’s easier to create an event online than to send invitations to people. It’s nice to see your second cousin’s new baby. But the majority of the time, we use it to tell everyone what we had for dinner, and how bad Star Wars was, and why everything is great for us, or why everything sucks today. And that’s okay. If you want to use this phenomenal tool to spout nonsense toward people you’d avoid in person, go right ahead. I won’t judge you, but only because I won’t be there to see it.