This topic is now archived and is closed to further replies.

High Grade Comics Hacked?

96 posts in this topic

I consider myself tech savvy, and I had my PayPal account hacked about a month and a half ago.

 

Wiz, I am a big fan of yours, but if you have a well-used high dollar paypal account and just attached an authenticator to it last month...that's not tech savvy! :baiting: I ordered an authenticator (a real one, none of this texting stuff) the day they were offered and was bugging paypal about offering them long before.

 

It's good to hear paypal took care of it for you...lesson learned I'm sure!

 

I'll use this as an opportunity to tell everyone that if you have a paypal account linked to your checking, or routinely have high balances in your account, not having the authenticator attached is extraordinarily unwise.

 

2c

 

Link to comment
Share on other sites

Update to previous post

 

Upon review of the code to generate the password reset it seems that any customer who had an email address on file even though they never registered on my website would have gotten a password reset.

 

That customer could have bought a book from me at a show or ebay. Bought a book via email and not through the website etc.

 

Bottom line - The hacker would not have gotten your password from my website, there wasn't one on file.

 

Bob

Link to comment
Share on other sites

 

I'll use this as an opportunity to tell everyone that if you have a paypal account linked to your checking, or routinely have high balances in your account, not having the authenticator attached is extraordinarily unwise.

 

2c

 

I'd love the added security, but I can see this turning into a typical computer nightmare. I do most of my paypal on an iPad, and although I am not using the eBay or PayPal apps, when I checkout from eBay the PayPal mobile checkout is launched. From what I understand, the SMS pins do not work in that environment.

 

 

Link to comment
Share on other sites

I consider myself tech savvy, and I had my PayPal account hacked about a month and a half ago.

 

Wiz, I am a big fan of yours, but if you have a well-used high dollar paypal account and just attached an authenticator to it last month...that's not tech savvy! :baiting: I ordered an authenticator (a real one, none of this texting stuff) the day they were offered and was bugging paypal about offering them long before.

 

It's good to hear paypal took care of it for you...lesson learned I'm sure!

 

I'll use this as an opportunity to tell everyone that if you have a paypal account linked to your checking, or routinely have high balances in your account, not having the authenticator attached is extraordinarily unwise.

 

2c

 

Yeah, it was definitely an eye-opening experience. And I'll probably chalk it up to a combination of being lazy and not knowing they had this two-step authentication. My first reaction to the PayPal guy explaining it was to ask if there was any chance it could lock me out of my account (i.e. did I need to remember another numeric password), because I have a hard time managing the handful of PIN numbers and passwords as it is with regular banking, so in a roundabout way, this is the "being inconvenienced" part talking out loud. As someone else mentioned, I'm surprised my bank hasn't done something similar. I know they kind of ask security questions randomly as a secondary layer of authentication (i.e. where were you born, what was your first pet, etc.), but having experienced what I did, I know the importance of having that two-step process all the time as a necessary safeguard.

Link to comment
Share on other sites

I recently switched banks and one of the banks I use has a rolling code on a key fob - changes every 30 seconds. Can't make any transfers without getting that rolling code correctly.

Link to comment
Share on other sites

I recently had a tuna sandwich.

While chewing I pondered the fact that Josh at ComicLink ordered a 6.5 X-Men 1 from the High Grade Comics web-site. hm

 

I was first alerted by an X-Men #1 6.5 being ordered by Josh of Comiclink using an old account.

Link to comment
Share on other sites

Wiz,

How do you add that 2 level authentication to your PayPal account? I don't see the option. Do you have to contact them first?

 

I consider myself tech savvy, and I had my PayPal account hacked about a month and a half ago. They transferred everything from my balance all in one shot into a shell account, and it was a significant dollar amount.

 

To this day, I still am not 100% sure how they did it. It was both eye-opening and mind-numbingly frustrating.

 

A week prior, I received a spoof PayPal message saying my account was suspended, asking me to confirm my account information. Normally I ignore these messages, but the timing was uncanny and too coincidental. I got my back up to this particular message because of two reasons. One, they were asking for my social insurance number, which I have a right to refuse. The second is that a few days prior, I had filed a dispute against a seller who I'd sent money to and didn't send me my merch - my first dispute in over 15 years of using PayPal.

 

I did not click any links or provide them any information. Instead, I called PayPal and began reading them the riot act. Thinking that the dispute resolution process was the culprit, I railed on them for asking me for this information and suspending my account, not realizing that it was a scam message.

 

About a week later, I logged-on to my computer in the early AM to get some work done before getting the kids ready for school. My saving grace was that I had a complaint filed because otherwise I wouldn't have checked my PayPal account. I log-in and see my account empty, and a transaction that occurred before 9AM EST from a guy out in Spain. I can't tell you how nerve wracking that whole situation was. The first PayPal guy was not helpful, and told me I had to wait 48 hours for them to look into and investigate. I was flustered, needing to get back to work, and getting nowhere with him, so I hung up.

 

The next day (a Saturday) I called again and when the guy started saying they had to look into it, I asked him if he was qualified to check the referral log and IP for the fraudulent transaction. I then instructed him on exactly how to differentiate the IP activity for that transaction, and to compare it with all other activity on the account. He said, yeah I definitely see what you're talking about. I told him to also lock that account, and that if PayPal wouldn't look into it themselves, that I would instruct Interpol to ask for it by warrant. This person was a criminal and had committed a high dollar amount theft. I guess he didn't like how that was sounding so he immediately refunded me the money, and told me PayPal would take care of it.

 

I've since activated a PIN number on login. It's a second step, and a bit of a hassle as you need to wait for a text that sends you a six digit passcode, but I won't take any more chances.

 

Now if this kind of thing is happening with PayPal, I can totally understand how a comic collectibles site would be compromised. The only sure fire way to eliminate the risk of being hacked is to pull your internet plug out of the wall and use a vivid imagination to surf the web.

Link to comment
Share on other sites

silverweb - I checked a couple of how-to links, but they seem to be a bit outdated. Maybe someone here can walk you through how it's done.

 

I did it over the phone, and if you ask for PIN verification that sends a 6-digit code to your phone by text, they should be able to set you up.

 

If you go that route, PayPal's toll-free is 1-888-221-1161

 

Wiz,

How do you add that 2 level authentication to your PayPal account? I don't see the option. Do you have to contact them first?

 

I consider myself tech savvy, and I had my PayPal account hacked about a month and a half ago. They transferred everything from my balance all in one shot into a shell account, and it was a significant dollar amount.

 

To this day, I still am not 100% sure how they did it. It was both eye-opening and mind-numbingly frustrating.

 

A week prior, I received a spoof PayPal message saying my account was suspended, asking me to confirm my account information. Normally I ignore these messages, but the timing was uncanny and too coincidental. I got my back up to this particular message because of two reasons. One, they were asking for my social insurance number, which I have a right to refuse. The second is that a few days prior, I had filed a dispute against a seller who I'd sent money to and didn't send me my merch - my first dispute in over 15 years of using PayPal.

 

I did not click any links or provide them any information. Instead, I called PayPal and began reading them the riot act. Thinking that the dispute resolution process was the culprit, I railed on them for asking me for this information and suspending my account, not realizing that it was a scam message.

 

About a week later, I logged-on to my computer in the early AM to get some work done before getting the kids ready for school. My saving grace was that I had a complaint filed because otherwise I wouldn't have checked my PayPal account. I log-in and see my account empty, and a transaction that occurred before 9AM EST from a guy out in Spain. I can't tell you how nerve wracking that whole situation was. The first PayPal guy was not helpful, and told me I had to wait 48 hours for them to look into and investigate. I was flustered, needing to get back to work, and getting nowhere with him, so I hung up.

 

The next day (a Saturday) I called again and when the guy started saying they had to look into it, I asked him if he was qualified to check the referral log and IP for the fraudulent transaction. I then instructed him on exactly how to differentiate the IP activity for that transaction, and to compare it with all other activity on the account. He said, yeah I definitely see what you're talking about. I told him to also lock that account, and that if PayPal wouldn't look into it themselves, that I would instruct Interpol to ask for it by warrant. This person was a criminal and had committed a high dollar amount theft. I guess he didn't like how that was sounding so he immediately refunded me the money, and told me PayPal would take care of it.

 

I've since activated a PIN number on login. It's a second step, and a bit of a hassle as you need to wait for a text that sends you a six digit passcode, but I won't take any more chances.

 

Now if this kind of thing is happening with PayPal, I can totally understand how a comic collectibles site would be compromised. The only sure fire way to eliminate the risk of being hacked is to pull your internet plug out of the wall and use a vivid imagination to surf the web.

Link to comment
Share on other sites

 

That's it. I just did it today. So maybe something good will come out of this for Bob's customers.

 

 

I'm concerned about what will happen in a mobile environment. From what I've read the security key is not compatible with the PayPal mobile checkout, which is what I use pretty much all the time because it is spawned automatically when using eBay checkout on a mobile device (whether using eBay app or not). Could someone who understands this stuff clarify?

Link to comment
Share on other sites

I recently had a tuna sandwich.

While chewing I pondered the fact that Josh at ComicLink ordered a 6.5 X-Men 1 from the High Grade Comics web-site. hm

 

I was first alerted by an X-Men #1 6.5 being ordered by Josh of Comiclink using an old account.

Wasn't it a turkey sammich

Link to comment
Share on other sites

Update to previous post

 

Upon review of the code to generate the password reset it seems that any customer who had an email address on file even though they never registered on my website would have gotten a password reset.

 

That customer could have bought a book from me at a show or ebay. Bought a book via email and not through the website etc.

 

Bottom line - The hacker would not have gotten your password from my website, there wasn't one on file.

 

Bob

 

Ah that explains it, I believe I did buy something from you via the eBay. Thanks for clarifying. Nice site by the way.

Link to comment
Share on other sites

Thank you.

 

One other update:

Customers who may not have gotten the two emails from me may be having my company emails blocked by their Internet service provider.

 

You would try to login with your old password and get a message that the password doesn't work.

 

If you don't email me and ask what is wrong with it you may request a password reset. If that email is blocked by your ISP provider you will really start to get upset.

 

Please be aware that I have the ability to forward that information to you if this happens.

 

 

Link to comment
Share on other sites

Thank you.

 

One other update:

Customers who may not have gotten the two emails from me may be having my company emails blocked by their Internet service provider.

 

You would try to login with your old password and get a message that the password doesn't work.

 

If you don't email me and ask what is wrong with it you may request a password reset. If that email is blocked by your ISP provider you will really start to get upset.

 

Please be aware that I have the ability to forward that information to you if this happens.

 

 

Great job with the updates Bob. This forum is a great resource on these types of things

 

 

Link to comment
Share on other sites

I agree.

 

While some feel that the boards get a little redundant with topics just this topic alone has given me some insight to some of the other problems out there. I was not aware of a different level of security for paypal. My only experience with random password generation is when I worked for Verizon and we had a random access generator for logging into the corporate website.

 

 

 

Link to comment
Share on other sites