My API Was Hacked - Left with $3,879 bill from Paypal

Kosher1 (Senior Member; joined Oct 22, 2009; 929 messages; 459 reaction score)
Well, I am pretty new here, but not new to the ideas and genius BHW posts. Great site.

Let me start, as I hope some of you have some suggestions:

9/11/09 I got a call from a customer in regard to a charge appearing on her credit card statement from my website. The charge was under $1 (something like $0.23). I immediately logged into PayPal and noticed thousands (yes, that many) of these "authorizations" for under $1.

I immediately called PayPal and told them about this. They said I have nothing to worry about, since an authorization must be accepted by me, and if I don't accept them, then they will just go back to the credit card holder after 72 hours (in other words, they will expire).

Up to this point I was fine with everything, so I asked the PayPal 'clerk' how they did this. He did not have an answer and told me to change my API certificates and add them back to my shopping cart. So I did this, and sure enough the charges stopped.

Guess what? Next morning, again! New charges, thousands, one after another, like 40+ in a minute. It must have been automated; well, for sure it was... So I called PayPal again. They told me to change the API cert again and this time change my PayPal password, so I did.

Guess what? This time it ended. So I went about my business...

Sure enough, the month ended, and my website acceptance Virtual Terminal (or whatever they call it) was charged the normal $30 monthly fee.

Today I got the new bill, and they took $3,879 out of my account!!!! I know I should not have that much money in there, but seriously, I purchase goods and need money there.

I called PayPal and said WTF???? They all of a sudden became GENIUSES and told me that my API code must have been hacked and used to authorize these stolen credit cards, and I was charged $0.30 per authorization. That is SICK! That is a total of 12,900+ authorizations!!!

I became MAD! I kept myself calm and asked that the almost $4000 of these fees be returned to my account. They said it can't be done: the credit card companies charge us, and we charge you, that is the way it works.

What can I tell you? After pleading with the guy that no one used my API, he said I must not have SSL on my site (joker). I told him I do, so he checked and found out I did, so he said, well, somehow they used your API code to run these transactions.

I am so pissed off it's amazing! He told me he would send it to the dispute department but not to expect anything, because I am responsible for such fees.

People out there, any ideas? I googled all over but could not find anyone posting about something similar to what happened to me.

Your time and input are greatly appreciated. I really don't need "sorry, that sux" comments; it won't make me feel any better *grin*

Hope for some good feedback....

I wanna cry!!!!!!!!! :(
 
That's nice... but is there any way to recoup this lost money? Any laws protecting me? There must be something.
 
Raise hell with them. The more you call, the more chances you have of something getting done. I have been in your shoes before. It took me three months to get my fees returned. Just keep at it and be persistent. Take good notes when you are on the phone as well.
 
Take them to court; you did not do it. You can legally hold them or the CC companies guilty. Let them find out the hacker.
 
If you live in the US it will be easier to go to court. Next time be more careful with your pass, cuz the thief probably had it. He stopped when you changed your pass, not the API.
 
Yeah, there has to be something he can do... but it takes money to take them to court, so dunno if that would be the best idea.

Keep us informed
 
I find this odd considering the minimum amount that you can charge someone via Paypal is $1.00.
 
I just went through something similar except my experience was quite the opposite of yours. It took me a couple of weeks, but I got it all straightened out. Mine was fraudulent purchases and I got all my money and bank fees back.

I agree with the other guys, be persistent. Ask to speak with their bosses. Go up the ladder until you find somebody that doesn't give you the runaround. That's a lot of money. I'd pester the shit out of them until they got tired of me calling.
 
You could get a lawyer but it will cost you probably more, unfortunately.

There's one thing you should check though: your insurance. Often insurers include in their packages free legal advice, or a free lawyer to sort out your problems. That would be a good free way to get ahead.

In most cases, if there's no lawyer involved they'll just keep you waiting, or just say fuck off.

Now another thing is you should find out who is responsible for the security flaw. It's also possible to argue that a payment system like PayPal should have a warning system for cases just like yours. Hell, it's a payment company; they deal with all kinds of fraud. They should know that kind of trick and warn you about it!

In all cases make noise about your situation. The more noise you make, the worse it is for their reputation. And they protect that a lot.
 
Someone tested their database of stolen credit card numbers on your site... You should use AVS and CVV2 and require the billing ZIP, etc. If you optionally loosened your PayPal auth requirements, then you might be on the hook for the activity.

You should use their encrypted tokens too. It's too easy to adjust pricing on the client side with the legacy stuff.
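The burst of tiny authorizations described in this thread (40+ a minute, each under $1, each costing the merchant a per-authorization fee) is what a card-testing bot looks like from the merchant side. The following is an added example, not code from the thread or from PayPal: it counts sub-$1 or AVS/CVV2-failed authorizations per source IP and calendar minute over constructed log lines and flags any source exceeding a threshold, estimating fee exposure at the $0.30 per authorization the OP quotes. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authorization log (not from the thread).
# Fields: timestamp,client_ip,amount_usd,avs_match,cvv2_match
SAMPLE_LOG = """\
2009-11-09T02:14:01,203.0.113.7,0.23,N,N
2009-11-09T02:14:02,203.0.113.7,0.41,N,N
2009-11-09T02:14:02,203.0.113.7,0.19,N,N
2009-11-09T02:14:03,203.0.113.7,0.77,N,N
2009-11-09T02:14:05,203.0.113.7,0.23,N,N
2009-11-09T02:14:06,203.0.113.7,0.52,N,N
2009-11-09T02:14:08,203.0.113.7,0.23,N,N
2009-11-09T02:14:09,203.0.113.7,0.88,N,N
2009-11-09T02:14:11,203.0.113.7,0.23,N,N
2009-11-09T02:14:12,203.0.113.7,0.35,N,N
2009-11-09T02:14:13,203.0.113.7,0.23,N,N
2009-11-09T02:14:15,203.0.113.7,0.67,N,N
2009-11-09T02:20:44,198.51.100.22,49.95,Y,Y
2009-11-09T02:31:10,192.0.2.9,12.50,Y,Y
"""

def parse_log(text):
    """Yield (timestamp, ip, amount, avs_ok, cvv_ok) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, amount, avs, cvv = line.split(",")
        yield datetime.fromisoformat(ts), ip, float(amount), avs == "Y", cvv == "Y"

def detect_card_testing(text, max_per_minute=10, small_amount=1.00, per_auth_fee=0.30):
    """Flag IPs with more than max_per_minute suspicious authorizations (below
    small_amount, or failing AVS/CVV2) in one calendar minute; fee_exposure is
    what the merchant pays for those authorizations whether captured or not."""
    buckets = defaultdict(int)  # (ip, minute) -> suspicious authorization count
    for ts, ip, amount, avs_ok, cvv_ok in parse_log(text):
        if amount < small_amount or not (avs_ok and cvv_ok):
            buckets[(ip, ts.replace(second=0, microsecond=0))] += 1
    flagged = {}
    for (ip, minute), count in buckets.items():
        if count > max_per_minute and count > flagged.get(ip, {}).get("count", 0):
            flagged[ip] = {"minute": minute.isoformat(), "count": count,
                           "fee_exposure": round(count * per_auth_fee, 2)}
    return flagged

if __name__ == "__main__":
    for ip, info in detect_card_testing(SAMPLE_LOG).items():
        print(f"block {ip}: {info['count']} suspicious auths at {info['minute']}, ~${info['fee_exposure']} fees")
```

In production the same per-source counter would gate the checkout endpoint (reject or challenge further attempts from a flagged source) rather than only report after the fact.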
 
Small claims court. Do it in November, this month, and make sure it's as close as possible to Thanksgiving; they will not show up and the court will rule in your favor.
 
Someone tested their database of stolen credit card numbers on your site...

Yep, that's exactly what happened. I have seen it before...

Sux, man... But like everyone said, make noise. Tell other users of PayPal and the gateway system. If it happened to you, it can happen to someone else. That they may be concerned with.

-Mus
 
No matter what they tell you, you are NOT responsible for those charges. My mother had someone hack her PayPal account password. They ran up some $5000 in charges. The bank tried to charge NSF fees, PayPal tried to charge fees, etc. In the end, she just kept explaining what had happened and everything was returned to normal.
 
No matter what they tell you, you are NOT responsible for those charges. My mother had someone hack her PayPal account password. They ran up some $5000 in charges. The bank tried to charge NSF fees, PayPal tried to charge fees, etc. In the end, she just kept explaining what had happened and everything was returned to normal.

You are right, I did that and it worked, thanks!!!!!
 
Does that mean that if a bot comes to one's website and starts filling in real credit card numbers (so they will pass authorization) and submitting orders, each transaction will cost the site owner about $0.30 no matter what?

Also, what if the CC number did not pass authorization (like the CC number not matching the cardholder name)? These will NOT pass authorization, obviously, but will it cost the site owner any money?

P.S. I am not using PayPal, so I cannot say anything on topic, but the whole situation has inspired these two questions above. Thank you, and sorry for the OP's troubles.
 
PayPal sucks. I've been screwed over by them numerous times.
 
I've been running a processor for a number of years and this is the normal course of action. Of course, it doesn't make it right. Before you take legal action, I suggest you first go through the PayPal terms and conditions in detail. Look for anything that gives you a way out and use that against them. Keep pushing for upper management staff to handle your case and elevating tickets as high as possible. Document everything. Push them to acknowledge that you requested aid on 2 separate occasions and they did not help. Document that.

Assuming you find an angle that requires them to refund the money in the event of fraud, compile all the data and work you put into harassing them into a nice package and send that back out to PayPal (if they haven't refunded your money), and push even harder with your nicely compiled "evidence" that you have been playing by their rules.

If they continue to refuse, then threaten them with legal action and push with your updated evidence package. After that, if you still don't get your money, then you pretty much have to sue them.

I know it sounds like a lot of work, but threatening legal action right off the bat will shut all your available doors to get your money refunded amicably. The work you put into trying to get the money released allows you to research the case and put forward a reasonable case to have the money released. They may also refund the money based on the fact that you're a pain in the ass.

I hate to say it but this process will take months. I've had similar things happen to me in the past and every time it took a minimum of 3 months to get anything back. I almost always got my money back using these methods. Don't accept it and walk away.

Hope this helps... I know how it feels, and bank/credit card processors/money transfer companies are all crooks. They need to be held accountable.
 