
My API Was Hacked - Left with $3,879 bill from Paypal

Discussion in 'Black Hat SEO' started by Kosher1, Nov 2, 2009.

  1. Kosher1

    Kosher1 Power Member

    Joined:
    Oct 22, 2009
    Messages:
    725
    Likes Received:
    387
    Well, I am pretty new here, but not new to the ideas and genius BHW posts. Great site.

    Let me start, as I hope some of you have some suggestions:

    9/11/09 I get a call from a customer in regards to a charge appearing on her credit card statement from my website. The charge was under $1 (something like $0.23). I immediately logged into Paypal and noticed thousands (yes that many) of these "authorizations" for under a $1.

    I immediately called PayPal and told them about this. They said I have nothing to worry about, since an authorization must be accepted by me, and if I don't accept them, then they will just go back to the credit card holder after 72 hours (in other words, they will expire).

    Until now I am fine with everything, so I ask the PayPal 'clerk' how they did this. He did not have an answer and told me to change my API certificates and add them back to my shopping cart. So I did this, and sure enough the charges stopped.

    Guess what? Next morning, again! New charges, thousands, one after another, like 40+ in a minute. It must have been automated; well, for sure it was... So I called PayPal again, and they told me to change the API cert. again and this time change my PayPal password, so I did.

    Guess what? This time it ended. So I went about my business...

    Sure enough, the month ends, and my Website Payments Virtual Terminal (or whatever they call it) was charged the normal $30 monthly fee.

    Today, I get the new bill, and they took $3,879 out of my account!!!! I know I should not have that much money in there, but seriously, I purchase goods and need money there.

    I called PayPal and said WTF???? They all of a sudden became GENIUSES and told me that my API code must have been hacked and used to authorize these stolen credit cards, and I was charged $0.30 per authorization. That is SICK! That is a total of 12,900+ authorizations!!!

    I became MAD! I kept myself calm and asked that the almost $4,000 of these fees be returned to my account. They said it can't be done: the credit card companies charge us, and we charge you, that is the way it works.

    What can I tell you? After pleading with the guy that no one used my API, he said I must not have SSL on my site (joker). I told him I do, so he checked and found out I did, so he said, well, somehow they used your API code to run these transactions.

    I am so pissed off it's amazing! He told me he will send it to the dispute department, but not to expect anything, because I am responsible for such fees.

    People out there, any ideas? I googled all over but could not find anyone posting something similar like what happened to me.

    Your time and input is greatly appreciated. I really don't need "sorry, that sux" comments, it won't make me feel any better *grin*

    Hope for some good feedback....

    I wanna cry!!!!!!!!! :(
     
  2. Kosher1

    Kosher1 Power Member

    Joined:
    Oct 22, 2009
    Messages:
    725
    Likes Received:
    387
    That's nice... but is there any way to recoup this lost money? Any laws protecting me? There must be something.
     
  3. bfellow

    bfellow Jr. VIP Jr. VIP Premium Member

    Joined:
    Jan 3, 2008
    Messages:
    322
    Likes Received:
    372
    Occupation:
    Self-Employed. No other title really fits.
    Location:
    Dark Side of the Moon
    Raise hell with them. The more you call, the more chances you have of something getting done. I have been in your shoes before. It took me three months to get my fees returned. Just keep at it and be persistent. Take good notes when you are on the phone as well.
     
  4. virus_1720

    virus_1720 Jr. VIP Jr. VIP Premium Member

    Joined:
    May 9, 2008
    Messages:
    1,686
    Likes Received:
    1,197
    Location:
    BHW
    Take them to court, you did not do it. You can legally hold them or the CC companies responsible. Let them find the hacker.
     
  5. polocolto

    polocolto Regular Member

    Joined:
    Apr 26, 2009
    Messages:
    241
    Likes Received:
    28
    If you live in the US it will be easier to go to court. Next time be more careful with your password, because the thief probably had it. He stopped when you changed your password, not the API.
     
  6. w4rl0rdx

    w4rl0rdx Junior Member

    Joined:
    Jun 14, 2009
    Messages:
    136
    Likes Received:
    10
    Occupation:
    Getting out of fake job and into IM
    Location:
    Michigan
    Yeah, there has to be something he can do... but it takes money to take them to court so dunno if that would be the best idea.

    Keep us informed
     
  7. leprakhauns

    leprakhauns Registered Member

    Joined:
    Sep 8, 2009
    Messages:
    84
    Likes Received:
    15
    Occupation:
    PHP Programmer
    Location:
    New York
    I find this odd considering the minimum amount that you can charge someone via Paypal is $1.00.
     
  8. MuonTrail

    MuonTrail Registered Member

    Joined:
    Mar 5, 2009
    Messages:
    96
    Likes Received:
    93
  9. eidyggidogon

    eidyggidogon Newbie

    Joined:
    Dec 30, 2008
    Messages:
    26
    Likes Received:
    9
    Occupation:
    Underwear Model
    Location:
    Chattanooga, TN
    I just went through something similar, except my experience was quite the opposite of yours. It took me a couple of weeks, but I got it all straightened out. Mine was fraudulent purchases, and I got all my money and bank fees back.

    I agree with the other guys, be persistent. Ask to speak with their bosses. Go up the ladder until you find somebody that doesn't give you the runaround. That's a lot of money. I'd pester the shit out of them until they got tired of me calling.
     
  10. proutprout

    proutprout Newbie

    Joined:
    Jun 18, 2009
    Messages:
    11
    Likes Received:
    0
    You could get a lawyer but it will cost you probably more, unfortunately.

    There's one thing you should check though, which is your insurance. Often insurers include free legal advice, or a free lawyer, in their packages to sort out your problems. That would be a good free way to get ahead.

    In most cases, if there's no lawyer involved they'll just keep you waiting, or just say fuck off.

    Now, another thing is you should find out who is responsible for the security flaw. It's also possible to argue that a payment system like PayPal should have a warning system for cases just like yours. Hell, it's a payment company, they deal with all kinds of fraud; they should know that kind of trick and warn you about it!

    In all cases, make noise about your situation. The more noise you make, the worse it is for their reputation. And they protect that a lot.
     
  11. ipopbb

    ipopbb Power Member

    Joined:
    Feb 24, 2008
    Messages:
    626
    Likes Received:
    844
    Occupation:
    SEO & Innovative Programming
    Location:
    Seattle
    Someone tested their database of stolen credit card numbers on your site... You should use AVS and CVV2 and require billing zip, etc. If you optionally loosened your PayPal auth requirements, then you might be on the hook for the activity.

    You should use their encrypted tokens too. It's too easy to adjust pricing on the client side with the legacy stuff.
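The two things this thread actually describes are a card-testing ("carding") run against the merchant's authorization API (the OP's burst of 40+ sub-$1 authorizations per minute, each billed as a real authorization) and the controls suggested in the post above: require AVS/CVV2 data and do not let the client set the price. The following is an added example written for this page; it is not code from the OP, from PayPal, or from any shopping cart. It shows a server-side pre-check that sits in front of the gateway call: prices come from a server-side catalog rather than the POSTed amount, AVS/CVV2 fields are mandatory, and a sliding-window velocity guard refuses many distinct cards from one source. Every name, threshold and sample record is constructed for illustration.

```python
"""Card-testing ("carding") defence in front of a merchant checkout API.

Added example for this thread, not code from the original poster, PayPal,
or any cart.  It simulates the traffic the OP describes (dozens of sub-$1
authorizations per minute from an automated client) and applies the
controls suggested in the thread: require AVS/CVV2 fields, look prices up
server-side instead of trusting the client, and refuse bursts of distinct
cards from one source.  Names, thresholds and records are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Hypothetical server-side price list: the only authority for amounts.
CATALOG = {"sku-001": Decimal("19.99"), "sku-002": Decimal("4.50")}


@dataclass(frozen=True)
class AuthRequest:
    ts: float                   # Unix seconds
    source_ip: str
    card_last4: str             # never log or key on the full PAN
    sku: str
    client_amount: Decimal      # what the client POSTed; must match CATALOG
    billing_zip: Optional[str]  # AVS input
    cvv2: Optional[str]


class VelocityGuard:
    """Sliding-window check per source: a shopper uses one or two cards a
    minute; a bot validating a stolen-card dump cycles through many."""

    def __init__(self, window_s: float = 60, max_attempts: int = 5,
                 max_distinct_cards: int = 3):
        self.window_s = window_s
        self.max_attempts = max_attempts
        self.max_distinct_cards = max_distinct_cards
        self._seen = defaultdict(deque)   # source_ip -> deque[(ts, last4)]

    def allow(self, req: AuthRequest) -> bool:
        q = self._seen[req.source_ip]
        q.append((req.ts, req.card_last4))
        while q and req.ts - q[0][0] > self.window_s:   # expire old events
            q.popleft()
        distinct = len({last4 for _, last4 in q})
        return len(q) <= self.max_attempts and distinct <= self.max_distinct_cards


def check_authorization(req: AuthRequest, guard: VelocityGuard) -> str:
    """Return 'ok' or the reason the request must NOT reach the gateway.
    Rejecting here is free; every call that reaches the processor incurs a
    per-authorization fee whether or not it is ever captured."""
    price = CATALOG.get(req.sku)
    if price is None:
        return "unknown_sku"
    if req.client_amount != price:           # client-side price tampering
        return "amount_mismatch"
    if not req.billing_zip or not req.cvv2:  # make AVS/CVV2 data mandatory
        return "missing_avs_cvv2"
    if not guard.allow(req):
        return "velocity"
    return "ok"


def run_sample() -> dict:
    """Constructed traffic: one real shopper, then two bot bursts."""
    guard = VelocityGuard()
    requests = [
        AuthRequest(1000.0, "203.0.113.7", "4242", "sku-001",
                    Decimal("19.99"), "10001", "123"),
    ]
    # Bot 1: 40 attempts in 20 seconds, a different stolen card each time,
    # amount overwritten to $0.23 the way the OP saw, no AVS/CVV2 data.
    for i in range(40):
        requests.append(AuthRequest(2000.0 + i * 0.5, "198.51.100.9",
                                    f"{i:04d}", "sku-002",
                                    Decimal("0.23"), None, None))
    # Bot 2: correct price and plausible AVS/CVV2, but still many cards.
    for i in range(10):
        requests.append(AuthRequest(3000.0 + i * 2, "198.51.100.10",
                                    f"{i:04d}", "sku-002",
                                    Decimal("4.50"), "90210", "000"))
    tally = defaultdict(int)
    for r in requests:
        tally[check_authorization(r, guard)] += 1
    return dict(tally)


if __name__ == "__main__":
    print(run_sample())   # {'ok': 4, 'amount_mismatch': 40, 'velocity': 7}
```

The first bot burst never reaches the gateway because the tampered amount fails the catalog check; the second gets three authorizations through before the distinct-card limit trips, which is the point where a real deployment would also alert and block the source. AVS and CVV2 are evaluated by the processor, not by this code; requiring the fields here only ensures the gateway can actually perform those checks.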
     
  12. nufaman

    nufaman Elite Member

    Joined:
    May 29, 2009
    Messages:
    1,697
    Likes Received:
    1,185
    sorry, that sux
     
  13. Celsius

    Celsius Registered Member

    Joined:
    Oct 15, 2009
    Messages:
    55
    Likes Received:
    22
    Occupation:
    Firmware Engineer
    Location:
    Phoenix, Arizona
    Small claims court. Do it in November, this month, and make sure it's as close as possible to Thanksgiving; they will not show up and the court will rule in your favor.
     
  14. muslickzz

    muslickzz Junior Member

    Joined:
    May 23, 2008
    Messages:
    109
    Likes Received:
    51
    Gender:
    Male
    Occupation:
    Burden
    Location:
    Up in your Grill...
    Yep, that's exactly what happened. I have seen it before...

    Sux, man. But like everyone said, make noise. Tell other users of PayPal and the gateway system. If it happened to you, it can happen to someone else. That is something they may be concerned with.

    -Mus
     
  15. creztor

    creztor Power Member

    Joined:
    Jan 20, 2007
    Messages:
    731
    Likes Received:
    295
    Location:
    Australia
    See a lawyer, now.
     
  16. TheInsider

    TheInsider Registered Member

    Joined:
    Jan 18, 2008
    Messages:
    99
    Likes Received:
    102
    No matter what they tell you, you are NOT responsible for those charges. My mother had someone hack her PayPal account password. They ran up some 5,000 dollars in charges. The bank tried to charge NSF fees, PayPal tried to charge fees, etc. In the end, she just kept explaining what had happened and everything was returned to normal.
     
  17. Kosher1

    Kosher1 Power Member

    Joined:
    Oct 22, 2009
    Messages:
    725
    Likes Received:
    387
    You are right, I did that and it worked, thanks!!!!!
     
  18. alex1

    alex1 Junior Member

    Joined:
    May 23, 2009
    Messages:
    123
    Likes Received:
    110
    Occupation:
    Software Developer
    Location:
    Toronto, Canada
    Does that mean that if a bot comes to one's website and starts filling in real credit card numbers (so they will pass authorization) and submitting orders, each transaction will cost the site owner about $0.30 no matter what?

    Also, what if the CC number did not pass authorization (like the CC number not matching the cardholder name)? These will NOT pass authorization, obviously, but will it cost the site owner any money?


    P.S. I am not using PayPal, so I cannot say anything on topic, but the whole situation has inspired these 2 questions above. Thank you, and sorry for the OP's troubles.
     
  19. Qball

    Qball Registered Member

    Joined:
    Jan 1, 2008
    Messages:
    77
    Likes Received:
    21
    Location:
    Omaha,NE
    Paypal sucks. I've been screwed over by them numerous times.
     
  20. ac1020

    ac1020 Newbie

    Joined:
    May 22, 2008
    Messages:
    29
    Likes Received:
    1
    I've been running a processor for a number of years and this is the normal course of action. Of course, it doesn't make it right. Before you take legal action, I suggest you first go through the PayPal terms and conditions in detail. Look for anything that gives you a way out and use that against them. Keep pushing for upper management staff to handle your case and elevating tickets as high as possible. Document everything. Push them to acknowledge that you requested aid on 2 separate occasions and they did not help. Document that.

    Assuming you find an angle that requires them to refund the money in the event of fraud, compile all the data and work you put into harrassing them into a nice package and send that back out to Paypal (if they haven't refunded your money), and push even harder with your nicely compiled "evidence" that you have been playing by their rules.

    If they continue to refuse, then threaten them with legal action and push with your updated evidence package. After that, if you still don't get your money, then you pretty much have to sue them.

    I know it sounds like a lot of work, but threatening legal action right off the bat will shut all your available doors to get your money refunded amicably. The work you put into trying to get the money released allows you to research the case and put forward a reasonable case to have the money released. They may also refund the money based on the fact that you're a pain in the ass.

    I hate to say it but this process will take months. I've had similar things happen to me in the past and every time it took a minimum of 3 months to get anything back. I almost always got my money back using these methods. Don't accept it and walk away.

    Hope this helps... I know how it feels and bank/credit card processors/money transfer companies are all crooks. They need to be held accountable.