back to article Credit card of PayPal PRESIDENT cloned by UK crooks

PayPal president's credit card got hacked on a UK visit, the victim revealed on Twitter. David Marcus said that an unidentified criminal used a skimming device and his credit card was cloned before "tons" of fraudulent transaction were made. The senior executive of the eBay-owned payment processing firm made sure to score a …


This topic is closed for new posts.
  1. Anonymous Coward


    This almost smells like a setup to me to get PayPal better into the picture.

    I don't know how this works in other countries, but over here in Holland I honestly wouldn't describe PayPal as a secure means for electronic payment. FAR from it.

    The problem: In the old days I did have a Paypal account, even favoured it. Simply because I could transfer money onto that account without having to set up any connection. No stored creditcard profile, no stored bank account information; nothing. So basically it was truly my "Internet piggy bank".

    I made sure that it had an amount which I could use to do stuff, while also making sure that it was never an amount which would hurt me should I suddenly lose it. Best of both worlds.

    Nowadays this isn't an option anymore. If I open an account Paypal demands that I either link a credit card onto it or worse: grant them access to do automatic withdrawals from my bank account. I can no longer tell my bank to transfer money; instead I tell Paypal to take it out for me.

    Hopefully I don't have to tell you why I immediately cleared out my account and removed it the very day when they started using this approach? It's simple really: should something does go wrong with my account, either due to weak passwords (unlikely) or other issues at Paypal themselves I get to suffer to the fullest extend. Because the bad guys would now have access to everything I got. And we all know that fixing the damage after it has been done is a lot harder than preventing said damage to begin with.

    Fortunately there are other parties (Multisafepay comes to mind) who do understand the need for this kind of separation. At the very least to give us customers a feeling of security; separating "internet cash" from the "real cash".

    Heck; PayPal has even stooped to a level where you can no longer make payments without having a PayPal account. Of course; only if you're from the Netherlands. If you're from the US you don't have this kind of limitation.

    So even if I do make some false assumptions up there (like this news being staged) I hope you can see the reason for my cynicism here.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bollocks?!

      > Heck; PayPal has even stooped to a level where you

      > can no longer make payments without having a PayPal

      > account. Of course; only if you're from the Netherlands.

      > If you're from the US you don't have this kind of limitation.

      You can but it's up to the seller to tick a box. If they claim to have done so though complain to your consumer protection agency whatever about this. It worked for me here in Slovenia after I filed a complaint I rarely hit upon a seller that I'll get a create an account only payment option. Usually a pay and optionally create is what I'll hit.

      I'm using moneybookers/skrill myself. The prepay mastercard they give out works. I need to wire money to them. So it works for my use. And yes I only load what I need/have plnanned usually a week or so before I need it(just because you know... banks take an age to transfer bits around)...

    2. Anonymous Coward
      Anonymous Coward

      Re: Bollocks?!

      "or worse: grant them access to do automatic withdrawals from my bank account"

      ...and even worse than that, they quietly introduced the ability for merchants to set up repeating payments in your PayPal account, which siphon money from your real bank account without any further authorisation.

      I as a long term PayPal account holder was completely unaware of this - having used the standard yellow [Pay using PayPal] button on a website to pay for a 1-year membership for a drivers club here in the UK, was baffled when more money was taken from my account the following year despite my decision not to renew. Turns out that the standard [Pay using PayPal] button can also set up recurring subscriptions.

      WTF PayPal??

      My conversation with the PayPal 'customer service' rep didn't go very well either when trying to find out how a repeating subscription had come to be set up without my consent - they are totally unrepentant. PayPal considers the button on a 'merchant' website to be the property of the merchant apparently, despite that its an embedded link served from PayPal's servers - and they also think its partly your fault for not having read terms and conditions that the merchant is assumed to have made available to you.

      The fact that the embedded button for a recurring subscription looks identical to one for making a standalone payment is irrelevant in PayPal's eyes.

      They also view the transaction as being entirely between you and the merchant. The fact that the activity takes place in your _PayPal Account_ is also irrelevant to them.

      Once I got my money back from the club, I closed my PayPal account immediately - which I've had since PayPal were the new kid on the block.


      Mind you on the bright side - I spot a market opportunity for setting up an ethical online payments facility ...

      1. myarse

        Re: Bollocks?!

        I had this happen from some Irish Facebook Aps company- I don't Facebook.

        I got an email saying that I was being charged 120 quid by Paypal, first thought it was a phishing scam, but checked only to find out some scam company I'd never heard of had put an auto renewing £120 charge on my account.

        I managed to get a chargeback and I know these scams are hard to combat but a quick Google found hundreds of complaints, going back several years, on Paypal's own forums about the same company doing the same thing. With no response, or action, from Paypal.

        Now if I was more suspicious I might wonder if Paypal do nothing about these things because they gain if the fraud works but lose nothing if it doesn't due to the time limits and barriers they put on chargebacks.

    3. Anonymous Coward
      Anonymous Coward

      Re: Bollocks?!

      Frankly, I don't see the problem. My Paypal account never accepted "transferred-in" funds, it always told me it would charge my credit card directly instead if I actually tried "adding funds" to it. Which never was a problem for me since I used the same system as mentioned above from day one - only keep a small pool of money on that particular credit card (and it's actually a DEBIT one with no credit; you can't overcharge me that way). Incidentally, this is a double card (a "real" one plus an "internet-only", with easy transfers between them) but that's irrelevant as long as neither account is ever holding significant sums of money...

      Now, regarding PP's attitude towards customer support I wholeheartedly agree. Heavens forbid you run into any trouble at all with your PP account - if it does happen, trying to get through it will put your blackest nightmares to shame and chances are you won't be able to resolve the issue at all. It seems their motto can be summed roughly as "we just don't care, and when we do we make sure you'll regret it and won't get to appeal. We don't need you, there are plenty more customers where you came from".

  2. Tom 7 Silver badge

    And if they'd used PayPal

    they would have to put their prices up.

  3. Graham Marsden

    And of course...

    ... in the case of all those '"tons" of fraudulent transactions', the card issuer immediately snatched the money back from the retailers and gave it back to him before actually *checking* with the retailer to see if they were fraudulent in the first place...

    ... Oh, no, hang on, that's what PayPal does, isn't it?

    1. Lee D

      Re: And of course...

      Er... I think you'll find they both do since the introduction of Chip & PIN when the liabilities clauses were changed.

  4. Anonymous Coward
    Anonymous Coward

    UK businesses are primarily using chip and pin technology, so if the magstripe got skimmed he should easily be able to work out where (and therefore who) skimmed it.

    1. Buzzword

      Any business where you hand your card over to somebody is vulnerable. When your friendly waiter takes your card and inserts it in the chip-and-pin terminal, you're unlikely to spot him surreptitiously scanning it through a dodgy mag-stripe reader hidden underneath. That's all it takes.

      The real question is where did the crims manage to use the information gleaned from the stripe? Pretty much everywhere requires chip-and-pin these days.

      1. Anonymous Coward
        Anonymous Coward

        They use them in America. Visa and MasterCard are trying to impose chip and pin rollout in America, to much resistance.

  5. Eradicate all BB entrants

    He is 100% correct ....

    ..... in that this type of scam cannot work on Paypal. That's because they introduced numerous other ways of helping miscreants defraud you of what is rightly yours (the easiest being the vendor wiping their Paypal account as they are typing out an email saying they will refund you) then walk away as they are not regulated by financial authorities.

    Recently found out that due to using a card on it years ago which has expired I can not use the one off payment function some sites have as their sole payment offering because it's the same card number. Now the account is 'restricted', which means I have to be at home to wait for a fecking phone call, just so I can delete the damn card off of their systems.

    Just a shame his bank didn't tell him to piss off and charge him for all the transactions, like his company has done to numerous people when they have issues.

  6. Anonymous Coward
    Anonymous Coward


    Potentially compromised credit card terminal OR use PayPal?

    Potentially compromised credit card terminal OR use PayPal?

    Potentially compromised credit card terminal OR use PayPal?

    ....I'll take my chances with the credit card thanks.

  7. TRT Silver badge

    Tripping the hack scam-plastic

    A pay-paler shade of blight?

    1. Anonymous Coward
      Anonymous Coward

      Tripping the hack scam-plastic


  8. Anonymous Coward
    Anonymous Coward

    score a marketing point

    perhaps this was all there was to it - no scam, no credit card skimmed? After all, he could cheerfully refuse to verify the story in any way, claiming that, given the sorry affair, he's not prepared to divulge ANY further details. But hey, the story's probably already all over the news. Nothing like free advertising by the end of financial year, eh?

  9. Irongut Silver badge

    Pics or it didn't happen.

    Sounds like a marketing ply to me.

  10. Tromos

    ...cloned by UK crooks.

    Makes you proud to be British.

    1. Trainee grumpy old ****

      Re: ...cloned by UK crooks.

      I'm sure one of our magnificent "news" papers will find that it was an illegal immigrant wot done it.

  11. johnaaronrose

    Why magnetic stripe?

    The obvious question: why do banks still put magnetic stripes on debit & credit cards? Given that all ATMs (though I know that they have not, because when I demagnetised the magnetic strip on my debit card, it didn't work on some ATMs) & merchants have converted to Chip & Pin in Britain, why? I asked my bank why & I was fobbed off. I've also looked at ATM security websites and they give no answers. Can anybody cast any light on this?

    1. Anonymous Coward
      Anonymous Coward

      Re: Why magnetic stripe?

      Various foreign countries haven't implemented chip and pin yet, so magstripe is still needed.

      1. johnaaronrose

        Re: Why magnetic stripe?

        I realise that. However, we should be able to get cards which can be only used for Chip & Pin (i.e. no magnetic stripe). It's rather pointless having a relatively secure id system on a card when there's a very insecure one!

        1. Anonymous Coward
          Anonymous Coward

          Re: Why magnetic stripe?

          Visa have such a card - VPay - EMV card with no mag stripe - its up to your bank to decide whether to use them.

          1. Frankee Llonnygog

            Re: Why magnetic stripe?

            You can always run a magnet over the strip if you're sure you'll never need to use it

  12. Firvulag

    Paypal was not secure a few years ago.

    I had a super secure password yet over £200 was charged to my credit card for an identity lookup service ( which I had never used. When I searched it appears to me that I was not the only one and the attack was inside paypal not via a password compromise.

    After Paypal's woeful response I got the money back (via my credit card provider) and cleared out my details. I now never store any details with them and will certainly never validate my account against my current account.

    Id rather take my chance with skimmers

    a) you can check for them to some extent

    b) you don't involve paypal t&c

  13. Ross K

    "My card (with EMV chip) got skimmed while in the UK. Ton of fraudulent txns. Wouldn't have happened if merchant accepted PayPal,"

    Maybe the merchant doesn't like paying 3.4%+20p on each transaction, or having his Paypal account frozen for some arbitrary reason?

  14. 7-zark-7

    Sub headline

    Excellent sub headline Reg. Not read the article yet just thought i'd congratulate you first.

    1. Vociferous

      Re: Sub headline

      This. So verily this.

  15. Midnight

    He's right about that.

    "My card (with EMV chip) got skimmed while in the UK. Ton of fraudulent txns. Wouldn't have happened if merchant accepted PayPal"

    Indeed. PayPal would have pocketed the money long before any lesser thieves could have gotten to it.

  16. Anonymous Coward

    Re: Wouldn't have happened if merchant accepted PayPal

    What would have happened instead is that I would have walked out of the shop empty-handed because PayPal would have locked, suspended or otherwise denied me access to my funds in my account the name of "my safety" and whatever other colossal Godzilla dung.

    Kinda a small little bit of detail missing eh Mr Marcie?

  17. JCitizen

    Yeah - if only Chip-N-Pin!!!

    I get SOOOoo tired of hearing that!! - VISA is supposedly forcing the issue in North America so my rant is probably a waste of time, but for the expense of converting the entire quadrant of our globe we get something that has already been hacked - several times. Is it REALLY worth it??

    February 2008

    February 2010

    February 2010

    September 2012

    Video summary of above report

    I hope we are smarter than that and adopt something like a combination of MagnePrint®, which cannot be replayed, and whose infrastructure is basically already there with slightly different hardware POS tech, and also Pass Window, which is a much cheaper, but highly scalable 3rd factor authentication technology.

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2022