Beware Recurring Preapproved Payments on PayPal – Skype Account Hacked

Tonight, I got several email confirmations for separate €25 Paypal payments to “Skype Communications Sarl”. Thing is, I haven’t used Skype in years. At first I thought it was just another phishing attempt. But the domain on the e-mail checked out. I logged into my account (manually) and saw that multiple $35 charges did indeed go through. How? Was my PayPal account hacked? I changed my password, and then another unauthorized payment went through!

paypalpre2

Long story short, it was my Skype account that was hacked. I didn’t even know this, but PayPal has a program of “preapproved” payments where a merchant can repeatedly charge your account without the need to type in your PayPal password. This is meant for monthly subscriptions and the sort. Although I have bought credit from Skype before, I don’t ever recall signing up for any of these subscription-style plans at any merchant. My suspicion is that it was buried somewhere into a default checkbox that I didn’t undo, or worse it was just hidden in the terms and conditions fine print. (I am usually really careful about this sort of thing, so I am quite mad at myself!)

Lesson #1: If you use PayPal at all, check your preapproved merchant list immediately. To find this list, log into your account and then go to My Account > Profile > My money > My preapproved payments. You should see a screen like this:

paypalpre

My recommendation is to make every single one inactive immediately. If not, you should treat your accounts at those merchants as carefully as your bank accounts, because they literally have access to every linked bank account and credit card at PayPal. I had no idea that buying one joke bumper sticker from Zazzle in 2009 could be the equivalent of an open wallet.

Apparently, I’ve been vulnerable for years but I never noticed until now. I bet there are a lot of abandoned Skype accounts with simple or unsecure passwords. The criminals gain access, change the linked e-mail and password so the original owner has no access, and can then sell or use the Skype credit. There are also several other reports of unauthorized Skype/Paypal charges on the Skype forums.

Lesson #2: Never use PayPal to buy things online instead of a credit card unless absolutely necessary, usually for eBay. The big thing is that Paypal is NOT regulated like banks or credit cards. There is no federal law that says you are not liable for unauthorized PayPal charges. Instead, they just claim that you are “protected” when in reality they have all the power to decide if you ever see your money again. I had to open a dispute with PayPal online as they don’t have 24/7 customer service (again, unlike credit cards). If I had just used a credit card, even if the number was stolen, I could be confident that I would get my money back in a timely manner. I’ve already had other bad experiences with PayPal, but we’ll see what happens.

Comments

  1. Wow, thanks for the heads up. Went in and had several (including skype) preapproved payments active as far back as 2010.

    Years ago(possibly 2006 or so) I randomly had a paypal account get frozen, it’s still frozen and I still don’t know why. Luckily I had no money in the account.

    • I guess your situation is similar to mine.

      Several years ago, PayPal contacted me via e-mail that it was changing its procedures and asked me to do something–I don’t remember exactly–something about verifying my PayPal account information online. I did nothing and since then my account was “frozen”. If I wanted to access my account, all I would need to do was to go to my PayPal account, agree on some kind of “terms and condition”, my account would become accessable.

      The point is, PayPal wanted to handle all the “agreement” things online (electronically). So, if we agree to handle things electronically, we need to go online. Otherwise, we have no access to the account–frozen.

  2. I usually use Paypal but the financing source is a credit card, that way I get the points that count towards cash and if there is any problem the credit card company will deal with it. I am sure if you file a dispute with Paypal (because Skype might not be so easy to contact, open a ticket they might respond in a day or two) Skype will understand and everything will be taken care of. As for subscriptions, sometimes they are just necessary depending on who you deal with and for what, typically, however they are not problematic. I get emails right away when any financial activity occurs for some that are not online every day I recommend not using these things at all!

  3. Similar thing happened to my Skype account in last November in $10 increments but my account had a limit of $10 per day. I filed a dispute with Paypal, and they credited the amount. Though I cancelled my future payments to Skype on 12/13/2013, I still see it as inactive on summary page. I cancelled recurring payments to Sugarsync annual subscription.

    • Hi Chandra,
      I’m wondering how you were able to ultimately cancel all of your recurring SugarSync payments – I’ve had a beast of a time trying to get them to stop charging me (all are unauthorized because they’re using an expired/cancelled card attached to an account I cancelled way back in 2012 so am looking for any advice to this situation. I’m reporting them to BBB right now but I this won’t stop them from hurting other people.

      THanks in advance!

  4. Jonathan, thanks very much for sharing this. Sorry for your experience; let us know how it comes out. I checked and found 4 of these “pre-approved payments” including eBay shipping and eBay seller fees. None of them had been used in years. I canceled all four. The eBay seller fees entry was the only one with a “billing limit” – - $300,000.00 USD (per month)!

  5. Thank you so much for sharing this. I found several active accounts with a very high billing limit per month. Cancelled them all. Thanks again for the heads up.

  6. Laurie Pysczynski says:

    THANK YOU! I checked mine and sure enough I had several “active” accounts in paypal preapproved payments! I cancelled them all. I love getting useful info. that I didn’t even know I was missing! Love your blog and all the PRACTICAL ideas!

  7. Paypal is a must on Ebay and I have used it on other sites when making purchases only when it really simplifies the checkout. Is there any safe way to use Paypal?

    Does a debit card have same protections of a credit card. I only use debit cards.

    By the way I didn’t have any preapproved payments set up in my Paypal. so that is good at least.

    • Using debit card is NOT as safe as using a credit card. When fraud occurs with a credit card, the credit card company is out of their money (you pay credit card balance later). With debit card, you are out of your money (from your bank account) so there is really very little incentive for a bank to spend their money to investigate your problem at that point. Also, most debit cards don’t offer warranty extension, price matching, and other similar benefits as credit cards do (or not to the same extend). Lastly, very few debit cards have award program to reward your spend in any meaningful way.

      ALWAYS use a credit card as long as you are disciplined to pay it off and not carry a balance.

    • I would say that not linking your primary bank account or one with a large balance would be the best idea, although it is less convenient. At least if something goes awry PayPal is just trying to suck money out of an unused, almost-empty account.

      Debit cards don’t have the same level of limited liability under federal law, so it is more up to the bank you use to provide refunds. They may be as easy to deal with as a credit card or they may not be. Paypal itself isn’t even a bank.

  8. Paypal changed their menus so you need to go to Profile, My Money, and then to the preapproved payments. FYI

  9. Thanks for posting this. I also had no idea this existed, but when I checked, I had a similar listing of merchants going back to 2008. You may have saved me some money and headaches. Thanks again!

  10. When using Paypal, the only safe way to make payments is via Credit Card. Should any dispute arise with the vendor you purchased products from, you have the ability to circumvent Paypal’s dispute resolution process thru your credit card company.

    I’ve heard too many horror stories of people getting held up/dealt with unfairly during their dispute resolution… after all, doesn’t Paypal want to encourage the vendors to stick around and accept Paypal instead of switching over to a different CC transaction company?

  11. Thanks for the heads-up, Jonathan! Just to clarify, the path to change these options in PayPal is My Account –> Profile –> My money –> My pre approved payments.

  12. I was just about to post what Andrew said – took me a bit to figure out how to find my pre approved settings. For me it is also under Profile –> My Money –> My pre approved payment

    Thanks for bringing it up, I never knew about these pre approved payments. I only use paypal for ebay purchases, too many horror stories otherwise.

  13. wow, the same thing happened to me yesterday morning; I got 5 emails from paypal saying that $20 had been charged to my account from itunes; I immediately called paypal and they cancelled the autopay from
    itunes, and reversed the charges; the CSR told me someone had opened an auto pay from itunes to my paypal account just that morning; today I went in closed some of the other autopay I had setup;

    I used to think that paypal was safer than credit cards, but not anymore; paypal is convenient but not that secured;

  14. Thank you Jonathan! I had Skype in my list and another company in my list and had no idea of the consequences.

  15. Holy Crap! Done!!!

    Woot could have charged up to $15K a month from my paypal account!!! Insane shiat.

    Thanks bro

  16. While I was updating my “preapproved merchant list” as you suggested I noticed another setting you might want to change. If you scroll your mouse cursor over “profile” a menu will pop up, select “update card.” Near the bottom of that page it will say “credit card preference.” Click “Turn on” This makes it so you have to log in every time a credit card is used through paypal. (I don’t think it works for debit cards or paypal balance.) You’re probably better off not having any debit cards in paypal though.

  17. I think I have new PayPal website, and the way to go per-approved merchants is like this for me:

    My PayPal -> Settings -> Payment preferences -> My preapproved payments

  18. Great post, we just corrected our paypal account just now. (changed password while we were at it)

  19. Jonathan, thanks for the information. My Paypal had COMPUSA.COM and Facebook Payments, Inc. I count myself lucky since that inactive facebook account has since been hacked and I cannot gain access to it (good riddance)

  20. Thanks Jonathan! I just removed my bank account from paypal. I forgot what exposure I had there.

  21. Thank you for reminding us about this one. I just checked on my Paypal account and cancelled my preapproved payments.

  22. I had one open pre approved from 2011, thanks for the timely message to check and close it. I’ll need another next year :).

  23. Thanks! I had numerous accounts listed. I was wondering why my account with Angies List was still active after all this time! They had been siphoning $10 out of my Paypal account. I buy/sell on Ebay and didn’t really keep a close eye on the money in that account. Good info!

  24. I have used Paypal for years and has no idea about preapproved payment! I just checked and see I have 4 lists there. I canceled them all. You save me some future headache. Thanks a lot!

  25. Had a similar instance several years ago, where several charges under recurring payments showed up. Contacted PayPal and they refunded the money, but I was still very concerned about security. You can request a Security Key Card for your account. They send you a physical card (the size of a credit card) that has a button on it that when pressed generates a unique security code (new each time you press button). You activate the card on PayPal, and then each time you log into PayPal, you are prompted to enter a security code after entering your password. If you use PayPal frequently, you might find the extra step to be a pain, but if you use it infrequently (as I do), but don’t want to give up the account altogether, it adds a layer of security that is worth the extra step.

  26. I also had my skype account hacked this month, with an moderately safe password so i suspect that someone found a vulnerability in skypes login system. In my case luckily the credit card associated with skype was expired so they couldnt charge anything, but they did change the email and password and contact some of my contacts asking for money.

    I would change your password for skype to be very secure or cancel your account and use something like google hangouts where the security is a few steps ahead of the hackers.

    Using paypal safely also looks hard.

  27. Paypal responded on 2/17. They deemed the payment “authorized” as opposed to authorized but they still refunded the payment this time. Definitely cancel those pre-authorization agreements!

    “Dear Jonathan Ping,

    We’ve finished our investigation into your unauthorised payment report.

    The payment was sent as part of a billing agreement and is considered to be
    an authorized payment. We have issued a refund of the payment. If this
    payment was sent using your debit or credit card, the refund is credited
    back to that card. If your bank account or the balance from your PayPal
    account was used the payment is refunded back to your PayPal balance.

    We suggest you contact the merchant to make sure your account with them is
    secure. You can also cancel the billing agreement linked with your PayPal
    account.

    To cancel a billing agreement:

    1. Go to http://www.paypal.com and log into your PayPal account.
    2. Click on ‘Profile’ near the top of the page.
    3. Click ‘My Money.’
    4. Click ‘Update’ near ‘My preapproved payments.’
    5. Find the merchant whose agreement you want to cancel.
    6. Select the merchant’s name or email address.
    7. Click ‘Cancel.’ “

  28. Joshua Katt says:

    As a merchant, I have to accept PP and have figured out the way to play it properly. Have your balance transferred nightly to a bank account automatically. If forced to pay for something through PP, first drain your account to zero immediately via manual transfer (midday), then CHANGE the funding source to a points rewarding credit card for the rewards and “double” protection. You must transfer it manually first then change the source (its pretty well hidden) to a credit card otherwise the payment will net against your balance driving any accounting nuts.

  29. aruba19 says:

    OOOOPS. Accidentally deactivated the wrong pre-approved payment and broke an account which needs that. Can’t find a way on PayPal to either reactivate it or delete it so I can set it up again. Anybody know how?

Speak Your Mind

*