Monthly Archives: September 2013

Skype (in)Security

It had been a long time since there was a security breach on any of my accounts, but it’s now the in-thing for cyber security and it appears to be the Russians or at least someone pretending to be that is leading the charge.

A number of months back my Electronic Arts Origin account was hijacked, I suspect this was through something on the Origin website that just allowed a bypass into the account as I received no notifications aside from when my e-mail address was changed on the account. The bot or person then changed all the details and settings into Russian and did nothing else aside from remove my friends from the friends list. At that time I had very few games on there and no associated details, so I didn’t mind.

Before that happened the only security breach I had was in the days of using ICQ regularly when I was foolish to have the same password for it as I had set for a forum. I learnt then and kept everything separate since.

So wonder be to my surprise when I’m notified that my e-mail address for my Skype account was changed.

“Here we go again”

I’ve used this account for a long time, I haven’t used it on an actual computer for years and it resides on a Skype phone, a DualPhone 3088 now a 4088. Only I use the account and I don’t login to a computer for it, why would I need to? It has an auto renewing, auto filling skype subscription. It solved itself.

This is where it goes sour of course. I had it linked with PayPal. No sooner as I discovered my password had changed on the account and that the e-mail was changed that I checked my PayPal balance and, low, the “Russian” had pulled £90+ in Skype credit, but only onto the phone. Why? I’m not sure, there was a perfectly good subscription there.

So I attempt to recover from this; Skype do not have a phone number you can contact them on. They only have a ‘live chat’ for ‘premium users’, was I a premium user? I have no idea. So I managed to get through to a person whose first language was definitely not English (was it Russian?) who then proceeded to not grasp that the e-mail address on my account had changed and so just resetting my password wasn’t going to cut it.

At this point, might I add, that Skype’s recovery process entirely relies upon the thought that you only ever have one Skype account and that you’re able to access said account to report any problems in the trouble-shooting process before you even get through to an advisor. So I wasn’t a ‘premium user’ on the Skype account I could actually log in with.

While clarifying which account I couldn’t access and trying to get over the language barrier the person in control of my account had spent a further £20 bringing the total to over £100. I’m now thinking that the Russians aren’t entirely bright.

I answer the security questions and attempt to have my account reset, but all the while the advisor can’t confirm to me the e-mail address they’ve set it to, because of “security” and they can’t escalate the request to someone else (or won’t, I’m not sure). So I’m getting pretty frustrated and my “tokens have exceeded the amount given for that e-mail address” to be able to reset my password.

I’m forced to resolve to “contact us again in 24 hours, until then the account is suspended”. My cries of “which account and which e-mail address?” cannot be confirmed, for security reasons.

So, I’m sat here quite fraught with concern and so I decide to contact PayPal. Once logged into my account I find the contact details and there’s a number I can actually call (real people ahoy!) with a verification number so I don’t have to mess about. The menu system uses voice recognition so I don’t have to mess about with the numbers and I find that ‘claims and fraud’ line is only open until 8.30pm – well by now it’s quite late. Crap. So “Okay, let’s think about this another way” I figure. My Skype account was ‘linked’ to PayPal, surely they can severe the link?

Yes. This was the key, I got through to a nice pleasant person who was actually sympathetic, said they were going to severe the link now and push forward to Skype to refund my money. Though, sadly, they stated they couldn’t do a great deal because it was “completed” already. Still, I’m satisfied that the little Russian can’t take my funds any more.

A few hours pass and I get an e-mail through, it’s the password reset token. In Russian, then, in English. The delay only confirms to me that they’re having some great struggle. I can finally get into my account and it’s pre-loaded with £100+ and nothing else appears to be touched and no apparent calls made.

So I’m not entirely sure how they managed to get into my account as it wasn’t a compromise on my computer, I’m pretty certain. Of course my e-mail account is a suspect but it shows no sign of foul access and I go between various phases of obscure methods of security with it. However, while it was nice at the time to have my Skype automatically renew the Skype Pro subscription you can’t get any longer; I’m certainly going to revise the best practices.

Computing is still in its infancy and this was one, far too easy way to access my bank funds indirectly.

Maybe I can call my family in Australia?