Pages in topic:   [1 2 3 4] >
Beware of Moneybookers: they do not refund your money when it is stolen by hackers!...
Thread poster: Gaetano Silvestri Campagnano

Gaetano Silvestri Campagnano  Identity Verified
Italy
Local time: 15:20
Member (2005)
English to Italian
+ ...
Nov 3, 2008

On last 18th September 2008, while I was unfortunately not at home, a hacker stole 200 Euro from my account in Moneybookers, after being incredibly able to change my password without knowing it!... Indeed, if this hacker had known my password, he/she would not have needed to change it and use a new password to access my account.

This fraud clearly happened due to a serious flaw in Moneybookers' security, also because my password was quite complex and not very easy to guess, and I had never given it to anyone, nor, obviously, I had written it in any part of my PC, but I only kept it in my mind. Furthermore, I checked my PC very accurately, and no virus or Trojan horse was found.

Yet, notwithstanding all my complaints and inquiries, Moneybookers only refunded me the ridiculous amount of 37.72 Euro, and always refused to refurbish the remaining money, denying their apparent responsibility in the fraud, and even absurdly blaming me for that!

For this reason, I would like to warn all ProZ.com colleagues that have an account in Moneybookers to close immediately their accounts with that provider. Indeed, Moneybookers cannot guarantee the safety of their users' money, and, what's worst, they also refuse to refund the money when it is stolen by hackers, that take advantage of this provider's very weak security system.

Furthermore, I would be grateful to all the colleagues, specially those that may have had the same misadventure, if they could suggest a possible legal action (or hopefully, even a "class action") that could be taken against Moneybookers in order to force them to refund the money. For example, the guide to complaints, downloadable from Moneybookers Website, includes a link to the British Financial Ombudsman, the only authority recognised by Moneybookers in case of legal disputes:

http://www.financialombudsman.org.uk

Thank You Very Much in Advance to Everyone,

Gaetano

[Modificato alle 2008-11-03 10:30]


Direct link Reply with quote
 
FarkasAndras
Local time: 15:20
English to Hungarian
+ ...
- Nov 3, 2008


This fraud clearly happened due to a serious flaw in Moneybookers' security, also because I had never given my password to anyone, and my password was quite complex and not very easy to guess. Furthermore, I checked my PC and no virus or trojan horse was found.


Sorry to say this so bluntly, but: Oh really?

How do you know? Just because you didn't find a trojan doesn't mean there isn't one. There are a couple of different ways to steal a password.
It seems quite possible to me that someone stole your pw, then changed it while they figured out what to do with the account.

How much information did you manage to get out of Moneybookers? According to their records, did someone use your correct password? IP address? Time, location? What did they do with the money? There should be some way of tracking down where it went, moneybookers obviously knows where it was (first) sent.

Best of luck


Direct link Reply with quote
 

Mahmoud Rayyan  Identity Verified
Egypt
Local time: 15:20
English to Arabic
So sad for this bad news Nov 3, 2008

Actually I am so sad to hear that bad news and I wish you could find any solution to get back your money, but allow me to raise a question, how could this hacker stole the money, I mean can't you trace the last money action and discover to whom he send the money,
In your account you can only withdraw the balance to your bank account or send a credit to another mail or buy something (as far as I know) and we can eliminate the first option, then, can't we try to trace the money and get it back?
I know that my question might be naive but I am not an expert in such things


Direct link Reply with quote
 

Gaetano Silvestri Campagnano  Identity Verified
Italy
Local time: 15:20
Member (2005)
English to Italian
+ ...
TOPIC STARTER
It's Moneybookers' fault and not mine Nov 3, 2008

FarkasAndras wrote: Sorry to say this so bluntly, but: Oh really?

How do you know? Just because you didn't find a trojan doesn't mean there isn't one. There are a couple of different ways to steal a password.
It seems quite possible to me that someone stole your pw, then changed it while they figured out what to do with the account.


Hello Farkas

I am sorry that you share the same incredible statements that I read in the probably semi-authomatic replies that I received from Moneybookers: I had never imagined that a colleague that should know all the faults and problems of that provider would have spoken in the same way as Moneybookers's staff!!

It is clear that the fraud was due to the big flaws in Moneybookers' security system: all our colleagues that have an account in Moneybookers unfortunately know well the weakness of Moneybookers' Website, as you can read in some recent threads posted in this forum. And If I had known about these issues before undergoing the theft, I would have surely prevented it, transferring all my money to my bank account!...

Furthermore, I also have an account in Paypal: therefore, if the fraud had really been due to issues of my system's security, why I never had any problem in PayPal?

Finally, I find incredible that you also reflect the most absurd of all the hypotheses made by Moneybookers' staff: the use of my real password by the hacker in order to change it and have access to my account: apart from the fact that this is clearly the most illogical scenario, you probably did not read what I wrote in the beginning of my post:

Indeed, if this hacker had known my password, he/she would not have needed to change it and use a new password to access my account.


Regards,

Gaetano


[Modificato alle 2008-11-03 11:55]


Direct link Reply with quote
 

Gaetano Silvestri Campagnano  Identity Verified
Italy
Local time: 15:20
Member (2005)
English to Italian
+ ...
TOPIC STARTER
The whole story in detail Nov 3, 2008

Hello Mahmoud

To answer your questions, I will explain how things went in detail.

---

The day when I underwent the fraud, as soon as I went back home and turned the PC on, I realised that, about three hours before, Moneybookers had notified me by e-mail that my password had been modified successfully!... Those messages were followed by other e-mails, in which Moneybookers informed me that some attempts to access my account had been made. So I immediately tried to access my account, but I could not do it, being my password actually changed by the hacker. Therefore, in order to access my account, I changed my password again with the usual procedure, and, after been finally able to complete the login, I detected two unauthorised transfers of 100 Euro each, both towards the e-mail address of a Russian gambling Website... This hacker had been incredibly able to change my password without knowing it!... Indeed, if he/she had known my password, there would have been no need to change it and use a new password to access my account.

Consequently, I immediately sent an e-mail to Moneybookers' Security Department, asking them to write off those transactions and restore the relevant amounts as soon as possible. In their reply, Moneybookers' Security staff asked me to change my e-mail address and my password again, and to send them the scanned copies of my identity card and of another document with my postal address, e.g., a telephone bill. I did it very soon and Moneybookers promised to do their best to address that issue.

A few days later, I found a strange incoming transaction in my account: 37.72 Euro, from an e-mail address belonging to the same Russian gambling Website to which the fraudulent transfers had been made. Following my inquiry, Moneybookers' staff replied that the mentioned transfer had been made by the same Moneybookers, which were cooperating with the Russian Website (that I had believed to be an illegal site) in order to find the hacker who stole my money. Yet, they added that, for that moment, that small amount was the only one that they had been able to refund, and promised to restore the remaining amount very soon.

Nevertheless, almost 10 days passed and I received no further money on my account. After some new inquiries that I sent to Moneybookers, they incredibly replied that the very small amount of Euro 37.72 was the only one that they could refund, and that they could not restore the remaining amount of Euro 162.28.

For this reason I lodged a series of complaints and sent several messages to Moneybookers, in order for my money to be completely refunded, but they always replied that they could do nothing. Moreover, in more recent messages, they also absurdly added that the fraud was due to a disclosure of my password to other people, a fault in my PC's safety, a worm, Trojan horse or a reply to a phishing message, all things that are completely false...

Indeed, with these incredible statements, Moneybookers showed to completely ignore even what I had repeatedly explained them before, i.e. that I had not given my password to anyone, that my password was very complex, that I did not have any virus or similar in my PC in the period of the fraud, and that I am not so fool as to be swindled by a phishing message...

Besides, the hacker did not actually use my password, but even managed to change it to access my account, which clearly shows a big fault in Moneybookers' security, and their clear responsibility in this fraud...

In the meantime, I also realised that my account was blocked (Incredibly, this had not happened when the hacker entered the account, but now that the money had already been stolen...). Therefore, I repeatedly wrote to Moneybookers, in order for them to unlock my account, also reminding them that I had already sent them all the identity document that they requested. Finally, they unlocked the account, and I immediately transferred all the remaining money to my personal bank account.

Yet, in spite of this, Moneybookers went on refusing to refund the remaining stolen money, denying their very clear responsibility in that theft.

---

I hope that this explanation will help to better clarify the issue.

Kind Regards,

Gaetano

[Modificato alle 2008-11-03 11:35]


Direct link Reply with quote
 

José Henrique Lamensdorf  Identity Verified
Brazil
Local time: 10:20
English to Portuguese
+ ...
Moneybookers and online gambling Nov 3, 2008

Just FYI, I work for a very good translation agency in the USA. They are particularly flexible and interested in alternative payment options; always trying to find what's the most convenient method for each translator.

So one piece of information I got from them is that they cannot pay translators via Moneybookers, because their bank will not transfer any money there, since it's known to be connected with online gambling, and it's strictly forbidden by the bank's policies to have any connection with that.

If you need some evidence:
http://www.online-gambling-insider.com/online-moneybookers-casinos.asp
http://www.casinowatchdogs.com/Moneybookers-Casino.aspx
http://sunshine-slots.com/moneybookers-casinos.html

A Google search for [moneybookers online gambling] will produce 160,000 hits.

On a final note, I never had one red cent, either sent or received via Moneybookers.


Direct link Reply with quote
 

Lori Cirefice  Identity Verified
France
Local time: 15:20
French to English
e-mail hacked? Nov 3, 2008

Sorry to hear about that!

Now I could be wrong, I'm not familiar with Moneybookers security or password retrieval system, but it seems like perhaps it was your e-mail that was hacked, and not your Moneybookers account.

The hacker must have clicked on the "forgot my password" link from the Moneybookers login page, and then entered your e-mail address (the current password is not required in order to retrieve it, otherwise how would you have been able to change your password again later?)

Then they (somehow) hacked into your e-mail account and got the new password from the e-mail that was sent to you. This supposes that indeed the security on Moneybookers is low, if they give out new passwords by e-mail without requiring an answer to the "secret question" that some websites use (like my online banking service).

Even if I'm wrong, you might want to change your e-mail passwords as well, to be on the safe side.


Direct link Reply with quote
 

Samuel Murray  Identity Verified
Netherlands
Local time: 15:20
Member (2006)
English to Afrikaans
+ ...
Some thoughts Nov 3, 2008

Gaetano Silvestri Campagnano wrote:
Indeed, if this hacker had known my password, he/she would not have needed to change it and use a new password to access my account.


What if the hacker changed the password on purpose, to prevent you from accessing your account? It is not inconceivable that the hacker did know your password, and that he changed the password to give himself more time to transfer money from your account. Remember, by changing the password, the hacker prevents you from accessing your account and withdrawing your money to a safe place.

Furthermore, I checked my PC very accurately, and no virus or Trojan horse was found.


Trojans can delete themselves after they've served their purpose.

Also check your e-mail account and/or e-mail system for any suspicious forwarding or redirecting rules -- one way hackers get access to your stuff is via your own e-mail, if your e-mail program or system is compromised and forwards stuff (eg confirmation links typically sent when people change their passwords).


Direct link Reply with quote
 

Samuel Murray  Identity Verified
Netherlands
Local time: 15:20
Member (2006)
English to Afrikaans
+ ...
Gambling links Nov 3, 2008



None of those URLs prove anything. Those are gambling sites that use Moneybookers. Those sites are not affiliated to Moneybookers -- they simply use Moneybookers as you and I would use Moneybookers.


Direct link Reply with quote
 

Michele Johnson  Identity Verified
Germany
Local time: 15:20
German to English
+ ...
Hack cpanel/email account + delete evidence? Nov 3, 2008

Lori Cirefice wrote:
Now I could be wrong, I'm not familiar with Moneybookers security or password retrieval system, but it seems like perhaps it was your e-mail that was hacked, and not your Moneybookers account.


My thoughts exactly. Hack the email account, request a new Moneybookers password via email, once it arrives delete the message from the inbox to hide any traces and delay discovery. I'd strongly consider this possibility.

I see you host at proz.com? I assume the security of their systems has not been compromised but it might be worth asking. All the hacker would need is your login and password to http://www.yourdomain.com/cpanel - you're sure that password is adequately secure as well? Does proz.com allow you to change it to your own?


Direct link Reply with quote
 

Tom in London
United Kingdom
Local time: 14:20
Member (2008)
Italian to English
How people find out your password Nov 3, 2008

Gaetano Silvestri Campagnano wrote:

... This hacker had been incredibly able to change my password without knowing it!...


Gaetano, you should never type your password. Keep it somewhere else and copy/paste it when you need to.

There are people out there using keystroke logging software that can record every key you hit, and from this it's easy to get your password.

Just a handy tip


Direct link Reply with quote
 
Charlie Bavington  Identity Verified
Local time: 14:20
French to English
Logic failure Nov 3, 2008

Gaetano Silvestri Campagnano wrote:

Therefore, in order to access my account, I changed my password again with the usual procedure, and, after been finally able to complete the login, I detected two unauthorised transfers of 100 Euro each, both towards the e-mail address of a Russian gambling Website... This hacker had been incredibly able to change my password without knowing it!...


Which was exactly what you were able to do.
The "hacker" changed your password to one you didn't know.
By going through the "usual procedure", you were able to change your password from a password that you did not know to one that you selected.
That is, therefore, what the hacker must have done.
Therefore, the hacker must know the things that you need to know in order to comply with the "usual procedure".
I don't know what they are (don't use Moneybookers), but I would imagine it must be things like your date of birth, mother's maiden name, address/post code... all that kind fo thing.

Moneybookers are, I would guess, reasoning that if the hacker knew everything he/she needed to know in order to successfully change your account password (in exactly the same way as you did subsequently), the security lapse must be on your side.


Direct link Reply with quote
 

Gaetano Silvestri Campagnano  Identity Verified
Italy
Local time: 15:20
Member (2005)
English to Italian
+ ...
TOPIC STARTER
The flaw is on Moneybookers' side Nov 3, 2008

Charlie Bavington wrote:
Moneybookers are, I would guess, reasoning that if the hacker knew everything he/she needed to know in order to successfully change your account password (in exactly the same way as you did subsequently), the security lapse must be on your side.


I do not agree with this final statement, that could be even too convenient for Moneybookers (and for this reason they go on affirming it). If the usual procedure was so simple for the hacker, the security flaw was on Moneybookers' side and not on my side, also because this kind of information is stored on their site and it is up to the provider to avoid that everyone can access those data in my place.

This is also the reason why, on the contrary, as I also mentioned before, I never had any problem in PayPal, even if, in that site, the basic user procedures are essentially the same.

Gaetano

[Modificato alle 2008-11-03 15:19]


Direct link Reply with quote
 

Denis HAY  Identity Verified
Local time: 15:20
English to French
Exactly Nov 3, 2008

Samuel Murray wrote:



None of those URLs prove anything. Those are gambling sites that use Moneybookers. Those sites are not affiliated to Moneybookers -- they simply use Moneybookers as you and I would use Moneybookers.



I completely agree with Samuel on this. Not only those link don't prove anything, but you can find exactly the same kind of links for Paypal. Non-US Paypal users can also pay gambling sites. The restriction is only valid for US accounts.

Horror stories can be found on Paypal too. And quite easily at that. Searching for [Paypal online gambling] does even show a lot more than 160 000 hits…

And… Moneybookers, UNLIKE Paypal, is a financial institution regulated by the Financial Services Authority (FSA) in the UK.

Gaetano got shitty customer service to say the least. And there's little email exchanges can do in such situations. I would recommend him to contact British authorities and lodge a formal complaint on Moneybookers. If a robber robs a bank, do you expect the bank to tell its customers that they'll not get a refund?

On top of that, the security breach that allowed a hacker to directly get a password modification email has been around for quite a while and only publicly fixed recently, so yes, security breaches do exist with Moneybookers, just as with almost any other online banking system. The only annoyance here is that this known exploit required someone duly logged in on Moneybookers while browsing on a hacked site at the same time using another tab/page. But I guess that other exploits might exist.

My advice it to get to the authorities. You don't have to prove anything to Moneybookers, THEY have to prove it was you in the first place.

As a general rule of thumb, never leave your money on ANY web wallet system. Whether using Paypal or Moneybookers, as soon as your client's payment arrives, transfer it to your regular bank account in the next few minutes. Would you leave a wallet with bank notes in your front yard expecting no one to touch it?

Kind regards,
Denis Hay


[Edited at 2008-11-03 15:01]


Direct link Reply with quote
 

Katherine Mérignac  Identity Verified
France
Local time: 15:20
Member (2004)
French to English
But could a hacker get money out of your account? Nov 3, 2008

Denis HAY wrote:

As a general rule of thumb, never leave your money on ANY web wallet system. Whether using Paypal or Moneybookers, as soon as your client's payment arrives, transfer it to your regular bank account in the next few minutes. Would you leave a wallet with bank notes in your front yard expecting no one to touch it?


I fully agree, and never leave any money in my Moneybookers account, but I'm beginning to worry about the possibility of a hacker transferring money from my bank account. Moneybookers don't send e-mail confirmations when sums of money are transferred/withdrawn/uploaded, and so I wouldn't be aware of any 'theft' until it was too late. I've withdrawn my credit card from the account (despite the palaver of having it validated) for the same reason - but am now seriously considering shutting the account altogether and paying bank transfer fees if customers insist rather than risking leaving my business account in the hands of Moneybookers.

Are my worries unfounded?

K


Direct link Reply with quote
 
Pages in topic:   [1 2 3 4] >


To report site rules violations or get help, contact a site moderator:


You can also contact site staff by submitting a support request »

Beware of Moneybookers: they do not refund your money when it is stolen by hackers!...

Advanced search







TM-Town
Manage your TMs and Terms ... and boost your translation business

Are you ready for something fresh in the industry? TM-Town is a unique new site for you -- the freelance translator -- to store, manage and share translation memories (TMs) and glossaries...and potentially meet new clients on the basis of your prior work.

More info »
Wordfast Pro
Translation Memory Software for Any Platform

Exclusive discount for ProZ.com users! Save over 13% when purchasing Wordfast Pro through ProZ.com. Wordfast is the world's #1 provider of platform-independent Translation Memory software. Consistently ranked the most user-friendly and highest value

More info »



Forums
  • All of ProZ.com
  • Term search
  • Jobs
  • Forums
  • Multiple search