Remembering when hackers stole from our savings account

A hard lesson learned about the importance of 2FA.

Rocket Apps Blog: Remembering when hackers stole from our savings account

Allow me to paint a picture.

Many years ago, late one night, my wife and I were sitting up in bed using our respective devices when we were hit with the familiar PayPal notification and accompanying ping sound. I swiped it away without looking, assuming it was either just another software sale notification from the website, or her managing our financials as she often does (I affectionately call her the CFO).

She queried:

“Did you just transfer $500 to someone?”

“Ah, no?”

*Ping*

“Well, someone did, and another $500 just now”

“What?!” I jumped out of bed and dashed into the adjoining study to turn my PC on.

*Ping*

“Another $500!”

“I know – I heard it too!”

With the PC still booting while I was simultaneously freaking out, it occurred to me that I didn’t have enough in the PayPal account to cover what was being stolen, so I figured the funds were probably being siphoned from our connected bank account. Recalling a feature on the banking app that lets you block access to your account, I opened it and enabled the block feature just as my PC finally booted.

We didn’t hear the “ping” sound again, and we were relieved that the terrifying drama appeared to have come to an end. But we were also shaken by the realisation that if we hadn’t been awake and able to react quickly, our entire savings would have been stolen. It still makes me feel sick in the stomach thinking about it today.

Immediate aftermath

I logged into my PayPal account, changed my password, logged back in and started looking for anything suspicious. Checking my transaction history revealed that indeed three lots of $500 had been transferred to a PayPal account belonging to a Danica Cochrane, a name I had never heard before and that was now also in my PayPal contacts list.

I contacted PayPal and was eventually paired up with one of their digital forensics experts. After explaining what had happened, he promised to investigate and get back to me. A day later we were in contact again but the news was not good.

According to his research, the transaction was initiated from my IP address and my PC. I said that was impossible because my PC was off at the time, and I know this for a fact because I had to turn it on as the drama was unfolding. I said I could even provide a Windows log file to prove it. But apparently it was not necessary to continue with the investigation, because they had already concluded that I or someone else had transferred the funds while logged into my PayPal account from my PC. Basically, either I was lying or I was unaware. Either way, it was not PayPal’s problem. Also, the recipient’s PayPal account no longer existed, so that looked suspicious from a money laundering perspective.
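The “Windows log file” mentioned above is the kind of evidence a forensic reviewer would actually want: the System event log records every boot, shutdown and resume, so a claim that the PC was off during a given window can be checked against the machine’s own record. The following PowerShell is an added example written for this page, not something the author or PayPal used; the time window (`$From`/`$To`, here the last seven days) is an assumption to adjust to the period in dispute.

```powershell
# Added example (not from the original post): list boot, shutdown and resume
# events from the Windows System log so a claim such as "my PC was off at the
# time" can be corroborated. The window below is an assumed placeholder.
$From = (Get-Date).AddDays(-7)
$To   = Get-Date

# Providers whose events mark power-state changes. Event IDs:
#   Kernel-General 12/13      = OS started / OS shutting down
#   Kernel-Power 41           = rebooted without a clean shutdown
#   EventLog 6005/6006        = event log service started / stopped (boot / clean shutdown)
#   Power-Troubleshooter 1    = system resumed from sleep
$providers = @(
    'Microsoft-Windows-Kernel-General',
    'Microsoft-Windows-Kernel-Power',
    'EventLog',
    'Microsoft-Windows-Power-Troubleshooter'
)

$filter = @{
    LogName   = 'System'
    StartTime = $From
    EndTime   = $To
    Id        = 12, 13, 41, 6005, 6006, 1
}

# Filter by provider after the query so a generic Id like 1 is not matched from
# unrelated sources, then print a one-line timeline ordered by time.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -in $providers } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName,
        @{ Name = 'Event'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# Preserve the raw log before anything else touches it, so the timeline can be
# re-examined later (wevtutil is built into Windows).
wevtutil epl System "$env:USERPROFILE\System-export.evtx"
```

Read the output as a timeline: a shutdown (13 or 6006) followed by no start or resume (12, 6005 or 1) until the moment the machine was switched on during the incident is exactly the gap that supports “the PC was off”. One caveat worth knowing when a provider says a session came “from your IP address”: a public IP address identifies the household’s internet connection, which every device behind the same router shares, not one specific PC, so the event log is the stronger evidence about what that particular machine was doing.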

The next day I had a similar conversation with a digital forensics person at my bank, and he concluded that everything looked legit at their end and there was nothing they could do.

I won’t go into the details of my many attempts to appeal both decisions; suffice it to say that was that. We were down $1,500, but if the timing had been different, they would have completely wiped us out. The only good thing that came of it was this cautionary tale.

Who is ultimately responsible?

It’s easy to argue both ways: either the bad actor is responsible or I am. Ultimately I accepted that if I had had 2FA enabled, this wouldn’t have happened. I can’t explain why it wasn’t enabled, other than that at the time I confidently believed a very long and complex password was good enough, and the additional step of having to enter a 2FA code was an inconvenience I didn’t need. Ignorant, I know.

But even if I had 2FA enabled, that still leaves one question: how did they get my password in the first place?

I don’t think I’ll ever have an answer to that question, and given that the PayPal forensics guy insists it all occurred on my PC, I could only operate under the assumption that it had some form of malware. And maybe my PC was turned on remotely while I was in bed, and then shut down before I noticed. It seems highly unlikely, because my wife and I both would have heard it (there’s a very loud fan noise when it first turns on) and noticed the light emanating from my monitor. I’ll concede that during the initial panic, maybe we just didn’t notice. I’d still say there’s less than a 1% chance of this being the case.

Without even bothering to do a malware scan (I was only using Windows Defender at the time), I threw in a new M.2 drive, installed a fresh instance of Windows 10 and purchased some proper malware protection (Bitdefender).

For good measure I also did the same for the other PCs in the house and changed our Wi-Fi passwords.

And of course, I enabled 2FA on my PayPal account and made sure my wife and kids enabled it on their PayPal accounts too, and on every other account I have where the option exists.

Lesson learned

Don’t be a fool like me. If the option is available, enable 2FA or MFA on all your accounts, especially ones that are connected to your finances. Trust me, you’ll sleep better.


Mike Ott

Michael is a veteran developer, web designer, usability evangelist and product engineer, a former long-serving judge for the annual Australian Web Awards, and a card-carrying geek.