Capitec/Paypal - Fraud/Scam/Stolen Money

Baaardman

Senior Member
Rating - 100%
13   0   0
Joined
Jul 6, 2018
Messages
101
Reaction score
58
Points
2,785
Age
33
Location
East Rand
Hi Everyone...

So I'm a little bewildered now and not really sure what to ask or what to do,
but hopefully by explaining and venting a bit I might get some answers..

I bank with Capitec, and I had a PayPal account that I hadn't used in a looong time...
In April, I was gaming and all of a sudden I got emails and SMSes stating that I had paid money to a "Mary Olsen" into PayPal from my Capitec account..

Hope this explanation makes some sense, but I don't even know how this happened...

The first two emails were from PayPal:
stating I added two separate bank accounts to my PayPal account..
Then I got three emails stating that I paid money into my PayPal from Capitec, and directly after that paid it over to "Mary Olsen".
The amount being 18 USD x 3...
Then SMSes from Capitec stating the amounts being deducted from my account...
Lastly I got an email stating that I closed my PayPal account...

All of these came through at pretty much the same time...
Thing is, I never approved any of the adding of accounts, transferring of money or closing of my account...

I immediately contacted Capitec and flagged it as fraud, which they then investigated and subsequently paid the money back into my account...
Thought that was it and that the fraud was picked up and rectified...

Now today I get a call from the bank stating that PayPal provided evidence that I did approve these transactions and that I will have to pay back the money that Capitec reimbursed me with...

But I'm so lost now...
The IP on PayPal's evidence that they provided is for Los Angeles, California, United States...
But the bank states that because my name and email are on the evidence provided, those transactions were made from my account and are thus valid,
PayPal does not use 3D authentication, so that is why I also never got any SMSes to approve before it was made...

I can't access my PayPal as the account has been closed, so I can't provide them with any evidence from there...

Can anyone please help me with just understanding what happened?

I don't even know where, how or when any of my details got out into the Interverse.. haha...

Hope this makes sense; if not I'm sorry, I will try and explain as much as I can if there are any questions...

Thank you for the long read if you got this far...
 
Personally I've never experienced anything like that or heard of it (yet).

But if I were you, I would start with Have I Been Pwned: check if your email has been compromised in a data breach and see whether any leaked info exists.
Now, check whether any of those websites has/had the same password as PayPal.
If any matches, then you know where the password was leaked.
If none, then it can be from somewhere else (now this is the tricky one..)

Also, you should have reported to PayPal as well, not just Capitec, that your account was hacked etc. etc. Obviously the hacker knows your 1. email (login details) 2. linked bank account (it is easy to see what bank or card is linked on the PayPal page).
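The reply above points at HIBP's email breach search and then suggests comparing the breached sites' passwords with the PayPal one. As an added example (not code from the poster or from Carbonite), the block below shows the mechanics of HIBP's separate Pwned Passwords range check, where only the first five hex characters of the password's SHA-1 are sent (k-anonymity) and the match is made locally, plus a small "which accounts share this password" comparison. The range body and the vault are constructed for the demo; the `api.pwnedpasswords.com/range/` endpoint is the real one but is not called when the block runs.

```python
"""Offline worked example of the Have I Been Pwned "Pwned Passwords" range check.

HIBP's k-anonymity API takes only the first 5 hex characters of the password's
SHA-1 and returns every suffix it knows under that prefix, so the full hash
(let alone the password) never leaves your machine. The sample range body
below is CONSTRUCTED for this demo: only the SHA-1 of "password" is real, its
count is made up.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to HIBP
    and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and CRLF."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.strip().upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in known breaches (0 = not found).
    fetch_range is injected so the check can run offline in this demo."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# CONSTRUCTED range body for prefix 5BAA6 (the prefix of SHA-1("password")).
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # "password"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call; the real API answers every prefix."""
    return SAMPLE_RANGES.get(prefix, "")


def online_fetch(prefix: str) -> str:
    """Live lookup (not used by the demo run); HIBP requires a User-Agent."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def sites_sharing_password(vault: Dict[str, str], site: str) -> List[str]:
    """Other accounts in a (constructed) vault that reuse `site`'s password:
    the comparison the reply suggests between the breached sites and PayPal."""
    target = vault[site]
    return sorted(s for s, p in vault.items() if s != site and p == target)


if __name__ == "__main__":
    print("password ->", pwned_count("password", offline_fetch))  # 3861493
    vault = {"paypal": "Winter2019!", "canva": "Winter2019!", "twitter": "x7!"}
    print("reused with paypal ->", sites_sharing_password(vault, "paypal"))
```

Swap `offline_fetch` for `online_fetch` to run the same check against the live service; a hit means the password has been seen in a breach and should be retired everywhere it was used.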
 
Thanks, just checked the site..
It gives me the following:

Oh no — pwned!

Pwned in 6 data breaches and found no pastes (subscribe to search sensitive breaches)

Does that mean my email is out in 6 places?
Guessing that would be the list of names that pop up underneath?
1. Anti Public Combo List - Date: 2016
2. Canva - Date: 2019
3. Data Enrichment Exposure From PDL Customer - Date: 2019
4. Onliner Spambot - Date: 2017
5. Twitter (200M) - Date: 2023
6. Verifications.io - Date: 2019

Looking at that it would seem that it was leaked from Twitter?

I have changed my email password since then, not sure if that will help?

I should have contacted PayPal, but having my account closed I can't log in to get contact details, and the 1 402 517 4519 number you get when Googling it does not work...
So dumb me just left it...

Any advice on securing myself any better?
Or handling that list of items?
 
If you used the same password on any of those 6 accounts as on your PayPal account - that is how they got in.

They don't care about your data on those random sites. But they will try the password they cracked on sites where they can get money out of you.

If you're using the same password on multiple websites - that is the hole in your personal security. You need to use different passwords for each site. Consider a password manager, look up which ones you think will work for you, it's worth a Google and an afternoon of reading.
 
Was just discussing the password manager with a colleague..

Sjis, I always thought I was so smart with this type of stuff, but realising now that 2000 and 2023 are far apart, so I need to get educated as I was blissfully ignorant.

I'm not even sure what my Twitter account is as I don't use it, but can imagine it was the same as all the others...
Just tried to log in and it states the password is incorrect, so it seems it was in fact not the same as the others..
FML...
 

As @goldfritter says above.
Plus, this is not just your email address, it can be any data, from passwords to phone numbers etc. etc. It could have been encrypted data, but sometimes they use a shitty one and it can be cracked easily.
 
Was the Capitec account already linked to your PayPal, and how was it linked? If you linked with a card and your card has expired since then, you shouldn't be able to get any transactions on that card. If you linked your Capitec account directly then unfortunately it's school fees: the hackers simply hacked your PayPal, nothing needed to be done on the Capitec side.
 
Seems like I need to educate myself..

Just regarding the password manager,
if I use that, would that not open me up to some trouble if that gets hacked?
Meaning they will be able to get that password and access that account and then get my passwords to all the other accounts?
 
That is the thing, I don't even remember ever linking the Capitec account to my PayPal?
Capitec I opened in 2020ish and as far as I am concerned it was never linked..
PayPal I used to buy drone parts from China way back in 2018 or so, when I was still using FNB...

But apparently Capitec was linked?

It is school fees as you say, that is very true...
Cancelled the card since then and got a new card....
 
You mean, like what has already happened now? :)

Password managers tackle this problem by having high standards of encryption - higher than normal websites. There's still a single point of failure but it's a much stronger point, stronger than reusing a password everywhere - assuming your master password is very strong.

Another option, legitimately, is to write your unique passwords on a piece of paper that you keep with you at all times. Still a single point of failure but this way it can't be hacked remotely.

In a perfect world you'd have a unique 25-digit password, consisting of a completely random jumble of letters and numbers and symbols, memorised in your brain, different for each site. But that is generally impossible unless you're a super genius.

This marks the end of my experience in cybersecurity. From here you'd have to get info from cleverer people than I.
 
2FA saves you cash in the long run. I’m pretty sure PayPal has that.

Don’t use the same passwords for all sites. I generally use bullshit passwords for sites that have no financial risk.

For anything to do with finance, have the maximum security you can have enabled and create different passwords for different sites.
 
Hahahaha, exactly like what happened here,
but I like your idea of having a paper or something with the password on it that is only used for that manager, thus eliminating the chance of having it leak online....

Honestly though I was pretty secure but ja, TOE NOU NIE...
 
Started doing this after my oepsie now...

Anything with money involved changed to something other than my FB or Reddit login...
hahaha...
 
Capitec needs to provide you with the evidence.

Ask them to prove that your card was legitimately used.

Also, did the caller prove to you that it's Capitec who is actually calling?
 
They did yes, got emails and all that from Capitec with ref numbers and all, I did ask them to call me so I'm pretty sure it was Capitec,

Main thing is that there is no authentication process from PayPal's side to me, and thus whoever did this was able to go ahead and do as they pleased...
 
Capitec are the biggest thieves, stole 50k from my cousin, and that money was on fixed deposit. A week before the expiry date they bought 10k airtime vouchers etc. from that account, which should be impossible. But the case has been opened twice now and they keep closing it saying she bought the vouchers.
 
For Password managers, you have two options - online and offline.

I have zero trust in online options. All you need is for a breach and then the attackers have ALL the accounts that you're linked to and you are in proper trouble [e.g. the LastPass breach last year: Yes, It's Time to Ditch LastPass].

These services are a high-value target, so they are undoubtedly under CONSTANT attack. And quantum computing will make cracking the encryption trivial.

My approach is the offline version with a manual 'sync' to my mobile device. I use KeePassX and have a mobile version to reference passwords on the go. The list is mastered on my PC and backed up locally. If my phone is 'liberated', no problem - they can't access the store, and even if they could eventually access it, I have the list of accounts that need password changes on my PC. I've had this strategy for a few years now and I'm amazed at how many passwords I have stored. The app generates a random password so I don't have to remember any [except the one to the keystore].

Don't forget to add your password to the keystore into your will/keep a copy with friend/lawyers, etc. This will allow loved ones to access accounts to cancel subscriptions and update details. Without the file it is useless and if you want, you can split the password into two to spread your risk....
 
I have been using a password manager in conjunction with 2FA for a long time now. Initially, it takes some getting used to, but now it is second nature for all my accounts.

I genuinely only know one password, and that is my master password, which I change three or four times a year. When I do, I write it down for my wife in a file that is kept in a safe. I have a copy of my latest encrypted KeePass data on two USB sticks, on our separate keychains, my phone, and one cloud copy on Google Drive, which she has access to. When I die, she can easily access all my accounts (strictly speaking, she can do it whenever she wants, I guess...).

Password Manager: KeePassXC (it's "FOSS," and I like that it is not cloud-based. I use it with a strong master password).

Tip: A strong master password is a long password. Leetspeak, numbers, and symbols do not really help. For example, "B04tSm@n!" might seem strong, but with today's computing power, it should not take too long to crack. In comparison, "sixty-nine bottles of beer on the wall" will take a lot longer to brute force. Personally, I also stay away from phrases that could possibly be guessed, so I try to randomize it a bit, like "dog nuts brains monkey doodle bible manual KTM."

Accounts with sensitive financial or personal information have their passwords updated every three months with passwords that are 30+ characters long, generated by KeePassXC (banks, SARS, Medical Aid, PayPal).

Do not reuse passwords!

A few years ago, I bet a colleague that I could probably access at least a few of his accounts if he left his PC unattended for two minutes. He stepped out for two minutes. All I did was open his web browser password manager file (I think it was Firefox), where he had his Google account login stored. Although it was a strong password, he reused it on essentially all of his online accounts... Long story short, he was shocked when I accessed his email, all his social networks, etc. He changed his approach to his passwords since that day. If you use different passwords for all your accounts, you at least reduce the threat of a vectoring attack and compromising all of your accounts. I would never describe myself as an IT boffin (I'm good at Googling and following instructions), so if someone like me can pull off something like that, it scares me to hell what a committed threat actor would be capable of.
 
The card was legitimately used. The card details were not compromised; the PayPal account was. PayPal is essentially an escrow service; as the merchant they have no reason to accept liability.
If OP's card was used on someone else's PP account then from the bank's POV that would be fraud.

I've learnt not to expect much from Capitec (it's a R5 account after all, but with a lot of value IMO). When an actual credit card has a fraudulent transaction, it gets treated very differently because it's not your money, vs Capitec's debit card.
Also 3D Secure, or whatever the new marketing term is, is only a requirement for SA merchants.
I think PP does it when you first add the card, or that bank statement transaction code thing, but not after; it would make subscriptions very painful.

26 trillion years will do for now...

[image: security.png]

Kinda obligatory

You need to stop thinking "how do I prevent being hacked?" and get to the point where, when you do get hacked, you're "I'm not even mad, I'm impressed."
Making a process more secure makes the experience more painful. Using BitLocker means manually typing in the recovery key to get into safe mode etc.
Performing a SIM swap won't get you into my phone, which requires a factor that isn't SMSed. Compromising my phone won't get you into my bank account, which requires a hardware token (Capitec value).
Having a long password + 2FA won't stop session hijacking.

I really dislike the term 'master password' when it's more of a secret. You can reset a password, you can't reset a secret. There are tons of support threads of users who didn't RTFM and back up their recovery codes for OTP 2FA.
Instead of typing in the master password, which can be keylogged, you can use a biometric factor like Windows Hello or TouchID, which is normally tied to the device, to perform the decryption, so the secret doesn't get leaked.

Since this is Carbonite and you need a key, get a Yubikey: https://carbonite.co.za/index.php?threads/yubikeys-now-with-iphone-support.451437
Treat it like a car key, get two. The one you actually use and a spare.
Like an actual key, you need to have it with you and physically use it, hence it can't be compromised remotely like an OTP. To the uninitiated it looks like a flash drive, and without knowing the PIN it's useless.
 
My password recommendation:
I have a fairly long default password of a couple of semi-random letters. Then I just add the first and last letter of the website to the end.
So for example hapibdy2u (happy birthday to you, easy to remember, and obviously this is not it) and this website is carbonite.
So I would make this website's password Hapibdy2uce. Which sounds random, is long enough for a brute force to not easily hack, and every website is unique. Any automated bot using the list will just try all the emails/passwords. Not like a person sits there and looks at every password.
And yet I can remember it for every website. And of course 2FA where I can.

Also:
[image: security.png]
 
Thanks for the decent reply, I will work through this and learn from it. hahaha..

Really thought I was "smart" enough to not have this happen to me, but now I realise I'm just a small fish in a big ocean of sharks...
Also makes sense that they don't care about debit cards as it's not their money being spent, but ja...

I was so surprised at the efficiency of the process of "hacking" and stealing..
Just the fact that they closed my PayPal makes it soooo much harder to do anything about it...

Really smart of them...
 
A few years ago, I bet a colleague that I could probably access at least a few of his accounts if he left his PC unattended for two minutes. He stepped out for two minutes. All I did was open his web browser password manager file (I think it was Firefox), where he had his Google account login stored.

Well, that's one of the worst mistakes for cyber security: storing your password on a public PC that has free physical access. If the device is not in your ownership and control to dictate how it should be used, it's in the public domain. Even devices in your control are not 100% secure if you allow people to have physical access; it's called an evil maid attack.

 
