sschluet wrote:
To warn you all.
We just had a very serious situation caused by the PayPal system.
It seems that some criminal individuals used some hacked PayPal accounts to load credit to accounts created in my a2billing. They used faked names and addresses (I guess). But just one email address.
In total they loaded 400 Euros and used about 200 Euros in the next few hours. They used the web "phone-to-phone" method to call several numbers in Liechtenstein?!?!
Naturally the owners of the paypal accounts blocked the payment and paypal started a conflict.
So the incoming money was frozen.
So I called PayPal. But they told me that the customer will be refunded and the money for me is gone as I sell immaterial goods.
But I had significant costs as my credit at my wholesale account is down now!
Finally I decided to deactivate PayPal for now, because there is no possibility to avoid this situation as the PayPal accounts were real and valid! And I have no chance to check if they are hacked or not.
I asked PayPal for a fair solution for both, but I really think that they will leave me alone with that!
Now I am thinking what is best to do! I guess a really important thing is to adjust a2billing to check the email address during the signup process if there is already a registered user with it (no double used email addresses).
I also will reduce the credit amount for PayPal to 10 Euros.
AND: I guess the best thing would be to check the PayPal account against the email address of the customer. (I know that then people with a different email address than the PayPal registered one can't pay, but that's worth it.)
But until now I am not sure if I'm willing to give PayPal a second chance!
so far....
Sebastian
Dear Sebastian,
We had exactly a similar case, however to me it sounded like a person tried to either damage our company's funds or tried to send traffic to Sierra Leone telecom.
They used a hacked PayPal account and they also used a faked email address.
I think for security reasons we must have a couple of options to avoid this.
- The PayPal account and the email registered on the account must be the same, so we know for sure it is not just PayPal hacked; also the email is verified.
- The number of call-backs through the web must be limited.
- We had to choose simultaneous-call enabled because a single call always went into error and a2billing was not properly detecting it, so the person made 70 simultaneous calls.
- I wish we could limit that. And if a user uses more than X amount of credit per hour, we must receive an alert.
We have hired two PHP programmers to help us and I hope we can contribute back to the project.
Regards
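The two alerts proposed in this thread (a card spending more than X credit in one hour, and a card placing many simultaneous calls) can be checked offline against call records. The following is an added example, not a2billing's own code: it runs over a few constructed call-detail rows (card id, start time, duration, cost, dialled prefix), computes the largest spend in any sliding one-hour window and the peak number of overlapping calls per card, and flags cards that exceed configurable limits. The thresholds and record layout are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample call records (not real a2billing data).
# Fields: card id, start (UTC), duration in seconds, cost in EUR, dialled prefix.
SAMPLE_CDRS = [
    ("card-1001", "2009-05-01 10:00:00", 300, 1.20, "4917"),
    ("card-1001", "2009-05-01 11:30:00", 240, 0.90, "4917"),
    ("card-2002", "2009-05-01 10:00:00", 1800, 25.00, "423"),
    ("card-2002", "2009-05-01 10:00:05", 1800, 25.00, "423"),
    ("card-2002", "2009-05-01 10:00:10", 1800, 25.00, "423"),
    ("card-2002", "2009-05-01 10:40:00", 1200, 20.00, "423"),
]

def parse_cdrs(rows):
    """Turn raw rows into dicts with absolute start/end timestamps."""
    calls = []
    for card, start, duration, cost, dst in rows:
        t0 = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        calls.append({"card": card, "start": t0, "end": t0 + timedelta(seconds=duration),
                      "cost": cost, "dst": dst})
    return calls

def max_spend_in_window(calls, window=timedelta(hours=1)):
    """Largest total cost of calls started within any sliding window (two-pointer sweep)."""
    calls = sorted(calls, key=lambda c: c["start"])
    best = running = 0.0
    j = 0
    for i, call in enumerate(calls):
        running += call["cost"]
        while calls[i]["start"] - calls[j]["start"] > window:  # drop calls that fell out of the window
            running -= calls[j]["cost"]
            j += 1
        best = max(best, running)
    return round(best, 2)

def max_concurrent(calls):
    """Peak number of overlapping calls: sweep start (+1) and end (-1) events in time order."""
    events = [(c["start"], 1) for c in calls] + [(c["end"], -1) for c in calls]
    events.sort(key=lambda e: (e[0], e[1]))  # at the same instant, count an end before a start
    peak = current = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak

def flag_cards(rows, spend_limit=20.0, concurrency_limit=2):
    """Return {card: [reasons]} for cards that exceed either assumed threshold."""
    by_card = defaultdict(list)
    for call in parse_cdrs(rows):
        by_card[call["card"]].append(call)
    alerts = {}
    for card, calls in by_card.items():
        reasons = []
        spend, concurrent = max_spend_in_window(calls), max_concurrent(calls)
        if spend > spend_limit:
            reasons.append(f"spent {spend:.2f} EUR in one hour")
        if concurrent > concurrency_limit:
            reasons.append(f"{concurrent} simultaneous calls")
        if reasons:
            alerts[card] = reasons
    return alerts
```

In a live deployment the same two functions would run on a schedule over the recent CDR table, with the alert feeding an e-mail or a card lock rather than a returned dict.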