For Sale Beware, Buyers - Account Takeover?

[ic-racer]

In this particular case, it looks like the member whose account was hacked hadn't been active on Photrio for two years.
That leads me to the suggestion that if you are concerned, check the seller's recent activity.
In addition, and the rangefinder aficionados can correct me if I am wrong, the sale listing looked to me to be too good to be true.
And you know what they say about things that are too good to be true...

Ok, I see.
Also, correct me if I am wrong, but the only way to 'hack' an account is to guess the password, right?. Photrio does not have an accessible 'back door' to everyone's passwords unless they guess Seans administrator password, right?

 

[markjwyatt]

If they insist on Friends and Family and you want to test proceeding forward, just say, I will pay normal, but add the N% into the payment. See how they react. If they refuse this, then it is not the fee they are after.

 

[4season]

I didn't even think to check serial #s but if you're referring to the ad I think you're referring to, the camera + lens looked very similar to one that I purchased from someone here back on September 2, 2020, right down to the tiny wrinkle in the shutter curtain. I think I got a good deal, but not $100 good. Serial number of mine is ****78 for the body, ****56 for the lens.

 

[mshchem]

If they insist on Friends and Family and you want to test proceeding forward, just say, I will pay normal, but add the N% into the payment. See how they react. If they refuse this, then it is not the fee they are after.

Good idea. I think the fees are something like 3% if not using credit card.

 

[Auer]

https://www.ncsc.gov.uk/blog-post/the-logic-behind-three-random-words

 

[beemermark]

I use F&F a lot - if I trust the buyer. But curious, if you buy something from a non-business using the regular payment method are you protected. I'd like to hear from someone that bought used gear from a seller and was ripped off, then made good through PayPal.

To the OP, I collect firearms and the top auctions site is Gunbroker.com. Over the last year the scams have over taken the web site as to were most people will no longer do business there. Not only are accounts hacked (i.e. seller has high feedback but is not the real seller) but actual photos and descriptions are lifted from other sites. The scams are beautifully done and I almost got snookered on a $3K Colt SAA. But when the seller asked for PayPal F&F that's when i started asking questions. Seller even sent me a photo of his store in Long Island that wasn't really his store. Bottom line is be weary doing any business on the web. It's sad.

 

[janew]

I, for one, am surprised that you can’t really dispute a PayPal payment sent as Friends & Family. At least PayPal has sided with the fraudsters up to this point.

You can't dispute anything with Paypal. I'm convinced that Paypal's customer service is a very shoddy AI -- you're on your own with them.

 

[Sean]

Hi All, this has been a very rare thing to happen. Since 2002, I may have seen this 2 or 3 times max. We do have 2-factor Authentication for Photrio if it worries you (as seen here):

We got onto this pretty quick and got the hacked account locked out. I also went through any PMs and contacted those the scammer had contacted.

This type of scam usually happens (unknown in this case) when someone uses the same password for multiple sites. It just takes one of those sites to be hacked and a hacker obtains your "common" password that you use everywhere. They then try that password against email accounts (gmail, etc) and gain access to your email. They then use your email account to find scam opportunities.

Best basic advice is to use different complex passwords for every site, and also to use 2 factor authentication when it's available.

I also never use any type of payment method with risks. I'll use regular paypal, or an escrow agent etc. A huge red flag is usually some sort of odd ball payment method + a deal too good to be true.

 

[AgX]

We do have 2-factor Authentication for Photrio if it worries you.

How does this work? I look at it and do not understand your wording.

 

[Sean]

How does this work? I look at it and do not understand your wording.

It's basically the same with any 2FA site. I use this app: https://authy.com

once you have the app, on the Photrio verification page select enable "Verification Code via App" then use the Authy App to set it up.

The app generated a random changing code. So if your password gets leaked, the hacker still needs your app code to login.

 

[AgX]

But on that Photrio menu to my understanding it says it would work without an App too.

 

[Sean]

But on that Photrio menu to my understanding it says it would work without an App too.

It can send a code to your email, but if your email is compromised the scammer will obtain the code there. So email method has never been my preferred method, but it's better than nothing.

 

[AgX]

Now I understand.

 

[jeffreyg]

You might ask the seller to post different views or documentation of the equipment that are not currently on the original post. They could search the net for such views but the background might not be the same raising a red flag..

http://www.jeffreyglasser.com/

http://www.sculptureandphotography.com/

 

[Vaughn]

I, for one, am surprised that you can’t really dispute a PayPal payment sent as Friends & Family. At least PayPal has sided with the fraudsters up to this point.

Unfortunately the 'victim' is also committing fraud against PayPal by using F&F, so why should Paypal reward (side with) either side?

 

[rknewcomb]

You can't dispute anything with Paypal. I'm convinced that Paypal's customer service is a very shoddy AI -- you're on your own with them.

1) I have had Paypal help me several times when a seller (not here on Apug) did not send the item purchased. Paypal has been very good !

2) Paypal provides a service for a modest fee. If one uses the Family & Friends method of payment to avoid the fee during a transaction purchase that is stealing pure and simple. Don't you like to get paid for work services that you provide?

 

[removed account4]

Unfortunately the 'victim' is also committing fraud against PayPal by using F&F, so why should Paypal reward (side with) either side?

+1

 

[pentaxuser]

Ok, I see.
Also, correct me if I am wrong, but the only way to 'hack' an account is to guess the password, right?.

This prompts me to ask a related question: If a member does not use his password each time to login in but is always logged in is that actually an extra safeguard or does it make no difference or make it less secure?

Thanks

pentaxuser

 

[peoplemerge]

Unfortunately the 'victim' is also committing fraud against PayPal by using F&F, so why should Paypal reward (side with) either side?

Ah so we blame victims now? Yes I should have been less hasty and asked more questions first (I had a screaming toddler's bedtime distracting me). Mea culpa. As I mentioned previously, I've made friends here on Photrio dating about a decade. How am I committing fraud?

If one of you used the same password here (without 2fa) as at least one more website, there's a good chance your password is on one of these long lists hackers have put together that they try on every website until they get a hit (I presume that's how they got in). Any of your friends and acquaintances on Photrio can be defrauded thus. Tut, let's not lock them up just yet.

2) Paypal provides a service for a modest fee. If one uses the Family & Friends method of payment to avoid the fee during a transaction purchase that is stealing pure and simple. Don't you like to get paid for work services that you provide?

Ah, yet PayPal is amply paid as it is. For sending $100, I am charged $8.19 to pay with a Visa card (I had figured another layer of protection is good = yes, I'm disputing that charge). It would have been $4.09 through a checking account. This is vastly more than what PayPal pays Visa. One service they provide is fighting fraud, which they are required to do by law. Those of us defrauded just asking them to obey the law and common sense in preventing themselves from facilitating fraud. They will.

I have no problem taking some of my time fighting this. I do so partly for your benefit and for the safety of our community.

 

[Vaughn]

Not blaming the victim -- I am saying the 'victim' also broke the rules, yet expects to pay no penalty for doing so. You are playing the victim. Stretch the concept of 'friend' all you want, I certainly do not expect Paypal to buy it.

 

[peoplemerge]

Thanks. I agree there is gray area. But I've had people meet me to school me on film, and I've had people from here at my house. I admit I've never met the owner of the hacked account in person.

The penalty I'm paying is the hours of paypal calls, FBI forms, possibly reporting via local law enforcement, away from my family, the anxiety, etc. I don't have a problem paying an $8. I would like to get my $100 back, but if I don't, I accept it as the price of my PayPal training (grin).

I certainly don't want the thief to get it. That would put you all at risk if I allowed that, it would advertise we are easy targets here.

 

[BrianShaw]

People merge… that’s a basic tenet of American law… not victim blaming. Ask Judge Judy, or Judge Milian, or Judge Jerry, or

Vaughn is probably correct that if PayPal knew money was sent to a “friend” in exchange for merchandise advertised for sale then it would be viewed very differently than, say, sending money to a friend who is splitting a bar tab with you.

Please keep us informed of your progress. I really do understand how difficult it is to get screwed like you did.

 

[pentaxuser]

It can send a code to your email, but if your email is compromised the scammer will obtain the code there. So email method has never been my preferred method, but it's better than nothing.

There are some us who have never used such a thing but looking at the video I take it that any mobile phone will do? When you attempt a login the auty site appears to send a message to your phone that asks you if you are attempting to log in?
If I have got this right then it wasn't clear what you do then. It looked as simply as texting Yes or pressing a button on your phone keypad but this is an assumption on my part as it wasn't clear to me.

Can you or some other knowledgeable person clarify matters for me

Thanks

pentaxuser

 

[removed account4]

Thanks. I agree there is gray area. But I've had people meet me to school me on film, and I've had people from here at my house. I admit I've never met the owner of the hacked account in person.

The penalty I'm paying is the hours of paypal calls, FBI forms, possibly reporting via local law enforcement, away from my family, the anxiety, etc. I don't have a problem paying an $8. I would like to get my $100 back, but if I don't, I accept it as the price of my PayPal training (grin).

I certainly don't want the thief to get it. That would put you all at risk if I allowed that, it would advertise we are easy targets here.

hi peoplemerge

from what I know and understand from PayPal ( I have called them recently regarding fees &c ) domestic use ( that is you sending someone in the us ) is typically 2.9+30cents, out of the country is a bit more something like 4%+30cents ( if done friends and family you the sender gets billed the fees ). the extra 5$ you were charged, from my own barely understood understanding of the complicatedness of all these things, is your credit card/bank your CC is issued on, not PayPal .. some credit cards ( no clue which ones ) actually charge a fee on top of the 3% that PayPal charges. I've used PayPal for more than 20 years and I just look at all those fees as annoying and the cost of doing business. I sell things regularly to people outside the us, and within the us and don't really pay attention to the fees, but once in a while I call PayPal to make sure the terms and conditions haven't changed. people have asked if they can send me money F+F and I typically refused and say no incase something goes wrong ( its usually when one least expects something to go wrong that it gets to be FUBAR ) so I'd rather be honest upfront, and have them with the extra security that if something gets lost in the mail or the box is ruined or whatever they have a course of action, ... but it never usually gets to that seeing if something never shows up ( with covid this has happened a few times ), I just replace the things ( have done this with a 76$ items as well as a 240$ items ) even if it is user error I have replaced things at no cost. I just trust people ( as you seem to do ) and figure it's not worth the hassle of dealing with nonsense.

sorry if it seemed my +1 was blaming you, its the situation .. the scammer telling you to break the safety net PayPal has specifically for situations like this, and as a result has caused you a lot of BS to deal with as they do whatever illegal stuff they are doing. good luck getting this all sorted out !

 

[BrianShaw]

Pentax… Usually, you start logging on and you get a message like, “Authorization code has been sent”. When it arrives by text message or email you copy that code into the page your are logging on.

it works great as long as you have connectivity to whatever device/system you are receiving the authentication code. If not… heartbreak. For instance, I received authentication code for Norton Antivirus to my company cell phone. When I retired and surrendered the phone and phone number, I could no longer log onto my Norton account. Even Norton gurus couldn’t fix that for me; I had to open a new account and then they could transfer my balance from locked-out account to new account.