Sometimes when I talk to security people, I am astonished at how self-confident they are that they will not be victimized by fraud or identity theft. There is a very good chance that the barrier to get into my identities is higher than with others, but it is not impossible. Let me tell you a story:
I have two kids who play their fair share of Minecraft. To simplify the processes, the older one was allowed to open a PayPal account and got my wife’s credit card attached to it. This worked fairly well over the last twelve months. He spent part of his money on add-ons (and some other games), we got charged and got the money from him. So far, so good.
Sunday I did some in-house admin stuff (I love that :-( ) and wanted to pay the bills. When I was looking at the credit card statement, I was surprised by the amount of transactions (sheer number as well as the money) on my wife’s credit card. Something to investigate – especially as my wife very rarely uses her card. Looking into it, these were all PayPal transactions. So, there were two options:
- My son started to buy stuff excessively
- His account got compromised
After some very serious discussions, I started to look at his PC and there was a Trojan on it – it seems that this was the root cause (besides some transactions he forgot to tell us…).
Besides all the work which came with it (I was positively surprised by the goodwill of the shops to refund the money) like filing claims, re-stating the PC, changing all the passwords etc., I tried to figure out what happened. Even though there was a lot of crap on the PC, the root cause as far as I could see was – once again – Java. The update process of Java is confusing, something I have seen with several users. It is unclear to people that just clicking on the pop-up telling you that there is an update to Java is not good enough. You have to go to the website and download the update and install it (and make sure you do not install the Ask toolbar…). My son’s PC had an outdated Java installation and I tell you, they are really drilled to patch their machines but both did not realize what they need to do to stay safe.
It was an interesting experience for us. I guess he got compromised by a single person, looking at the transactions, but how big are the chances of a legal case? Well, I am not too optimistic, and who does the forensics in such a case?
So far it turned out that the impact on us was minimal and we all learned something. And my son asked me to write a blog – maybe others can learn as well…