CL-Ed
Staff
Location: Sydney
Joined: 7 Sep 2007
Posts: 9729
Thanks given: 5684
Thanks received: 4919
11 February 2016 - 7:05am

Skrill warning - hacked accounts, 2 factor, and password resets

65 replies • Last post

This week I have been in contact with a high-rolling player who has had a scammer gain access to and change the contact details on his Skrill account, then proceed to withdraw a six-figure amount over several transfers to different Skrill accounts, all made in quick succession on the same day. None of this triggered any kind of alert, nor did Skrill detect the activity and freeze the account. The account holder was not notified at all that his primary email address had been removed and replaced on his account. The only reason that the intrusion was discovered was pure luck - he logged in and saw what was happening at the time.

As usual with Skrill, trying to contact them and get an answer about anything is an exercise in futility. They must have the slowest and most useless customer support of any company I have ever had to deal with. Emails routinely take weeks for a simple response. Phone calls get through but whoever is on the other end is always quick to fob the problem off to someone else who never gets back to you.

Skrill claims that the scammer must have had access to the player's email account in order to reset the password, but from what we can tell looking through Gmail, there is no evidence that this is the case. Skrill has been unable to provide any evidence of how the account was compromised. In fact, we believe that the scammer may have simply talked his way into access to the account, or gained access through other means. Asking Skrill for copies of any fraudulent emails sent with full headers so we could ascertain where they came from was a waste of time. Apparently Skrill's contact form does not record any details about the submitter such as IP address or location, and the scammer used this as their method of communication. The investigation is ongoing and the player has not recovered his funds.

Next up, we received this email yesterday, ostensibly touting Skrill's new free 2 factor authentication functionality. Previously you had to request and pay for a physical security token, whereas now you can use Google Authenticator on your phone for free, like any other decently secure bank or e-wallet has been doing for years already. The key thing in this email, a recommendation to change your password within 24 hours, is bolded by me:

At Skrill we constantly aim to improve the online security of our merchant accounts.

To help with this, we are introducing two-factor authentication on all our merchant accounts. We STRONGLY recommend that you activate and use two-factor authentication and that you change your user account password within the next 24 hours.

In addition we received another email from Skrill, saying that our "merchant" account (we're not a merchant, but that's another rant for another day) must have an IP address access restriction placed on it.

Dear Merchant,
Action required: Activate login restrictions on your Skrill account.

We would like to remind all merchants that you are required to enable all login restriction tools offered in the "Merchant Tools" section of the Website. This includes restricting the login to your Merchant Account to a single IP address or a range of IP addresses. This functionality is specifically designed to enhance the security of digital wallets used for commercial purposes.

Unless you activate the IP restriction by 12/02/2015 you will no longer be able to use the “Mass Payments” functionality and/or “Send Money” functionality of your Merchant Account.

If you still wish to use these functionalities without any IP login restrictions, then please click here and carefully read, sign and scan the indemnity letter and return it to your Account Manager or [email protected]

The kicker there is in the last paragraph - if you don't want the IP address restriction, perhaps because you don't have a fixed IP address (like us), they are asking you to absolve them of any responsibility for any fraud that occurs on your account, even if you have a strong password and 2 factor authentication turned on. This is part of the letter they want us to sign. I'm not even sure that it is legal, as you cannot sign away your legal rights in a contract.

4. In consideration of Skrill activating the "Mass Payments" functionality and the "Send Money" functionality of our Merchant Account without IP login restrictions, we agree to indemnify Skrill from and against all claims, including without limitation third party claims, actions, proceedings and demands which may be brought against Skrill and all losses, liabilities, charges, costs, damages and expenses which Skrill may incur as a result of any unauthorized transactions made in relation to our Merchant Account.

Now you may be thinking that I am adding 2 and 2 and getting 5, but consider this next part. After activating 2 factor authentication on our merchant account, I decided to log in and do the same on my personal Skrill account. Nope, the account was locked and I was required to change my password immediately. This is a common response to a breach of security - i.e. change everyone's password and force them to choose a new one next time they log in.

So there you go. For me there is too much smoke for there to be no fire. I am almost certain that Skrill has suffered a security breach but is not telling anyone. I would be interested to know if anyone else out there has recently had their personal Skrill account locked and a password reset forced, or whether this is unique to my account. Because I'm far more likely to get an informative and useful response here than I am by waiting for weeks for Skrill's CS to respond.


Always play it safe! Consult our list of rogue casinos and warnings before depositing at a new casino.
Post in our forums to earn CLchips which can be used to buy real prizes in our CLchips shop.

Lambino
Gold Player
Location: SA
Joined: 14 Apr 2015
Posts: 684
Thanks given: 338
Thanks received: 621
15 December 2016 - 12:26am
#61

Couldn't agree with you more, Sharpe, well said 👍


CL-Ed
Staff
15 December 2016 - 5:00am
#62

Yes that is Skrill for you. Their customer service is utterly useless and they specialise in lack of communication.

I'm awaiting verification of my docs on my new EcoPayz account.


sharpe
Forum Angel
Location: Sofia, Bulgaria
Joined: 4 Nov 2014
Posts: 7424
Thanks given: 4051
Thanks received: 1121
15 December 2016 - 10:34pm
#63
CL-Ed wrote:

Yes that is Skrill for you. Their customer service is utterly useless and they specialise in lack of communication.

I'm awaiting verification of my docs on my new EcoPayz account.

Yes, it took me 10 minutes just to find a contact form with their support, the feeling is like they are hiding something... hopefully you would be able to use EcoPayz as an alternative soon, Ed... share your experience... please 🙂

CL-Ed
Staff
21 December 2016 - 2:34am
#64

Let's keep this thread focused on Skrill and move the EcoPayz discussion to its own thread...
The ecoPayz thread for Neteller and Skrill refugees


sharpe
Forum Angel
21 December 2016 - 3:53am
#65

So I'm going now that way then... 🙂 There isn't anything new (and nice 😉 ) I could say about Skrill... at least for now.