14

I have been the victim of PayPal fraud. I hadn't used PayPal in a year and then within 9 days there were three unauthorized transactions on my account for a total of 150 Canadian dollars and 290 American dollars. I have since been refunded by PayPal. However, through my PayPal account, my e-mail address and phone number have been visible. My family has suggested that I change my bank account number, my debit card, my e-mail address, and phone number.

I have changed my e-mail address once five years ago and it still creates confusion today. I would like to know whether it is truly necessary to change my phone number and e-mail address. How big of a risk is it for fraudsters to have my e-mail and phone number?

Pertinax
  • 243
  • 2
  • 8

2 Answers2

20

Changing your e-mail and phone number is silly. Your phone number, unless unlisted, is a matter of public record and easily discoverable. Even if unlisted, it is still a publicly shared identifier that can be discovered with some investigating. Your e-mail address is also a public identifier and can be discovered with some effort.

Having identifiers in the hands of an attacker is not an immediate threat as long as they don't have access to those identifiers. An attacker knowing your phone number doesn't allow them to use your phone. Similarly, if an attacker has your e-mail address, as long as your password to your e-mail address is secure (change it to be sure) then they can't make use of your e-mail address either.

Both of these can be spoofed, through either caller id spoofing or e-mail sender spoofing, but such spoofing is easily detectible to anyone who knows what to look for (and any high threat target should be aware of these things and check them, or simply have procedures built in to verification to mitigate this.)

When you are comprised, the important part is to remove access from the attacker. Credit card and bank account numbers change because they are used without any authentication, so they act as both identifier and authentication, thus they have to change. Anything that requires a separate authentication (even if simply the physical access) doesn't have to change as long as the authentication can be assured to not be compromised.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110
6

If the attacker gained access to your PayPal account via your username and password, the best thing to do is change your email and bank passwords. I'm hoping that you did not use the same password for all of these accounts. If you did re-use your password for PayPal on other accounts (Amazon, Ebay, etc), I would highly recommend changing those passwords as well. When you change these passwords be sure to make each password per account different.

That being said, changing your email address won't change the fact that the attacker has it, or your phone number for that matter. Your phone number is probably on Facebook, if not somewhere else on the internet. There's no reason to change it. Same goes for your email.

The most important thing is securing your e-mail and bank accounts by using different secure passwords. It can't hurt to change your debit card number, although I don't think the entire number is displayed on PayPal.

RoraΖ
  • 12,317
  • 4
  • 51
  • 83