Skype Billing Gone Haywire For Some Users
Cousin Scuzzy writes "This morning I awoke to 26 e-mail messages from Skype and PayPal notifying me of multiple payments for my Skype account that had been charged to my credit card and subsequently refunded. At first I suspected that this was a new wave of spam that had slipped through my defenses, but it quickly became apparent that they were legitimate messages. I then began to worry that my Skype account had been compromised. The first message from Skype thanked me for setting up their "Auto-Recharge" service which automatically purchases Skype credit when the balance falls below a certain amount. This was very suspicious, as I had never requested this service. Based on posts to Skype's forum, it now appears that there have been serious billing problems at Skype relating to Auto-Recharge for over a month. Although I believe that all unauthorized charges to my credit card have been refunded, it is worrisome that Skype, or anyone, would charge my account erroneously. Skype, for their part, has not yet e-mailed me an explanation or posted one online. This problem reinforces my aversion to automatic bill payment services that give companies the authority to draw money from my bank account at their discretion." For all the Skype users out there, have you experienced this? For what it's worth, the company's own response on the linked forum thread says that the problem is now solved.
I'm sure they will explain this situation right around the time they make a 64bit release for Linux... or release a version for Linux and Mac OS X that isn't horribly outdated in comparison to the Windows version.
I hate Skype in many ways, but the plain fact is that Ekiga on Windows is worse than Skype on Linux, and I never managed to get one successful call to my girlfriend or family via Ekiga.
If anyone knows of a cross-platform VOIP/webcam program that is better than Skype, I'd love to hear about it.
Do what thou wilt shall be the whole of the Law
This happened to a friend of mine about a month ago. He got logged out of Skype and couldn't get back in. Then he starts getting emails from PayPal about charges from his Skype account for phone calls to somewhere in eastern Europe.
He got his account and money back but his contacts had all been wiped.
There is either a hole in Skype or a piece of malware out there harvesting Skype credentials. Google "lost skype account" or something like that.
In my opinion Skype is being hacked enormously. If you have a Skype client open it is also a gateway to your computer. I had never put my credit card # in Skype's billing database, but I DID have it on my computer in a text file. My best guess is that Skype is being massively hacked, and be wary of using the Skype client on your computer if you value your security.
This is what happens when transactions are done based on results of database queries and/or spreadsheet analysis. One error is made, someone attempts to reverse the batch of transactions to correct the error, and makes another error. Then someone else steps in, and compounds the problem. In the end, the only way to get it back to some semblance of the correct state is to go back and run the transactions in opposite amounts from the top of the stack (LIFO).
This is what happens when you have technical people (especially not-so-competent technical people) handling financial transactions.
Workflow for payments and other financial transactions should come from your source document (it doesn't have to be a literal document, it can be an authorization entry, etc). The accuracy of the data capture at this point is essential. If you use a key value to grab most of the data needed, validation needs to be very strong.
Source --> Data Capture --> Validation --> Set-up of transactions --> Validation --> Execution --> Data capture of results --> Validation --> Update file --> Validation
I personally have seen many failures because of errors in validation, and the ensuing mess as well-meaning people try to correct the error. Nothing like 36 db entries and half a wasted day just to correct a single error that a user offshore made overnight, then compounded with the "helpful" input of his team members... and then the ensuing clusterfuck of explaining to the client what had happened, what we'd done to ensure it wouldn't happen again, and many, many apologies.
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
I am afraid to have to say that the Belgian police agree with me that the situation can only mean one thing, that my password was obtained by thieves from Skype: I hold a post which means that security is a day-to-day habit, and passwords are not written down anywhere as a result at my end. My usage pattern is such that it is very clear both the fraudulent attempts to extract funds from my account and the fraudulent use of my phone subscription were not of my doing, that the data could not possibly have been extracted by any means as it has not been input in years, and that it is just not credible to put this down to a software fault as a result: telephones don't suddenly start calling the other side of the world at the same instant money takes itself into its own head to start paying itself to both PayPal and VISA. Similarly, the many other similar complainants indicate that this is not the users' fault, but Skype's. As a result, a dossier has been opened for theft and you should be hearing from the Belgian Police and Luxembourg Banking Regulators in the near future.
Actually, it can mean more than one thing. It can mean that eBay/Skype do not employ any sort of heuristics to watch the treasure trove of unlimited VoIP minutes available to those who can hack the database of user/passwords. It can mean that the PayPal/Skype agreement is triggered by the "need" to refill each account as it is depleted of funds. Therefore, though all accounts have not been affected yet, this may be true only because there are a limited number of minutes that the hackers can use at any given time. It can mean that Skype accounts are being traded online through hacker networks. And it can mean that "automatic" payment accounts should require confirmation as a matter of reasonable security. It can also mean that a man-in-the-middle attack was used to collect passwords. (It must be a nightmare to investigate that from Luxembourg.)
Who knows, it might also mean that the NSA's telecommunications budget was skipped over in the last round of appropriations....
No. That last bit is completely out of the question.
This should look *remarkably* familiar to some of you. http://www.counterpath.net/x-lite.html&active=4
It's clear by the number of comments looking for a 'good' VOIP client you may not have a handle on upstream issues. The only way to actually get a handle on it is to debug the UDP traffic.
1. NATing. Most home networking devices have poor support for media NATing (RTP/UDP). The ones that have decent support are cursed with firmware supporting a single VOIP provider. This is where a device you can install a Linux distro on is helpful, but only the first step. http://www.iptel.org/sipalg/ I've had problems on Cisco devices too, so don't think you can spend your way out of the problem.
2. ISP issues. I have seen ISP issues with VOIP media that does not originate from the ISP's VOIP service.
A simpler shot in the dark is to use an SIP proxy to handle the call. (STUN server) In some cases this works because the proxy goes to great effort to keep the connection alive at all times. Can you proxy a Skype call? Dunno if they support plain-vanilla SIP.
Welcome to VOIP!
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html