Skype Billing Gone Haywire For Some Users

Cousin Scuzzy writes "This morning I awoke to 26 e-mail messages from Skype and PayPal notifying me of multiple payments for my Skype account that had been charged to my credit card and subsequently refunded. At first I suspected that this was a new wave of spam that had slipped through my defenses, but it quickly became apparent that they were legitimate messages. I then began to worry that my Skype account had been compromised. The first message from Skype thanked me for setting up their "Auto-Recharge" service which automatically purchases Skype credit when the balance falls below a certain amount. This was very suspicious, as I had never requested this service. Based on posts to Skype's forum, it now appears that there have been serious billing problems at Skype relating to Auto-Recharge for over a month. Although I believe that all unauthorized charges to my credit card have been refunded, it is worrisome that Skype, or anyone, would charge my account erroneously. Skype, for their part, has not yet e-mailed me an explanation or posted one online. This problem reinforces my aversion to automatic bill payment services that give companies the authority to draw money from my bank account at their discretion." For all the Skype users out there, have you experienced this? For what it's worth, the company's own response on the linked forum thread says that the problem is now solved.

going on for months/years

This happened to a friend of mine about a month ago. He got logged out of skype and couldn't get back in. Then he starts getting emails from Paypal about charges from his skype account for phone calls to somewhere in eastern Europe.

He got his account and money back but his contacts had all been wiped.

There is either a hole in skype or a piece of malware out there harvesting skype credentials. Google "lost skype account" or something like that.

Re:going on for months/years

[Cousin+Scuzzy]

Looking into this further, it does appear that my Skype account was compromised last night. There were 428 international calls made with SkypeOut in a 13 minute period. And yes, Skype has my PayPal information, which in turn is linked to my credit card.

In retrospect I was responsible for leaving a trail of financial data that allowed this to happen. Skype deserves credit for stopping the illegal activity so quickly. However, I'd prefer that Skype send me an e-mail for confirmation whenever account changes such as signing up for Auto-Recharge are requested. And obviously if an e-mail account change is requested I should get notified at my old address as well.

This certainly showed me that I need to be more vigilant about protecting any account that is linked in any way to my bank and credit accounts. I had considered Skype to be a very low risk account, but that changed when I signed up for SkypeOut.

Yes I have experienced it...

[blahplusplus]

.. In my opinion skype is being hacked enormously. If you have a skype client open it is also a gateway to your computer. I had never put my credit card # in skype's billing database, but I DID have it on my computer in a text file, my best guess is that Skype is being massively hacked and be weary of using the skype client on your computer if you value your security.

transaction processing

[Red+Flayer]

This is what happens when transactions are done based on results of database queries and/or spreadsheet analysis. One error is made, someone attempts to reverse the batch of transactions to correct the error, and makes another error. Then someone else steps in, and compounds the problem. In the end, the only way to get it back to some semblance of the correct state is to go back and run the transactions in opposite amounts from the top of the stack (LIFO).

This is what happens when you have technical people (especially not-so-competent technical people) handling financial transactions.

Workflow for payments and other financial transactions should come from your source document (it doesn't have to be a literal document, it can be an authorization entry, etc). The accuracy of the data capture at this point is essential. If you use a key value to grab most of the data needed, validation needs to be very strong.

Source --> Data Capture --> Validation --> Set-up of transactions --> Validation --> Execution --> Data capture of results --> Validation --> Update file --> Validation .

I personally have seen many failures because of errors in validation, and the ensuing mess as well-meaning people try to correct the error. Nothing like 36 db entries and half a wasted day just to correct a single error that a user offshore made overnight, then compounded with the "helpful" input of his team members... and then the ensuing clusterfuck of explaining to the client what had happened, what we'd done to ensure it wouldn't happen again, and many, many apologies.