Skype disappoints us, disappointingly - Skype

After experiencing first-hand what Skype's attitude to fraud is, how it approaches its users' security, and what kind of system is in place for refunding fraudulent calls made through its service - we're frankly worried.

First, some background. On January 13 a number of fraudulent calls appeared on my account when I logged in. These were made to Indonesia and Egypt to numbers I did not recognise. They were also made when I was offline. Further calls were made when I was online, until I changed my password, which logged both me and the hacker out.

Not only was my Skype credit depleted as a result of the unauthorised calls, the Auto-recharge feature, which I had disabled, had been turned on and was used to charge the credit card which was stored in my Skype account - so that further credit could be bought and used without my permission.

Obviously fraud is something that happens, regardless of how safe we attempt to be or think we are, but what we do to prevent it and fix the situation when it arises is important. This is where Skype failed to such a large extent that a question mark was raised, at least for this scribbler, on the security of using its service and how well its customer support treats its paying customers.

When I reported the fraud to Skype, it was suggested that a keylogger may be on my computer or that I may have been the victim of a phishing site, which, while valid concerns, simply were not the case. Not only do I keep regularly updated antivirus, anti-spyware, firewalls and similar software, my passwords are all different for different sites and services, are difficult to guess or bypass through brute force, and are frequently changed. 

I ran all of my security software immediately after becoming aware of the hack and tried alternatives to see if a keylogger was on my computer, but nothing turned up. My email was not compromised, nor was anything else that I use, which means that the issue was with Skype alone.

Skype also refused to refund the fraudulent calls, saying: “Unfortunately, Skype is unable to refund any money that may have been lost because of this incident.” As you can imagine, this is not a satisfactory response for a customer - Skype was the vehicle through which the fraudulent calls were made. 

I pushed the matter further, asking numerous questions about Skype's security, particularly why multiple people could sign into a single account at the same time. It was only after mentioning that I was a journalist that I got a “We've had to reverse your order” email three days later, refunding the charge to my card that was fraudulently made through Auto-recharge. 

However, Skype was still refusing to refund my initial balance, which was now wiped to €0. The log of the calls to Indonesia and Egypt was also now inaccessible, making it impossible for me to view them and calculate how much was spent on my account.

I decided to escalate the matter to Skype's public relations team. Skype Support proved so unsatisfactory. I raised the point that since Auto-recharge could not be permanently disabled and since Skype allows credit card details to be stored within its system and charged via Auto-recharge, it appears that it is facilitating this form of fraud.

When coupled with the fact that Skype was so vehemently refusing to refund the amount, it also appeared that Skype was happy to take illicitly gained dosh from me.

TechEye spoke to Adrian Asher, Chief Information Security Officer at Skype, who denied this. “I can assure you that Skype does not profit from nor intends to profit from fraudulent activity,” he said. “We take instances of customer fraud very seriously and continue to invest significantly in anti-fraud measures to protect them.”

Asher also addressed a number of other concerns I raised over the security of using Skype. I was particularly concerned over multiple simultaneous logins to a single account and the inability to permanently disable Auto-recharge.

Skype Support told me that multiple logins to a single account is a “deliberate feature” and that “no security risk is posed”. It was not explained to me how this was safe, given another individual was able to use my account while I was online.

Asher gave a more detailed response on this concern. “Multi-IP log-ins are designed to allow a user to log-in to Skype from multiple devices no matter where they are. This is designed to be a feature that allows convenience and accessibility. Many Skype customers utilise this functionality to its full capacity. Our product teams continue to refine these features so that we can ensure situations like yours don't occur. Auto-recharge is another example of an intuitive function designed to make life easier for customers with the aim to ensure that they have Credit readily available to make calls. Again, while there are pitfalls we want to fix them where possible.”

I'm sure this is a very useful feature for some, but my concern was that if I can log in from multiple locations, even at the same time, it opens more doors for abuse by hackers without it kicking you offline or telling them “You are already logged in.”

I pressed this issue further with Asher, asking why it never showed up on Skype's fraud radar that I had logged in from Ireland and another location at the same time. He said: “Using geographical data to track log-in locations is an area that has been considered. However, the fact that a large percentage of our user-base travels between countries extensively means that we do not currently offer this functionality to restrict which country your account can be logged in from. Our security systems constantly analyse and attempt to identify any out of pattern behaviour to try and minimise any impact of a customer’s account being taken over.”

The problem with Auto-recharge I found was that, in my case, I had disabled it - but it was so easily re-enabled at the click of a button. A Skype spokesperson initially tried to suggest that this could only be accessed after entering your password, but if your account has been hacked your password has already been compromised and offers no additional layer of protection for setting up the service.

Why isn't it possible to permanently disable Auto-recharge? On two grounds: to prevent this kind of fraud abuse and as a parental control system. For example, it could easily be used by kids using their parent's Skype account to charge their parent's card for calls to friends.

In response to this Asher said: “I understand the risk that you are detailing here and must admit that this is one of the first requests that we’ve had for this capability to be locked out. Auto-recharge has been developed, like all of our features, to meet customer demand. One way to achieve what you are describing would be to add your credit card to a PayPal account and then you can perform funding via this method. As long as you don’t set up a PayPal agreement there is no ability for repeat billing.

“As a parent of a ten year old boy I am all too aware of the potential dangers of the internet so I appreciate the scenario that you are detailing. Our advice in the first instance is always that young children should not be left unsupervised to use the Internet. That having been said, the balance of a child’s account could be provided via PayPal, which as before would remove the capability to auto top up.”

This is a kind of work-around which will disable Auto-recharge, but it also means that there will be PayPal fees involved. It's also a particularly inelegant way to avoid the problems at hand, but at least there is an option available for those like me who would like to use Skype, but are concerned about storing their details and having them abused through Auto-recharge.

I was getting conflicting and contradictory messages from Skype Support and Skype's public relations team. It should be noted that at this stage, after having contacted Skype PR, my Skype Credit balance was fully refunded for those fraudulent calls - despite Skype Support telling me it would not be refunded.

In fact, on the same day I contacted Skype PR I decided to contact Skype Support again about the issue of them not refunding me. It took two days for them to respond, by which time a refund was already given from contacting PR. Yet, Skype Support still told me: “Unfortunately we are not able to refund any money that may have been lost due to this incident.” We appreciate the help of the PR team but at the same time the average user is likely to lose out.

Interestingly, the reason for the delayed response from Skype Support given was: “We apologise for the delay in our response, due to an unexpected increase in the number of recent inquiries, it has taken us longer than usual to respond to you.” We can only guess what these “recent inquiries” are.

I asked Asher why contradictory messages on refunds were given from different departments within Skype, to which he responded: “We always intend to resolve every customer service issue to the customer’s satisfaction, regardless of who they are. Given that you were not satisfied with the outcome on this occasion we dealt with this case exactly as we would any other, and hope that you will continue to use Skype.”

As for whether or not I will continue to use Skype, I will. We use it at TechEye to share ideas, comments, and general chit-chat. What has changed for me is that I am no longer willing to store my credit card details in Skype, but will use PayPal instead. If a refund was not afforded, however, I would have been reluctant to buy Skype Credit - since it could easily have been wiped again.

I was also left wondering if this situation would have remained unresolved for me if I had not escalated it and if I was not a journalist. Skype Support proved unhelpful and uncooperative. I would like to think that an average customer would have found the same resolution as I did, with card charges and credit balances refunded and restored, because every customer deserves this kind of satisfactory treatment. I cannot honestly say that I believe this would be the case.

The question still hangs over the cases of other customers who were faced with the cut and paste “no refunds” policy.