After experiencing first-hand what Skype's attitude to fraud is, how it approaches its users' security, and what kind of system is in place for refunding fraudulent calls made through its service - we're frankly worried.
First, some background. On January 13 a number of fraudulent calls appeared on my account when I logged in. These were made to Indonesia and Egypt to numbers I did not recognise. They were also made when I was offline. Further calls were made when I was online, until I changed my password, which logged both me and the hacker out.
Not only was my Skype credit depleted as a result of the unauthorised calls, the Auto-recharge feature, which I had disabled, had been turned on and was used to charge the credit card which was stored in my Skype account - so that further credit could be bought and used without my permission.
Obviously fraud is something that happens, regardless of how safe we attempt to be or think we are, but what we do to prevent it and fix the situation when it arises is important. This is where Skype failed to such a large extent that a question mark was raised, at least for this scribbler, on the security of using its service and how well its customer support treats its paying customers.
When I reported the fraud to Skype, it was suggested that a keylogger may be on my computer or that I may have been the victim of a phishing site, which, while valid concerns, simply were not the case. Not only do I keep regularly updated antivirus, anti-spyware, firewalls and similar software, my passwords are all different for different sites and services, are difficult to guess or bypass through brute force, and are frequently changed.
I ran all of my security software immediately after becoming aware of the hack and tried alternatives to see if a keylogger was on my computer, but nothing turned up. My email was not compromised, nor was anything else that I use, which means that the issue was with Skype alone.
Skype also refused to refund the fraudulent calls, saying: “Unfortunately, Skype is unable to refund any money that may have been lost because of this incident.” As you can imagine, this is not a satisfactory response for a customer - Skype was the vehicle through which the fraudulent calls were made.
I pushed the matter further, asking numerous questions about Skype's security, particularly why multiple people could sign into a single account at the same time. It was only after mentioning that I was a journalist that I got a “We've had to reverse your order” email three days later, refunding the charge to my card that was fraudulently made through Auto-recharge.
However, Skype was still refusing to refund my initial balance, which was now wiped to €0. The log of the calls to Indonesia and Egypt was also now inaccessible, making it impossible for me to view them and calculate how much was spent on my account.
I decided to escalate the matter to Skype's public relations team, as Skype Support proved so unsatisfactory. I raised the point that since Auto-recharge could not be permanently disabled and since Skype allows credit card details to be stored within its system and charged via Auto-recharge, it appears that it is facilitating this form of fraud.
When coupled with the fact that Skype was so vehemently refusing to refund the amount, it also appeared that Skype was happy to take illicitly gained dosh from me.
TechEye spoke to Adrian Asher, Chief Information Security Officer at Skype, who denied this. “I can assure you that Skype does not profit from nor intends to profit from fraudulent activity,” he said. “We take instances of customer fraud very seriously and continue to invest significantly in anti-fraud measures to protect them.”
Asher also addressed a number of other concerns I raised over the security of using Skype. I was particularly concerned over multiple simultaneous logins to a single account and the inability to permanently disable Auto-recharge.
Skype Support told me that multiple logins to a single account is a “deliberate feature” and that “no security risk is posed”. It was not explained to me how this was safe, given another individual was able to use my account while I was online.
Asher gave a more detailed response on this concern. “Multi-IP log-ins are designed to allow a user to log-in to Skype from multiple devices no matter where they are. This is designed to be a feature that allows convenience and accessibility. Many Skype customers utilise this functionality to its full capacity. Our product teams continue to refine these features so that we can ensure situations like yours don't occur. Auto-recharge is another example of an intuitive function designed to make life easier for customers with the aim to ensure that they have Credit readily available to make calls. Again, while there are pitfalls we want to fix them where possible.”
I'm sure this is a very useful feature for some, but my concern was that if I can log in from multiple locations, even at the same time, it opens more doors for abuse by hackers without it kicking you offline or telling them “You are already logged in.”
I pressed this issue further with Asher, asking why it never showed up on Skype's fraud radar that I had logged in from Ireland and another location at the same time. He said: “Using geographical data to track log-in locations is an area that has been considered. However, the fact that a large percentage of our user-base travels between countries extensively means that we do not currently offer this functionality to restrict which country your account can be logged in from. Our security systems constantly analyse and attempt to identify any out of pattern behaviour to try and minimise any impact of a customer’s account being taken over.”
The problem with Auto-recharge I found was that, in my case, I had disabled it - but it was so easily re-enabled at the click of a button. A Skype spokesperson initially tried to suggest that this could only be accessed after entering your password, but if your account has been hacked your password has already been compromised and offers no additional layer of protection for setting up the service.
Why isn't it possible to permanently disable Auto-recharge? Such an option would be useful on two grounds: to prevent this kind of fraud and as a parental control system. For example, Auto-recharge could easily be used by kids using their parent's Skype account to charge their parent's card for calls to friends.
In response to this Asher said: “I understand the risk that you are detailing here and must admit that this is one of the first requests that we’ve had for this capability to be locked out. Auto-recharge has been developed, like all of our features, to meet customer demand. One way to achieve what you are describing would be to add your credit card to a PayPal account and then you can perform funding via this method. As long as you don’t set up a PayPal agreement there is no ability for repeat billing.
“As a parent of a ten year old boy I am all too aware of the potential dangers of the internet so I appreciate the scenario that you are detailing. Our advice in the first instance is always that young children should not be left unsupervised to use the Internet. That having been said, the balance of a child’s account could be provided via PayPal, which as before would remove the capability to auto top up.”
This is a kind of work-around which will disable Auto-recharge, but it also means that there will be PayPal fees involved. It's also a particularly inelegant way to avoid the problems at hand, but at least there is an option available for those like me who would like to use Skype, but are concerned about storing their details and having them abused through Auto-recharge.
I was getting conflicting and contradictory messages from Skype Support and Skype's public relations team. It should be noted that at this stage, after having contacted Skype PR, my Skype Credit balance was fully refunded for those fraudulent calls - despite Skype Support telling me it would not be refunded.
In fact, on the same day I contacted Skype PR I decided to contact Skype Support again about the issue of them not refunding me. It took two days for them to respond, by which time a refund was already given from contacting PR. Yet, Skype Support still told me: “Unfortunately we are not able to refund any money that may have been lost due to this incident.” We appreciate the help of the PR team but at the same time the average user is likely to lose out.
Interestingly, the reason for the delayed response from Skype Support given was: “We apologise for the delay in our response, due to an unexpected increase in the number of recent inquiries, it has taken us longer than usual to respond to you.” We can only guess what these “recent inquiries” are.
I asked Asher why contradictory messages on refunds were given from different departments within Skype, to which he responded: “We always intend to resolve every customer service issue to the customer’s satisfaction, regardless of who they are. Given that you were not satisfied with the outcome on this occasion we dealt with this case exactly as we would any other, and hope that you will continue to use Skype.”
As for whether or not I will continue to use Skype, I will. We use it at TechEye to share ideas, comments, and general chit-chat. What has changed for me is that I am no longer willing to store my credit card details in Skype, but will use PayPal instead. If a refund was not afforded, however, I would have been reluctant to buy Skype Credit - since it could easily have been wiped again.
I was also left wondering if this situation would have remained unresolved for me if I had not escalated it and if I was not a journalist. Skype Support proved unhelpful and uncooperative. I would like to think that an average customer would have found the same resolution as I did, with card charges and credit balances refunded and restored, because every customer deserves this kind of satisfactory treatment. I cannot honestly say that I believe this would be the case.
The question still hangs over the cases of other customers who were faced with the cut and paste “no refunds” policy.
I like a video conferencing tool called VIA3. It is FIPS 140-2 Secure (CERTIFIED!) and it is only $29.95 per month ($19 for Federal agencies) for unlimited meetings and all of the collaboration tools you could possibly need... including the unlimited recording and playback of meetings! They also have secure instant messaging, meeting chat, whiteboarding, polling, the ability to share desktops and more. You can meet with up to 1000 people from anywhere in the world as often as you want with zero hidden charges!
2. How ridiculous is it for Skype to claim that they didn't profit from the fraud on your account? Have the perpetrators found a way to make the fraudulent calls without Skype getting their cut from the carrier? Of course not, so Skype obviously did profit from it.
3. Skype "Support" has been sending out that message about "an unexpected increase in the number of recent inquiries" for at least three years. The outrageously long time required even to get an irrelevant response is standard operation.
4. Blaming the customer for any security problem or fraudulent activity has always been the first response from Skype "support", and is an important part of their strategy in point 1 above.
You were very fortunate that the damage wasn't worse, and that you eventually managed to get your money back.
but I agree that Skype should get their act together and decide on a refund policy
Then again, if you don't want multiple sign-on, there should be an option to disable this and an ability to name and list all the devices that are logged on at the same time so you can log any of them out. Windows Live Messenger is a good example of proper multiple sign-on.
Craziness!
Their security system and customer service really sucks.
I have no trust in them at all.
Skype refused to do anything. I disputed the charge with PayPal and Skype magically responded, although the money still hasn't been refunded. Skype refused to do anything about the Skype credit I'd lost.
One of the credit cards charged doesn't even seem to be mine, and I changed the password on the account while the balance was still $46 US - much higher than my previous balance. It will be interesting to see if Skype removes this credit.
Thanks for your article - well done.
Using PayPal for about 99.999999% of all online transactions is really the only way... coupled with this I use 3 different email accounts with different mail providers - Gmail, Yahoo etc - one to log on to websites and create accounts with so all transactional information with that website goes to that email - the second email address to interact with PayPal, such as password changes and such, but NOT receive receipts of payment through PayPal - and the third for the actual financial transactions through PayPal.
I have a fourth email account as the 'verification' email address for all 3 of these email addresses should any security, personal information or password changes occur on any of the 3 email addresses.
This layering of personal security and counter controlling of my information online is about the only way I would ever consider doing anything such as using my Credit Card online.
I don't use Skype for the reason of lax security and deeply unhelpful features.. etc etc...
Skype were not very helpful, although I got the rebate on my card eventually but not the credit that was lost on account making calls to Iran and Tunisia.
Skype told me it was not aware of such problems previously but a number of people I was in contact with had exactly the same issues.
Customer Services send canned replies all the time as their replies actually conflict with what you have sent them.
I still use Skype but only the free version as they are so bad in their customer service and wholly unreliable at protecting their customers in the pay services
The Skype customer response came quick, but the email just contained rubbish. I know for sure there is no problem in my network. I don't use , have all the latest updates installed and never entered my password and username on any other computer than at home.
I feel very annoyed and let down by the arrogant way the customer service desk is working. Hard to find as well on their webpage.
The perpetrators apparently used multiple log ins, I sent the details to the customer service.
They told me that they do not record the I.P. numbers from manual attempts or succeeded transactions of buying credit. A certain Mr Mustafa just ignores these questions. A Mrs Charlene answered me that I.P. numbers are not recorded. Even though I.P. numbers can be spoofed, I find this another flaw in their security.
Invitation to join a Skype Manager
You have been invited to join the Skype Manager called Katoli Consulting Ltd.
This is administered by rachael.sturley, adrian.sturley
When you become a member of a Skype Manager, the administrator(s) can allocate credit and products for you to use. The administrator(s) will be able to view your credit balance, products used and some other details.
and then assigned credit
see below
Skype Credit allocation from Skype Manager
The administrator - Adrian Sturley - of the Skype Manager called Katoli Consulting Ltd has allocated you some Skype Credit. You can start using this feature immediately.
Here's what you have been allocated:
Skype Credit amount: GBP6.69
which was immediately used to make a dozen calls to Indonesia.
This is an internal Skype problem and they are currently unable to stop it happening. I would advise anyone with an auto recharge facility to cancel it immediately.
If you Google Skype problems/fraud/hacking etc., loads of similar cases have happened recently. Although refunded my losses, I have yet to receive any explanation from Skype or reassurance that it is safe to use autorecharge. It isn't.