Tuesday 17 November 2009

hail to the thief...

Statistically, I suppose it was always bound to happen sooner or later: after more than ten years happily buying stuff over the internet, this weekend I was finally the victim of that online identity theft and attempted fraud you read so much about.

I was down in Oxford for the weekend, so I didn't pick up my emails until Sunday morning after a distinctly leisurely start to the day. What I saw quickly snapped me out of my slightly fuzzy, morning after the night before kind of a mood. Amongst the usual pre-Christmas marketing guff, a few emails caught my eye: one was a confirmation from PayPal saying that I'd authorised a payment from Dabs.com, then there was an email from PayPal saying they'd limited access to my account, then there was an order confirmation from Dabs.com and finally there was an email confirming a change to my account details at Dabs.com.


This was strange and alarming because I had no recollection of placing any kind of order with anyone, and I haven't actually used Dabs.com at all for more than five years. A quick read of the emails and my fears were realised: someone had placed an order for two Playstation 3s -- worth £598 -- using my long dormant account on Dabs.com and had paid for it using my PayPal account. There was my name and address on the invoice, right above a delivery address somewhere in Telford.

I wasn't immediately sure what to do, but quickly made my way straight to the money and tried to report the fraudulent transaction to PayPal. They were way ahead of me, it seemed, and even as I looked at my account, the transaction was being removed from my account before my eyes. Pausing only to change my PayPal logon and password, I then went off to Dabs to make sure that the order was cancelled at their end. Here I had less joy. Dabs.com may well be very cheap, but one of the ways that they appear to have saved money (and they're hardly alone in this) is by making it impossible to contact them directly: any question has to be put to them either through email or via a "live link" to a customer services operator. According to their site, all their customer service advisors were busy, so I had to fire off an email and hope they got back to me.

It turns out, as I found out on Monday when I tried contacting them again when they hadn't bothered to reply to my email by lunchtime, that the customer service advisors at Dabs were not busy on Sunday at all... they just weren't there full stop... they shut for the weekend (perhaps explaining why the fraudulent order was placed at 7pm on Friday night, when I would have no chance of getting the order cancelled until Monday morning). My email would be responded to, the online advisor told me, but she insisted that she couldn't tell me anything about the status of my order. By now I was reasonably sure that I wouldn't lose any money as a result of this attempted fraud, but I was becoming increasingly frustrated at the lack of communication from Dabs when it was clear that the attack had started on their website with someone hacking my account. They may well have spotted this order as fraudulent the moment it was placed, and it may well actually have been them that cancelled the transaction with PayPal, but they were giving me - the victim here - no sign that they cared about me at all. At one point, the advisor told me that the Web Accounts team had sent me an email to my new registered address.... an address that had been changed by the fraudster when they changed my account details to prevent me cancelling the order myself.

In the end, they sent me an email confirming that the order had been cancelled and that they had deleted my account. The sign off was priceless:

"I am sorry that you have been a victim, but would like to highlight that dabs.com Plc is one of the most secure e-commerce companies in the UK, unfortunately identity theft can be the hardest type of Fraud to detect."

Right, so in spite of the fact that my details have been hacked out of your systems and someone has tried to steal £600 from me, you'd like to tell me how secure your site is?

How reassuring.

So I'm cross. I'm cross that someone tried to steal from me like this; I'm cross that they were nearly able to; I'm cross that Dabs.com have made it as difficult for their customers to contact them as they possibly can and that they clearly haven't cared about how they handle their customers; I'm delighted that PayPal seemed to react so swiftly to kill the order and were available to me on the phone on a Sunday morning, but I'm a bit cross that my account access has now been limited (even though I was still able to access it fully and change all my account details on Sunday morning.... and if I could, then presumably the fraudster could have done too). Above all, I'm cross that I probably put myself in this position by being lazy with my online passwords and not changing them around enough to make it as difficult as possible for someone to crack them and try to steal from me.

The internet remains an amazing resource and a great place to find and buy the most obscure things at the best possible prices....I'm hardly likely to be giving that up anytime soon. There are, after all, thieves in the offline world too.

But, all the same..... grrr!

In short: go change your passwords and under no circumstances shop at Dabs.com. In fact, if you have an account with Dabs.com - even if you haven't used it in years - I suggest you go and delete it.


  1. This happened to me earlier this year - my thief ordered various bits of equipment for their fishtank to the tune of several hundred quid. The money was all refunded, but it was a massive inconvenience as I had to cancel my bank and credit card, as well as change every one of my passwords. I had a virus called something like "info miner" on my laptop, despite up to date virus protection software, regular scans etc which might be worth keeping an eye out for. I'd used Paypal to order some cards on the Saturday, and my account was used on the Monday on a completely different site. (I am not a regular shopper on the marine aquatics sites!)

    I now add and delete my cards manually to Paypal every time I use it, which is a total pain, but makes me feel better.

  2. ...I've now added that feature on paypal where it texts you a security number before you can complete a transaction. Overkill, perhaps, but I feel better because of it.

    I use a mac, and I'm behind a hardware firewall, so viruses have never really been a problem... touch wood, etc. I imagine it was an old account and that it probably had the same password as my paypal account did. Stupid, and I should have known better, but it happens.

    I suppose I'm lucky they didn't do more.