Monday, January 10, 2011

Skype Account Compromised

Oh no!

My Skype account was compromised this afternoon; I never realised until I got an email through on my phone stating an auto recharge was successful. Odd, I thought, given there were a few euros in the account and my subscription gives me free UK calls... and nobody was using it! Thankfully I get my emails on my phone, else I may not have discovered it until too late.

I acted the moment I discovered it by signing into Skype and changing my password - this logged my home phone out, so presumably whoever was abusing my account also got kicked. I then disabled auto recharge; given hindsight this could have easily drained my bank account via PayPal - how dangerous is that option?

Since Skype is a prepay service I doubted I would get any compensation, and ultimately I lost 5 euros, which is a small price to pay for a reevaluation of security. I contacted Skype support anyway and got an almost robotic response that it is my responsibility to ensure my password is safe and that there are no spyware applications or keyloggers running, and they helpfully gave me advice about phishing. That didn't wash with me and I quickly got bored of the automaton on Skype's chat. My faith in Skype has been somewhat tarnished; I'm a very long-time user, using both SkypeOut and SkypeIn services since they were introduced.

My Skype password has not been changed in years and was very poor (7 chars, no numbers, all lowercase); it was changed to this simple password 6 years ago for a handheld Mylo device which had a complicated password entry mechanism. I assume my password was either brute forced or perhaps stolen from another website where I've used the same "don't care" password and username combination. I use randomly generated secure passwords for meaningful web logins - how Skype escaped I'm not sure... Oops.

Anyway, today I made 18 calls (totalling 25 minutes) to the following countries:
Niger; Rwanda and Burundi; 1 call to a UK phone card reseller and 1 to a US toll free number.

Clearly Skype don't run realtime fraud detection algorithms as this is way off my usual call pattern.

I can only hope the person who made the calls did good with the calls (12:48 to Rwanda and 22:50 to Burundi).

Next time I may not be so lucky...