25.8.09

So.... Paypal

New Paypal emails - Well, of the two payments Skype yanked out of my account via Paypal, if I read between the lines it looks like Skype refunded one of them, but Paypal cancelled my claim on the second.  Paypal's autoresponder says I cancelled the claim on it, actually, so I guess their autoresponder robots are still a bit confused.
It's tricky unless you can pull together some facts from all the disparate threads of the autoresponder emails. If this is to make any sense at all, it's because the first set of credits purchased by the attacker isn't going to be refunded by Skype (sucks to be you, remember?) after all those calls were made to wherever.

I'm too sick to deal with this today, I'll try to make some sense of this tomorrow.   

22.8.09

Passwords

I just received the standard Skype level 1 canned response (fraud's not our problem, we're not refunding your money, sucks to be you, see this link) so while I get that sorted, I've installed the Mac password-safe desktop client 1Password. I was using it on iPhone, but the desktop version of course provides a nice user interface. If you want all of your passwords to be random line noise, this is a great way to manage it.
I don't think my password was lame enough to be guessed, but my paranoia is up a few clicks this week. 
The iPhone client can be used solo, and it has a nice feature besides password sync - the ability to run a little web server over wifi from which you can download and upload encrypted backups of your safe - see http://agilewebsolutions.com/products/iphone/user_guide. Obviously, this works great for Windows too.  Apple doesn't give you any granular way to restore data from apps, so this is necessary and appreciated.
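Added example, not from the original post and not 1Password's code: what "random line noise" buys you in numbers. It generates a password from the OS CSPRNG, computes the entropy of a uniformly generated password, and contrasts the expected cracking time for an online attack against a rate-limited login with an offline attack against a leaked fast hash. The guess rates (10/s online, 10^9/s offline) are assumed figures for illustration, and the entropy formula only applies to generated passwords, not to a human-chosen one of the same length.

```python
import math
import secrets
import string

# Alphabet for "random line noise": every printable ASCII character except space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw a password uniformly at random from `alphabet` using the OS CSPRNG.

    `secrets.choice` is used rather than `random.choice`: the latter is a
    Mersenne Twister whose output is predictable after observing a few hundred
    outputs, which is not acceptable for secrets.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy, in bits, of a password chosen uniformly from alphabet_size**length strings.

    Only valid for *generated* passwords; a human-chosen password with the same
    length and character classes has far less entropy than this says.
    """
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive search: on average half the keyspace is tried."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def guessability_report(length: int, alphabet_size: int) -> dict:
    """Compare an online attack (assumed 10 guesses/s against a throttled login)
    with an offline attack (assumed 1e9 guesses/s against a leaked fast hash)."""
    bits = entropy_bits(length, alphabet_size)
    seconds_per_year = 365.25 * 86400
    return {
        "bits": bits,
        "online_years": expected_crack_seconds(bits, 10.0) / seconds_per_year,
        "offline_years": expected_crack_seconds(bits, 1e9) / seconds_per_year,
    }


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw)
    # Constructed comparison: a short human-style password over [a-z0-9]
    # versus a 20-character generated one over the full 94-symbol alphabet.
    cases = (("8 chars, [a-z0-9]", 8, 36), ("20 chars, printable ASCII", 20, len(ALPHABET)))
    for label, length, size in cases:
        r = guessability_report(length, size)
        print(f"{label}: {r['bits']:.1f} bits, online ~{r['online_years']:.3g} years, "
              f"offline ~{r['offline_years']:.3g} years")
```

The point of the two columns is that a short password survives an online attack only because the service throttles guesses; once a password hash leaks, only the entropy of the password itself protects it.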



20.8.09

Skype/Paypal fraud, update

Paypal have responded that the charges were not unauthorized, so I'm not sure where to go from here other than to chargeback via my card issuer. I'll be interested to see if Skype ever respond.

It's worth mentioning that Paypal are not a signatory to the EFT Code of Conduct, so I don't know what protection is in place for consumers, if any.

Black clouds, or my sobering experience with a Skype account hijack

My Skype account was broken into a few days back. The password wasn't changed, but after a flurry of email notifications from Paypal telling me that my account had been debited twice for Skype credit purchases, I logged into my Skype account and found that my email address had been changed to a nonsense Gmail address. My call history now showed a long list of numbers I'd never seen before, places like Afghanistan, Ethiopia and the States.

Later I put one of the numbers from the US into Google. It came back with the name of a man in Maryland.

At the time, my blood ran cold. I'm not what you'd call a naive user. My password wasn't quite random and could have been changed more often, admittedly. I'd never given it out.

The last time I used Skype, in fact the last time I'd used it in months, was about four days before it had been used to steal funds from my Paypal account. I'd used the iPhone app to check my voicemail. Previously, I'd used it from my Mac. While both of these platforms have vulnerabilities, that makes a Skype password-stealing trojan much less likely.

I wasn't logged into a public wifi network, and there are a few layers of security controls on my WLAN. In any event, my own analysis of the packets exchanged when a user logs on to Skype indicates that the usernames and passwords are not sent in cleartext.

I hastily changed the email address and then the password. I then logged into Paypal, changed *that* password (though the account looked okay) and disputed the transactions. Paypal hasn't gotten back to me on those yet, according to the status they're waiting for Skype to get back to them. I also cancelled the billing agreement with Skype from Paypal.

There are several worrying aspects to Skype's service, from the perspective of a paying user. For one thing, Skype don't seem to provide any notification when the contact email address is changed.

I changed my password a couple of times: after I noticed the hijack, and again after I installed and logged in to Skype from my netbook to see if there were any obvious clues as to how the account got hijacked. I received no notifications from Skype that my password was changed.

Skype *do* notify you when they change the billing currency on your account, and add credit to your account from Paypal. By the time you get these notifications though, the fraud has already taken place and you're left submitting a trouble ticket via their website.

Skype don't seem to send you any notification when you submit a trouble ticket. From other forums, it seems the average response time is about four days. It's strange that there's no phone number for a company that sells a phone service.

Skype don't support the two-factor authentication that eBay and its sister company Paypal, frequent fraud targets themselves, do.

Paypal and eBay aren't perfect, but any account change generates an email.
When I hurriedly installed the VeriSign OTP app for iPhone over 3G to use with these services, my iPhone deleted the app and the token details when synced back to iTunes (my advice, install your apps from iTunes). Paypal required a good bit of personal data and access to my email address to log in and activate a new token. eBay sent me a one-time security code to get back into my account via autodialling my *phone number* on file.



Interesting points -

My account got compromised a few days after running the iPhone app. I'm not alone in having this happen to me (see http://gigaom.com/2009/03/30/review-skype-for-iphone-verdict-awesome/#comment-935445 , among others ) . Is the vector the iPhone app itself, or is there another method of compromise, an exploit that is triggered only when the user goes online?

A key exchange takes place when a user logs on, between the client and a Skype supernode (see http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf). Is the iPhone implementation using a weaker implementation of the password hashes or keys?

Would a brute-force attack work on Skype via their API? Do they permit a large amount of password retries?
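Whether a service "permits a large amount of password retries" is decided by a login throttle, so here is an added example of one, written for this page and not taken from Skype or from the original post. It enforces a per-account failure limit (against a targeted attack on one username) and a per-source limit (against password spraying across many accounts), and runs a constructed dictionary attack through it. The account table, wordlist, source addresses (RFC 5737 documentation ranges) and the limits themselves are all assumptions for illustration.

```python
import hmac
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed demo data (assumptions, not real accounts or a real wordlist).
# A real service stores a salted password hash, never the password itself.
ACCOUNTS = {"alice": "s3cret-Pa55", "bob": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "skype", "letmein", "qwerty", "s3cret-Pa55"]


@dataclass
class LoginThrottle:
    """Decides whether a login attempt may proceed, based on recent failures.

    Two independent limits, both assumed values for illustration:
      * per account: after `max_failures` failures inside `window_seconds`,
        further attempts on that account are refused until the window expires.
        This caps a targeted attack on one username.
      * per source: a client address that accumulates `max_source_failures`
        failures across any accounts inside the window is refused. This caps
        password spraying (one guess tried against many accounts).
    """
    max_failures: int = 5
    max_source_failures: int = 20
    window_seconds: float = 900.0
    _account_failures: dict = field(default_factory=lambda: defaultdict(list), init=False, repr=False)
    _source_failures: dict = field(default_factory=lambda: defaultdict(list), init=False, repr=False)

    def _prune(self, times: list, now: float) -> None:
        """Drop failure timestamps that have aged out of the window."""
        cutoff = now - self.window_seconds
        while times and times[0] < cutoff:
            times.pop(0)

    def allowed(self, account: str, source: str, now: float) -> bool:
        acct = self._account_failures[account]
        src = self._source_failures[source]
        self._prune(acct, now)
        self._prune(src, now)
        return len(acct) < self.max_failures and len(src) < self.max_source_failures

    def record_failure(self, account: str, source: str, now: float) -> None:
        self._account_failures[account].append(now)
        self._source_failures[source].append(now)

    def record_success(self, account: str) -> None:
        self._account_failures.pop(account, None)


def attempt_login(throttle, accounts, account, password, source, now) -> str:
    """Return "locked", "ok" or "bad".

    The throttle is consulted *before* the password is checked, so a locked-out
    account gives the attacker no signal about whether the guess was right.
    """
    if not throttle.allowed(account, source, now):
        return "locked"
    stored = accounts.get(account)
    # Constant-time comparison; a real service would compare password hashes.
    # (Skipping the comparison for unknown accounts is a timing leak of account
    # existence; left as-is to keep the example short.)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, source, now)
    return "bad"


def simulate_guessing(throttle, accounts, account, candidates, source, start=0.0, interval=0.1):
    """Run a dictionary attack at one guess every `interval` seconds.

    Returns (list of per-attempt outcomes, password found or None).
    """
    outcomes = []
    for i, guess in enumerate(candidates):
        result = attempt_login(throttle, accounts, account, guess, source, start + i * interval)
        outcomes.append(result)
        if result == "ok":
            return outcomes, guess
    return outcomes, None


if __name__ == "__main__":
    throttled = LoginThrottle()
    print("throttled:", simulate_guessing(throttled, ACCOUNTS, "alice", WORDLIST, "203.0.113.7"))
    unlimited = LoginThrottle(max_failures=10**9, max_source_failures=10**9)
    print("unlimited:", simulate_guessing(unlimited, ACCOUNTS, "alice", WORDLIST, "203.0.113.7"))
```

With the default limits the attack is refused after five failures and never reaches the correct sixth guess; with the limits removed the same wordlist succeeds in under a second, which is the situation the question above is asking about.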

For the short amount of time before I got my Skype account locked out, there were an incredible number of calls made to a variety of different numbers, all of them apparently real. Who was calling, who was being called, and why? Are cracked Skype accounts a business model for some crooks selling international call credit? Are they being used by call centers?

While many users in a similar situation had their password reset, I hadn't. Perhaps the thieves didn't change it, to avoid tipping me off that the account had been hacked by leaving me unable to log in.


Security tips -

Here's a couple of security pointers that I learned the hard way -

If you refill your Skype account infrequently, and you're not on a regular plan, and you're using Paypal, don't leave them with access to Paypal. If a billing agreement exists at Paypal for your Skype account, CANCEL IT NOW. Read the Paypal help on how to view your billing agreements and how to cancel them. This limits your exposure to only the funds in your Skype account. Attackers immediately turn auto-renew on, and Skype will happily start draining your Paypal account via this existing agreement. Although this is a change to the way you are billed, and there are financial transactions taking place, SKYPE WILL NOT ASK FOR VERIFICATION VIA EMAIL.

If your account is hijacked, the most useful thing you can do is dispute the charges, either at your credit card issuer or at Paypal. Paypal immediately started a chargeback from Skype once I disputed the charges. I'm still awaiting the results of their investigation, so I don't know if I'll get the funds back. Disputing the charges, though, results in Skype cancelling the credit in your account and locking out all pay services. You want this, especially if you're not confident your account won't get broken into again.

I'll update my blog to let readers know how this all shakes out, Skype are silent so far.

I'm continuing to research Skype and the way it actually works, and other cases like my own, to try to answer my own questions. I can say, though, that given the choice, I wouldn't let Skype anywhere near a network I manage. It's a closed source vendor with support that's not quite up to Open Source, and there are security issues even as a free product.