TechSpot

Cybersecurity journalist's PayPal account hacked, says company needs better authentication system

By midian182
Jan 4, 2016
Post New Reply
  1. It seems that no matter how complex you make your password, or even if you use a password manager, your online accounts are at risk of being compromised if the company in question’s customer service is at fault. This was the case with famed cybersecurity journalist Brian Krebs, who discovered that someone had managed to attain access to his Paypal account and tried to send funds to a hacker gang tied to terrorist group ISIS.

    Krebs, who has made a lot of enemies from his KrebsOnSecurity blog, found that an email address had been added to his PayPal account on Christmas Eve. He logged into his account, changed the password, switched his email back to the primary contact address and contacted PayPal. The company simply told him the attacker had gained access using his username and password and added that it would “monitor the situation.”

    Twenty minutes after he contacted PayPal, Krebs received another email, again stating that a new email address had been added to his account. This time, however, the attacker had removed Krebs’ own email address and changed the account’s password.

    PayPal only locked the account after the assailant attempted to send money to the email account of a Junaid Hussain, a hacker believed to have been a prominent ISIS propagandist online before he was reportedly killed in a drone strike earlier this year.

    Krebs contacted PayPal customer service for the second time and found that the hacker didn’t really discover his password.

    "In my second call to PayPal, I insisted on speaking with a supervisor. That person was able to tell me that, as I suspected, my (very long and complex) password was never really compromised. The attacker had merely called in to PayPal's customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account," Krebs wrote.

    Krebs pointed out that using some form of two-factor authentication, such as sending a text message to his phone or a signal to his PayPal app, would have prevented the intrusion, but the company told him that PayPal didn’t have any mobile authentication technologies.

    To add insult to injury, PayPal then told Krebs that he would need to send the company a photocopy (or scanned copy) of his driver’s licence in order to unlock the account, which is more authentication than PayPal asked of the original attacker.

    The entire incident doesn’t reflect well on PayPal, especially as the person whose account was hacked is such a well-known cybersecurity expert. The company gave a statement regarding the case.

    The safety and security of our customers’ accounts, data and money is PayPal’s highest priority. Due to our privacy policies that protect our customers, PayPal does not publicly disclose details about our customers’ accounts or their specific cases. However, it appears that our standard procedures were not followed in this case. While Mr Krebs’ funds remained secure, we are sorry that this unacceptable situation arose and we are reviewing the matter in order to prevent it from happening again.

    Permalink to story.

     
  2. Uncle Al

    Uncle Al TS Evangelist Posts: 1,681   +783

    Never trusted Pay Pal and never will .... their reputation over the years is anything but stellar!
     
  3. treetops

    treetops TS Evangelist Posts: 1,953   +162

    So why didn't he change his security question\answer right away?
     
  4. risc32

    risc32 TS Booster Posts: 197   +87

    Question/answer? Did you read the article? Security is rarely beaten head-on, that is, instead of cracking a password, they either find a way around it like this story, or find a way to learn it.
    . Frankly, the password system is ridiculous. All these clever guys around and this is what we've got?
     
  5. Kibaruk

    Kibaruk TechSpot Paladin Posts: 2,517   +505

    I'm really into how simple it is to use paypal but the fact that it doesn't have 2-step authentication has always tingled my spider sense.

    So why didn't you read the post right away?
     
  6. robb213

    robb213 TS Addict Posts: 315   +93

    I'm a broken record now, but the whole SS# system is so flawed it's embarrassing now. Why they won't implement changes to it to help protect people, especially those who have their's in the wild like Krebs, blows my mind. Government always blows my mind though, nothing new...

    Skim the article over again: they don't ask for anything but your SS# and credit card numbers. If someone has that info already, they can keep up with the charade over and over again.
    It does, somewhat. The only 2FA they allow is to send an SMS code to your phone, which you then enter. I wish they'd allow either better or more convenient methods provided by 3rd party apublications though.
     
  7. Kibaruk

    Kibaruk TechSpot Paladin Posts: 2,517   +505

    If there is one I don't have access to it.
     
  8. treetops

    treetops TS Evangelist Posts: 1,953   +162

    I know they did not use his security question, but at first he did not know that. I thought anyone who runs a blog about security would immediately change their security question in case it was compromised or changed.

    "Krebs, who has made a lot of enemies from his KrebsOnSecurity blog, found that an email address had been added to his PayPal account on Christmas Eve. He logged into his account, changed the password, switched his email back to the primary contact address and contacted PayPal. The company simply told him the attacker had gained access using his username and password and added that it would “monitor the situation.” "
     
  9. robb213

    robb213 TS Addict Posts: 315   +93

    Check here: https://www.turnon2fa.com/tutorials/how-to-turn-on-2fa-for-paypal/

    I never noticed it at first. I figured (not too long ago) that I should see if it does because of what PayPal has/does. Then found that site which lists many other sites, their methods, and more.
     

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...