It seems that no matter how complex you make your password, or even if you use a password manager, your online accounts are at risk of being compromised if the company in question’s customer service is at fault. This was the case with famed cybersecurity journalist Brian Krebs, who discovered that someone had managed to attain access to his Paypal account and tried to send funds to a hacker gang tied to terrorist group ISIS.
Krebs, who has made a lot of enemies from his KrebsOnSecurity blog, found that an email address had been added to his PayPal account on Christmas Eve. He logged into his account, changed the password, switched his email back to the primary contact address and contacted PayPal. The company simply told him the attacker had gained access using his username and password and added that it would “monitor the situation.”
Twenty minutes after he contacted PayPal, Krebs received another email, again stating that a new email address had been added to his account. This time, however, the attacker had removed Krebs’ own email address and changed the account’s password.
PayPal only locked the account after the assailant attempted to send money to the email account of a Junaid Hussain, a hacker believed to have been a prominent ISIS propagandist online before he was reportedly killed in a drone strike earlier this year.
Krebs contacted PayPal customer service for the second time and found that the hacker didn’t really discover his password.
"In my second call to PayPal, I insisted on speaking with a supervisor. That person was able to tell me that, as I suspected, my (very long and complex) password was never really compromised. The attacker had merely called in to PayPal's customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account," Krebs wrote.
Krebs pointed out that using some form of two-factor authentication, such as sending a text message to his phone or a signal to his PayPal app, would have prevented the intrusion, but the company told him that PayPal didn’t have any mobile authentication technologies.
To add insult to injury, PayPal then told Krebs that he would need to send the company a photocopy (or scanned copy) of his driver’s licence in order to unlock the account, which is more authentication than PayPal asked of the original attacker.
The entire incident doesn’t reflect well on PayPal, especially as the person whose account was hacked is such a well-known cybersecurity expert. The company gave a statement regarding the case.
The safety and security of our customers’ accounts, data and money is PayPal’s highest priority. Due to our privacy policies that protect our customers, PayPal does not publicly disclose details about our customers’ accounts or their specific cases. However, it appears that our standard procedures were not followed in this case. While Mr Krebs’ funds remained secure, we are sorry that this unacceptable situation arose and we are reviewing the matter in order to prevent it from happening again.