Paypal rolls out the welcome mat for hackers

It's not bad enough that PayPal is prone to shutting down your account and seizing your dough if you have a particularly successful fundraiser -- the company also has virtually no capacity to prevent hackers from changing the email address, password and phone numbers associated with your account, even if you're using its two-factor authentication fob.

Independent security researcher Brian Krebs is frequently targeted for harassment by the criminals he exposes -- one sent him heroin, another swatted him -- and on Christmas Eve, someone took over his PayPal account and tried to send his money to a jihadi hacker.

Krebs caught the warning that a new email address had been added to his account, deleted it, called up PayPal, and was assured that the account would be "monitored" against future shenanigans. Twenty minutes later, the same attacker broke into Krebs's account again, locked him out of it, and tried to make payments to a dead ISIS propagandist called Junaid Hussain.

Krebs uses PayPal's two-factor authentication fob, but for some reason PayPal doesn't ask its users to enter a one-time code from it when changing login details; the reset flow relies on static personal data instead. The company says he can have his account back when he sends them a photocopy of his driver's license (something that's trivial to fake).

PayPal does offer additional security protections — including a PayPal Security Key fob that periodically generates a new one-time password which needs to be entered at login in addition to a username and password. I’ve used this solution since shortly after the company began offering it almost a decade ago, but a fat lot of good it does if PayPal is going to continue letting users reset their passwords by regurgitating static data that is trivial to purchase from the cybercrime underground.

Many companies will offer customers more account security options, but only if asked. Most often, when companies are asked for non-standard security precautions it is because the account holder has stated that he or she was previously the target of cyber stalking or concerted harassment or threats online. I can recall doing this with most of the utilities we use — including our ISP — after having ne’er-do-wells try to shut off our power, phone and water service by calling in with those static identifiers. None of those companies offered more advanced authentication options — such as mobile device authentication — but most would let me place a flag on my account that no changes were to be made unless I showed up at the utility’s offices in person and presented a photo ID and my username and password.

2016 Reality: Lazy Authentication Still the Norm [Brian Krebs/Krebs on Security]
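The gap described above, a fob that is checked at login but not when login details are changed, as an added example that is not PayPal's or Krebs's code: a hypothetical `AccountService` with the weak policy (static data alone unlocks the change) beside a hardened step-up policy that demands a fresh, single-use RFC 6238 TOTP before any change to email, password or phone. The secret and identifiers are constructed for the demo.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time window containing `now`."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class AccountService:
    """Hypothetical account-settings service; `step_up` selects the policy."""

    SENSITIVE = {"email", "password", "phone"}

    def __init__(self, otp_secret: bytes, ssn_last4: str, step_up: bool):
        self.otp_secret = otp_secret
        self.ssn_last4 = ssn_last4        # static identifier, widely leaked
        self.step_up = step_up            # True = hardened policy
        self.used_windows = set()         # TOTP windows already consumed
        self.profile = {"email": "owner@example.invalid", "phone": "000"}

    def change(self, field: str, value: str, *, ssn_last4: str = "",
               otp: str = "", now: int = 0) -> bool:
        """Apply the change and return True, or refuse it and return False."""
        if field in self.SENSITIVE and self.step_up:
            # Hardened: a fresh code from the enrolled fob is mandatory, and
            # each code is accepted once so a captured code cannot be replayed.
            window = now // 30
            if window in self.used_windows:
                return False
            if not hmac.compare_digest(otp, totp(self.otp_secret, now)):
                return False
            self.used_windows.add(window)
        elif not hmac.compare_digest(ssn_last4, self.ssn_last4):
            # Weak (the flow the post describes): static data alone is enough,
            # and that data is exactly what the underground sells in bulk.
            return False
        self.profile[field] = value
        return True
```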

Update: A PayPal spokesperson issued the following statement, attributed to Anuj Nayar, Senior Director of Global Initiatives at PayPal.

"The safety and security of our customers’ accounts, data and money is PayPal’s highest priority. Due to our privacy policies that protect our customers, PayPal does not publicly disclose details about our customers’ accounts or their specific cases. However, it appears that our standard procedures were not followed in this case. While the funds remained secure, we are sorry that this unacceptable situation arose and we are reviewing the matter in order to prevent it from happening again."

Notable Replies

  1. It seems like we might as well all set our passwords to "password", for all the good a 26-character upper/lower-case alphanumeric special-character password does.

    Note that Krebs had his PayPal account hacked not once but twice within 24 hours, once immediately after trying to resecure his account. When I applied for a Chinese tourist visa, my Facebook account was hacked by someone from Hong Kong within hours. All the fancy passwords and authentication nonsense seems to mean nothing in the face of a semi-skilled hacker or his army of trained monkeys.

    It seems like the only thing protecting us from these hackers is obscurity and volume.

  2. I went through a few episodes of DirecTV having people make bogus accounts with my name and SSN at different addresses, then letting the accounts go to collections. Their authentication procedure was tailored to make it easy to set up an account at an address that the customer doesn't live at, but required no verification that the customer on the phone was really the person whose SSN they were just given.

    I concluded, after talking with the DirecTV security people, that any company that desires more customers plays fast and loose with security, because security hampers efforts to get more customers. It's similar to the fact that all business travelers are allowed to carry dangerous lithium batteries on aircraft in their laptop computers, because those are the people that bring in the most income.

    So don't expect this to change.

  3. PayPal Just Doesn't Care if your money gets shifted to a hacker's account as long as they still get their cut.

    And as far as odds go, I've had my money stolen by PayPal itself far more often than by hackers. Never keep much money in there!

  4. My other laptop is a hoverboard!
