Paypal rolls out the welcome mat for hackers


As if it weren't bad enough that PayPal is prone to shutting down your account and seizing your dough if you have a particularly successful fundraiser, it turns out the company also does almost nothing to stop hackers from changing the email address, password and phone numbers associated with your account, even if you're using its two-factor authentication fob.

Independent security researcher Brian Krebs is frequently targeted for harassment by the criminals he exposes -- one sent him heroin, another swatted him -- and on Christmas Eve, someone took over his PayPal account and tried to send his money to a jihadi hacker.

Krebs caught the warning that a new email address had been added to his account, removed it, and called PayPal, which assured him that the account would be "monitored" against further shenanigans. Twenty minutes later the same attacker broke into the account again, locked Krebs out of it, and tried to make payments to a dead ISIS propagandist named Junaid Hussain.

Krebs uses PayPal's two-factor authentication fob, but PayPal does not require a one-time code from it before letting someone reset the password or change the login details on an account: the static identifiers that a password reset asks for are enough on their own. The company says he can have his account back once he sends them a photocopy of his driver's license (something that is trivial to fake).

PayPal does offer additional security protections — including a PayPal Security Key fob that periodically generates a new one-time password which needs to be entered at login in addition to a username and password. I’ve used this solution since shortly after the company began offering it almost a decade ago, but a fat lot of good it does if PayPal is going to continue letting users reset their passwords by regurgitating static data that is trivial to purchase from the cybercrime underground.

Many companies will offer customers more account security options, but only if asked. Most often, when companies are asked for non-standard security precautions it is because the account holder has stated that he or she was previously the target of cyber stalking or concerted harassment or threats online. I can recall doing this with most of the utilities we use — including our ISP — after having ne’er-do-wells try to shut off our power, phone and water service by calling in with those static identifiers. None of those companies offered more advanced authentication options — such as mobile device authentication — but most would let me place a flag on my account that no changes were to be made unless I showed up at the utility’s offices in person and presented a photo ID and my username and password.

2016 Reality: Lazy Authentication Still the Norm [Brian Krebs/Krebs on Security]
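The flaw Krebs describes is a step-up authentication gap: the second factor is checked at login but not at the password reset and account-change paths that an attacker actually needs. The following is an added illustrative model, not PayPal's code and not from the Krebs post. It implements RFC 6238 TOTP over HMAC-SHA1 in the standard library, then puts a weak change policy (static identifiers alone unlock a password reset, as described above) beside a hardened one (every sensitive operation needs a fresh, unreplayed one-time code, and static identifiers never suffice). The account, the "last four" identifiers, the operation names and the timestamps are constructed sample data.

```python
"""Added example: step-up authentication for account changes.

Not PayPal's code and not from the original post. The account, the
identifiers, the operation names and the timestamps below are constructed.
TOTP follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits).
"""
import hashlib
import hmac
import struct

STEP = 30
DIGITS = 6

# Operations an attacker uses to take over an account; these must be step-up
# protected, not just the login screen.
SENSITIVE = {"change_password", "change_email", "add_phone", "pay_new_payee"}


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the current time window."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class Account:
    def __init__(self, secret: bytes, ssn_last4: str, card_last4: str):
        self.secret = secret            # seed shared with the hardware token
        self.ssn_last4 = ssn_last4      # "static data" an attacker can buy
        self.card_last4 = card_last4
        self.used_windows = set()       # replay protection for OTP codes


def weak_policy(acct, op, now, ssn_last4=None, card_last4=None, code=None):
    """Models the flaw: the token is demanded at login, but any other change
    goes through on static identifiers alone."""
    if op == "login":
        return code is not None and hmac.compare_digest(code, totp(acct.secret, now))
    return ssn_last4 == acct.ssn_last4 and card_last4 == acct.card_last4


def hardened_policy(acct, op, now, ssn_last4=None, card_last4=None, code=None):
    """Every sensitive operation (and login) needs a fresh OTP. Static
    identifiers are ignored entirely; they can only ever pick the account,
    never prove control of it."""
    if op != "login" and op not in SENSITIVE:
        return True                     # e.g. viewing a balance in a logged-in session
    if code is None:
        return False
    window = now // STEP
    for drift in (0, -1):               # tolerate one step of clock skew
        candidate = window + drift
        if hmac.compare_digest(code, totp(acct.secret, candidate * STEP)):
            if candidate in acct.used_windows:
                return False            # replayed code
            acct.used_windows.add(candidate)
            return True
    return False


def run_scenario() -> dict:
    """Attacker holds the victim's last-four SSN and card digits but not the token."""
    secret = b"12345678901234567890"    # RFC 6238 test seed, constructed
    now = 1234567890
    victim_code = totp(secret, now)     # only the token holder can produce this

    weak = Account(secret, "1234", "5678")
    hard = Account(secret, "1234", "5678")
    return {
        # weak policy: static data alone resets the password (the flaw)
        "weak_reset_with_static_data": weak_policy(
            weak, "change_password", now, ssn_last4="1234", card_last4="5678"),
        # hardened policy: same request is refused
        "hard_reset_with_static_data": hardened_policy(
            hard, "change_password", now, ssn_last4="1234", card_last4="5678"),
        # hardened policy: a guessed code is refused
        "hard_reset_with_wrong_code": hardened_policy(
            hard, "change_password", now, code="000000"),
        # hardened policy: the real token holder succeeds once ...
        "hard_reset_with_token": hardened_policy(
            hard, "change_password", now, code=victim_code),
        # ... and the same code cannot be replayed for a second change
        "hard_replay_same_code": hardened_policy(
            hard, "change_email", now + 5, code=victim_code),
    }


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name}: {'ALLOWED' if allowed else 'denied'}")
```

The point of the model is the policy table, not the TOTP arithmetic: a second factor only protects an account if every path that can change credentials, contact details or payees is gated by it, and knowledge-based identifiers that are sold in bulk should never be accepted as proof of control.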

Update: A PayPal spokesperson issued the following statement, attributed to Anuj Nayar, Senior Director of Global Initiatives at PayPal.

"The safety and security of our customers’ accounts, data and money is PayPal’s highest priority. Due to our privacy policies that protect our customers, PayPal does not publicly disclose details about our customers’ accounts or their specific cases. However, it appears that our standard procedures were not followed in this case. While the funds remained secure, we are sorry that this unacceptable situation arose and we are reviewing the matter in order to prevent it from happening again."
