Although Paypal's new take-it-or-leave-it terms-of-service give it the right to give robocallers your phone number for endless harassment, the FCC has warned the company that this idea isn't just stupid and evil, it's also illegal. Read the rest
Naoki Hiroshima was lucky enough to snag a one-character Twitter username: @N. Over the years, he'd been offered large sums -- as much as $50,000 -- for the name, but he kept it. Then, according to a horrifying first-person account, a hacker socially engineered the last four digits of his credit-card out of Paypal, used that information to seize control of his Godaddy account, and threated to trash all of Hiroshima's websites unless Hiroshima transferred @N to the hacker. The hacker also seized control of Hiroshima's Facebook account. The attack took place over the Martin Luther King, Jr day holiday, and Hiroshima couldn't get his case escalated to anyone at Twitter, Godaddy or Paypal while it was taking place, and so he lost his domain. All three companies now say that they're looking into his story. Hiroshima offers some helpful advice on avoiding his fate (use two-factor authentication, mostly).
Security researcher Brian Krebs got a look at the auction prices at iProfit.su, a criminal marketplace where you can buy hacked and phished PayPal accounts; he discovered that the going account for 100 zero-balance verified PayPal accounts is a mere $50 -- that's 50 cents per account.
Read the rest
Accounts are sold with or without email access (indicated by the “email” heading in the screenshot above): Accounts that come with email access include the username and password of the victim’s email account that they used to register at PayPal, the site’s proprietor told me via instant message. The creator of iProfit.su told me the accounts for sale were stolen via phishing attacks, but the fact that accounts are being sold along with email access suggests that at least some of the accounts are being hijacked by password-stealing computer Trojans on account holders’ PCs.