Krebs got his Id stolen, and you won't believe how easy it was!
Old 12-28-2015, 04:25 PM   #1
Chuckanut

I almost checked to see if it was April 1 when I read this blog entry by the security guru Krebs.

Quote:
The attacker had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.
http://krebsonsecurity.com/2015/12/2...till-the-norm/

Old 12-28-2015, 04:31 PM   #2
M Paquette
Executive summary: PayPal's 'identity verification' for folks calling about an account relies on information readily available, and they are trivially hacked by basic social engineering schemes. Taking over an account is easy. (Imagine my surprise... There's a reason I refuse to use them any more.)
Old 12-28-2015, 04:37 PM   #3
audreyh1
That's really bad. So much for strong passwords. If customer service can override it - forget it. I'm glad I (deliberately) don't have any linked bank accounts - only credit cards.
Old 12-28-2015, 04:48 PM   #4
aja8888
Quote: Originally Posted by Chuckanut
I almost checked to see if it was April 1 when I read this blog entry by the security guru Krebs.
http://krebsonsecurity.com/2015/12/2...till-the-norm/
Thanks!

Wow! Just WOW!

So much for me using PayPal anymore and I have been a user since they started. Interesting read, but continue on and read the "comments" after the article. Very eye-opening that PayPal has dropped 2FA (two factor authentication).
Old 12-28-2015, 05:09 PM   #5
Chuckanut
I never link my checking acct to anything. I use the bank's online payment system to tell the bank what to pay. The idea of any organization telling my bank "Take $230 from Chuckanut's account and send it to me" is just plain scary.
Old 12-28-2015, 06:32 PM   #6
audreyh1
What's incredible is his two-factor authentication was disabled. Was that just by someone calling customer service? Crazy!
Old 12-29-2015, 08:05 AM   #7
Christine
I hope it was a glitch and that the customer support person got sacked. Mine is linked to my credit card so I have extra protection.
Old 12-29-2015, 09:44 AM   #8
target2019
Note to self: delete PayPal acct. Rarely used.
Old 12-29-2015, 09:54 AM   #9
aja8888
Quote: Originally Posted by target2019
Note to self: delete PayPal acct. Rarely used.
Ditto. I think I used it twice this year so I'll be cancelling also.
Old 12-29-2015, 10:03 AM   #10
REWahoo
I just checked my rarely used PayPal account and deleted the two (expired) credit cards that had been linked. As others have said, I would never permit PayPal access to my bank account.
Old 12-29-2015, 10:33 AM   #11
easysurfer
Quote: Originally Posted by audreyh1
That's really bad. So much for strong passwords. If customer service can override it - forget it. I'm glad I (deliberately) don't have any linked bank accounts - only credit cards.
I always think it is funny how sites recommend and/or force using a strong complex password, then use simple challenge questions like "What city were you born in?" I used to answer those questions with accurate answers but now just use randomly generated PINs kept in an encrypted password manager.

2FA is the way to go.
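The post above contrasts a strong password with weak knowledge-based recovery factors, and the Krebs quote in the opening post shows that "last four of the SSN plus last four of a card" was enough to reset a password. The following is an added illustration, not part of the thread or anything from Krebs or PayPal: it generates random answers for the kind of challenge questions mentioned (the questions and the 16-character length are constructed assumptions), and puts rough entropy numbers on each factor so the gap between a random answer and four digits is visible. The entropy figure for the four-digit factors is an upper bound; in practice those digits are not secret at all, since they appear on statements and in breach data, which is the post's real point.

```python
import math
import secrets
import string

# Constructed sample of challenge questions of the kind the post mentions.
SAMPLE_QUESTIONS = [
    "What city were you born in?",
    "What was the name of your first pet?",
    "What was your high school mascot?",
]

# Alphabet for generated answers: letters and digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def random_answer(length: int = 16) -> str:
    """Return a cryptographically random answer drawn from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_answer_vault(questions, length: int = 16) -> dict:
    """Map each question to a fresh random answer, as one would store
    in an encrypted password manager instead of a truthful answer."""
    return {q: random_answer(length) for q in questions}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random string."""
    return length * math.log2(alphabet_size)


def compare_recovery_factors(answer_length: int = 16) -> dict:
    """Rough entropy (bits) of the factors discussed in the thread.
    The 4-digit values are an upper bound: they assume the digits are
    secret, which last-4 SSN and last-4 card numbers are not."""
    four_digits = entropy_bits(4, 10)          # 10^4 possibilities
    return {
        "last4_ssn_bits": round(four_digits, 2),
        "last4_card_bits": round(four_digits, 2),
        "both_combined_bits": round(2 * four_digits, 2),
        "random_answer_bits": round(entropy_bits(answer_length, len(ALPHABET)), 2),
    }


if __name__ == "__main__":
    vault = build_answer_vault(SAMPLE_QUESTIONS)
    for question, answer in vault.items():
        print(f"{question:40s} -> {answer}")
    for factor, bits in compare_recovery_factors().items():
        print(f"{factor:22s} {bits:6.2f} bits")
```

The design choice is `secrets` rather than `random`, because the answers stand in for secrets and need an unpredictable source; the entropy table is what a reviewer would use to argue that a phone-support reset keyed on two four-digit values is far weaker than the password it overrides.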
Old 12-29-2015, 10:44 AM   #12
Lsbcal
Quote: Originally Posted by Chuckanut
I never link my checking acct to anything. I use the bank's online payment system to tell the bank what to pay. The idea of any organization telling my bank "Take $230 from Chuckanut's account and send it to me" is just plain scary.
I've linked a few regular service providers to our checking account for many years now. I'd rather not, but this is so convenient. Accounts like the utility company, water company, etc. have been no problem. Some bills it seems cannot be read by my bank and seem to require manual monthly online payment, but if I could automate this I would.

One alternative is to monitor more frequently. That is something others here have done and I've picked up on those comments (thanks everyone). To that end I've used Lastpass a lot with fingerprint ID on a phone (Nexus 6P). Works great for quick logins and viewing.
Old 12-29-2015, 11:05 AM   #13
Chuckanut
Quote: Originally Posted by easysurfer
I always think it is funny how sites recommend and/or force using a strong complex password, then use simple challenge questions like "What city were you born in?" I used to answer those questions with accurate answers but now just use randomly generated PINs kept in an encrypted password manager.
+1

Given all the corporate and government institutions that have let criminals stroll through their computer systems gleaning our private information, that is a good idea.
Old 12-29-2015, 11:08 AM   #14
audreyh1
Quote: Originally Posted by easysurfer
I always think it is funny how sites recommend and/or force using a strong complex password, then use simple challenge questions like "What city were you born in?" I used to answer those questions with accurate answers but now just use randomly generated PINs kept in an encrypted password manager.

2FA is the way to go.
Krebs had 2FA on his Paypal account.

But guess what - the customer service people disabled it.

What use is 2FA if a company service rep turns it off?
Old 12-29-2015, 11:17 AM   #15
Willers
Wow. Thanks for posting this. I use PP on ebay occasionally, but removed the links and will add them only when needed. Thanks to this my checking account is no longer linked.

Just another example of how effective social hacking can be...

Thanks again!
Old 12-29-2015, 11:35 AM   #16
easysurfer
Quote: Originally Posted by audreyh1
Krebs had 2FA on his Paypal account.

But guess what - the customer service people disabled it.

What use is 2FA if a company service rep turns it off?
Always that human element involved that the hackers exploit.
Old 12-29-2015, 01:20 PM   #17
Rustic23
Closed PayPal account yesterday.
Old 12-29-2015, 01:30 PM   #18
audreyh1
Quote: Originally Posted by easysurfer
Always that human element involved that the hackers exploit.
It's just incredible to me that a CSR would override the 2FA.
Old 12-29-2015, 01:38 PM   #19
MichaelB
Quote: Originally Posted by audreyh1
It's just incredible to me that a CSR would override the 2FA.
Yes, and equally incredible that a CSR has the authority to do so.
Old 12-29-2015, 02:29 PM   #20
audreyh1
Quote: Originally Posted by MichaelB
Yes, and equally incredible that a CSR has the authority to do so.
Exactly!