Krebs got his ID stolen, and you won't believe how easy it was!
12-28-2015, 03:25 PM
#1
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 17,259
Krebs got his ID stolen, and you won't believe how easy it was!
I almost checked to see if it was April 1 when I read this blog entry by the security guru Krebs.
Quote:
The attacker had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.
http://krebsonsecurity.com/2015/12/2...till-the-norm/
__________________
Comparison is the thief of joy
The worst decisions are usually made in times of anger and impatience.
12-28-2015, 03:31 PM
#2
Moderator Emeritus
Join Date: Oct 2007
Location: Portland
Posts: 4,946
Executive summary: PayPal's 'identity verification' for folks calling about an account relies on information readily available, and they are trivially hacked by basic social engineering schemes. Taking over an account is easy. (Imagine my surprise... There's a reason I refuse to use them any more.)
12-28-2015, 03:37 PM
#3
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,139
That's really bad. So much for strong passwords. If customer service can override it - forget it. I'm glad I (deliberately) don't have any linked bank accounts - only credit cards.
__________________
Retired since summer 1999.
12-28-2015, 03:48 PM
#4
Moderator Emeritus
Join Date: Apr 2011
Location: Conroe, Texas
Posts: 18,727
Quote:
Originally Posted by Chuckanut
Thanks!
Wow! Just WOW!
So much for me using PayPal anymore and I have been a user since they started. Interesting read, but continue on and read the "comments" after the article. Very eye-opening that PayPal has dropped 2FA (two factor authentication).
__________________
*********Go Yankees!*********
12-28-2015, 04:09 PM
#5
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 17,259
I never link my checking acct to anything. I use the bank's online payment system to tell the bank what to pay. The idea of any organization telling my bank "Take $230 from Chuckanut's account and send it to me" is just plain scary.
__________________
Comparison is the thief of joy
The worst decisions are usually made in times of anger and impatience.
12-28-2015, 05:32 PM
#6
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,139
What's incredible is his two-factor authentication was disabled. Was that just by someone calling customer service? Crazy!
__________________
Retired since summer 1999.
12-29-2015, 07:05 AM
#7
Full time employment: Posting here.
Join Date: Dec 2014
Posts: 670
I hope it was a glitch and that the customer support person got sacked. Mine is linked to my credit card so I have extra protection.
12-29-2015, 08:44 AM
#8
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Dec 2008
Location: On a hill in the Pine Barrens
Posts: 9,719
Note to self: delete PayPal acct. Rarely used.
12-29-2015, 08:54 AM
#9
Moderator Emeritus
Join Date: Apr 2011
Location: Conroe, Texas
Posts: 18,727
Quote:
Originally Posted by target2019
Note to self: delete PayPal acct. Rarely used.
Ditto. I think I used it twice this year so I'll be cancelling also.
__________________
*********Go Yankees!*********
12-29-2015, 09:03 AM
#10
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jun 2002
Location: Texas: No Country for Old Men
Posts: 50,021
I just checked my rarely used PayPal account and deleted the two (expired) credit cards that had been linked. As others have said, I would never permit PayPal access to my bank account.
__________________
Numbers is hard
12-29-2015, 09:33 AM
#11
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jun 2008
Posts: 13,143
Quote:
Originally Posted by audreyh1
That's really bad. So much for strong passwords. If customer service can override it - forget it. I'm glad I (deliberately) don't have any linked bank accounts - only credit cards.
I always think it is funny how sites recommend and/or force using a strong complex password, then use simple challenge questions like "What city were you born in?" I used to answer those questions with accurate answers but now just use randomly generated PINs kept in an encrypted password manager.
2FA is the way to go.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
12-29-2015, 09:44 AM
#12
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: May 2006
Location: west coast, hi there!
Posts: 8,809
Quote:
Originally Posted by Chuckanut
I never link my checking acct to anything. I use the bank's online payment system to tell the bank what to pay. The idea of any organization telling my bank "Take $230 from Chuckanut's account and send it to me" is just plain scary.
I've linked a few regular service providers to our checking account for many years now. I'd rather not, but this is so convenient. Accounts like the utility company, water company, etc. have been no problem. Some bills it seems cannot be read by my bank and seem to require manual monthly online payment, but if I could automate this I would.
One alternative is to monitor more frequently. That is something others here have done and I've picked up on those comments (thanks everyone). To that end I've used Lastpass a lot with fingerprint ID on a phone (Nexus 6P). Works great for quick logins and viewing.
12-29-2015, 10:05 AM
#13
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 17,259
Quote:
Originally Posted by easysurfer
I always think it is funny how sites recommend and/or force using a strong complex password, then use simple challenge questions like "What city were you born in?" I used to answer those questions with accurate answers but now just use randomly generated PINs kept in an encrypted password manager.
+1
Given all the corporate and government institutions that have let criminals stroll through their computer systems gleaning our private information, that is a good idea.
__________________
Comparison is the thief of joy
The worst decisions are usually made in times of anger and impatience.
12-29-2015, 10:08 AM
#14
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,139
Quote:
Originally Posted by easysurfer
I always think it is funny how sites recommend and/or force using a strong complex password, then use simple challenge questions like "What city were you born in?" I used to answer those questions with accurate answers but now just use randomly generated PINs kept in an encrypted password manager.
2FA is the way to go.
Krebs had 2FA on his PayPal account.
But guess what - the customer service people disabled it.
What use is 2FA if a company service rep turns it off?
__________________
Retired since summer 1999.
12-29-2015, 10:17 AM
#15
Full time employment: Posting here.
Join Date: May 2013
Posts: 727
Wow. Thanks for posting this. I use PP on ebay occasionally, but removed the links and will add them only when needed. Thanks to this my checking account is no longer linked.
Just another example of how effective social hacking can be...
Thanks again!
__________________
“If you don't do it this year, you will be one year older when you do.” - Warren Miller
12-29-2015, 10:35 AM
#16
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jun 2008
Posts: 13,143
Quote:
Originally Posted by audreyh1
Krebs had 2FA on his PayPal account.
But guess what - the customer service people disabled it.
What use is 2FA if a company service rep turns it off?
Always that human element involved that the hackers exploit.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
12-29-2015, 12:20 PM
#17
Thinks s/he gets paid by the post
Join Date: Dec 2005
Location: Lake Livingston, Tx
Posts: 4,204
Closed PayPal account yesterday.
__________________
If it is after 5:00 when I post I reserve the right to disavow anything I posted.
12-29-2015, 12:30 PM
#18
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,139
Quote:
Originally Posted by easysurfer
Always that human element involved that the hackers exploit.
It's just incredible to me that a CSR would override the 2FA.
__________________
Retired since summer 1999.
12-29-2015, 12:38 PM
#19
Administrator
Join Date: Jan 2008
Location: Chicagoland
Posts: 40,708
Quote:
Originally Posted by audreyh1
It's just incredible to me that a CSR would override the 2FA.
Yes, and equally incredible that a CSR has the authority to do so.
12-29-2015, 01:29 PM
#20
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 38,139
Quote:
Originally Posted by MichaelB
Yes, and equally incredible that a CSR has the authority to do so.
Exactly!
__________________
Retired since summer 1999.