Krebs got his Id stolen, and you won't believe how easy it was!

[Chuckanut]

I almost checked to see if it was April 1 when I read this blog entry by the security guru Krebs.

Quote:

The attacker had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.

http://krebsonsecurity.com/2015/12/2...till-the-norm/

[M Paquette]

Executive summary: PayPal's 'identity verification' for folks calling about an account relies on information readily available, and they are trivially hacked by basic social engineering schemes. Taking over an account is easy. (Imagine my surprise... There's a reason I refuse to use them any more.)

[audreyh1]

That's really bad. So much for strong passwords. If customer service can override it - forget it. I'm glad I (deliberately) don't have any linked bank accounts - only credit cards.

[aja8888]

Quote:

Originally Posted by Chuckanut I almost checked to see if it was April 1 when I read this blog entry by the security guru Krebs. http://krebsonsecurity.com/2015/12/2...till-the-norm/

Thanks!

Wow! Just WOW!

So much for me using PayPal anymore and I have been a user since they started. Interesting read, but continue on and read the "comments" after the article. Very eye-opening that PayPal has dropped 2FA (two factor authentication).

[Chuckanut]

I never link my checking acct to anything. I use the bank's online payment system to tell the bank what to pay. The idea of any organization telling my bank "Take $230 from Chuckanut's account and send it to me" is just plain scary.

[audreyh1]

What's incredible is his two-factor authentication was disabled. Was that just by someone calling customer service? Crazy!

[Christine]

I hope it was a glitch and that the customer support person got sacked. Mine is linked to my credit card so I have extra protection.

[target2019]

Note to self: delete PayPal acct. Rarely used.

[aja8888]

Quote:

Originally Posted by target2019 Note to self: delete PayPal acct. Rarely used.

Ditto. I think I used it twice this year so I'll be cancelling also.

[REWahoo]

I just checked my rarely used PayPal account and deleted the two (expired) credit cards that had been linked. As others have said, I would never permit PayPal access to my bank account.

[easysurfer]

Quote:

Originally Posted by audreyh1 That's really bad. So much for strong passwords. If customer service can override it - forget it. I'm glad I (deliberately) don't have any linked bank accounts - only credit cards.

I always think it is funny how site recommend and/or force using a strong complex password, then use simple challenge questions like "What city were you born?" I use to answer those questions with accurate answers but now just use randomly generated pins kept in an encrypted password manager.

2FA is the way to go.

[Lsbcal]

Quote:

Originally Posted by Chuckanut I never link my checking acct to anything. I use the bank's online payment system to tell the bank what to pay. The idea of any organization telling my bank "Take $230 from Chuckanut's account and send it to me" is just plain scary.

I've linked a few regular service providers to our checking account for many years now. I'd rather not but this is so convenient. Accounts like the utility company, water company, etc. have been no problem. Some bills it seems cannot be read by my bank and seem to require manual monthly on line payment but if I could automate this I would.

One alternative is to monitor more frequently. That is something others here have done and I've picked up on those comments (thanks everyone). To that end I've used Lastpass a lot with fingerprint ID on a phone (Nexus 6P). Works great for quick logins and viewing.

[Chuckanut]

Quote:

Originally Posted by easysurfer I always think it is funny how site recommend and/or force using a strong complex password, then use simple challenge questions like "What city were you born?" I use to answer those questions with accurate answers but now just use randomly generated pins kept in an encrypted password manager.

+1

Given all the corporate and government institutions that have let criminals stroll through their computer systems gleaning our private information, that is a good idea.

[audreyh1]

Quote:

Originally Posted by easysurfer I always think it is funny how site recommend and/or force using a strong complex password, then use simple challenge questions like "What city were you born?" I use to answer those questions with accurate answers but now just use randomly generated pins kept in an encrypted password manager. 2FA is the way to go.

Krebs had 2FA on his Paypal account.

But guess what - the customer service people disabled it.

What use is 2FA if a company service rep turns if off?

[Willers]

Wow. Thanks for posting this. I use PP on ebay occasionally, but removed the links and will add them only when needed. Thanks to this my checking account is no longer linked.

Just another example of how effective social hacking can be...

Thanks again!

[easysurfer]

Quote:

Originally Posted by audreyh1 Krebs had 2FA on his Paypal account. But guess what - the customer service people disabled it. What use is 2FA if a company service rep turns if off?

Always that human element involved that the hackers exploit .

[Rustic23]

closed paypal account yesterday.

[audreyh1]

Quote:

Originally Posted by easysurfer Always that human element involved that the hackers exploit .

It's just incredible to me that a CSR would override the 2FA.

[MichaelB]

Quote:

Originally Posted by audreyh1 It's just incredible to me that a CSR would override the 2FA.

Yes, and equally incredible that a CSR has the authority to do so.

[audreyh1]

Quote:

Originally Posted by MichaelB Yes, and equally incredible that a CSR has the authority to do so.

Exactly!