Krebs got his Id stolen, and you won't believe how easy it was!

Chuckanut

Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Joined
Aug 5, 2011
Messages
18,064
Location
West of the Mississippi
Executive summary: PayPal's 'identity verification' for folks calling about an account relies on information readily available, and they are trivially hacked by basic social engineering schemes. Taking over an account is easy. (Imagine my surprise... There's a reason I refuse to use them any more.)
 
That's really bad. So much for strong passwords. If customer service can override it - forget it. I'm glad I (deliberately) don't have any linked bank accounts - only credit cards.
 
I never link my checking acct to anything. I use the bank's online payment system to tell the bank what to pay. The idea of any organization telling my bank "Take $230 from Chuckanut's account and send it to me" is just plain scary.
 
What's incredible is his two-factor authentication was disabled. Was that just by someone calling customer service? Crazy!
 
I hope it was a glitch and that the customer support person got sacked. Mine is linked to my credit card so I have extra protection.
 
Note to self: delete PayPal acct. Rarely used.
 
I just checked my rarely used PayPal account and deleted the two (expired) credit cards that had been linked. As others have said, I would never permit PayPal access to my bank account.
 
That's really bad. So much for strong passwords. If customer service can override it - forget it. I'm glad I (deliberately) don't have any linked bank accounts - only credit cards.

I always think it is funny how site recommend and/or force using a strong complex password, then use simple challenge questions like "What city were you born?" I use to answer those questions with accurate answers but now just use randomly generated pins kept in an encrypted password manager.

2FA is the way to go.
 
I never link my checking acct to anything. I use the bank's online payment system to tell the bank what to pay. The idea of any organization telling my bank "Take $230 from Chuckanut's account and send it to me" is just plain scary.
I've linked a few regular service providers to our checking account for many years now. I'd rather not but this is so convenient. Accounts like the utility company, water company, etc. have been no problem. Some bills it seems cannot be read by my bank and seem to require manual monthly on line payment but if I could automate this I would.

One alternative is to monitor more frequently. That is something others here have done and I've picked up on those comments (thanks everyone). To that end I've used Lastpass a lot with fingerprint ID on a phone (Nexus 6P). Works great for quick logins and viewing.
 
I always think it is funny how site recommend and/or force using a strong complex password, then use simple challenge questions like "What city were you born?" I use to answer those questions with accurate answers but now just use randomly generated pins kept in an encrypted password manager.

+1

Given all the corporate and government institutions that have let criminals stroll through their computer systems gleaning our private information, that is a good idea.
 
I always think it is funny how site recommend and/or force using a strong complex password, then use simple challenge questions like "What city were you born?" I use to answer those questions with accurate answers but now just use randomly generated pins kept in an encrypted password manager.

2FA is the way to go.
Krebs had 2FA on his Paypal account.

But guess what - the customer service people disabled it.

What use is 2FA if a company service rep turns if off? :confused:
 
Wow. Thanks for posting this. I use PP on ebay occasionally, but removed the links and will add them only when needed. Thanks to this my checking account is no longer linked.

Just another example of how effective social hacking can be...

Thanks again!
 
Krebs had 2FA on his Paypal account.

But guess what - the customer service people disabled it.

What use is 2FA if a company service rep turns if off? :confused:

Always that human element involved that the hackers exploit :facepalm:.
 
Maybe the Paypal policies are driven by the profit motive? Could it be profit over strick security?

I did not see that Krebs was suggesting people close their Paypal account. Could that also be driven by the profit motive?
 
Thank you for this thread. I just removed my bank info from my PayPal account.
 
This thread is a blessing in disguise for me as I was testing the Paypal 2FA on my Tracfone but didn't receive any sent texts. Looks like my trusty Tracfone isn't so trusty and can't make or receive calls. So, now I have a ticket with Tracfone tech support hopefully to fix what's wrong. Better fix this now than away and REALLY needing to make a call.
 
I foolishly had 2 bank accounts connected. I could delete one, but I can't delete the main one. It says there is a pending transaction, but I don't see any. The last transaction was taken out of my bank account on 11/30. I was able to login to paypal so my account hasn't been hacked. Anyone else see this? I put a tickler on my calendar to try again in a few days.
 
I foolishly had 2 bank accounts connected. I could delete one, but I can't delete the main one. It says there is a pending transaction, but I don't see any.

Yes, I get the same thing. Says there is a pending transaction, but there isn't one. I was going to leave it for a few days and then try again.
 
Back
Top Bottom