Brian Krebs criticises PayPal’s security as authentication flaws exposed

Enemies of investigative reporter Brian Krebs took over his PayPal account twice on Christmas Eve, but were foiled on both occasions in their attempts to transfer funds to an account associated with an assassinated jihadist hacker, he said. Krebs, who has been the target of several previous unsuccessful attempts to discredit …

  1. Anonymous Coward

    The problem with entirely online companies....

    You can't turn up somewhere, with a passport plus other ID, to prove who you are. Hence relatively weak security, at least if you're a target of the bad people.

    1. DaLo

      Re: The problem with entirely online companies....

      Why could they not do one of the following:

      Ask for the 2FA code

      Call him back on his registered phone number

      Ask for the last x PayPal transactions

      Ask for his last login time/date

      Mark his account as supervisor changes only with extra verification required

      etc etc

      Basically things that aren't public record.

      1. TReko
        FAIL

        Re: The problem with entirely online companies....

        >Why could they not do one of the following:

        Because it is not their money, it is yours, and PayPal don't really care about security, they just want to look secure, which is much cheaper and easier than actually being secure.

      2. Mark 65

        Re: The problem with entirely online companies....

        2FA is only ever any good if the security it offers cannot be overridden by a fucking idiot at the end of a phone line, as was the case in this instance. Dumb human overrides any security measure.

        1. Anonymous Coward

          Re: The problem with entirely online companies....

          The suggestions were:

          Ask for the 2FA code

          A code I was sent a long time ago which may well be lost, which is why I'm phoning up to regain access to my account. Otherwise a good idea.

          Call him back on his registered phone number

          I don't want to give PayPal a phone number they can sell and so they've got a fake number.

          Ask for the last x PayPal transactions

          I don't use PayPal very much but even I can't remember that.

          Ask for his last login time/date

          I certainly can't remember that!

          Mark his account as supervisor changes only with extra verification required

          What extra verification?

  2. Will Godfrey Silver badge
    Unhappy

    No Surprise

    As long as the management suffer no direct consequences, they'll do nothing significant. It's all about profits innit?

  3. Your alien overlord - fear me

    So minimum wage call-centre support staff fell for the old 'pleeeeease' routine and went off-script?

    If the staff at the end of the phone know less about security than they care about security this will always happen. Teach them about security and social engineering for at least half an hour (probably in their lunch break).

  4. Anonymous Coward

    Standard procedure

    It's standard procedure for crims to attack on holidays when substitute security personnel are often on duty. Beware of changes or charges that occur on all holidays.

  5. Anonymous Coward

    VIP Security Token

    I wish you good luck trying to enable the VIP Security Token in PayPal, either from Symantec's site or from PayPal's own site. Not working.... Are they taking security seriously?

  6. monty75

    Worse for us

    As far as I can figure out, PayPal's 2FA offering for the UK is a code sent by SMS. If you don't have your phone to hand, or can't be arsed to look at it, you can bypass the whole process by answering two security questions. It's always the same two questions. So, one person peering over your shoulder, a keylogger or just someone who's able to do some basic research to find your mum's maiden name and your 2FA becomes sweet FA.

    1. Intractable Potsherd

      Re: Worse for us

      "It's always the same two questions. So, one person peering over your shoulder, a keylogger or just someone who's able to do some basic research to find your mum's maiden name and your 2FA becomes sweet FA."

      One person peering over your shoulder - who in their right mind allows this to happen?

      A keylogger - difficult to install, and needs a lot of motivation.

      Mum's maiden name - depressing to say, this is a genuine weak point because people *do* use the actual name. I haven't done so for years, but trying to persuade family members not to do so seems to be impossible.

      On the other hand: "If you don't have your phone to hand, or can't be arsed to look at it ...": why sign up for 2FA if you aren't going to use it? If it is inconvenient to look at your phone, wait until it is. However, since any 2FA is, by definition, going to rely on some sort of device (key fob or whatever), you are arguing that no 2FA is going to suit you. Since security is always a trade-off with convenience, you will always be dissatisfied.

      1. monty75

        Re: Worse for us

        You've misunderstood my point. The fact that 2FA can be bypassed by a user leaves open the opportunity for a bad actor to bypass it. It should be 2FA or no access.
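Taking DaLo's list of checks that "aren't public record" together with monty75's "2FA or no access" point, here is an added illustration (not PayPal's code, nor anyone's in this thread) of a recovery policy a phone agent cannot talk around. The factor names, their public-record classification, the two-factor threshold for un-enrolled accounts and the sample requests are all constructed assumptions.

```python
"""Recovery step-up policy; factors and thresholds are constructed for this example."""

# Checks a phone agent may run. public_record: obtainable from breach dumps, public
# records or social media; possession: requires the registered device or channel.
FACTORS = {
    "otp_code":                  {"public_record": False, "possession": True},
    "callback_registered_phone": {"public_record": False, "possession": True},
    "last_login_time":           {"public_record": False, "possession": False},
    "recent_transactions":       {"public_record": False, "possession": False},
    "ssn_last4":                 {"public_record": True,  "possession": False},
    "card_last4":                {"public_record": True,  "possession": False},
    "mothers_maiden_name":       {"public_record": True,  "possession": False},
}


def evaluate_recovery(verified, two_fa_enrolled, agent_override=False):
    """Decide whether an account-recovery request may proceed.

    verified: set of factor names the agent actually confirmed.
    Rules (constructed): a 2FA-enrolled account is unlocked only by a possession
    factor, and there is no agent or supervisor override; an un-enrolled account
    needs at least two factors that are not public record.
    Returns (allowed, reason).
    """
    if agent_override:
        return False, "agent override is not a factor; request must be re-verified"
    unknown = set(verified) - set(FACTORS)
    if unknown:
        return False, f"unknown factors rejected: {sorted(unknown)}"
    possession = sorted(f for f in verified if FACTORS[f]["possession"])
    private = sorted(f for f in verified if not FACTORS[f]["public_record"])
    if two_fa_enrolled:
        if possession:
            return True, f"possession factor confirmed: {possession}"
        return False, "2FA enrolled: knowledge answers cannot replace the second factor"
    if len(private) >= 2:
        return True, f"non-public factors confirmed: {private}"
    return False, f"insufficient: only public-record answers {sorted(verified)}"


if __name__ == "__main__":
    # Constructed requests: four digits of SSN and card (the checks mentioned later
    # in the thread) on a 2FA-enrolled account, with and without an agent "override".
    print(evaluate_recovery({"ssn_last4", "card_last4"}, two_fa_enrolled=True))
    print(evaluate_recovery({"ssn_last4", "card_last4"}, True, agent_override=True))
    print(evaluate_recovery({"otp_code"}, two_fa_enrolled=True))
    print(evaluate_recovery({"last_login_time", "recent_transactions"}, False))
    print(evaluate_recovery({"ssn_last4", "mothers_maiden_name"}, False))
```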

  7. DerekCurrie
    WTF?

    The Hackers Were Brian Krebs More Easily Than I Was Myself...

    Early in December, while using a VPN client, I attempted to buy some software over the Internet while using an exit node located in another country. The location of the exit node led my attempt to use PayPal into a black hole. It refused to work properly. I ended up buying the software via a credit card instead.

    Over the course of two attempts to sort out the lock out from my account via phone reps at PayPal, I ran into incessantly hellish interrogation, including not just Brian's questions, but obscure questions with answers 'collected from the Internet' that I literally could not answer, they were so outrageously obscure. My second attempt to battle through their phone system led me up FIVE (5) levels of tech support until I finally got a very kind and coherent fellow who, at long bloody last, knew exactly what had happened, why it had happened, and was able to repair the situation.

    IOW: My impression was that using even straight, honest, 'yes this is damned well ME!' attempts to access my own PayPal account was utterly futile until I was furious enough to want to yell into the phone for supervisor after supervisor after supervisor. If these hackers got away with merely answering four digits of both a social security number and credit card (which I too was asked at level 1 of PayPal support), some phone representative NOT following the PayPal protocols I encountered EARLIER in December was being incredibly lazy on the phone.

    Conclusion: Bravo to PayPal for having beyond-sane stringent rules for resetting accounts. BOO to PayPal for obviously NOT making this the case across their entire phone rep bank. A phone rep at PayPal is, from my evidence, to blame for falling for the social engineering while ignoring PayPal protocols.

    :-Derek Currie

  8. Donsharrow81

    This guy should have gone stealth and protected his identity a bit. If you don't know stealth, look up the Aspkin forums. That explains it all. If PayPal feels security is no big deal, then I am going to need to do what I can to protect myself.

  9. Winkypop Silver badge
    Alert

    PayPal

    Best avoided.

    1. Anonymous Coward

      Re: PayPal

      As are credit cards unless you are fiscally prudent. Short of bank transfers which some banks charge a fortune for, PayPal, for all its faults IS very convenient, IS accepted nearly everywhere and, other than social engineering hacks, hasn't been hacked*.

      I have to say, they are pretty compelling reasons to use PayPal given the lack of alternatives.

      *yet!!!

      1. Winkypop Silver badge

        Re: PayPal

        At least with a credit card and a no-show item or bogus purchase, all it takes is a call to the bank and it's all sorted. Transaction denied, no need to pay.

        Try that with PayPal.

        Especially outside the US.

  10. a_yank_lurker

    Proper Method for Changing

    Banks in the US use either one's cell phone or registered email before allowing changes or logging in from an "unknown" computer. When I switch browsers I need to set the 2FA cookie via a text message.

  11. Anonymous Coward

    You didn't pay for that

    Security, that is.

    The fact is that people take a lot for granted. For example, that a subsistence wage call center worker in India or the Philippines is going to be able to handle a social engineering attack with the sophistication of a security analyst who has been doing the work for a decade and has an income in the mid six figures.

    Last I checked PayPal doesn't charge any kind of fee to maintain a personal account with them the way most banks in the US do. Even at that, the people answering the phones at those US banks are also all low wage employees who don't enjoy the health benefits, stock options and year-end bonuses that the executives running things get. They might be called "associates", but they're really just checkout clerks.

    Bottom line is that until the people on the front lines of financial institutions, online or brick-and-mortar, start getting paid commensurate with the impact their actions can have on the customer's privacy and security, nothing is going to change.

    Simply forcing them to watch several more hours of instructional videos won't do the trick.

  12. Anonymous Coward

    "But he didn't lose money"

    Just watch your accounts like a hawk, don't sleep or do holiday things, and you'll be fine. Mmmkay.

    You know what else I hate about PayPal? Having to answer trick questions for every purchase. "Would you like to pay for this using your PP balance? Would you like to pay for this by signing up for a PP credit card?" Enough with the bullshit already!

  13. FlamingDeath Silver badge

    Passwords

    I complained once to PayPal because it doesn't allow you to copy and paste passwords, either when creating one, or authenticating with one.

    Their logic was that copying and pasting passwords is "insecure".

    My passwords are 16-character pseudo-random passwords, not something you want to be typing in!

    Safe to say, I don't use PayPal anymore.

  14. sgp

    I would think if you ask to reset the password, they would e-mail you a reset link to your registered e-mail address.
