The Hackers Were Brian Krebs More Easily Than I Was Myself...
Early in December, while using a VPN client, I attempted to buy some software over the Internet while using an exit node located in another country. The location of the exit node led my attempt to use PayPal into a black hole. It refused to work properly. I ended up buying the software via a credit card instead.
Over the course of two attempts to sort out the lockout from my account via phone reps at PayPal, I ran into incessantly hellish interrogation, including not just Brian's questions, but obscure questions with answers 'collected from the Internet' that I literally could not answer, they were so outrageously obscure. My second attempt to battle through their phone system led me up FIVE (5) levels of tech support until I finally got a very kind and coherent fellow who, at long bloody last, knew exactly what had happened, why it had happened, and was able to repair the situation.
IOW: My impression was that using even straight, honest, 'yes this is damned well ME!' attempts to access my own PayPal account was utterly futile until I was furious enough to want to yell into the phone for supervisor after supervisor after supervisor. If these hackers got away with merely answering four digits of both a social security number and credit card (which I too was asked at level 1 of PayPal support), some phone representative NOT following the PayPal protocols I encountered EARLIER in December was being incredibly lazy on the phone.
Conclusion: Bravo to PayPal for having beyond-sane stringent rules for resetting accounts. BOO to PayPal for obviously NOT making this the case across their entire phone rep bank. A phone rep at PayPal is, from my evidence, to blame for falling for the social engineering while ignoring PayPal protocols.