Your PayPal account may not be as invulnerable as you think, according to security expert and blogger Brian Krebs. On Monday, he wrote about his own experience in having his PayPal account hacked on Christmas Eve, and then hacked again 20 minutes after PayPal said it would monitor the account for suspicious activity.
It wasn't through a sophisticated computer hacking program - here's how the fraudster managed the account takeover according to Krebs:
"The attacker had merely called in to PayPal's customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account."
Where people might not provide their full account numbers online or over the phone, many people feel comfortable providing the last four numbers of such accounts when seeking customer service assistance. But the problem goes well beyond that.
Krebs says static identifiers (address, social security number, date of birth, phone number, credit card number, etc. are no longer secret and are available for sale in the cybercrime underground. (He should know, he's been intimately involved in sniffing out fraud for many years.)
His conclusion: "Most organizations - including many financial institutions - remain woefully behind the times in authenticating their customers and staying ahead of identity thieves."
He has some advice for PayPal - you can read the full post on the Krebs on Security blog
. And we've asked PayPal for a response and asked if there are there measures users could take to protect themselves from the type of fraud Krebs encountered.
Update 12/30/15: PayPal provided us with the following statement:
"The safety and security of our customers' accounts, data and money is PayPal's highest priority. Due to our privacy policies that protect our customers, PayPal does not publicly disclose details about our customers' accounts or their specific cases. However, it appears that our standard procedures were not followed in this case. While the funds remained secure, we are sorry that this unacceptable situation arose and we are reviewing the matter in order to prevent it from happening again."