After a takeover of his own PayPal account, security expert and blogger Brian Krebs said the incident demonstrates how far behind the times most organizations are in keeping customer accounts safe.
Most organizations, including many financial institutions, remain woefully behind the times in authenticating their customers and staying ahead of identity thieves, he claims.
The incident occurred on Christmas Eve, when PayPal sent him an email notifying him that an email address had been added to his account. Here is his understanding of what happened when the account was hijacked a second time, 20 minutes after he had recovered from the first takeover:
“The attacker had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.”
Krebs knows the cyber criminal underground well, and he says static identifiers of this kind, such as the last four digits of a Social Security number or a card number, are routinely bought and sold online.
To its credit, PayPal offers 2-factor authentication, as a reader pointed out in the comments section of Krebs’ blog post: “unfortunately, you are a target for obvious reasons and I agree PayPal should have even more sophisticated authentication methods than it does, …but it does at least have 2 factor, which will not allow unrecognized devices or computers to login, even with your password unless they have the code.”
In response, Krebs said that was missing the point in this case. “I had two-step authentication (PayPal security key fob) enabled, and the attacker got past that. I don’t know if PayPal simply didn’t require it when the password was reset, but the point is that two-factor is kind of useless when someone can just call in and reset your password verbally by answering a couple of out-of-wallet questions.”
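The point Krebs makes is a general one: an account is only as well protected as the cheapest path into it, and a password-reset path that accepts static identifiers sits alongside the 2FA-protected login path as an equal route to control of the account. The following is an added example, not code from the article, from Krebs or from PayPal: it models each route into an account as a set of required factors and finds the weakest one. The factor labels, the "weak" and "hardened" policies and the attacker's holdings are all constructed for illustration; the hardened policy in particular is an assumption about what a fix could look like, not PayPal's actual procedure.

```python
# Added example (not from the article, Krebs or PayPal): model the routes into
# an account as factor requirements and find the weakest one. Factor labels,
# both policies and the attacker's holdings are constructed for illustration.
from dataclasses import dataclass
from typing import Iterable, Optional

# Evidence an attacker can buy rather than steal: static identifiers that never
# change and circulate in bulk in underground markets (assumed labels).
STATIC = frozenset({"ssn_last4", "card_last4"})


@dataclass(frozen=True)
class Path:
    """One route to control of the account and everything it demands."""
    name: str
    requires: frozenset


def policy(*paths: tuple[str, Iterable[str]]) -> list[Path]:
    """Build a list of Paths from (name, required factors) pairs."""
    return [Path(name, frozenset(req)) for name, req in paths]


# Policy as the article describes it: login enforces a second factor, but a
# phone call to support resets the password on two static identifiers alone
# and, per the reporting, that was enough to take over the account.
WEAK = policy(
    ("login", ["password", "otp_token"]),
    ("phone_reset", ["ssn_last4", "card_last4"]),
)

# Hardened policy (an assumption, not PayPal's procedure): the reset path must
# also satisfy the possession factor that the login path already enforces.
HARDENED = policy(
    ("login", ["password", "otp_token"]),
    ("phone_reset", ["ssn_last4", "card_last4", "otp_token"]),
)


def takeover_path(paths: list[Path], holdings: Iterable[str]) -> Optional[str]:
    """Return the first path an attacker holding `holdings` can walk, else None."""
    have = frozenset(holdings)
    for p in paths:
        if p.requires <= have:
            return p.name
    return None


def non_static_cost(path: Path, static: frozenset = STATIC) -> int:
    """Number of factors on the path that cannot simply be purchased."""
    return len(path.requires - static)


def weakest_path(paths: list[Path], static: frozenset = STATIC) -> tuple[str, int]:
    """The account is only as strong as its cheapest route: the path needing
    the fewest non-static factors, and that count."""
    p = min(paths, key=lambda x: non_static_cost(x, static))
    return p.name, non_static_cost(p, static)


if __name__ == "__main__":
    bought = {"ssn_last4", "card_last4"}  # constructed: data bought underground
    for label, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "weakest path:", weakest_path(pol),
              "| takeover with bought data:", takeover_path(pol, bought))
```

Under the weak policy the cheapest route needs zero non-static factors, so the OTP on the login path contributes nothing against an attacker who has bought the two static identifiers. Requiring the same possession factor on the reset path raises the floor to one, which is the check a practitioner would want to see on every recovery route, not just on login.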
We’ve asked PayPal for a response (see below). In the meantime, let us know what you think on the AuctionBytes Blog.
Update 12/30/15: PayPal provided us with the following statement:
“The safety and security of our customers’ accounts, data and money is PayPal’s highest priority. Due to our privacy policies that protect our customers, PayPal does not publicly disclose details about our customers’ accounts or their specific cases. However, it appears that our standard procedures were not followed in this case. While the funds remained secure, we are sorry that this unacceptable situation arose and we are reviewing the matter in order to prevent it from happening again.”