We're all doomed.
It seems like we might as well all set our passwords to "password", for all the good a 26 character upper lower case alphanumeric special character password does.
Note that Krebs had his PayPal account hacked not once but twice within 24 hours, once immediately after trying to resecure his account. When I applied for a Chinese tourist visa, my Facebook account was hacked by someone from Hong Kong within hours. All the fancy passwords and authentication nonsense seems to mean nothing in the face of a semi-skilled hacker or his army of trained monkeys.
It seems like the only thing protecting us from these hackers is obscurity and volume.
I gave up on those secondary authentication devices when I realized the page to shut them off requires nothing on the device, presumably to aid people who lose their devices.
I went through a few episodes of DirecTV having people make bogus accounts with my name and SSN at different addresses, then letting the accounts go to collections. Their authentication procedure was tailored to make it easy to set up an account at an address that the customer doesn't live at, but required no verification that the customer on the phone was really the person whose SSN they were just given.
I concluded, after talking with the DirecTV security people, that any company that desires more customers plays fast and loose with security, because security hampers efforts to get more customers. It's similar to the fact that all business travelers are allowed to carry dangerous lithium batteries on aircraft in their laptop computers, because those are the people that bring in the most income.
So don't expect this to change.
The batteries aren't THAT dangerous. And luckily they are allowed even in the cattle class of Ryanair. Otherwise I'd be highly inconvenienced.
PayPal Just Doesn't Care if your money gets shifted to a hacker's account as long as they still get their cut.
And as far as odds go, I've had my money stolen by PayPal itself far more often than by hackers. Never keep much money in there!
And people wonder why I, who am a massive nerd and a lifelong techie who has been in the computing world since the days of dial-up BBS's and DOS 6.22, absolutely positively refuse to do any kind of online purchasing if it can possibly be avoided.
Well folks, here's a few examples why!!!
My other laptop is a hoverboard!
Sir, that is a keyboard.
PayPal is one of the slimiest companies in existence.
Yes! And you can put it on your lap.
In that case, the original laptop is known as a secretary.
I know a guy who owns a desk computer. Not a desktop, but a desk. It's an LGP-21. You can find him by Googling it. I found the computer for him by noticing that the table we were examining things upon had a nameplate.
Not in 90s cyberspace, it's not!
Krebs uses Paypal's two-factor authentication fob, but for some reason, Paypal doesn't ask its users to enter a password from it when changing login details.
This is besides the point. If you actually read the article, the core issue is that the attacker got PayPal to reset the account password with basic info about Krebs:
The attacker had merely called in to PayPal's customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.
The 2nd factor may have prevented the attacker changing the account's email to lock him out the second time, but it is far from the biggest issue here - both factors were bypassed by a social engineering attack very similar to one that GoDaddy was slammed for 2 years ago, and in which PayPal was implicated for not considering one of those same details secret. PayPal should know way better - not only did this attack receive a lot of attention, its implication of PayPal should have got them thinking "at least we didn't do as badly there as GoDaddy, better not do that in the future!"
Worth noting that lithium batteries have actually caused plane crashes, whereas (for instance) civilian drones have not.
When I google phrases from this comment I get tons of hits. WTF is this?
When they roll out a yoga mat - maaaybe I'll think about it.
#everybodyliedownonthefloorandkeepcalm
Yeah, sorry about the repetition but my hobby is responding, and providing a counter, to the constant stream of disingenuous nonsense that constantly flows from the eBay/PayPal "departments of spin" and their paid shills and naïve fanboys …