Paypal rolls out the welcome mat for hackers




We’re all doomed.


It seems like we might as well all set our passwords to “password”, for all the good a 26-character upper/lower-case alphanumeric special-character password does.

Note that Krebs had his PayPal account hacked not once but twice within 24 hours, once immediately after trying to resecure his account. When I applied for a Chinese tourist visa, my Facebook account was hacked by someone from Hong Kong within hours. All the fancy passwords and authentication nonsense seems to mean nothing in the face of a semi-skilled hacker or his army of trained monkeys.

It seems like the only thing protecting us from these hackers is obscurity and volume.


I gave up on those secondary authentication devices when I realized the page to shut them off requires nothing on the device, presumably to aid people who lose their devices.


I went through a few episodes of DirecTV having people make bogus accounts with my name and SSN at different addresses, then letting the accounts go to collections. Their authentication procedure was tailored to make it easy to set up an account at an address that the customer doesn’t live at, but required no verification that the customer on the phone was really the person whose SSN they were just given.

I concluded, after talking with the DirecTV security people, that any company that desires more customers plays fast and loose with security, because security hampers efforts to get more customers. It’s similar to the fact that all business travelers are allowed to carry dangerous lithium batteries on aircraft in their laptop computers, because those are the people that bring in the most income.

So don’t expect this to change.


The batteries aren’t THAT dangerous. And luckily they are allowed even in the cattle class of Ryanair. Otherwise I’d be highly inconvenienced.


PayPal Just Doesn’t Care if your money gets shifted to a hacker’s account as long as they still get their cut.

And as far as odds go, I’ve had my money stolen by PayPal itself far more often than by hackers. Never keep much money in there!


And people wonder why I, who am a massive nerd and a lifelong techie who has been in the computing world since the days of dial-up BBSes and DOS 6.22, absolutely, positively refuse to do any kind of online purchasing if it can possibly be avoided.

Well folks, here’s a few examples why!!!


My other laptop is a hoverboard!


Sir, that is a keyboard.


PayPal is one of the slimiest companies in existence.


Yes! And you can put it on your lap.


In that case, the original laptop is known as a secretary.


I know a guy who owns a desk computer. Not a desktop, but a desk. It’s an LGP-21. You can find him by Googling it. I found the computer for him by noticing that the table we were examining things upon had a nameplate.


Not in 90s cyberspace, it’s not!


Krebs uses Paypal’s two-factor authentication fob, but for some reason, Paypal doesn’t ask its users to enter a password from it when changing login details.

This is beside the point. If you actually read the article, the core issue is that the attacker got PayPal to reset the account password with basic info about Krebs:

The attacker had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.

The second factor may have prevented the attacker from changing the account’s email to lock him out the second time, but it is far from the biggest issue here: both factors were bypassed by a social engineering attack very similar to one that GoDaddy was slammed for two years ago, and in which PayPal was implicated for not considering one of those same details secret. PayPal should know way better. Not only did this attack receive a lot of attention, its implication of PayPal should have got them thinking ‘at least we didn’t do as badly there as GoDaddy, better not do that in the future!’


Worth noting that lithium batteries have actually caused plane crashes, whereas (for instance) civilian drones have not.


When I google phrases from this comment I get tons of hits. WTF is this?


When they roll out a yoga mat - maaaybe I’ll think about it.



Yeah, sorry about the repetition but my hobby is responding, and providing a counter, to the constant stream of disingenuous nonsense that constantly flows from the eBay/PayPal “departments of spin” and their paid shills and naïve fanboys …