Think you’ve secured your PayPal account so that hackers can’t hijack it and steal money from your bank account? Well, guess again, as there are ways of getting into your account and PayPal doesn’t appear to have the means or policies to stop them.
Well-known cybersecurity journalist Brian Krebs says he discovered these flaws after his own account was broken into twice on Christmas Eve, the second time even after he had regained access to it.
Even though Krebs is often a target of hackers who resent how he exposes their work, the fact that his PayPal account was hijacked indicates that nobody is safe, no matter how Internet-savvy they are. And it seems that PayPal’s security is to blame.
One more important point to note is that hackers likely used information about Krebs that’s publicly available to social engineer this hack, so chances are it won’t happen to regular Joes and Janes, assuming their personal data including Social Security numbers and credit cards aren’t out in the open. But, again, it’s PayPal’s job not to allow this kind of breach.
It seems that the hackers did not use malware or any other advanced tooling to take over Krebs’ PayPal account. They simply called PayPal, offered his Social Security number and the last four digits of an old credit card, and got in.
“On Christmas Eve morning, I received an email from PayPal stating that an email address had been added to my account,” Krebs explained in a detailed post on the matter. “I immediately logged into my account from a pristine computer, changed the password, switched my email address back to the primary contact address, and deleted the rogue email account.”
“I then called PayPal and asked how the perpetrator had gotten in, and was there anything else they could do to prevent this from happening again?” Krebs continued. “The customer service person at PayPal said the attacker had simply logged in with my username and password, and that I had done everything I could in response to the attack. The representative assured me they would monitor the account for suspicious activity, and that I should rest easy.”
“Twenty minutes later I was outside exercising in the unseasonably warm weather when I stopped briefly to check email again: Sure enough, the very same rogue email address had been added back to my account. But by the time I got back home to a computer, my email address had been removed, and my password had been changed. So much for PayPal’s supposed ‘monitoring;’ the company couldn’t even spot the same fraudulent email address when it was added a second time,” he added.
PayPal then locked the account as soon as hackers tried to wire money to an email account belonging to Junaid Hussain, a 17-year-old hacker from Team Poison who joined ISIS and who is believed to have been killed in a U.S. drone strike in 2015.
PayPal then asked Krebs to provide a photocopy of a driver’s license to regain access to his account, but during the second attack the hackers had removed Krebs’s contact details from the account, which made it harder for him to regain control of it.
In his article, Krebs explains that PayPal seems to lack the security measures that would make it harder for hackers to take over accounts. He suggests that PayPal needs to upgrade its authentication so that attackers cannot social engineer their way into an account using information that may be found or bought online.
“I asked the PayPal supervisor why the company couldn’t simply verify my identity by sending a text message to my phone, or a special signal to a PayPal mobile app?” Krebs wrote. “After all, PayPal has had the same mobile number of mine on file for years (the attacker also deleted that number from my profile as well). The supervisor explained that the company didn’t have any mobile authentication technologies and that in order to regain access to the funds in my account I had to send the company a photocopied or scanned copy of my driver’s license.”
Driver’s licenses and similar documents can easily be forged, Krebs argues, which makes them a weak protection layer.
“Longer term, PayPal should review which of its users have already provided mobile phone information, and then seek to validate those contact numbers,” Krebs argued. “Once that process is done, PayPal can start upgrading its authentication systems — and hopefully become less reliant on static (read: already-compromised) identifiers to validate customers. This would help cut down on account takeovers and reduce the threat of costly, fraudulent credit card donations via hacked accounts.”
“Until then, PayPal will continue to expose its users unnecessarily to security and privacy threats (bear in mind that a crook who gains access to your PayPal account can see all of your transactions and financial data from associated bank accounts),” he concluded.
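As an added example that is not part of the article or of PayPal’s own systems, the following Python models the two defensive gaps the story describes: a monitor that flags a contact address being re-added shortly after the account owner removed it (the kind of “monitoring” that did not catch the second attack), and an account-recovery policy that refuses to unlock an account on static identifiers such as an SSN or the last four card digits alone, requiring a possession factor tied to a previously verified phone or app instead. The audit-log lines, account id, factor names and the seven-day window are constructed assumptions for illustration.

```python
"""Added example (not the article's or PayPal's code): an account-change
monitor plus a recovery-verification policy. All event data is constructed."""
from datetime import datetime, timedelta

# Constructed audit-log lines: timestamp|account|event|value
SAMPLE_LOG = """\
2015-12-24T07:02:00|acct-1001|EMAIL_ADDED|rogue@example.invalid
2015-12-24T07:15:00|acct-1001|EMAIL_REMOVED|rogue@example.invalid
2015-12-24T07:16:00|acct-1001|PASSWORD_CHANGED|-
2015-12-24T07:35:00|acct-1001|EMAIL_ADDED|rogue@example.invalid
2015-12-24T07:36:00|acct-1001|PHONE_REMOVED|+15555550100
"""

# Assumed window: a contact value re-added within this long after the owner
# removed it is treated as a replay of the earlier takeover.
REPLAY_WINDOW = timedelta(days=7)


def parse_log(text):
    """Parse the pipe-delimited log into (timestamp, account, event, value)."""
    events = []
    for line in text.strip().splitlines():
        ts, acct, event, value = line.split("|")
        events.append((datetime.fromisoformat(ts), acct, event, value))
    return events


def find_readded_contacts(events, window=REPLAY_WINDOW):
    """Return (timestamp, account, value) for every contact address or phone
    that is added back within `window` of having been removed."""
    removed = {}  # (account, value) -> time of most recent removal
    alerts = []
    for ts, acct, event, value in events:
        if event in ("EMAIL_REMOVED", "PHONE_REMOVED"):
            removed[(acct, value)] = ts
        elif event in ("EMAIL_ADDED", "PHONE_ADDED"):
            when = removed.get((acct, value))
            if when is not None and ts - when <= window:
                alerts.append((ts, acct, value))
    return alerts


# Static identifiers can be learned from breaches or public records; possession
# factors prove control of something registered before the incident began.
STATIC_FACTORS = {"ssn", "card_last4", "date_of_birth", "id_document_scan"}
POSSESSION_FACTORS = {"otp_to_verified_phone", "app_push_approval", "totp"}


def evaluate_recovery(presented):
    """Return (allowed, reason). Recovery is allowed only when at least one
    possession factor was verified; static identifiers alone never unlock."""
    presented = set(presented)
    unknown = presented - STATIC_FACTORS - POSSESSION_FACTORS
    if unknown:
        return False, f"unrecognised factor(s): {sorted(unknown)}"
    if presented & POSSESSION_FACTORS:
        return True, "possession factor verified"
    if presented & STATIC_FACTORS:
        return False, "static identifiers only; these may already be compromised"
    return False, "no factors presented"


if __name__ == "__main__":
    for ts, acct, value in find_readded_contacts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {ts.isoformat()} {acct}: contact {value} re-added after removal")
    print(evaluate_recovery(["ssn", "card_last4"]))
    print(evaluate_recovery(["otp_to_verified_phone"]))
```

Run as a script it prints one alert for the rogue address re-added twenty minutes after removal, a refusal for the SSN-plus-card-digits attempt, and an approval for the verified-phone code. The point of keeping the policy data-driven is that an operator can add a new possession factor without touching the decision logic, while static identifiers can never be promoted to a sufficient factor by accident.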
To read Krebs’s full account of his terrible PayPal experience, follow the source link.
UPDATE: A PayPal spokesperson reached out to BGR with the following statement on the matter: “The safety and security of our customers’ accounts, data and money is PayPal’s highest priority. Due to our privacy policies that protect our customers, PayPal does not publicly disclose details about our customers’ accounts or their specific cases. However, it appears that our standard procedures were not followed in this case. While the funds remained secure, we are sorry that this unacceptable situation arose and we are reviewing the matter in order to prevent it from happening again.”