Flaws in PayPal security exposed after Brian Krebs' account is breached

Brian Krebs, well known for his information security blog Krebs on Security, is pretty pissed at PayPal after his account was taken over twice by hackers in one day.

Krebs reports that on Christmas Eve someone twice managed to take over his PayPal account and attempted to transfer funds to an account belonging to an ISIS-affiliated hacker group. Luckily, those attempts were thwarted, but Krebs believes they should never have gotten as far as they did.

Krebs contacted PayPal after the first breach of his account, and PayPal assured him that they would be monitoring it. Only a short time later, he discovered that the attackers had taken over his account again and locked him out of it, all while PayPal was supposedly monitoring it. This time they attempted to transfer money to a dead jihadist hacker.

Krebs contacted PayPal again and discovered that someone had called customer service, convinced them that they were Krebs, and was given access to his account. Krebs reports that the hackers only had to provide the last four digits of his Social Security number and the last four digits of an old credit card, two short values that many merchants and data brokers also hold. Social engineering strikes again!

Krebs pressed PayPal on what other methods they could use to verify his identity, and he was told he would have to mail in a copy of his driver's license. PayPal isn't even set up to do a simple second factor such as a text message to his cell phone, a frightening thought for a service that is attached to your bank account. Krebs pointed out that this is especially concerning for someone who lives in the public eye and constantly has their personal information published by hostile hackers.

PayPal has agreed to lock down Krebs' account so that no further charges can be made, but who's to say a social engineer can't call and have it reopened?


For information on how you can prevent your organization from being breached, visit www.miltonsecurity.com or call 714-515-4011.
