2016 Reality: Lazy Authentication Still The Norm

HardOCP News

Although this article mainly focuses on PayPal's less-than-stellar authentication system, the truth is that many financial institutions in 2016 are just as bad. :( If you have a PayPal account, you really should read this article.

My PayPal account was hacked on Christmas Eve. The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang tied to the jihadist militant group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.
 
I'd like an account recovery option in the form of an escrow, where the user sends PayPal several hundred dollars for the privilege of receiving new passwords, which could only be refunded in the form of a mailed check, less expenses.
 
Good points. Have you reached out to PayPal for comment, Steve? I'd love to see more core-service providers move to 2FA.
 
Also, the article seems fishy. He claimed that they didn't have his password, and had PayPal customer service reset his password. So if they got in the first time with a new password, he shouldn't have been able to log in with his old password.
 
The article's main point is that PayPal's two-step authentication is worthless, because anyone can call in and talk to a human to have it disabled with a little social engineering.
 
Good points. Have you reached out to PayPal for comment, Steve? I'd love to see more core-service providers move to 2FA.

PayPal doesn't respond to me. They didn't respond to me when they kept almost $6,000 of mine for 180 days and they don't respond to me now for comments on articles like this. ;)
 
Sorry, but I do not buy his story. He said they didn't have his password, but how could they have gotten in and added a new email? If they reset the password, he shouldn't have been able to log in the first time either.

The article's main point is that PayPal's two-step authentication is worthless, because anyone can call in and talk to a human to have it disabled with a little social engineering.
 
PayPal doesn't respond to me. They didn't respond to me when they kept almost $6,000 of mine for 180 days and they don't respond to me now for comments on articles like this. ;)

Perhaps if you call them and pretend to be Brian Krebs?
 
PayPal has two-step authentication, and everyone should enable it.

Yes, but the hacker called PayPal, and was able to change the email, phone, etc.

This is not a two-step authentication failure, it is a PayPal customer service failure. He had two-step authentication enabled. :eek:
 
Yep. Per TFA, he had used two-step since it was released. Didn't matter.
 
PayPal has two-step authentication, and everyone should enable it.

Where? I've searched all around but can't see anything even remotely hinting at that on their site.
 
Sorry, but I do not buy his story. He said they didn't have his password, but how could they have gotten in and added a new email? If they reset the password, he shouldn't have been able to log in the first time either.

Read more carefully. Krebs got a notice that an email address was added to his account, presumably by a phone call (PayPal never admitted how it was done). The password reset wouldn't work if the perp did not have access to the victim's email. Krebs caught it early enough the first time to log in, change his password, and remove the rogue email. Later the email was added again, but Krebs didn't get to his account in time to prevent the perp from resetting the account password.

This is a serious failure on PayPal's part.

PayPal did issue a response - to someone not named Steve.
http://www.ecommercebytes.com/cab/abn/y15/m12/i30/s01

"The safety and security of our customers' accounts, data and money is PayPal's highest priority. Due to our privacy policies that protect our customers, PayPal does not publicly disclose details about our customers' accounts or their specific cases. However, it appears that our standard procedures were not followed in this case. While the funds remained secure, we are sorry that this unacceptable situation arose and we are reviewing the matter in order to prevent it from happening again."
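The sequence the post above describes (a recovery email added through customer support, then a password reset sent to that address, with two-step authentication switched off along the way) is easy to model, and doing so shows where the control has to sit. What follows is an added example written for this page; it is not code from the article, the thread, or PayPal, and every name, policy and number in it (the `Account` class, the one-week `HOLD_SECONDS` hold, the stand-in TOTP check) is an assumption for illustration. The weak policy lets an agent change recovery data with no second factor; the hardened policy requires the second factor for an immediate change, and otherwise queues the change, notifies the owner, and applies it only after a hold the owner can cancel. Even after the hold, a password reset never turns the second factor off.

```python
"""Toy model of support-driven account recovery versus two-step login.
Added example for this page, not code from the article or PayPal; all
names and policies are assumptions for illustration."""

import hmac
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    password: str
    totp_secret: str                      # second-factor seed (assumed TOTP-like)
    recovery_emails: list = field(default_factory=list)
    two_step_enabled: bool = True
    pending: list = field(default_factory=list)   # hardened mode: (email, ready_at)


def totp_ok(acct, code):
    """Stand-in for a real TOTP check: the code is the secret itself."""
    return code is not None and hmac.compare_digest(acct.totp_secret, code)


def login(acct, password, code=None):
    """Password always required; second factor required while enabled."""
    if not hmac.compare_digest(acct.password, password):
        return False
    return totp_ok(acct, code) if acct.two_step_enabled else True


def reset_password_via_email(acct, email, new_password):
    """Reset link lands in `email`; works only if that address is on the account.
    Note it never touches two_step_enabled."""
    if email not in acct.recovery_emails:
        return False
    acct.password = new_password
    return True


# --- weak policy: an agent on a phone call can change recovery data and 2FA ---

def support_add_recovery_email_weak(acct, email):
    acct.recovery_emails.append(email)          # no second factor involved


def support_disable_two_step_weak(acct):
    acct.two_step_enabled = False               # no second factor involved


def attacker_takeover_weak(acct):
    """Add email, reset password, disable 2FA, log in with no code."""
    support_add_recovery_email_weak(acct, "attacker@example.invalid")
    reset_password_via_email(acct, "attacker@example.invalid", "pwned")
    support_disable_two_step_weak(acct)
    return login(acct, "pwned")


# --- hardened policy: recovery changes need the second factor or a hold ---

HOLD_SECONDS = 7 * 24 * 3600   # assumed: notify the owner, apply after a week


def request_recovery_change_hardened(acct, email, code=None, now=None):
    """Immediate with a valid second-factor code; otherwise queued with a hold.
    (A real system would also notify every existing contact here.)"""
    now = time.time() if now is None else now
    if totp_ok(acct, code):
        acct.recovery_emails.append(email)
        return "applied"
    acct.pending.append((email, now + HOLD_SECONDS))
    return "held"


def apply_pending(acct, now):
    """Scheduler job: apply queued changes whose hold has expired."""
    still = []
    for email, ready_at in acct.pending:
        if now >= ready_at:
            acct.recovery_emails.append(email)
        else:
            still.append((email, ready_at))
    acct.pending = still


def owner_cancel_pending(acct, code):
    """Owner, reacting to the notification, cancels everything queued."""
    if not totp_ok(acct, code):
        return False
    acct.pending.clear()
    return True


def attacker_takeover_hardened(acct, now):
    """Same phone call, no second factor: change is held, reset fails."""
    request_recovery_change_hardened(acct, "attacker@example.invalid", now=now)
    ok = reset_password_via_email(acct, "attacker@example.invalid", "pwned")
    return ok and login(acct, "pwned")
```

The point of the split is that the phone channel is the weakest identity check the account has, so anything it can do must be either gated on the strongest factor or delayed long enough for the real owner to object; disabling the second factor is treated as a recovery change of the same class, not as a support convenience.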
 
Did anybody bother to actually read the article? He was using TFA.
 
Damn that article nailed every single "hot button" topic.

Scary ISIS terrorist jihadist
Global warming
Cyber security

Excuse me while I go curl up in a corner and drool and shake uncontrollably.
 
Once you report a hacked account to PayPal, they take you through several identity confirmation steps. Of course you enter a stronger password from a password generator. To your surprise, you won't be allowed to paste the password anymore, but can only type it, so quite soon you'll go back to the weak one that's easy to hack.
 
Just out of curiosity, why would someone use PayPal over a bank/CU or credit card? Is there some benefit gained, and does it provide the same level of legal protection as credit cards and banks? My banks/cards generally trigger some level of security if I access them from a new computer; if I access them from a phone number not associated with my account I also trigger a certain amount of security. Maybe I've been lucky, but I haven't seen any major issues with my accounts (other than one erroneous charge that was removed from my credit card within 24 hours and a replacement card in my hands within 48 hours). The few times I have been forced to use PayPal I only used it for credit card processing and saved none of my account info.
 
why would someone use Paypal over a bank/CU or credit card?

People sell stuff on eBay, and then buy stuff with their PayPal balance. It doesn't give extra protection if you use a registered bank or CC account via PayPal, except for CC chargebacks of course.
 
Please correct me if I am wrong, but a PayPal account is not required to use eBay (regardless of what may have been true at some times in the past).

But it's the primary way to send and receive funds. Unless buying from a "store" or large seller, most individuals do not accept credit cards. When I started using eBay 10 years ago or so, money orders were common, but now that PayPal is so popular, it has really taken over as the default way to pay.
 