December 28, 2015

My PayPal account was hacked on Christmas Eve. The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang tied to the jihadist militant group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.

Junaid Hussain's Twitter profile photo.

On Christmas Eve morning, I received an email from PayPal stating that an email address had been added to my account. I immediately logged into my account from a pristine computer, changed the password, switched my email address back to the primary contact address, and deleted the rogue email account.

I then called PayPal and asked how the perpetrator had gotten in, and was there anything else they could do to prevent this from happening again? The customer service person at PayPal said the attacker had simply logged in with my username and password, and that I had done everything I could in response to the attack. The representative assured me they would monitor the account for suspicious activity, and that I should rest easy.

Twenty minutes later I was outside exercising in the unseasonably warm weather when I stopped briefly to check email again: Sure enough, the very same rogue email address had been added back to my account. But by the time I got back home to a computer, my email address had been removed and my password had been changed. So much for PayPal’s supposed “monitoring;” the company couldn’t even spot the same fraudulent email address when it was added a second time.
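The sequence above (rogue address added, owner removes it, the same address reappears twenty minutes later, then the owner's contact points and password are swapped out) is a pattern that a simple rule over the account-change audit log can catch. The following Python is an added illustration, not PayPal's code or anything from the original post; the log format, field names and the sample events are constructed to mirror the post's timeline, and the two rules are hypothetical detection logic a defender might run over such a log.

```python
from datetime import datetime, timedelta

# Constructed sample audit log (not PayPal's format): one account-change event
# per line, modelled on the sequence described in the post.
SAMPLE_AUDIT_LOG = """\
2015-12-24T08:02:00 acct=krebs event=email_added value=rogue@example.net actor=web
2015-12-24T08:15:00 acct=krebs event=password_changed value=- actor=owner
2015-12-24T08:16:00 acct=krebs event=email_removed value=rogue@example.net actor=owner
2015-12-24T08:36:00 acct=krebs event=email_added value=rogue@example.net actor=support
2015-12-24T08:37:00 acct=krebs event=email_removed value=owner@example.org actor=support
2015-12-24T08:38:00 acct=krebs event=password_changed value=- actor=support
2015-12-24T09:00:00 acct=other event=email_added value=new@example.com actor=web
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a parsed 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def detect_readded_contacts(log_text, window=timedelta(hours=24)):
    """Flag an email address that is re-added to an account within `window`
    of having been removed from that same account. The post's attacker did
    exactly this twenty minutes after the owner deleted the rogue address."""
    removed = {}  # (acct, address) -> time the address was removed
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        key = (ev["acct"], ev["value"])
        if ev["event"] == "email_removed":
            removed[key] = ev["ts"]
        elif ev["event"] == "email_added" and key in removed:
            gap = ev["ts"] - removed[key]
            if gap <= window:
                alerts.append({
                    "acct": ev["acct"],
                    "email": ev["value"],
                    "minutes_since_removal": int(gap.total_seconds() // 60),
                    "actor": ev["actor"],
                })
    return alerts


def detect_support_reset_chains(log_text, window=timedelta(minutes=30)):
    """Flag a support-initiated password change that was preceded, within
    `window`, by support-initiated changes to the account's contact points.
    That ordering is the shape of a phone-based account takeover: first the
    owner's notification channels are swapped, then the credential is reset."""
    events = [parse_line(line) for line in log_text.splitlines()]
    contact_events = ("email_added", "email_removed", "phone_removed")
    alerts = []
    for ev in events:
        if ev["event"] != "password_changed" or ev["actor"] != "support":
            continue
        preceding = [
            e for e in events
            if e["acct"] == ev["acct"] and e["actor"] == "support"
            and e["event"] in contact_events
            and timedelta(0) <= ev["ts"] - e["ts"] <= window
        ]
        if preceding:
            alerts.append({
                "acct": ev["acct"],
                "ts": ev["ts"].isoformat(),
                "contact_changes": len(preceding),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_readded_contacts(SAMPLE_AUDIT_LOG):
        print("re-added contact:", alert)
    for alert in detect_support_reset_chains(SAMPLE_AUDIT_LOG):
        print("support reset chain:", alert)
```

Both rules are cheap to evaluate at the moment a change is committed rather than in a batch job, which is where they belong: the value of the second rule is that it can hold the password reset for out-of-band confirmation while the owner's old contact address is still reachable.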

PayPal locked the account shortly after the assailant allegedly tried to send my money to the email account of the late Junaid Hussain, a 17-year-old member of the hacktivist group Team Poison. Hussain — who used the nickname “TriCk” and is believed to have been a prominent ISIS propagandist online — was reportedly killed in a U.S.-led drone strike earlier this year in Raqqa, Syria. No doubt, the attempted transfer was a bid to further complicate matters for me by associating my account with known terrorists.

In my second call to PayPal, I insisted on speaking with a supervisor. That person was able to tell me that, as I suspected, my (very long and complex) password was never really compromised. The attacker had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.

Let’s leave aside for a moment the reality that all of this static information about Brian Krebs has been posted online by various miscreants over the years (and probably remains online): Any company that authenticates customers with nothing more than static identifiers — address, SSN, DOB, phone number, credit card number, etc. — is vulnerable to these takeover attempts.

This almost certainly includes all of the companies that supply utilities to your residence, your bank or credit union, and a host of other companies. They’re vulnerable because those static identifiers about you are no longer secret and are available for sale in the underground.

I asked the PayPal supervisor why the company couldn’t simply verify my identity by sending a text message to my phone, or a special signal to a PayPal mobile app? After all, PayPal has had the same mobile number of mine on file for years (the attacker deleted that number from my profile as well). The supervisor explained that the company didn’t have any mobile authentication technologies, and that in order to regain access to the funds in my account I had to send the company a photocopied or scanned copy of my driver’s license.

Never mind that it was PayPal’s lack of any modern authentication methods that led to this mess. Also, let’s forget for the moment that there are a half-dozen services online that let customers create fake but realistic-looking scans of all types of documents, including utility bills, passports, driver’s licenses, bank statements, etc. This is the ultimate and most sophisticated customer authentication system that PayPal has: Send us a copy of your driver’s license.

When I pressed the PayPal representative about whether he had any other ways to validate my identity short of sending a copy of my license, he offered to do so “using public records.” Now, I understand that what he actually meant was that PayPal would work with a major credit bureau to ask me a series of so-called “out of wallet” or “knowledge-based authentication” (KBA) questions — essentially yet more requests for static information that can be gleaned from a variety of sources online. But that didn’t stop me from playfully asking the representative why a security challenge should rely on answers from public records? He responded that someone probably would have to go down to a courthouse somewhere to do that, which made me laugh out loud and wish him a Merry Christmas.

For better or worse, this isn’t the first time I’ve had to deal with weaknesses in PayPal’s anti-fraud systems. Last year, my account was the recipient of a large number of fraudulent donations made through hacked PayPal accounts that all were funded by credit cards instead of bank balances. The problem with fraudulent credit card donations via PayPal is that PayPal assesses the inevitable $20 Visa or MasterCard chargeback fee against the unwitting recipient of the fraudulent donation, effectively taking $20 out of the recipient’s account for each phony donation!

I called my contact at PayPal who’d helped work out a stopgap solution to the phony credit card payments, and that person said PayPal would lock my account so that no further account changes would be allowed. I’m grateful that they were able to do this (so far) but it probably goes without saying that most PayPal users will not have that line of contact or influence at the company.

PayPal's security token isn't much use if the company lets thieves reset your password over the phone using your Social Security number.

PayPal does offer additional security protections — including a PayPal Security Key fob that periodically generates a new one-time password which needs to be entered at login in addition to a username and password. I’ve used this solution since shortly after the company began offering it almost a decade ago, but a fat lot of good it does if PayPal is going to continue letting users reset their passwords by regurgitating static data that is trivial to purchase from the cybercrime underground.

Many companies will offer customers more account security options, but only if asked. Most often, when companies are asked for non-standard security precautions it is because the account holder has stated that he or she was previously the target of cyber stalking or concerted harassment or threats online. I can recall doing this with most of the utilities we use — including our ISP — after having ne’er-do-wells try to shut off our power, phone and water service by calling in with those static identifiers. None of those companies offered more advanced authentication options — such as mobile device authentication — but most would let me place a flag on my account that no changes were to be made unless I showed up at the utility’s offices in person and presented a photo ID and my username and password.

Although this is effectively the same solution that PayPal offered after it froze my account and available funds, having to visit an office and present my ID to close or make changes to my account is significantly less onerous and aggravating than trying to work that out after the fact while having no electricity, water or Internet.

Longer term, PayPal should review which of its users have already provided mobile phone information, and then seek to validate those contact numbers. Once that process is done, PayPal can start upgrading its authentication systems — and hopefully become less reliant on static (read: already-compromised) identifiers to validate customers. This would help cut down on account takeovers and reduce the threat of costly, fraudulent credit card donations via hacked accounts.
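The two pieces the post keeps returning to are the one-time password a key fob displays (a standard HMAC-based OTP) and a recovery policy that never lets static identifiers stand in for that second factor. The Python below is an added example, not PayPal's code or the author's; it implements RFC 4226/6238 one-time passwords, single-use backup codes stored only as hashes, and then contrasts a `weak_recovery` policy of the kind the post describes (last four of SSN plus last four of a card) with a `hardened_recovery` policy that requires a possession factor. The `Account` model, the policy functions and the field names are all hypothetical.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# --- One-time passwords (RFC 4226 HOTP, RFC 6238 TOTP), what a key fob displays ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamically truncated per RFC 4226."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP with the counter set to the current 30-second window."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current window plus `skew` windows either side (clock drift),
    comparing in constant time so the check does not leak partial matches."""
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


# --- Backup (recovery) codes: shown to the user once, stored only as hashes ---

def hash_backup_code(code: str) -> str:
    # Codes carry 40 bits of entropy, so a plain SHA-256 (no slow KDF) is adequate here.
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


def issue_backup_codes(n: int = 10) -> Tuple[List[str], Set[str]]:
    """Return (plaintext codes to display once, hashes to keep server-side)."""
    codes = [secrets.token_hex(5) for _ in range(n)]
    return codes, {hash_backup_code(c) for c in codes}


@dataclass
class Account:  # hypothetical model of what a service holds about a customer
    ssn_last4: str
    card_last4: str
    totp_secret: Optional[bytes] = None          # seed shared with the enrolled fob
    backup_code_hashes: Set[str] = field(default_factory=set)


def weak_recovery(acct: Account, claim: dict) -> bool:
    """The policy the post describes: static identifiers alone unlock a reset.
    Anyone holding a leaked profile passes this check."""
    return (claim.get("ssn_last4") == acct.ssn_last4
            and claim.get("card_last4") == acct.card_last4)


def hardened_recovery(acct: Account, claim: dict, now: int) -> bool:
    """Static identifiers are never sufficient. A reset requires a fresh OTP
    from the enrolled factor or one unused backup code; a caller who can
    produce neither is routed to a slower out-of-band process (not modelled)."""
    code = claim.get("totp")
    if acct.totp_secret and code and verify_totp(acct.totp_secret, code, now):
        return True
    backup = claim.get("backup_code")
    if backup:
        h = hash_backup_code(backup)
        if h in acct.backup_code_hashes:
            acct.backup_code_hashes.discard(h)   # single use: burn it on success
            return True
    return False


if __name__ == "__main__":
    acct = Account("1234", "5678", totp_secret=b"12345678901234567890")
    codes, acct.backup_code_hashes = issue_backup_codes()
    leaked = {"ssn_last4": "1234", "card_last4": "5678"}   # purchasable data
    print("weak policy, leaked identifiers:", weak_recovery(acct, leaked))
    print("hardened policy, leaked identifiers:", hardened_recovery(acct, leaked, 59))
    print("hardened policy, live OTP:", hardened_recovery(acct, {"totp": totp(acct.totp_secret, 59)}, 59))
```

The seed `12345678901234567890` used in the demo is the RFC 6238 test-vector secret, so at time 59 the expected six-digit code is 287082; with a real fob the seed is provisioned once and never travels over the phone. The design choice worth noting is that `hardened_recovery` has no branch in which a support representative can vouch for the caller: whatever story is told, the function only accepts something the caller possesses.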

Until then, PayPal will continue to expose its users unnecessarily to security and privacy threats (bear in mind that a crook who gains access to your PayPal account can see all of your transactions and financial data from associated bank accounts).

Many KrebsOnSecurity readers have been quite generous in supporting my efforts this year, and to those folks (and to anyone else who’s read this far) I offer a hearty and heartfelt THANK YOU!


236 thoughts on “2016 Reality: Lazy Authentication Still the Norm”

  1. Jason

    As others may have pointed out, PayPal does offer 2 factor using text messages. I use that across all accounts + my Yubikey where possible. Unfortunately, you are a target for obvious reasons and I agree PayPal should have even more sophisticated authentication methods than it does…but it does at least have 2 factor, which will not allow un-recognized devices or computers to login, even with your password unless they have the code.

    1. BrianKrebs Post author

      You’re sort of missing the point here. I had two-step authentication (PayPal security key fob) enabled, and the attacker got past that. I don’t know if PayPal simply didn’t require it when the password was reset, but the point is that two-factor is kind of useless when someone can just call in and reset your password verbally by answering a couple of out-of-wallet questions.

      1. Otto

        The truth of the matter is that two-factor authentication only really works if the company is willing to write off customers who lose access to their 2nd factor.

        The whole point of having a system where you are required to produce that second factor is simply that *you are required to produce it*. If it can be bypassed by sweet-talking somebody with admin access, then the additional protection is non-existent.

        The correct answer by a support representative should be “Oh, you have 2 factor enabled, without it, so you can not regain access to your account without that under any circumstances, goodbye.”

        But the truth is that companies are not in a position to simply tell their own customers to buzz off. If somebody calls in having lost their 2-factor, then the company *has* to provide a way for the user to regain access. How difficult a company makes this is up to them, but I agree that simply providing publicly available information is obviously stupid.

        Still, what is the alternative? While it’s true that most people have smart phones and mobile information is on record and can be validated, it’s still not a perfect system. Short of standing there and looking at somebody in person, we do not have any good way to verify identity in our society, overall. All solutions are half-baked, in some way, and they will always be vulnerable to social engineering until a company actually is capable of saying “No”.

        1. Wayne

          Why can’t PayPal do what Google does? Allow 10 one-time use codes to be generated (print out and stick in your wallet) or send a code to your backup phone or email address?

          I mean, if you call in and you’ve lost access to your cell phone, your email address, and your wallet, then you probably have much *much* bigger problems.

          1. Jesse Thompson

            While I agree in principal, ease of setup and irrational peace-of-mind are each discouragements from “store these backup keys in a safe place”.

            When you try to set up a Bitcoin wallet, steps exactly like these are the reasons that so many people whinge and cry “how can it really be so secure if I have to go through so many steps and hide so many bits of paper under mattresses and in fire-proof safes? I don’t have to do that with my bank/paypal/credit card/etc!”

            At the end of the day, most people (wrongly!) expect that security (and thus, somehow, authentication) should somehow entirely be a third party problem. Thus, they don’t even care if they get hacked so long as every penny and every scrap of functionality is rapidly returned to them out of *somebody else’s* pocket.

            But even then, they would prefer to yell at some presumably incompetent financial company on the phone once or twice per year “until things get fixed” than they would take one scrap of responsibility for their own infosec. 😛

            1. Steve

              It’s disingenuous to me to tell people, well, take better care of your things, and they won’t be stolen when they are FAR more likely to be stolen through somebody else’s negligence, often a large company. People just don’t take care of other people’s things as well as they take care of their own. And sometimes they’re arrogant and complacent about that, too.

              1. Mike

                and yet…..
                The world seems perfectly willing (to the point of demanding) to have everything on the cloud. Most of the world seems completely OK living with all the dangerous lack of security within the realm of social media and websites like Ashley Madison. No one seems to give a fig about security issues regarding WiFi and using xbox and playstation consoles.

                You have to protect your things. It’s just that most people seem to think that protecting your things means putting it all in someone else’s hands (usually someone you will never even meet). It should be obvious that most of these companies feel no real desire to protect anyone after they make their money from convincing everyone that they can. It really wouldn’t matter anyway because they can’t. But no one wants to see that.

                Since the hacking of Ashley Madison….I have heard that their user base has increased quite a bit. I do agree with you and what you said here but I really am wondering if anyone out there really even cares. I also wonder if anyone has any level of understand of any of these things. I feel as if since most people know little to nothing about computers, most of the world just blows it off anyway.

                That millennial on Facebook grows up to be a C level boss for these companies. He makes all kinds of money at a tech company and figures he actually “knows” something. People will actually listen to him just simply because of his title (which is NOT a reflection of his technological IQ).

                Too many people claim to be tech savvy if they can click the Facebook ‘like’ button.

                1. Carlos

I don’t know about the PlayStation, since I don’t have one, but I’m guessing it’s the same, but on the Xbox you can set a PIN code to lock it down so only you can buy stuff.

                  And if you have a Kinect, you can use that to log in, instead of using the always logged in mode. And you can still set the PIN, on top of that too.

Still, that doesn’t help much when people then enter their credentials on some random site, and don’t have 2-fa enabled, which, let’s be real here, people do way too often… But that’s not something either Sony or Microsoft can fix.

                  1. Mike

                    You seem to be soooo missing the point. That PIN is just like 2-fa. Neither one is secure and should not be trusted. The existence of this article is in itself proof of that. You say that Sony and Microsoft can’t fix problems that users make when not enabling (or rather disabling) 2-fa as if 2-fa is in itself a fix.

The Sony system has been compromised (time and time again). Various articles on this site discuss that exact thing. “Fool me once, shame on you. Fool me twice, shame on me.”

People are way too trusting with systems they will admit to knowing nothing about. While these companies will promise a safe and secure place for your data, activities, and investments. How many times must our information be stolen before people start thinking about NOT doing certain things? How many times must this be proven again and again and again and again?

            2. Chaz

              It is interesting that you mention Bitcoin, because Bitcoin companies tend to have security and 2FA that makes Paypal look like an absolute joke… without the need for recording a seed per se.

        2. PDRA

          Paypal DOES have a backup for the 2FA key fob, which I have also used since PayPal implemented it.

          If you don’t have the keyfob, you can opt to have PayPal send an SMS to the phone on file. This provides a temporary 2FA number.

          They have also allowed access to bypass the 2FA by allowing the user to validate things like their bank account number: here is the last three digits of the bank account associated with this Paypal account, now you tell us the whole account number and we will let you in.

          The problem here of course is that that bank account numbers are completely insecure. They’re printed ON every check you write, among other things.

          So yes Paypal allows the keyfobs to be bypassed and does so in a way that is trivially simple to do for even a novice crook. Once in the account, you can easily delete the keyfob and it won’t be used again even though it doesn’t actually do anything.

      2. LM

Exactly! The proper way to set up a 2-factor system is how my insurance company implements it. If I need to call for any reason, the VRU prompts for the PIN number generated by a security token to proceed further. If you don’t enter the token PIN it routes to an agent who then explains the process to ensure understanding, then asks for the token PIN again.

      3. Jake

@Brian, are you saying they both changed your password and had the 2FA disabled? I guess that’s the only way it would have worked since your fob would have still been required if they just changed your password. Just looking for confirmation. It blows me away that they’d change your email, password and disable 2FA. Must have been quite a story the hacker told that the PayPal rep didn’t recognize it as an account takeover. I’m not sure mobile text would have worked in this situation because apparently they could have convinced the rep to change that also!

      4. Troy Frericks

        This is missing the social engineering of customer service point also, but it’s a second point that points to PayPal’s lack of respect to the customer’s security…

        > I had two-step authentication (PayPal
        > security key fob) enabled, and the
        > attacker got past that.

        The security key fob’s are no longer available, AND if you have one, they are no longer being used to protect your account. The second factor verification of key fobs was removed without notice several months ago.

        Troy.

        1. AndrewB

          I disagree. I use PayPal’s 2FA token from 10 years ago. Their payment system still requests it during a transaction. Maybe new accounts don’t have that option.

          1. Troy Frericks

            My FOBs only last about 5 years. I’m on my second, I can assure you that they are no longer being offered. PayPal is using the term ‘key’ to make customers think ‘hardware’ rather than SMS.

            I had PayPal second level support on the phone. If my current key fob was still usable, I would not have cancelled my account. But, talking in plain English, he assured me that it’s not being enforced, which confirmed my experience. I chastised him about stopping asking for the six-digit two factor string WITHOUT NOTICE. All he could do was apologize.

            Beside the fact that you won’t be able to replace your FOB (check their web site), I’d like to know what the difference is between your account and my past account!

Brian, it’d be interesting to confirm the information and provide the information to your readers.

            Troy.

            1. AndrewB

              My PayPal account is just the regular free account, though the token is paired with my eBay account, too. I see that is still valid there.

      5. Ric Hughey

Agreed. There is a huge difference between 2FA and Dynamic Identity Proofing. And while there is no silver bullet here, Paypal would be well-served by subscribing to an advanced Identity Proofing solution in their call centers.

    2. CJ

      Most companies use 3 step verification, they refuse to let you be aware of it for legal reasons, your GPS location is the third step.

    1. Alan

      > why use paypal.

Despite its flaws, it’s still one of the easiest ways to accept donations.

      I have to imagine the risk of fraud is outweighed by frictionless donations.

      1. Alister Macintyre

        I make donations in person at brick & mortar locations, and via snail mail. Both work quite well.

        My financial security is more important to me, than the convenience of making donations to some place which could involve man-in-middle crooks or other games.

        I became retired in 2015, so my financial security is even more critical.

    2. twinmustangranchdressing

      It doesn’t beg the question, it prompts or raises the question.

      1. Mike

        THANK YOU!!!

        So many people misuse, “begs the question.”

        🙂

  2. IA Eng

Happy New Year Brian, hopefully PayPal will read the article and offer some sort of new policies pushing forward into 2016.

    If they had caller ID, or sent a text message for authorization to change/add information to an account in Paypal or Ebay for that matter, it’s a start.

It’s just another company looking for use of ease over strict security. From these companies I hate hearing “We’re Sorry” (in which I respond, I know you’re sorry, but try to fix that state of mind) and the “we’re committed to ensuring your data is safe and secure” (committed to what, the state mental institution? The security posture seems to think so).

    Happy New Year !

    1. nov

      caller ID = spoofable/fake, not very detailed, or often times rather useless info

  3. Kasell

    To create money you need to lend money to lend money u need person behind it that’s why the social security code + passport copy can ensure that voila you just created other money in financial system we can not forget that all the financial system is under trading conduct law so it’s maded the way to print money that’s why In UK you need always adress proof couse basecli the adress will be backed up transaction or any ammount in bank so UK banks have 2 securities adress and person if the person fail to pay then they have property.in USA allmost same but little different anyways USA stay under UK financial conduct city of London control all the money around world all the money in the world is basecly tied with UK property prices as PayPal also is under city of London red 5star conduct its complex system but I’m not going to go any more details here all I’m saying is this fraud is not fraud fraud can help financial institutions create more money + is negativ – and negative is + couse negative is installed alllready into system without minus in bank without debt there would be no money at all !!!

    1. theantioch

      Maybe try again on this. Only next time with proper grammar and sentence structure.

  4. Gary

I had a security issue with PayPal Sunday and Monday. I tried to send money to a friend while out of town. PayPal detected I was using a different IP address (but my own laptop) and didn’t let the transfer go through, but didn’t say so. After talking to PayPal on the phone (more than once) I was sent a verification code to my cell phone, after which the transfer went through.

    1. Steve

      Now why couldn’t they just have real 2 factor like every European bank does? When you open an account there, nobody expects an award for providing it. It’s just expected and done. You won’t get online access to your accounts if you don’t do it.

    2. Alister Macintyre

      Every time I know in advance of an out-of-town trip, in time to inform my credit card bank of the planned trip, I do so.

      That way, if I am at a gas station, restaurant, motel, etc. where I said I’d be, or between home community & there, they know the money access is where I said I’d be.

      Then when I get back, I notify them I am back. It is a bit of extra effort to protect against false positives, while also maximizing protection against crooks outside my home base accessing my account.

        1. Alister Macintyre

          Crook must be bank insider to know in advance where I am going.

Regarding NC3story – My day job used to send employees to a certain motel with both public user-id and public password, both same for 200+ nightly guests, every night, for dare I say years. Guests left access, in never cleaned temp cache to all sorts of bank accounts.

          I made sure my confidential stuff was not added to that treasure trove.

  5. Eric

    Part of me wants to say that I am surprised, but part of me isn’t surprised at all. Various forms of 2FA have been around for a while, but they never seem to catch on. The vast majority of people don’t seem to want to be bothered – even for more critical things like banking. They don’t seem to want to have to go out and buy and keep track of some new dongle of some sort (although ironically a smartphone is probably the most expensive dongle that I can think of – the difference is that lots of people already have one).

    And as a result, banks (I lump PayPal into this) don’t want to be bothered having to support any of this.

    Being able to trick a CSR to reset things with just a phone call is just plain dumb – really that should be a part of pentesting that these organizations should already be doing. But that leads to an interesting problem – people are human – they can forget, lose or misplace things. How do you prove who you are to an online entity? A brick-and-mortar bank is easy by comparison – you can physically go into the bank to prove who you are.

    1. Jeff Martin

      It is not that they do not want to be bothered, it is that the economics are against it. Implementing a more rigorous system is expensive. Not to mention maintaining it. The current system is good enough, experiences like Mr Krebs’ are rare. It is far cheaper for them to deal with the rare exceptions than pay a huge global cost to alter all their accounts. Yes, it sucks for victims of fraud, but that’s how the numbers work out. Now if public behavior or regulation somehow changed that equation, things would be different.

  6. Patty Bennett

    Hello Mr. Krebs, do you have any recommendations of alternatives to PayPal that cannot be socially engineered like PayPal was in your case mentioned in this article?
    Thank you for all you do to bring attention to security flaws!

      1. Chris

        Yeah, because bitcoin has never been stolen from someone through social engineering, right?

        1. Jesse Thompson

          Well, if you’re running your own wallet software then the only human being anybody can potentially trick or “socially engineer” is you.

This makes you both the beginning *and* the end of the responsibility chain, though. Once you accidentally send money to somebody or completely trust a party that never delivers its goods or whatever, then there is no parent Paypal to pluck the toy away from one kid and give it back to another.

          So, it’s ultimately a question of asset governance. Should we be responsible for our own assets or should everyone trust a third party who in turn has to bear the unfashionable burden of authenticating us correctly?

          1. Bitcoin Libertarian

            “Well, if you’re running your own wallet software…”

            Did you hand-roll your own bitcoind? No?

            Did you audit every line of code of $FAVORITE_WALLET_CLIENT? Is the source even available (e.g. mobile clients)?

            Then you’re necessarily trusting the executable binary not to steal all of your coins, every time you use it.

            This bitcoin libertarian ideal of “personal responsibility begins and ends with you” is just victim blaming.

            Good luck with your crusade, though. Burn the banks!

  7. Kasell

    Why should I care ? If I get money back anyways !! If money stolen then all I have to do is just keep track on my bank accounts or PayPal account and if I see something suspicious I just report to them !! And they always pay back I don’t see problem really in UK everybody is insured up to 70.000£ more then that would be problem but anything lower is not problem at all to get back of lost and stolen why people don’t insure themselves ?? We have car insurance so we should have fraud and bank insurance as common and mandatory 2 factor security makes only complicated things too much security don’t allow u to make transactions even if you do your own, I can just say that only thing here is just keep track on all your transaction and if u see something suspicious just call and report and if money stolen they will pay back so nobody not gona get hurt

    1. Doug

      Nobody gets hurt except for the merchant that got zinged for the sale. They are the only true victims here.

    2. Kyle

      Are you daft?

      This is the reason I don’t trust banks.

      Oh, regulation dictates I get money back. WHO CARES? It’s NOT worth having your PII in an old institutional system which is KNOWN to handle data carelessly. Just because your money comes back to you, what about the time and effort put into GETTING it back by PROVING fraud? And what about all the times people CAN’T prove fraud and get their money back? Even when they DO get their money back, as it’s been stated already, the MERCHANTS lose out – in other words, prices rise. Everyone gets hurt in the process.

      I’ve seen the same ideology being used as an excuse by pro-CC people AND fraudsters. That has never changed since ages ago when it was implemented. It still gets tiring to hear it though!

    3. Jesse Thompson

      > Why should I care ? If I get money back anyways !!

      Well, first of all you cannot get your money back unless you:

      1> Prove you really *are* you. I mean.. you *have* heard of identity theft before, right? If I convince the bank and the government that *I* am really you, that all of your bank accounts and credit cards and credit scores (so that I could take out even more loans) that you’ve worked a lifetime to accumulate really belong to me, then why would *you* get any money back? Hell, who even are you except an imposter now, eh? xD

      2> Prove that the transaction(s) in question are actually fraudulent, and not just drunk-spending or whatever.

      Once you *can* do all of that, then all you are doing is helping fraudsters steal money from merchants. 2FA is a hassle? Why not say that cash registers are a hassle and merchants should keep stacks of cash right on the counter. So what if people take the stacks of cash? just double the costs of all of your goods every day. xD

      I don’t know if that makes your self-entitled retail customer life any easier or not (soaring prices over time can’t be easy, can it?) but it sure makes a fraudster’s life easier when the customers are literally begging them to keep stealing.

  8. tim

    The SS administration should make everyone’s SS number public, say, 6 months from now, allowing anyone depending on secrecy of that knowledge time to adopt a new system. States should do likewise with drivers license numbers.

    1. Kyle

      When I said that in the previous comment, I want to emphasize “more or less,” because:

      A: Dead persons’ records are literally public
      B: By knowing the birthdate and location, anyone’s SSN is easily guessed/calculated.

      1. Pacman

        It does not exactly work like that. Otherwise two people from the same zip code on the same day, such as all multiple birth people, would have the same SSN.
        The localization system was roughly in effect from 1973 to 2011. I have seen examples where the rules appear to have been followed prior to the date the SSA reports.

        Also, fwiw, when I was born, both my father and grandfather had an SSN created for me. They were not identical.

  9. Martin Rubenstein

    When I set up 2FA with Gmail, I was given ten verification codes should I ever need to disable 2FA. With Dropbox and Hotmail I got a recovery code. Something similar could be used: if you don’t have the recovery code you were issued with when you opened the account, do not waste your time contacting us: our agents will not be able to reset passwords. Brian’s article has really brought it home that, by contrast, PayPal’s security is amateurish at best. If this is indicative of their security systems then it’s just a matter of time before there is a major incident. Based on Brian’s report alone, the head of PayPal security should be sacked for incompetence.

    I emailed PayPal to say that in trying to set up 2FA, I was getting broken links and pages not found, and it seemed that obstacles were deliberately making it difficult to set up 2FA. All I got back was a standard reply which led to yet more broken links. It’s starting to ring alarm bells with me.

  10. mark

    Call me vastly unimpressed with PayPal.

    Early on, I bought something on eBay, I think, using PayPal. Then I didn’t buy anything via PayPal for maybe six years. They wouldn’t accept the card I prefer to use (the one with the lowest limit). Maybe a year and a half ago, I got annoyed, and called PayPal. They were willing to send a password reset… to the phone number they had on file. Which I thought I’d been able to change a number of times. Which was last valid in 2003, before I had to relocate the last three times…. That account is locked for the same reason (that happened when they had the major hack, and locked everyone’s accounts, and forced them to change their password… but I couldn’t.)

    Wish I had your leverage, Brian, but I’m thinking of calling VISA main number – my card’s from a small credit union – and seeing if they’ll talk to PayPal to update my info. Of course, somewhere there, I may have to open my security freeze from at least one agency….

    mark

  11. bikemore

    Mr. Krebs, based on this post I just de-linked my primary financial institution account from my PayPal account. Thanks.

    PayPal wants me to complete my profile by adding my SSN.
    Right.

  12. Dustin Dawind

    Don’t link a bank account to Paypal. Only link a credit card. That way if you do get hacked and money is sent you can just report it to the credit card company as a fraudulent charge and cancel the card. But you will still be able to use paypal to send money to people or for websites that you are not comfortable entering your credit card information on.

    1. Sasparilla

      Hmmmnnn, that sounds good if all you do is buy stuff (and maybe that’s a solution for a lot of people).

      But if you sell stuff (and a lot of people do occasionally), you’re going to need a way to get the money people pay you and hence the requirement of a linked account.

      1. Dick

        You can set up an account with one of the online banks, fund it with the minimum, use it for paypal 😉

    2. Braben

      At some point they will force you to link a bank account if you want to continue using it. What I did: I simply asked my bank (Wells Fargo) to create a second checking account for me (it’s free as part of my existing relationship with them). I link that account to not-entirely-trustworthy services like Paypal and only leave a small amount of money in it. You can also use the secondary account in other cases where you don’t want to disclose your main checking account number, e.g. for writing checks.

      1. PMDA

        The problem here is that many banks link accounts, so if someone puts through a fraudulent debit on the special account and there isn’t enough money, the bank simply does a transfer from your other account to cover it. They may not even notify you they’ve done this.

        A safer way to do this is two entirely separate accounts at different banks. When you need to fund the special account, you have to do a bank transfer or write a check or deposit cash into it. This is a hassle and slower than clicking a couple buttons so most people won’t bother.

  13. canuck

    Ah paypal. I use paypal on a website to collect payments but as part of the process I have to double check some payments which requires logging in to paypal itself. Not a problem when doing it from work or home, but when I go to my vacation house in the US it’s a pain.

    I call them in advance of my vacation each and every time to tell them that I will be accessing my account from town/state/ip/dates – and each and every time as soon as I do they freeze the account because it is being accessed from a ‘new’ location.

    I call them again and the agent even says they have the note saying I will be accessing the account from that exact location (10 years running), but they froze the account anyways. I then have to jump through hoops to get it activated again.

    And yet someone can just log in to your account and change your account details or call their customer service soon after you did to get in again.

    Paypal – only useful because it’s needed.

    1. Pete

      I recommend leaving a machine on at home that you can VPN / RDP to or otherwise remotely control if you go away.

      I do, it saves a load of time for me!

      1. Alister Macintyre

        You do know that your VPN transmissions are breachable?

    2. Dan

      Paypal does have a setting where you can notify them on-line that you will be traveling internationally, which avoids having to make a telephone call. It’s called a Travel Profile and is available within the settings page.

  14. Scott

    They need voice recognition as one of their tools to verify who you are. Kind of hard to mimic someone’s voice that you’ve never heard. Before long you’ll have smartphones that are capable of retina verification along with fingerprinting to ensure you are the person associated with the account.

    1. Jonathan Jaffe

      Scott: in a closed-ecosystem (like a company or MOD/DOD) biometrics are fine, but in a national system problems arise with the security of the reference source. If your (retina scan, voice print, fingerprint, face) is somewhere else it can be stolen. Unlike a password it can’t be changed so you are compromised for life.

      As for fingerprints: “Starbug” (Jan Krissler of the Chaos Computer Club) demonstrated how to foil biometric fingerprint security, using only commercial software and several high-resolution photos of a hand. To prove this hack he recreated the print of Ursula von der Leyen’s thumb. Who? Germany’s federal minister of defense. Fingerprint security was also compromised by a 4-year-old in 2013.

      Faces may already have been compromised thanks to Facebook’s tagging feature. More examples at
      http://nc3.mobi/references/biometrics/

      Jonathan @NC3mobi

  15. Joshua Bowman

    At what point do you consider filing a lawsuit over their lack of security and exposure of personal information (against their privacy policy, for one)? Not only is it something they actually have to respond to, instead of making empty promises to get you to go away, but it’s much more likely to end up in the mainstream news than a blog post.

  16. David

    @Brian, for what it’s worth, I just called PayPal customer service to see what they say their password reset policy is, and if they’re doing anything about it. The call center rep. swore that the social engineer would have required — in addition to the last four of your SSN and the last four of an old CC# — access to the email address associated with the account. Who knows how easy it is to manipulate that policy, though, and get an email address added at the same time.

    I also asked what they do if a PayPal user calls and has lost access to their email account. In that case, he said, they have to answer some additional questions — how old is your wife, how long have you lived in this home, etc. These are public records, of course, but it sounds like you were told that the attacker didn’t have to go through even this level of authentication.

  17. Michael Schwartz

    Here is a blog from 2014 which points out that credential reset is the achilles heel of authentication: http://gluu.co/achilles

    There is really no point to strong authentication if you can use weaker credentials to reset–the hackers just go after the lowest hanging fruit.

    What I have proposed is a pyramid of authentication–you need to present credentials of equal or higher risk mitigation in order to reset something lower in the pyramid.

    Of course this means that domains need multiple ways to authenticate a person–in fact multiple strong ways. And as Brian aptly points out, companies are lazy. I have a hard time explaining why so much time and money is spent on intrusion detection instead of intrusion prevention.

    With free open source software like the Gluu Server, defining flexible authentication business logic–and implementing fraud detection–has never been easier. And this enhanced security is available to applications via standard APIs like SAML or OpenID Connect.

    I have two talks at RSA Security this year–one on the diversity of authentication (From Meat To Electrons and Back Again) and one on “Trust Elevation”, where I’ll go into more detail on why we are in this current mess, and how to get out.

  18. henri baccouche

    It’s Paypal, they don’t give a toss for their customers. At this point of my 10 year ecommerce adventure, I prefer Stripe and Propay. Paypal is now just leftover roadkill from the Ebay divorce. Both companies were horrible to buyers and sellers and we are not going to forget it.

  19. Érick Morfín

    PayPal simply don’t care about security. I’ve emailed them twice to inquire about the (un)availability of two-factor authentication in my country and am still waiting for a reply. Tomorrow I’ll give them a call and see if they have something to say.

    But, as the article points out, the lazy authentication in contact centers is the Achilles’s heel of most companies, even financial companies.

  20. Kassell

    Too much stress guys, don’t keep money there if you’re afraid to lose it. I deal with bitcoins, paper wallet, wallet disconnected from internet. I even don’t keep money in bank account, only small amount. People, why do you stress out? You know it’s not safe; only option is just check your account and report if you see suspicious. Anyways they can press the button and money back. Wolves are fed and sheep are alive 🙂

  21. mike~acker

    the interests of the big-dollar corporations and governments are inimical to the interests of the consumer

    this isn’t likely to change in any large manner although minor tweaks may be provided at times

    Terms: NET
    each of us needs to take whatever actions we can to provide for our own security. this will need considerable education to be available. as noted: the big-dollar corporations and governments ain’t gonna help: it’s not in their interest.

  22. Sasparilla

    Great article Brian, sorry for your issues here. As is shown, a company’s online security is only as secure as its weakest link (often the call centers being vulnerable to social hacking/manipulation).

    The importance of online security (in the public’s eyes) is growing (with all the public compromises of the last couple of years), so maybe Paypal (and the many banks I run into that only allow letters and numbers for passwords…) will ratchet up their security as its demanded by the public.

    It would be more likely that PayPal would spend the money to do this if eBay tied in closely with additional providers so there was some competition and users could move to a more secure “eBay bank/transaction processor”.

  23. Hans

    What’s most interesting to me is that if the reason for the lax security on CS password changes is that they’re actually worried about losing customers, then the problem will only get worse as more people leave…

    Personally, I only use PayPal if I have no other choice. The merchants that only accept PayPal and require a payp

    1. Hans

      (Gaak! Sorry, doing this on my phone)

      … merchants that require the use of a PayPal account, rather than as a “guest”, simply entering a CC number, don’t need my business. There are many other payment systems out there that have a better “attitude”. I’ll use Google or Amazon payments or even apparently “home grown” e-commerce payments first, using my credit card as “insurance”.

  24. JB

    Paypal, in my experience, has been completely useless at anything but routine transaction processing. I’ve been screwed by duplicate charges, website errors, seller fraud, etc, and in each case they didn’t do anything useful about it even after I jumped through the hoops I was supposed to.

    Their ultimate response always boiled down to “Not our problem, but you can do x and that might work.”

    I no longer use it. No idea what I would do if I was a self-employed person who needed an easy way for his customers to pay him.

  25. Ryan

    Paypal had this response on Mr. Krebs security breach:

    http://www.ecommercebytes.com/cab/abn/y15/m12/i30/s01
    Expert Exposes PayPal Vulnerability
    By Ina Steiner
    December 30, 2015

    “Update 12/30/15: PayPal provided us with the following statement:

    “The safety and security of our customers’ accounts, data and money is PayPal’s highest priority. Due to our privacy policies that protect our customers, PayPal does not publicly disclose details about our customers’ accounts or their specific cases. However, it appears that our standard procedures were not followed in this case. While the funds remained secure, we are sorry that this unacceptable situation arose and we are reviewing the matter in order to prevent it from happening again.””

    Which could also be read as a backhanded slap; blaming Brian Krebs for not following standard procedures.

    1. someguyaccrosstheinternet

      Thanks for posting PayPal’s responding statement. I guess it’s a mildly good thing that they bothered themselves to respond to this story at all. I doubt that this incident will actually inspire them to make significant improvements in their CS procedures, of course. (Though maybe there’s some small chance PayPal will pleasantly surprise us. Probably some very small chance….)

      One thing, though: when the PayPal flack said ” it appears that our standard procedures were not followed in this case” he was probably blaming the service rep who first reset the password for not following the company’s “standard procedures” for identity verification. Rather than anything Mr. Krebs did or didn’t do. (Hopefully.)

      But, of course, that in turn raises the question of why PayPal’s customer password reset system implementation *would even allow* a customer service rep the ability to initiate a password reset without following proper “standard procedures”. PayPal shouldn’t have software in place that presents a rep with an “initiate reset” button on a screen and trusts the rep to do verification procedures properly. The rep should be limited to basically be a transcriptionist, reading identity questions to the (purported) customer and typing his or her responses into the system. If the information entered in doesn’t match what the system thinks it should, the reset attempt simply fails. The service rep shouldn’t be given any discretion to perform a reset without following “standard procedures”.

      Of course, putting a more robust mechanism like that in place to make sure procedures are followed would almost certainly result in more of the customers who can’t tell the difference between their solid waste excretion port and a hole in the ground being denied immediate re-access to their accounts. Which would make said customers unhappy, and perhaps more likely to leave the service. So there’s a quite good chance that using technology that doesn’t actually block reps from violating “standard procedures” for identity verification where they see fit isn’t just an oversight by PayPal’s management.
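
Two design points raised in this thread, Michael Schwartz's "pyramid" (a credential may be reset only by presenting one of equal or higher assurance) and the point in the comment above that the agent should be a transcriptionist with no discretion, fit together in one small policy engine. The Go program below is an added example written for this page; it is not code from PayPal, from the Gluu Server, or from any commenter. The credential names, the four assurance levels and their ordering, and the sample secrets are assumptions made up for the demo.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// Level is an assurance level. The ordering below is an assumption for this demo:
// 1 public-record facts, 2 customer-chosen secret, 3 enrolled device, 4 offline recovery code.
type Level int

const (
	LevelPublicRecord Level = 1
	LevelShared       Level = 2
	LevelPossession   Level = 3
	LevelRecoveryCode Level = 4
)

// Credential is a stored verifier: level plus a hash of the normalised secret
// (sha256 keeps the demo self-contained; a real system uses a slow KDF).
type Credential struct {
	Level Level
	hash  [32]byte
}

func hashSecret(s string) [32]byte {
	return sha256.Sum256([]byte(strings.ToLower(strings.TrimSpace(s))))
}

func NewCredential(level Level, secret string) Credential {
	return Credential{Level: level, hash: hashSecret(secret)}
}

// Verify compares the answer the agent transcribed, in constant time.
func (c Credential) Verify(answer string) bool {
	h := hashSecret(answer)
	return subtle.ConstantTimeCompare(h[:], c.hash[:]) == 1
}

// Policy says whether a credential of level presented may reset one of level target.
type Policy func(presented, target Level) bool

// PyramidPolicy allows only equal-or-stronger credentials; LaxPolicy models a
// help desk that accepts any verification for any reset.
func PyramidPolicy(presented, target Level) bool { return presented >= target }
func LaxPolicy(presented, target Level) bool     { return true }

// Answer is one credential name plus the value the agent typed in from the caller.
type Answer struct{ Credential, Value string }

type Account struct {
	Creds  map[string]Credential
	Policy Policy
}

var ErrDenied = errors.New("reset denied")

// RequestReset is the only reset path: the agent supplies answers, the system
// decides. Every answer must verify and at least one verified credential must
// satisfy the policy against the target. There is no override parameter.
func (a *Account) RequestReset(target string, answers []Answer, newSecret string) error {
	tgt, ok := a.Creds[target]
	if !ok {
		return fmt.Errorf("%w: unknown credential %q", ErrDenied, target)
	}
	allowed := false
	for _, ans := range answers {
		c, ok := a.Creds[ans.Credential]
		if !ok || ans.Credential == target || !c.Verify(ans.Value) {
			return fmt.Errorf("%w: verification failed", ErrDenied) // no partial credit
		}
		allowed = allowed || a.Policy(c.Level, tgt.Level)
	}
	if !allowed {
		return fmt.Errorf("%w: nothing presented may reset %q", ErrDenied, target)
	}
	a.Creds[target] = NewCredential(tgt.Level, newSecret)
	return nil
}

// DemoAccount is a constructed sample; every value is made up for the demo.
func DemoAccount(policy Policy) *Account {
	return &Account{Policy: policy, Creds: map[string]Credential{
		"address":  NewCredential(LevelPublicRecord, "12 Example St"),
		"password": NewCredential(LevelShared, "correct horse"),
		"device":   NewCredential(LevelPossession, "483920"),
		"recovery": NewCredential(LevelRecoveryCode, "RC-7Q2M-9XKD"),
	}}
}

func main() {
	lax, strict := DemoAccount(LaxPolicy), DemoAccount(PyramidPolicy)
	fmt.Println("lax, address only ->", lax.RequestReset("password", []Answer{{"address", "12 example st"}}, "new"))
	fmt.Println("pyramid, address only ->", strict.RequestReset("password", []Answer{{"address", "12 example st"}}, "new"))
	fmt.Println("pyramid, device code ->", strict.RequestReset("password", []Answer{{"device", "483920"}}, "new"))
}
```

The agent-facing call is RequestReset and nothing else: it takes the transcribed answers and either rotates the verifier or returns ErrDenied, and one wrong answer fails the whole attempt. LaxPolicy exists only for contrast: under it the public-record "address" answer is enough to reset the password, which is the lowest-hanging-fruit problem the thread describes; under PyramidPolicy the same answer is refused and a device code is required.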

  26. David

    An excellent, extremely strong alternate 2FA option that should be available is for users to generate a PGP/GPG key-set and provide the public key to the service provider. Major account information changes require the user decrypt a pass-token encrypted with their public key and enter it back into the system, thus proving they are the true account holder. Ideally one keeps PGP private keys offline, but even if one is lazy in this regard the overall increase in protection is substantial so long as a decent pass-phrase is used when securing private keys.

    Sadly 98% of people cannot fathom PGP, though the essential concept behind it is easy to grasp. Even with simplified and streamlined UIs, PGP is beyond the average user and no large service provider has implemented it.

    Additionally PGP can be used to encrypt monthly statements and transaction records which are then emailed. Until service providers provide this capability (likely never) I will continue to refuse the “paperless billing” option that companies desperately attempt to trick customers into accepting so they can save money. Why should I have to spend a great deal of time and energy downloading statements with wildly divergent UIs to save these idiots the cost of printing and postage? Make it easy and secure with PGP and I’ll be the first to adopt.
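
David's PGP-style confirmation can be shown end to end as a challenge-response exchange. The Go program below is an added example written for this page, not the commenter's code and not any provider's implementation. It uses RSA-OAEP from Go's standard library rather than OpenPGP packet formats, and the user name, token size, OAEP label, expiry and in-memory storage are assumptions made for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// oaepLabel binds each ciphertext to this purpose, so a token encrypted for some
// other flow cannot be presented here. The string itself is an assumption.
var oaepLabel = []byte("account-change-confirmation")

// challenge is a pending token the server expects back, once, before expiry.
type challenge struct {
	token   []byte
	expires time.Time
}

// Server holds enrolled public keys and outstanding challenges. In-memory maps
// stand in for the persistent stores a real service would use.
type Server struct {
	pubKeys    map[string]*rsa.PublicKey
	challenges map[string]challenge
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]*rsa.PublicKey{}, challenges: map[string]challenge{}}
}

// Enroll stores the public key the user hands over when opting in. The private
// half never reaches the server.
func (s *Server) Enroll(user string, pub *rsa.PublicKey) { s.pubKeys[user] = pub }

// IssueChallenge encrypts a fresh 32-byte random token to the user's public key.
// Only the holder of the matching private key can recover it.
func (s *Server) IssueChallenge(user string, ttl time.Duration) ([]byte, error) {
	pub, ok := s.pubKeys[user]
	if !ok {
		return nil, errors.New("no key enrolled for user")
	}
	token := make([]byte, 32)
	if _, err := rand.Read(token); err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, token, oaepLabel)
	if err != nil {
		return nil, err
	}
	s.challenges[user] = challenge{token: token, expires: time.Now().Add(ttl)}
	return ct, nil
}

// Confirm grades the decrypted token: single use, time-limited, constant-time compare.
func (s *Server) Confirm(user string, response []byte) bool {
	c, ok := s.challenges[user]
	if !ok {
		return false
	}
	delete(s.challenges, user) // one attempt per challenge, right or wrong
	if time.Now().After(c.expires) {
		return false
	}
	return subtle.ConstantTimeCompare(c.token, response) == 1
}

// Respond is the user's side: decrypt the challenge with the private key they keep.
func Respond(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, oaepLabel)
}

// NewKeyPair generates the user's key. It lives here only to keep the demo
// self-contained; in practice the user generates it in their own tooling.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func main() {
	priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	s := NewServer()
	s.Enroll("alice", &priv.PublicKey)
	ct, _ := s.IssueChallenge("alice", 5*time.Minute)
	fmt.Println("challenge sent, base64 prefix:", base64.StdEncoding.EncodeToString(ct)[:24])
	resp, _ := Respond(priv, ct)
	fmt.Println("confirmed:", s.Confirm("alice", resp)) // true
	fmt.Println("replayed:", s.Confirm("alice", resp))  // false
}
```

The server only ever holds the public key, so a breach of its store yields nothing that can answer a challenge. Each token is random, bound to one purpose by the OAEP label, expires, and is deleted on the first Confirm call whether or not it succeeds, which is what stops a captured response from being replayed.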

  27. Kasell

    Ok but people need to take blame for their own security, society is too weak and helpless. Why do countries like Finland have no fraud?? I think the fraud can be stopped if police is involved. Nowadays basically we don’t have any criminal investigation. It’s not that hard to stop fraud.

  28. John

    Someone went into my bank and posed as me with only my lost license and faked my signature. No pin, no account number. Only *after* they said you can put a verbal password on the account. Oh and everyone should get a credit security freeze.

    1. Alister Macintyre

      When we lose our license, or have it stolen, a crook can have a fake license with our name but their mug shot.

      Meanwhile we went to DMV to get replacement license which may not have same reference # – no matter, no one checks that anyway, they just look at name on license and photo on license.

      When we get plastic, we are supposed to sign the back of it.
      For a place to verify that signature, we need to sign something again, when there, using the card. Very few places request the sign again, and very few of those compare the two signatures. Technology exists to automate this signature verification process, both at the place where we use the card, and at the institution which issues it. I have my doubts much of any places actually using such tech.

      Info on social media, about ourselves, often includes city we reside in, relatives id, from which crooks can derive all the info needed for security questions at banks in our city. They can then go to all banks, pretending to be people on social media in those cities, carrying with them all that info necessary to id those people.

      1. Jonathan Jaffe

        Alister Macintyre: Therein lies a flaw in “static”, or mostly, static identifiers. It also describes one drawback to biometric based security – we generally can’t change it.

        The balance is between easy (for authenticatORS) and secure (for the authenticaTED). For charge card verification they have the data to ask more complex questions such as: Which business was NOT charged on your account in the last FIVE days? and show four, three of which WERE charged to your account at some time, but not in the last five (or some number) days.

        This is a “dynamic” authentication, no amount of social media research is likely to find the correct answer because the wrong answers were still related to you. Variations on this theme for amounts, date ranges, etc make it more secure.

        You can also try this: When you are asked to provide a piece of static information in response to a security question such as “What is your mother’s maiden name?” choose something other than your mother’s maiden name that you’ll remember. I have used “keybored” with the intentional misspelling. (No, I don’t use that one now).

        We do need a better way.

        Jonathan @NC3mobi

        HAPPY NEW YEAR!
        (i hope)
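
Jonathan Jaffe's "dynamic" question can be generated directly from the account's own ledger. The Go program below is an added example, not code from the commenter or from any card issuer; the merchant names, dates, the five-day window and the seeded random draw are constructed for the demo. It implements one reading of the scheme: the correct option is a merchant charged on the account but not within the window, and the three distractors are merchants charged within it, so all four relate to the real account. Transactions already marked as disputed are excluded, a partial answer to the objection raised further down the thread that whoever made recent fraudulent charges knows them.

```go
package main

import (
	"errors"
	"fmt"
	"math/rand"
	"sort"
	"time"
)

// Txn is one card transaction. Disputed marks charges the customer has already
// reported; those are left out so a fraudster's own activity does not shape the question.
type Txn struct {
	Merchant string
	When     time.Time
	Disputed bool
}

// Question is one "dynamic" challenge: four merchants from the account's own
// history, exactly one of which was NOT charged inside the window.
type Question struct {
	Window  time.Duration
	Options []string
	answer  string // server-side only; never sent to the caller
}

var ErrNotEnoughHistory = errors.New("history too thin to build a question")

// NewQuestion draws the correct answer from merchants charged before the window
// and three distractors from merchants charged inside it. seed makes the draw
// reproducible here; a production service would use a CSPRNG.
func NewQuestion(history []Txn, now time.Time, window time.Duration, seed int64) (*Question, error) {
	start := now.Add(-window)
	inWindow, ever := map[string]bool{}, map[string]bool{}
	for _, t := range history {
		if t.Disputed || t.When.After(now) {
			continue
		}
		ever[t.Merchant] = true
		if !t.When.Before(start) {
			inWindow[t.Merchant] = true
		}
	}
	var recent, older []string
	for m := range ever {
		if inWindow[m] {
			recent = append(recent, m)
		} else {
			older = append(older, m)
		}
	}
	if len(recent) < 3 || len(older) < 1 {
		return nil, ErrNotEnoughHistory
	}
	sort.Strings(recent) // map order is random; fix it before the seeded draw
	sort.Strings(older)
	rng := rand.New(rand.NewSource(seed))
	answer := older[rng.Intn(len(older))]
	opts := []string{answer}
	for _, i := range rng.Perm(len(recent))[:3] {
		opts = append(opts, recent[i])
	}
	rng.Shuffle(len(opts), func(i, j int) { opts[i], opts[j] = opts[j], opts[i] })
	return &Question{Window: window, Options: opts, answer: answer}, nil
}

// Check is the only grading path; the caller learns nothing beyond this boolean.
func (q *Question) Check(choice string) bool { return choice == q.answer }

// DemoHistory is constructed sample data around 28 Dec 2015: three merchants
// charged within five days, two charged earlier, and one disputed recent charge.
func DemoHistory() ([]Txn, time.Time) {
	now := time.Date(2015, 12, 28, 12, 0, 0, 0, time.UTC)
	day := func(d int) time.Time { return now.AddDate(0, 0, -d) }
	return []Txn{
		{"Grocer A", day(2), false}, {"Cafe B", day(1), false}, {"Cafe B", day(3), false},
		{"Fuel C", day(4), false}, {"Bookshop D", day(18), false},
		{"Hardware E", day(28), false}, {"Electronics F", day(1), true},
	}, now
}

func main() {
	history, now := DemoHistory()
	q, err := NewQuestion(history, now, 5*24*time.Hour, 42)
	if err != nil {
		panic(err)
	}
	fmt.Println("Which business was NOT charged to your account in the last 5 days?")
	for i, o := range q.Options {
		fmt.Printf("  %d) %s\n", i+1, o)
	}
}
```

NewQuestion refuses to build a question when the ledger is too thin, rather than padding the options with merchants unrelated to the account, because an unrelated name is exactly the kind of option that research on the customer could rule out. The answer field is unexported and only reachable through Check, so serialising a Question for the agent's screen never carries the answer with it.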

        1. Alister Macintyre

          If there’s been crooked use of your a/c, you may not know it.
          You only know & can volunteer info about your own recent usage.
          While unknown persons stealing from you, can volunteer info about their usage.
          Thus questions, about past usage, are not enough, to solve the fraud.

          When we give fictional answers for static data, we also need good memory of them or reliable storage method. I am of an age when too much stuff is falling out of my brain into nothingness.
          Some fictional solutions are becoming illegal.

  29. John Willis

    Brian,

    These instructions are on the WSJ website.

    They might help.

    I’m looking into it myself.

    PayPal and eBay – Security Keys
    After logging into paypal.com, you’ll see a link to “Security and Protection” in the upper right corner, near a search box. Click this link. You’ll be taken to a new page—scroll down to the bottom, and click on a link to the left that reads “PayPal Security Key.”

    When you click this link, scroll to the bottom of the subsequent page, which explains how two-factor authentication works, then click on “Go to register your mobile phone.” On the next page, you’ll enter in your phone number and agree to PayPal’s terms of service. Once you do that, you’ll receive a security code on your phone via text message to confirm the setup, and you’re good to go.

    PayPal’s parent company, EBay, uses the PayPal Security Key as its two-step authentication method as well.

    1. John Willis

      Weird.

      I couldn’t see the comments until after I posted.

      I now understand that PayPal did not honor their own security agreement. Nothing works when trust is violated.

      I guess the only thing you can do is do not associate Credit Cards or Bank Accounts with the PayPal account, and enter all that information for each payment that must pass through them.

      That’s what I’ve done in the past and will return to, putting up with the requests to save your information will just have to be tolerated.

      I must say their marketing division will be somewhat upset if suddenly they lose all of that frictionless customer service. It will end up eviscerating their value proposition to partners.

      1. John Willis

        All my credit cards and banking information have been removed from PayPal.

        And I submitted the exact reason in their Feedback request. Citing this incident.. and any hint of violating their own promise to a customer.

        That is completely intolerable.

        They are not a payment system to me any longer.
