December 28, 2015

My PayPal account was hacked on Christmas Eve. The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang tied to the jihadist militant group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.


Junaid Hussain’s Twitter profile photo.

On Christmas Eve morning, I received an email from PayPal stating that an email address had been added to my account. I immediately logged into my account from a pristine computer, changed the password, switched my email address back to the primary contact address, and deleted the rogue email account.

I then called PayPal and asked how the perpetrator had gotten in, and was there anything else they could do to prevent this from happening again? The customer service person at PayPal said the attacker had simply logged in with my username and password, and that I had done everything I could in response to the attack. The representative assured me they would monitor the account for suspicious activity, and that I should rest easy.

Twenty minutes later I was outside exercising in the unseasonably warm weather when I stopped briefly to check email again: Sure enough, the very same rogue email address had been added back to my account. But by the time I got back home to a computer, my email address had been removed and my password had been changed. So much for PayPal’s supposed “monitoring;” the company couldn’t even spot the same fraudulent email address when it was added a second time.

PayPal locked the account shortly after the assailant allegedly tried to send my money to the email account of the late Junaid Hussain, a 17-year-old member of the hacktivist group Team Poison. Hussain — who used the nickname “TriCk” and is believed to have been a prominent ISIS propagandist online — was reportedly killed in a U.S.-led drone strike earlier this year in Raqqa, Syria. No doubt, the attempted transfer was a bid to further complicate matters for me by associating my account with known terrorists.

In my second call to PayPal, I insisted on speaking with a supervisor. That person was able to tell me that, as I suspected, my (very long and complex) password was never really compromised. The attacker had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.

Let’s leave aside for a moment the reality that all of this static information about Brian Krebs has been posted online by various miscreants over the years (and probably remains online): Any company that authenticates customers with nothing more than static identifiers — address, SSN, DOB, phone number, credit card number, etc. — is vulnerable to these takeover attempts.

This almost certainly includes all of the companies that supply utilities to your residence, your bank or credit union, and a host of other companies. They’re vulnerable because those static identifiers about you are no longer secret and are available for sale in the underground.

I asked the PayPal supervisor why the company couldn’t simply verify my identity by sending a text message to my phone, or a special signal to a PayPal mobile app? After all, PayPal has had the same mobile number of mine on file for years (the attacker had also deleted that number from my profile). The supervisor explained that the company didn’t have any mobile authentication technologies, and that in order to regain access to the funds in my account I had to send the company a photocopied or scanned copy of my driver’s license.

Never mind that it was PayPal’s lack of any modern authentication methods that led to this mess. Also, let’s forget for the moment that there are a half-dozen services online that let customers create fake but realistic-looking scans of all types of documents, including utility bills, passports, driver’s licenses, bank statements, etc. This is the ultimate and most sophisticated customer authentication system that PayPal has: Send us a copy of your driver’s license.

When I pressed the PayPal representative about whether he had any other ways to validate my identity short of sending a copy of my license, he offered to do so “using public records.” Now, I understand that what he actually meant was that PayPal would work with a major credit bureau to ask me a series of so-called “out of wallet” or “knowledge-based authentication” (KBA) questions — essentially yet more requests for static information that can be gleaned from a variety of sources online. But that didn’t stop me from playfully asking the representative why a security challenge should rely on answers from public records? He responded that someone probably would have to go down to a courthouse somewhere to do that, which made me laugh out loud and wish him a Merry Christmas.

For better or worse, this isn’t the first time I’ve had to deal with weaknesses in PayPal’s anti-fraud systems. Last year, my account was the recipient of a large number of fraudulent donations made through hacked PayPal accounts that all were funded by credit cards instead of bank balances. The problem with fraudulent credit card donations via PayPal is that PayPal assesses the inevitable $20 Visa or MasterCard chargeback fee against the unwitting recipient of the fraudulent donation, effectively taking $20 out of the recipient’s account for each phony donation!

I called my contact at PayPal who’d helped work out a stopgap solution to the phony credit card payments, and that person said PayPal would lock my account so that no further account changes would be allowed. I’m grateful that they were able to do this (so far) but it probably goes without saying that most PayPal users will not have that line of contact or influence at the company.


PayPal’s security token isn’t much use if the company lets thieves reset your password over the phone using your Social Security number.

PayPal does offer additional security protections — including a PayPal Security Key fob that periodically generates a new one-time password which needs to be entered at login in addition to a username and password. I’ve used this solution since shortly after the company began offering it almost a decade ago, but a fat lot of good it does if PayPal is going to continue letting users reset their passwords by regurgitating static data that is trivial to purchase from the cybercrime underground.

Many companies will offer customers more account security options, but only if asked. Most often, when companies are asked for non-standard security precautions it is because the account holder has stated that he or she was previously the target of cyber stalking or concerted harassment or threats online. I can recall doing this with most of the utilities we use — including our ISP — after having ne’er-do-wells try to shut off our power, phone and water service by calling in with those static identifiers. None of those companies offered more advanced authentication options — such as mobile device authentication — but most would let me place a flag on my account that no changes were to be made unless I showed up at the utility’s offices in person and presented a photo ID and my username and password.

Although this is effectively the same solution that PayPal offered after it froze my account and available funds, having to visit an office and present my ID to close or make changes to my account is significantly less onerous and aggravating than trying to work that out after the fact while having no electricity, water or Internet.

Longer term, PayPal should review which of its users have already provided mobile phone information, and then seek to validate those contact numbers. Once that process is done, PayPal can start upgrading its authentication systems — and hopefully become less reliant on static (read: already-compromised) identifiers to validate customers. This would help cut down on account takeovers and reduce the threat of costly, fraudulent credit card donations via hacked accounts.

Until then, PayPal will continue to expose its users unnecessarily to security and privacy threats (bear in mind that a crook who gains access to your PayPal account can see all of your transactions and financial data from associated bank accounts).
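The gap the post describes is a policy problem in the recovery path, and it can be shown in a few dozen lines. What follows is an added example, not PayPal’s code and not from this post: a small Python model in which a support-desk password reset either accepts static identifiers alone (the flow described above, with an enrolled token silently bypassed) or insists that the enrolled one-time-password token be proven no matter which channel the request arrives on, and in which re-adding a contact address the owner has just removed is flagged rather than silently accepted. The names `Account`, `RecoveryDesk`, `add_email`, `remove_email` and `totp` and every sample value are assumptions constructed for this example; `totp` implements the RFC 6238 algorithm that hardware fobs and authenticator apps use.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Optional


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, as common fobs use)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


@dataclass
class Account:
    email: str
    ssn_last4: str                      # static identifiers: treat as already leaked
    card_last4: str
    otp_secret: Optional[bytes] = None  # enrolled possession factor, if any
    removed_emails: list = field(default_factory=list)
    notifications: list = field(default_factory=list)
    reset_count: int = 0


class RecoveryDesk:
    """Support-desk password reset under two policies (hypothetical model).

    lenient: static identifiers alone reset the password, even when a token
             is enrolled (the flow the post describes).
    strict:  an enrolled token must be proven on every channel; static
             identifiers are never sufficient by themselves.
    """

    def __init__(self, strict: bool):
        self.strict = strict

    def reset_password(self, acct: Account, claimed_ssn4: str, claimed_card4: str,
                       otp_code: Optional[str], now: int) -> bool:
        kba_ok = (hmac.compare_digest(claimed_ssn4, acct.ssn_last4)
                  and hmac.compare_digest(claimed_card4, acct.card_last4))
        if not kba_ok:
            return False
        if self.strict and acct.otp_secret is not None:
            if otp_code is None:
                return False
            # accept the current 30 s window and one on each side for clock drift
            window = [totp(acct.otp_secret, now + d) for d in (-30, 0, 30)]
            if not any(hmac.compare_digest(otp_code, c) for c in window):
                return False
        acct.reset_count += 1
        acct.notifications.append(("password_reset", acct.email))
        return True


def add_email(acct: Account, new_email: str) -> str:
    """Add a contact address and notify the existing primary address.

    An address the owner previously removed being added back is exactly the
    repeat the post says went unnoticed, so it is flagged for review.
    """
    acct.notifications.append(("email_added", acct.email, new_email))
    if new_email.lower() in acct.removed_emails:
        acct.notifications.append(("review", new_email))
        return "flagged"
    return "added"


def remove_email(acct: Account, email: str) -> None:
    acct.removed_emails.append(email.lower())
    acct.notifications.append(("email_removed", acct.email, email))


def demo() -> dict:
    """Runs both policies on constructed sample data; returns the outcomes."""
    secret = b"constructed-sample-token-seed"
    now = 1_451_000_000  # fixed timestamp so the run is reproducible
    results = {}
    for name, strict in (("lenient", False), ("strict", True)):
        acct = Account(email="owner@example.com", ssn_last4="1234",
                       card_last4="9876", otp_secret=secret)
        desk = RecoveryDesk(strict)
        # caller knows only the leaked static identifiers, has no token
        results[f"{name}_static_only"] = desk.reset_password(acct, "1234", "9876", None, now)
        # the real owner presents the code from the enrolled token
        results[f"{name}_with_token"] = desk.reset_password(
            acct, "1234", "9876", totp(secret, now), now)
    acct = Account(email="owner@example.com", ssn_last4="1234", card_last4="9876")
    add_email(acct, "rogue@example.net")
    remove_email(acct, "rogue@example.net")
    results["readd"] = add_email(acct, "rogue@example.net")
    return results


if __name__ == "__main__":
    print(demo())
```

Under the lenient policy the static-only caller succeeds and the enrolled token is irrelevant; under the strict policy the same caller is refused while the owner with the token still gets through, and the second appearance of the same rogue address is surfaced for review instead of passing as a fresh change.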

Many KrebsOnSecurity readers have been quite generous in supporting my efforts this year, and to those folks (and to anyone else who’s read this far) I offer a hearty and heartfelt THANK YOU!


236 thoughts on “2016 Reality: Lazy Authentication Still the Norm”

  1. Oldtaku

    A big part of it is that they Just Don’t Care. To PayPal as long as the money is in their piggy little hands, it’s generating interest. So they randomly lock accounts and hope a small percentage won’t or can’t provide the ID to recover them. They’ve been complete sleazeballs since before eBay bought them and now they’re spun off again. The other lesson is to use a dedicated account just for Paypal (any good credit union will let you do this) and never keep much money in. It’s always at risk, from fraudsters or PayPal itself.

    1. Sarah

      That’s exactly the way we do it, and we have to provide an additional verbal code for ANY phone or personal dealings with the CU.

  2. Rob Douglas

    Good grief. PayPal needs to get its act together. Sorry about what happened to you, Brian. At times it must feel like you’re a human honeypot. Keep up the good fight.

  3. Eaglewerks

    Brian: Good article, good suggestions I think, sorry to hear it happened to you. Is some form of voice recognition or fingerprint scanning software available that might be of use to larger companies like PayPal? I am aware of a smaller bank in Hamilton Mo that uses essentially a telephone conversation with their customer wanting to make changes, lots of local questions and chat about things only that specific account holder would know.

    1. Alek Davis

      Two-factor authentication does not help if a hacker calls customer support and customer support asks the caller to answer the KBA questions.

      1. Leo Edwardsson

        So in addition to resetting the password, customer support must have also disabled two factor authentication at the fraudulent caller’s request. That’s an important point that’s not clear from the blog post in its currently published form. Brian, did PayPal support admit to turning off 2FA at the caller’s request? Is it their policy to do that if the caller answers the ID verification questions?

    2. Troy Frericks

      Paypal no longer offers two-factor authentication. I closed my account for this exact reason. The pictured “football” security device is no longer available OR USABLE. Instead, Paypal has renamed SMS to “Paypal security key”.

      After explaining to Paypal’s support (and their supervisor) that two-factor authentication is using two of the following three authentication methods… 1) something you know, 2) something you have, 3) something you are, it was obvious that they did not care. (My first clue that they did not care was simply no longer using the second factor. I could log in with just my user/password. I no longer needed my “football” security device. No notice. Nothing).

      SMS is not a second factor. SMS is not something you have. Your cellphone provider also has it. Any of your apps on your Android with the proper permission has it.

      It just seems stupid for a service like Paypal, with a huge need for security, would just brush off this what-if situation: Say I install a rogue Android app on my phone. It keylogs and intercepts SMS, sending the data out of country. It also can use my phone to proxy http. So, the bad guy has my userid, password, and all my SMS message… and can use my phone to access Paypal. Seems like a recipe for more of what you’ve been experiencing… security issues with Paypal.

      Troy Frericks.

      1. Robb Leatherwood

        You can still use 2FA with PayPal. It’s not as easy-to-find as it used to be, but you can still register a VIP token in addition to SMS-based 2FA. It IS frustrating that if you’ve registered both a mobile phone AND a VIP token, it always defaults to the SMS authentication, rather than letting you choose which one will be primary.

  4. Alek Davis

    I wish there were a certification for the security technologies and procedures compliance that companies (especially, financial institutions) should and should comply with. You use personal questions/answers for password reset, or don’t notify user if personal information on the account changes, then you don’t get a certification. Things like password recovery via text message would be required. Security companies could start such initiative and make money (by auditing companies).

    1. JCitizen

      Put in a request to make that a regulation, with the Consumer Financial Protection Bureau; from what I understand the act that created that agency gave them the power to regulate – however, like the FCC and FAA, many of those regulations come from public review periods where comments are recorded for or against said changes, and suggestions to make more useful features. One may be able to petition such an agency and force consideration for such additions, but calling one’s congressmen, could go a long way as well.

  5. SW

    Sickening and predictable at once, Brian.

    But what I don’t understand is how the keyfob 2FA didn’t protect against this case. Even assuming they continue to let people “password slam” using static identifiers, isn’t the solution to not let the keyfob be bypassed (assuming it still has the flaws described in [http://www.binaryspiral.com/2007/03/17/inside-the-paypal-security-key/]).

    Then, even if they could lock you out, they couldn’t log in. Or maybe that’s exactly what you’re saying — they never logged in, just locked you out repeatedly — but it isn’t quite clear from your post.

  6. Richard

    In the UK some of the companies will let you have a second password for telephone support access,

    i.e. you phone them and they ask relevant details, and an account access password, not the one you use online.

  7. Mike Sheridan

    Read the article
    PayPal does offer additional security protections — including a PayPal Security Key fob that periodically generates a new one-time password which needs to be entered at login in addition to a username and password. I’ve used this solution since shortly after the company began offering it almost a decade ago, but a fat lot of good it does if PayPal is going to continue letting users reset their passwords by regurgitating static data that is trivial to purchase from the cybercrime underground.

  8. MTBcycloRista

    Wow… quasi-social engineering trumps multifactor authentication: OUCH.

    Mental note to self: password or account change notification from anywhere = drop everything and get on the phone ASAP.

    Thanks for all of your efforts to make the digital world a safer place.

  9. Rando

    PayPal 2FA worked great for me the other day. I understand it doesn’t stop the attacker, but you might want to update the article.

    1. Larry

      The problem with Paypal’s 2FA is that a paypal CSR can override it if you call and social engineer the CSR effectively. Apple’s 2FA works differently; once you enable it CSRs do not have access to your account credentials. You are totally responsible for managing your security. This has good and bad sides; the bad side is if you are careless about managing your account credentials AND you lose the recovery key they provide.

    2. Rick

      Sadly you can override it online by answering security questions also.

  10. tim

    Had the same issue through three financial institutions and a mobile phone carrier earlier this year. My online accounts were never compromised. All the attacks were carried out just dialing into call centers and simply giving well known information to prove they were me. Didn’t matter what I had on the online account (two factor or otherwise).

    American Express was especially bad. After replacing my card twice within weeks they still allowed a cash transfer to someone who stated they lost their card. I notified them of that issue within 12 hours (I was on a plane at the time) and then they forced me to get a notarized document proving who I was not once but twice.

    Most companies will allow you to set a call in passcode. But you have to ask for it.

  11. Aaron Bertrand

    Brian, great revelations, thank you, but I do have a question. You said that after the rogue e-mail address was added the first time, you logged in and changed the password. How did you log in successfully, if that e-mail address was added via resetting the password?

    1. BrianKrebs Post author

      PayPal has a process where you can get a link sent to the email on file. In the first case, I hadn’t been locked out of my account yet (my email address was still on file as a valid reset address).

  12. Ryan

    What’s even more frustrating is that given this article, I want to close my account with Paypal and can’t. I entered in the full account information on their site and the generic error pops up:

    >>Some required information is missing or incomplete. Please correct your entries and try again.

    For that matter, I could just call them, based on this article, and tell them to close it and verify nothing personal. I bet they’d do it too…

  13. R Mccoy

    ATO has always been a problem with PayPal, probably even more when you are a target of hackers. PayPal supports 2FA, and even the key fob rolling code solution. However, there are some accounts which purposely have their passwords locked just to prevent a fraudulent login. Normally these are your larger businesses who work through an account manager. There are personal accounts which are also locked which require verbal authentication to unlock the account. If you have the password then you gain entry. I remember when there was an issue where Nigerians used to call in through the deaf relay line and do the same thing. Bottom line there is a clear failure in customer service and security.

  14. Josh Collins

    This is why I’ll continue to hope that Bitcoin’s superiority as a secure payment system will win out over time. PayPal’s customer service has always been its weakest link. I find it completely unsurprising that they’re so easily exploited and clueless.

    1. Robert.Walter

      This is why I’ll continue to hope that Apple Pay’s über-superiority as a secure payment system will win out over time. PayPal’s customer service has always been its weakest link. I find it completely unsurprising that they’re so easily exploited and clueless.

      1. R Mccoy

        Please tell me you were being sarcastic about Apple Pay? Ask anyone that works fraud detection at a bank that offers Apple Pay how much they lose each month to fraud.

    2. timeless

      That’s like saying you’d prefer Cash over Credit Cards.

      Because it’s better for a thief to be able to steal a wallet and keep all the Cash in it, than to be able to steal a credit card, try to use it, and have you be able to complain to your Credit Card issuer about the theft.

      Sorry, BTC isn’t the answer. Stealing wallets or hacking computers w/ wallets is pretty easy & common.

      The solution is for Banks + PayPal/equivalents to review accounts for extra security measures before simply allowing a CSR to do a reset.

  15. David

    When my fob stopped working earlier this year (2015), I contacted the folks at PayPal. One person told me my fob was on the way. Ten days later I called to check on the status of my fob and was then told they no longer provide fobs. (fingers out guys).

    I was told that I could add the ability to message my iphone with a security code that had to be entered when accessing my account.

    I am disappointed, but not surprised, to hear customer service can be easily bamboozled into accepting a change of password to a different e-mail account.

  16. NotMe

    Pay Pal has always been weak on the security but fairly good on customer service. I only used them once to send money to Krebs. I have nothing tied to the account, only use a one time credit card entry each time. Too bad our human nature to help others can be used for evil so often.

    Thanks for writing about the problem, it’s nice to have the information and should help us all learn to be safer.

    Maybe Paypal will listen as well and some good can come of it.

  17. Richard

    Brian, do you mind explaining what you mean by “pristine computer”? I get the idea, I think, but what are the standards for “pristine”? Is the computer you used no longer pristine? Thanks. Best wishes to you and your family for the new year.

      1. Richard

        Thanks for telling / linking the Reddit chat. I missed that. I look forward to reading it. Big shock: you mention leaving WaPo in 2009. Time flies. Happy new year.

  18. Ellen Bailey

    Thank you for the article! It never ceases to amaze me how lax the financial organizations are that have already been breached. Or as another comment stated: “They Just Don’t Care.”
    I called Chase to set up Two-Factor Authentication for my personal account. Chase Technical Support told me that they didn’t offer that, but that I could delete the cookies on my computer before each transaction which would force 2FA. I told Chase Technical Support that I feared that not all criminals would access my account from my computer after they carefully deleted the cookies! Then I asked to speak to a supervisor. Eventually, I was told by the supervisor that Chase only offered 2FA to account holders with over $1M! Still haven’t determined if the supervisor was serious. If so, how irresponsible can the mega-bank be?

    1. timeless

      Most banks have “personal bankers” for wealthy customers.

      https://twofactorauth.org/notes/chase/

      It looks like Chase does have 2FA these days…

      http://web.archive.org/web/20140318080802/http://twofactorauth.org/
      says that they had SMS 2FA in March of 2014.
      And they had Phone + Email by April of 2014.
      http://web.archive.org/web/20140411205359/http://twofactorauth.org/

      http://web.archive.org/web/20140414041509/https://mobilebanking.chase.com/Public/Docs/Faq?nodeId=1&itemId=2
      Seems to be when Chase first talks about this feature (before then, it just talks about a username + password).

      I’m not sure about Chase’s current status.
      I remember being very annoyed when someone attached my email address to a Chase account that wasn’t mine. It took me *years* to get Chase to remove the email address.

      There are a number of ways to screw up accounts:
      1. Not verifying email addresses before pinning them to an account
      2. Not using all security measures before considering a reset

  19. Jonathan Jaffe

    Think about the treasure trove of charge cards and more in PayPal’s hands. I’d wager a BTC or two that some crook is salivating at that. “Here at PayPal we take your security seriously ….”

    Josh Collins: BTC may be more secure, but it also exposes consumers to market exchange risk. If I bought a coin just before January 2014 at over $1000/BTC I’d still be very unhappy, even with the recent runup to about $400. The US may be fiat currency but even with inflation that scale of change takes decades. The drop from $1000 to $400/each took four months.

    Jonathan @NC3mobi

  20. MG

    What would be your suggestion for the rest of us without an in @ the company to protect ourselves? Is it possible to insist upon an account lock with Paypal if you are annoying enough?

  21. Debi

    Bit coin? I thought they had a huge problem in the last year or two?

  22. Debi

    I propose we take all of our money out of all the banks and hide it under our mattresses!

    1. The Tech Bear

      But if the house burns down you’d lose all your money. It’s better to dig a hole in your back yard and plant it there. Isn’t that where money trees come from?

  23. billie

    I don’t quite see why 2FA is that great the way it is normally implemented, namely via a PIN sent to a cell phone. I have read in other B.K.’s posts that it is possible to get your cell carrier to direct your calls to another phone. If an attacker does that, the backup scheme you are depending on just becomes worse than useless.

    IMHO, Brian K. is lucky his attackers were apparently not capable of thinking their way out of a wet paper bag. If they could think, they would be in complete control of his PayPal account.

    Personally, I’ve heard too many horror stories about PayPal. I refuse to open an account with them.

    Thanks for the article Brian!

    1. tim

      “I have read in other B.K.’s posts that it is possible to get your cell carrier to direct your calls to another phone.”

      For a week my mobile number was forwarded to another phone. It was how they convinced one financial institution to send them a new credit card to a different address. My mobile carrier has never been able to tell me how it happened and I spent hours with them going over records and logs.

  24. Michelle

    Paypal stopped asking me for my token number all of a sudden… a while back perhaps around the time they redesigned their web site.. not sure why.

  25. forensium

    I do not have a bank account, or credit card tied to my account.

    I only keep a small amount in the account.

    I use “Bill Pay” at my bank to “PayPal Send Fund”. It does take 2-4 business days, but the risk is minimal. It also isolates my PayPal from my bank account(s).

    To get the money out, unfortunately I have to request a check. 5-10 business days, and $1.50 fee.

    1. Russ

      > I use “Bill Pay” at my bank to “PayPal Send Fund”

      Please explain. How do you tell your bank which Paypal account to pay into? Do you provide an email address in the bank’s Bill Pay form?

  26. Jason

    Wow, I am appalled and have simply cancelled my account. Assuming they don’t leave my details on some unsecured web server I hopefully wont get hosed.

  27. Russ

    As soon as PayPal started offering 2FA I turned it on. However they NEVER ask for it! I’ve tried asking why they offer 2FA if I never have to use it to login and they don’t seem to understand the question.

    I would drop PayPal in a flash if there was an alternative but too many sites only offer PayPal in addition to credit cards and paying electronically is too convenient to give up (for now).

    What a poor company…

  28. Password-assignment

    For my investment account, and my bank – for phone calls – I have created two passwords – one for me, and one for them. If I call them, I want them to ask me for the password I have assigned for myself, so they know that I am me. If they call me, I want them to tell me the password that I have assigned to them, so I know they are who they say they are. Although these two companies have done that, others will not.

    1. Jonathan Jaffe

      Password-assignment: simpler solution. When someone calls from your (bank, credit card, anything) ask for their name and direct dial number. You’ll call them back. If they give you grief put them on hold … forever.

      Then call a number you know to be accurate. If they can’t find your caller report a phishing trip.

      You might be amazed (saddened) by the number of people who will answer questions for a caller from “your bank”.

      Jonathan @NC3mobi

      PS: I get calls from one phisher who uses the same number. Sometimes I answer with “You’re lucky caller number 12! We’ll be right back with you! Just let someone get your information.” in the most enthusiastic radio voice I can muster. Then I put them on hold … forever. It keeps them from calling someone else. A public service.

  29. allo

    And now look at paypal. They required a scan of a drivers license. Now consider another service doing so. The paypal employee handling your scan can now authenticate there under your name. Again a static piece of information, looking very official, because it’s a scan of an official document. But now it’s out on the web and you never know where it ends up.
