Brian Krebs, the author of the Krebs On Security website, had his PayPal account hacked on Christmas Eve by a hacker who tried sending his funds to an ISIS-connected hacker gang. In an article on his website, Krebs describes his efforts to fix the problem with PayPal, but he views it as representative of the current state of security for many companies. He says many organizations, including financial institutions, are “woefully behind the times” in fighting identity theft.
In learning how the hacker had gotten into his PayPal account, Krebs found the company was relying on static identification information and continues to do so for most of its customers. This method is highly flawed and Krebs has urged PayPal to upgrade its authentication systems.
Problems Begin Christmas Eve
He received an email from PayPal on Christmas Eve morning advising him an email address was added to his account. He logged into his account, changed his password and changed his email address to a prior address and deleted the rogue email account.
Krebs then asked PayPal how the email got added to his account and what he could do to prevent it from recurring. He was told the attacker logged in with his username and password and there was nothing more Krebs could do in response to the attack.
In checking his email 20 minutes later when he was away from home, he found the same email address had been added to his account once again. When he got back to his home computer, someone had removed his email address and changed his password, despite the fact that the PayPal customer service rep promised to monitor the account.
PayPal locked the account after the attacker tried to send Krebs’ money to an email account of a member of a hacktivist group called Team Poison. That email account belonged to a 17-year-old Junaid Hussain who used the name “TriCk” and was considered an ISIS propagandist who was reportedly killed in a U.S. drone strike in Syria.
The attempted funds transfer was an effort to associate his account with terrorists.
PayPal Claims Password Was Secure
A PayPal supervisor told Krebs his password was never compromised; the attacker had called PayPal’s customer support and was able to reset the password by providing the last four digits of his social security number and the last four numbers of an old credit card account.
Krebs said any company that authenticates customers only with static identifiers like a Social Security number, date of birth, address, credit card number and phone number is vulnerable to such attacks. Such identifiers are not secret and are available for sale online.
Utilities, banks and other companies all fit into this category.
Asked why PayPal could not simply verify his identity by sending a text message or a signal to his PayPal mobile app, the supervisor said the company does not have mobile authentication technologies. To regain access to his funds, he needed to send a scanned or photocopied copy of his driver’s license.
Krebs blamed PayPal’s lack of modern authentication for the problem. He also noted that there are online services that allow people to create realistic-looking scans of many types of documents, such as passports, bank statements, utility bills and driver’s licenses.
PayPal Relies On Static Identity Data
Other than using a driver’s license to validate his identity, the PayPal supervisor said Krebs could validate his identity using public records. What this meant was the supervisor would contact a major credit bureau to ask Krebs a series of knowledge-based authentication questions. Such questions, he noted, are nothing but additional requests for static information that someone could find from a number of online sources.
When he questioned the representative about effectiveness of relying on public records for authentication, the representative said someone would need to go to a court house to get this information. Krebs laughed at this and wished the rep a Merry Christmas.
It was not the first time Krebs encountered weaknesses in PayPal’s anti-fraud system. A large number of fraudulent donations funded by credit cards were sent to his account last year through hacked PayPal accounts.
The problem with fraudulent credit card donations is that PayPal assesses the MasterCard or Visa $20 chargeback fee against the recipient.
To fix his more recent problem, he contacted the PayPal person who had stopped the phony credit card payments. That individual said he would lock his account to prevent any further changes.
Krebs was grateful for this assistance, but he noted that most users will not be likely to have access to this support.
Advanced Security Options?
PayPal does offer a security keyfob that creates a new one-time password periodically that the user enters along with their password and username. But this doesn’t help users who don’t use this extra security feature.
Many companies offer additional security to customers who ask for it. Usually when people ask for extra options it is because they experienced online harassment or cyber stalking.
Krebs has asked his utilities for additional security options after there were attempts to shut off his power, water and phone service from people using static identifiers.
None of his utilities offered a more advanced authentication option like mobile device authentication. To prevent changes to his account, most utilities said they would allow him to place a flag on his account. They agreed to prevent any changes to be made until he visited their office in person and gave a photo ID, password and username.
Krebs Urges PayPal To Act
Krebs encourages PayPal to review which users have provided mobile phone information and validate the contact numbers. The company can then upgrade its authentication systems and rely less on static identifiers for customer validation. Doing this would reduce compromised accounts as well as the fraudulent credit card donations.
In the meantime, PayPal customers will be exposed to privacy and security threats, Krebs noted. Attackers who access a PayPal account can view transactions and financial data from bank accounts.
Image from Shutterstock.