Brian Krebs, the author of the Krebs On Security website, had his PayPal account hacked on Christmas Eve by a hacker who tried sending his funds to an ISIS-connected hacker gang. In an article on his website, Krebs describes his efforts to fix the problem with PayPal, but he views it as representative of the current state of security for many companies. He says many organizations, including financial institutions, are “woefully behind the times” in fighting identity theft.
In learning how the hacker had gotten into his PayPal account, Krebs found the company was relying on static identification information and continues to do so for most of its customers. This method is highly flawed and Krebs has urged PayPal to upgrade its authentication systems.
Problems Begin Christmas Eve
He received an email from PayPal on Christmas Eve morning advising him an email address was added to his account. He logged into his account, changed his password and changed his email address to a prior address and deleted the rogue email account.
Krebs then asked PayPal how the email got added to his account and what he could do to prevent it from recurring. He was told the attacker logged in with his username and password and there was nothing more Krebs could do in response to the attack.
In checking his email 20 minutes later when he was away from home, he found the same email address had been added to his account once again. When he got back to his home computer, someone had removed his email address and changed his password, despite the fact that the PayPal customer service rep promised to monitor the account.
PayPal locked the account after the attacker tried to send Krebs’ money to an email account of a member of a hacktivist group called Team Poison. That email account belonged to a 17-year-old Junaid Hussain who used the name “TriCk” and was considered an ISIS propagandist who was reportedly killed in a U.S. drone strike in Syria.
The attempted funds transfer was an effort to associate his account with terrorists.
PayPal Claims Password Was Secure
A PayPal supervisor told Krebs his password was never compromised; the attacker had called PayPal’s customer support and was able to reset the password by providing the last four digits of his social security number and the last four numbers of an old credit card account.
Krebs said any company that authenticates customers only with static identifiers like a Social Security number, date of birth, address, credit card number and phone number is vulnerable to such attacks. Such identifiers are not secret and are available for sale online.
Utilities, banks and other companies all fit into this category.
Asked why PayPal could not simply verify his identity by sending a text message or a signal to his PayPal mobile app, the supervisor said the company does not have mobile authentication technologies. To regain access to his funds, he needed to send a scanned or photocopied copy of his driver’s license.
Krebs blamed PayPal’s lack of modern authentication for the problem. He also noted that there are online services that allow people to create realistic-looking scans of many types of documents, such as passports, bank statements, utility bills and driver’s licenses.
PayPal Relies On Static Identity Data
Other than using a driver’s license to validate his identity, the PayPal supervisor said Krebs could validate his identity using public records. What this meant was the supervisor would contact a major credit bureau to ask Krebs a series of knowledge-based authentication questions. Such questions, he noted, are nothing but additional requests for static information that someone could find from a number of online sources.
When he questioned the representative about effectiveness of relying on public records for authentication, the representative said someone would need to go to a court house to get this information. Krebs laughed at this and wished the rep a Merry Christmas.
It was not the first time Krebs encountered weaknesses in PayPal’s anti-fraud system. A large number of fraudulent donations funded by credit cards were sent to his account last year through hacked PayPal accounts.
The problem with fraudulent credit card donations is that PayPal assesses the MasterCard or Visa $20 chargeback fee against the recipient.
To fix his more recent problem, he contacted the PayPal person who had stopped the phony credit card payments. That individual said he would lock his account to prevent any further changes.
Krebs was grateful for this assistance, but he noted that most users will not be likely to have access to this support.
Advanced Security Options?
PayPal does offer a security keyfob that creates a new one-time password periodically that the user enters along with their password and username. But this doesn’t help users who don’t use this extra security feature.
Many companies offer additional security to customers who ask for it. Usually when people ask for extra options it is because they experienced online harassment or cyber stalking.
Krebs has asked his utilities for additional security options after there were attempts to shut off his power, water and phone service from people using static identifiers.
None of his utilities offered a more advanced authentication option like mobile device authentication. To prevent changes to his account, most utilities said they would allow him to place a flag on his account. They agreed to prevent any changes to be made until he visited their office in person and gave a photo ID, password and username.
Krebs Urges PayPal To Act
Krebs encourages PayPal to review which users have provided mobile phone information and validate the contact numbers. The company can then upgrade its authentication systems and rely less on static identifiers for customer validation. Doing this would reduce compromised accounts as well as the fraudulent credit card donations.
In the meantime, PayPal customers will be exposed to privacy and security threats, Krebs noted. Attackers who access a PayPal account can view transactions and financial data from bank accounts.
Image from Shutterstock.
Alleged FBI Hacker Lauri Love Ordered to US Extradition by UK Home Secretary
The long-running court saga of Lauri Love, a British hacker and activist accused of compromising and stealing data from the likes of the FBI, NASA and the US Federal Reserve has been ordered by the UK’s home secretary for his extradition to the United States.
31-year-old Love who has Asperger’s syndrome launched a legal challenge to avoid his extradition to the U.S., following a court ruling by a UK judge in September 2016. Love, who suffers from depression and eczema argued against the extradition ruling, claiming it could lead him to a mental breakdown or suicide. Despite his plea, the ruling district judge, Nina Tempia, determined that Love would be cared for by medical facilities in the United States, while accepting that Love suffered “both physical and mental issues.”
On the other side of the pond, Love potentially faces legal proceedings in three different US jurisdictions, reports the Guardian. Meanwhile, the UK home secretary had been given a deadline of November 16, in order to decide if Love was to be extradited or not. A day before the deadline, Rudd signed the order for Love’s extradition to the US. His lawyers believe he faces up to 99 years in prison if convicted of charges related to hacking.
The UK Home Office stated that Rudd had “carefully considered all relevant matters” before ruling:
[Love] has been charged with various computer hacking offences which included targeting US military and federal government agencies.
The case drew parallels to that of Gary McKinnon, a British hacker whose extradition to the US was blocked by Theresa May in 2012, as the home secretary at the time.
Love’s legal battle with the ruling garnered support from The Courage Foundation, whose acting director Sarah Harrison stated:
The US has ruthlessly persecuted hackers and digital activists for years, and nobody expects that to improve under President Trump. Theresa May set a good example by protecting Gary McKinnon back in 2012. For a home secretary in her government now to willingly send a brilliant and vulnerable UK citizen to Donald Trump’s America beggars belief.
Love was bailed earlier this year in June when US prosecutors were already doing plenty to extradite him stateside.
Lori’s alleged hacking endeavors were a part of #Oplastresort, an operation by Anonymous, the global hacktivist collective. This particular operation was in response to the treatment endured by Aaron Swartz a prominent programmer and hacktivist. Swartz faced 35 years In prison, asset forfeiture and a million dollars in fines with two counts of wire fraud. Swartz committed suicide for his alleged computer crimes.
Love’s legal defense is certain to bring up the unfortunate series of events that led to Swartz committing suicide under the threat of persecution. Love has 14 days to appeal against Rudd’s order and will almost certainly do so.
Images from YouTube/AP.
WikiLeaks: Podesta Received E-mails On Extraterrestrial Disclosure
While most fallout from the Podesta emails has been political, there are extraterrestrial implications for some of the e-mails released by whistleblower source WikiLeaks.
An email on behalf of Apollo astronaut Dr. Edgar Mitchell to Clinton campaign chairman John Podesta turned up in the recent data dumps. The email was sent by Rebecca Wright of the Institute of Exoconsciousness.
Mitchell requested in an email dated July 29, 2014 to meet with President Barack Obama to discuss extraterrestrial disclosure, but was partially rebuffed.
“Fifty years ago Battelle, Brookings and RAND studies on UFOs convinced the government to remove knowledge of the extraterrestrial presence from the citizens of our country. These organizations advised with their best information. However, today much, if not most, of the extraterrestrial reality they examined is known by our citizens,” the e-mail states. “These organizations’ resultant strategies and policies of 50 years ago no longer hold credibility or benefit.” Mitchell says a well-informed public is important to further disclosure.
Podesta’s secretary wrote Mitchell saying Mr. Podesta would rather meet alone before arranging a meeting with Obama. A Skype meeting was scheduled for Aug 11, but whether or not the meeting happened is unclear. Mitchell died in February 2016.
According to the leaks, former Blink 182 frontman Tom Delonge emailed John Podesta twice about extraterrestrial beings.
“Things are moving with the project. The novels, films and nonfiction works are blooming and finishing,” DeLonge said in an October 2015 email to Podesta. “I would like to bring two very ‘important’ people out to meet you in DC. I think you will find them very interesting, as they were principal leadership relating to our sensitive topic.” DeLonge emailed again later.
“When Roswell crashed, they shipped it to the laboratory at Wright Patterson Air Force Base. General McFasland was in charge of that exact laboratory up to a couple years ago,” DeLonge wrote. “He not only knows what I’m trying to achieve, he helped assemble my advisory team. He’s a very important man.”
Hacked reported in 2015 that DeLonge was working on various ET-related projects, and the former pop-punk superstar, whose 1999 album Enema of the State sold 15 million copies worldwide, has since released books and plans to release a documentary on extra terrestrials.
Featured image from Shutterstock.
12 Hacktivists You Should Know About
Hacktivism, a phenomenon specific to the digital age, represents the subversive use of computers and computer networks. The term was coined by the Cult of the Dead Cow in 1994.
Hacktivists represent a broad range of personalities and goals. They’ve recently played a greater role in the collective conscious as cyber attacks at banks and governments become a more regular occurrence.
1. Edward Snowden
President Obama once said of Edward Snowden: “I’m not going to be scrambling jets to get a 29-year-old hacker.”
Edward Snowden became notorious after blowing the whistle on mass surveillance in the United States and abroad. It’s been estimated that, since the whistleblowing, Snowden is one of the most powerful figures on Twitter.
I forgot to turn off notifications. Twitter sent me an email for each:
47 gigs of notifications. #lessonlearned
— Edward Snowden (@Snowden) October 1, 2015
2. Aaron Swartz
American hacktivist Aaron Swartz took part in the development of the web feed format RSS, as well as the organization Creative Commons. A partner in Reddit, he ultimately committed suicide while under federal investigation for data-theft.
Arrested by MIT police on January 6, 2011, Swartz faced breaking-and-entering charges due to installing a computer in an Institute closet to download academic journal articles from JSTOR. Federal prosecutors charged him with two counts wire fraud and eleven violations of the Computer Fraud and Abuse Act.
Swartz faced $1 million in fines and 35 years in prison. Swartz declined a plea bargain under which he would have served six months in federal prison. When prosecution rejected his counteroffer, he was found dead by hanging in his Brooklyn apartment two days later. In June 2013, Swartz was posthumously inducted into the Internet Hall of Fame.
3. The Jester
Who The Jester is, nobody knows. He claims responsibility for many, many DoS (Denial of Service) attacks against WikiLeaks, Islamist sites, homophobic sites and the President of Iran. He claims responsibility for developing DoS software, XerXes.
With Wikileaks in the news, almost makes you wonder: Where’s The Jester now?
4. Barrett Brown
Barrett Brown worked closely with Anonymous. The former writer was not a formidable coder or hacker, but he became a marketing figure for the hacking group, including news appearances. Brown has faced numerous charges related to hacking. In January 2015, he was sentenced to 63 months.
5. Hector Xavier Monsegur (Sabu)
Sabu co-founded Lulzsec, going onto receiving press attention after a 50-day hacking spurt targeting the likes of the CIA, Fox, Stratfor, and the US Senate and others. Sabu later turned away from hacktivism, becoming an informant for the FBI and working for them for more than ten months.
6. Jake Davis (Topiary)
This once active member of Anonymous moved onto LulzSec. During a court appearance in 2011, he pleaded guilty to a charge related to a hack on the Serious Organised Crime Agency’s (SOCA) website. Davis ran the LulzSec Twitter account. Details on his computer leaked him to a hack of Sony.
7. Oxblood Ruffin
Canadian hacker Oxblood Ruffin is the “Foreign Minister” of the Cult of the Dead Cow network, a hacktivist group. Oxblood can often be seen in the media criticizing the actions of Anonymous and LulzSec.
8. Deric Lostutter (KYAnonymous)
When two members of an Ohio high school football team were charged with the rape of an intoxicated 16-year-old girl, Lostutter helped leak a video of two Ohio high school football players joking about the rape of an intoxicated 16-year-old girl. He faces charges for hacking a fan page of the football team and could face a 10-year prison sentence.
9. Ron Gonggrijp
This Dutch hacker speaks out against surveillance on citizens by governments and the lack of security in public electronic voting systems. He became a well-known teenage hacker and even appeared in the Jan Jacobs’s book Kraken en Computers (Hacking and computers, Veen uitgevers 1985, ISBN 90-204-2651-6) which details the early hacking scene in the Netherlands. Authorities in the Netherlands and the United States considered him a “major security threat.’
10. Jacob Appelbaum
Appelbaum, a Cult of the Dead Cow member, is reportedly a key player behind Tor and now an American journalist. He is the co-founder of the San Francisco hackerspace Noisebridge and has worked for kink.com and Greenpeace. Appelbaum was a trusted confidant of NSA’s Edward Snowden and had access to Snowden’s top secret documents during the 2013 global surveillance disclosure.
11. Gary Mckinnon
Mckinnon is responsible for what’s called the “biggest military computer hack of all time.” He hacked almost 100 American military and NASA servers in 13 months from 2001 to 2002. His goal while hacking NASA was to discover evidence of extraterrestrials.
“A NASA photographic expert said that there was a Building 8 at Johnson Space Center where they regularly airbrushed out images of UFOs from the high-resolution satellite imaging,” he said. “I logged on to NASA and was able to access this department. They had huge, high-resolution images stored in their picture files. They had filtered and unfiltered, or processed and unprocessed, files.”
12. John McAfee
The 2016 Presidential Candidate, John McAfee, had a run-in with authorities who he claims set him up for murder. He hacked every major computer of Belize government bureaucracies to prove his innocence. He found evidence that implicated officials in corruption, laundering, drug running and murder. He organized his own escape out of Belize to avoid arrest. He recently posted on social media he got into a shootout with police, though this was a joke.
Featured image from YouTube/The Guardian.
- Daily Analysis: Stocks Turn Lower as Kiwi Collapses after Coalition Agreement October 19, 2017
- Technical Analysis: Coins Recover from Sell-Off as Bulls Remain in Control October 19, 2017
- Trade Recommendation: Zcash October 19, 2017
- Trade Recommendation: Litecoin October 19, 2017
- Ethereum Alliance Gets Another Member in Russia’s Largest Bank October 19, 2017
- Tortoise & Hare Investing October 19, 2017
- Asian Market Update – Thursday: Asian stocks mixed on China GDP, Japan trade data October 19, 2017
- Bitcoin Returns to Health After Flash Crash October 19, 2017
- ICO Analysis: Datum October 19, 2017
- Kazakhstan Is About to See Its First Cryptocurrency Backed by Fiat Money October 19, 2017
A part of CCN
Analysis1 week ago
Analysis: Bitcoin Price at $5200, How Much is There Left in the Tank?
Analysis6 days ago
Technical Analysis: Ethereum, Monero, and Litecoin Jump as Bitcoin Goes Parabolic
Analysis4 days ago
5 Things to Watch Next Week: Byzantium, Bitcoin Stretched, Gold’s Strength, The Next Fed Chair, Kirkuk and Crude Oil
Cryptocurrencies1 week ago
Trade Recommendation: Monero
ICO5 days ago
ICO Analysis: UTRUST
ICO1 week ago
ICO Analysis: Request Network
Analysis1 week ago
Technical Analysis: Litecoin Follows Bitcoin Higher as Market Tops $165 billion
Cryptocurrencies4 days ago
Trade Recommendation: Stellar