Brian Krebs exposes major flaws in PayPal’s security system

You can have the most secure password in the world, but as it turns out, there’s no defense against poor company security. Security expert Brian Krebs learned that the hard way when he discovered that his PayPal account was compromised due to what he claimed was a lack of authentication and security protocols on PayPal’s end.

On Christmas Eve, the cybersecurity journalist who runs the popular KrebsOnSecurity site became the victim of a hacking attempt, with the offenders seeking to use the hack to send money to a group with ISIS connections. And while Krebs has long drawn the ire of hackers everywhere, he’s now made a new enemy of PayPal as well.

Accusing the payment company of insufficient security to protect user information, Krebs used his own firsthand account to highlight flaws in PayPal’s system. “The successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves,” Krebs wrote on his blog.

As the journalist tells it, he received an email from PayPal on the morning of December 24, “stating that an email address had been added to my account.” Immediately after receiving this notification, he “changed the password, switched [his] email address back to the primary contact address, and deleted the rogue email account.” He also contacted a PayPal representative, who promised the company would “monitor the account for suspicious activity.”

But a mere 20 minutes later, he found that the same email address had been re-added. “By the time I got back home to a computer, my email address had been removed and my password had been changed,” Krebs wrote. “So much for PayPal’s supposed ‘monitoring;’ the company couldn’t even spot the same fraudulent email address when it was added a second time.”

When Krebs called PayPal again, he discovered just how easy it was for the hacker to gain access to his account. “The attacker had merely called in to PayPal’s customer support, pretended to be me, and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account,” a supervisor told the security expert. Needless to say, this didn’t sit too well with Mr. Krebs.

Ultimately, says Krebs, the key lies in implementing a more robust anti-fraud system, including the ideal — mobile device authentication. “This would help cut down on account takeovers and reduce the threat of costly, fraudulent credit card donations via hacked accounts,” he wrote. “Until then, PayPal will continue to expose its users unnecessarily to security and privacy threats.”

PayPal has since responded to the unflattering incident, stating, “The safety and security of our customers’ accounts, data and money is PayPal’s highest priority … While Mr Krebs’ funds remained secure, we are sorry that this unacceptable situation arose and we are reviewing the matter in order to prevent it from happening again.”

Lulu Chang