Skip to main content

Brian Krebs exposes major flaws in PayPal’s security system

amazon paypal news office
Ken Wolter
You can have the most secure password in the world, but as it turns out, there’s no defense against poor company security. Security expert Brian Krebs learned that the hard way when he discovered that his PayPal account was compromised due to what he claimed was a lack of authentication and security protocols on PayPal’s end.

On Christmas Eve, the cybersecurity journalist who runs the popular KrebsOnSecurity site became the victim of a hacking attempt, with the offenders seeking to use the hack to send money to a group with ISIS connections. And while Krebs has long drawn the ire of hackers everywhere, he’s now made a new enemy of PayPal as well.

Related Videos

Accusing the payment company of insufficient security to protect user information, Krebs used his own firsthand account to highlight flaws in PayPal’s system. “The successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves,” Krebs wrote on his blog.

As the journalist tells it, he received an email from PayPal on the morning of December 24, “stating that an email address had been added to my account.” Immediately after receiving this notification, he “changed the password, switched [his] email address back to the primary contact address, and deleted the rogue email account.” He also contacted a PayPal representative, who promised the company would “monitor the account for suspicious activity.”

But a mere 20 minutes later, he found that the same email address had been re-added. “By the time I got back home to a computer, my email address had been removed and my password had been changed,” Krebs wrote. “So much for PayPal’s supposed ‘monitoring;’ the company couldn’t even spot the same fraudulent email address when it was added a second time.”

When Krebs called PayPal again, he discovered just how easy it was for the hacker to gain access to his account. “The attacker had merely called in to PayPal’s customer support, pretended to be me, and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account,” a supervisor told the security expert. Needless to say, this didn’t sit too well with Mr. Krebs.

Ultimately, says Krebs, the key lies in implementing a more robust anti-fraud system, including the ideal — mobile device authentication. “This would help cut down on account takeovers and reduce the threat of costly, fraudulent credit card donations via hacked accounts,” he wrote. “Until then, PayPal will continue to expose its users unnecessarily to security and privacy threats.”

PayPal has since responded to the unflattering incident, stating, “The safety and security of our customers’ accounts, data and money is PayPal’s highest priority … While Mr Krebs’ funds remained secure, we are sorry that this unacceptable situation arose and we are reviewing the matter in order to prevent it from happening again.”

Editors' Recommendations

This critical macOS flaw may leave your Mac defenseless
A close-up of a MacBook illuminated under neon lights.

Apple’s macOS operating system has such a strong reputation for security that many people mistakenly believe Macs simply aren’t affected by malware. Well, Microsoft has served up a reminder that that’s not true, as the company has identified a serious vulnerability that affects one of macOS’s most important lines of defense.

According to Bleeping Computer, the bug was first reported by Jonathan Bar Or, Microsoft’s principal security researcher, who named the flaw Achilles. It is now tracked as CVE-2022-42821.

Read more
This free service just hit a huge website security milestone
global internet usage one zettabyte computer server room information cloud web net

One of the most important security features that protect your personal data as you browse and interact with various websites is enabled by a free service from a company called Let's Encrypt. As the name implies, this involves encrypting data to make it more difficult for your information to be intercepted in a readable form.
Website encryption is incredibly important on shopping websites since you usually need to fill out a form with your email address, shipping address, and phone number in order to get updates on the order status and receive the items you've ordered. Even more sensitive than your contact information and address, your payment information is needed to pay for that awesome, new tech, kitchen gadget, or toy.

In the early internet, encryption wasn't as common as it is today, and Let's Encrypt has played a huge role in making website security universal across the World Wide Web. Starting in 2015, Let's Encrypt took steps to ease the burden of encryption which came at a significant cost that was prohibitive for small businesses compared to the relative ease of creating a website today. Beyond the expense of ordering a Secure Sockets Layer certificate (SSL), which could cost hundreds of dollars each year, it wasn't easy to install this technology on a website. That meant most small websites were not encrypted.

Read more
Major tax services are sending your data to Meta and Google
fake irs emails are delivering dangerous new malware this tax season 1040 form being filled out

A new report claims that Meta's tracking Pixel has been used to collect your financial information when using popular tax filing services to send in your return. This is disturbing news for taxpayers that likely assumed these online tax services were keeping such information locked up securely.

The types of data collected vary but are said to possibly include your filing status, adjusted gross income (rounded to the nearest thousand), and the amount of your refund (rounded to the nearest hundred). This information would be quite useful in targeting advertising to those with disposable income and help determine which people to target when tax refunds arrive. As if this wasn't bad enough, your name, phone number, and the names of dependents such as your children are being obfusticated then sent to Meta by some tax filing services. According to the report by The Markup the obfustication is reversible.

Read more