
Brian Krebs exposes major flaws in PayPal’s security system

[Image: PayPal office. Photo credit: Ken Wolter]
You can have the most secure password in the world, but as it turns out, there’s no defense against poor company security. Security expert Brian Krebs learned that the hard way when he discovered that his PayPal account was compromised due to what he claimed was a lack of authentication and security protocols on PayPal’s end.

On Christmas Eve, the cybersecurity journalist who runs the popular KrebsOnSecurity site became the victim of a hacking attempt, with the offenders seeking to use the hack to send money to a group with ISIS connections. And while Krebs has long drawn the ire of hackers everywhere, he’s now made a new enemy of PayPal as well.

Accusing the payment company of insufficient security to protect user information, Krebs used his own firsthand account to highlight flaws in PayPal’s system. “The successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves,” Krebs wrote on his blog.

As the journalist tells it, he received an email from PayPal on the morning of December 24, “stating that an email address had been added to my account.” Immediately after receiving this notification, he “changed the password, switched [his] email address back to the primary contact address, and deleted the rogue email account.” He also contacted a PayPal representative, who promised the company would “monitor the account for suspicious activity.”

But a mere 20 minutes later, he found that the same email address had been re-added. “By the time I got back home to a computer, my email address had been removed and my password had been changed,” Krebs wrote. “So much for PayPal’s supposed ‘monitoring;’ the company couldn’t even spot the same fraudulent email address when it was added a second time.”

When Krebs called PayPal again, he discovered just how easy it was for the hacker to gain access to his account. “The attacker had merely called in to PayPal’s customer support, pretended to be me, and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account,” a supervisor told the security expert. Needless to say, this didn’t sit too well with Mr. Krebs.
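The two failures described above, the same rogue address being re-added minutes after the owner removed it and a support-channel password reset landing while the owner is actively locking the account down, are both cheap to catch in an account-change event stream. The following Python is an added illustration, not code from the article or from PayPal; the event schema, the field names and the sample events are constructed for this example and modelled on the sequence Krebs reports.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed account-activity event (hypothetical schema, not PayPal's).
@dataclass
class AccountEvent:
    ts: datetime
    account: str
    kind: str        # "email_added", "email_removed", "password_changed", "support_reset"
    value: str = ""  # e-mail address for email events; actor or channel otherwise

# Constructed sample stream following the timeline in the article:
# rogue address added, owner changes password and removes it, ~20 minutes
# later support resets the password over the phone and the address returns.
SAMPLE_EVENTS: List[AccountEvent] = [
    AccountEvent(datetime(2015, 12, 24, 8, 0),  "acct-1", "email_added",      "rogue@example.invalid"),
    AccountEvent(datetime(2015, 12, 24, 8, 10), "acct-1", "password_changed", "user"),
    AccountEvent(datetime(2015, 12, 24, 8, 11), "acct-1", "email_removed",    "rogue@example.invalid"),
    AccountEvent(datetime(2015, 12, 24, 8, 31), "acct-1", "support_reset",    "phone"),
    AccountEvent(datetime(2015, 12, 24, 8, 32), "acct-1", "email_added",      "rogue@example.invalid"),
    AccountEvent(datetime(2015, 12, 24, 9, 0),  "acct-2", "email_added",      "legit@example.invalid"),
]


def readded_recently_removed_emails(events: List[AccountEvent],
                                    window: timedelta = timedelta(hours=24)
                                    ) -> List[Tuple[str, str, datetime]]:
    """Flag an e-mail address re-added to an account shortly after the account
    owner removed it. Returns (account, email, time_of_readd) tuples."""
    removed_at: Dict[Tuple[str, str], datetime] = {}  # (account, email) -> last removal
    alerts: List[Tuple[str, str, datetime]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.account, ev.value.lower())
        if ev.kind == "email_removed":
            removed_at[key] = ev.ts
        elif ev.kind == "email_added" and key in removed_at:
            if ev.ts - removed_at[key] <= window:
                alerts.append((ev.account, ev.value, ev.ts))
    return alerts


def support_reset_after_owner_lockdown(events: List[AccountEvent],
                                       window: timedelta = timedelta(hours=24)
                                       ) -> List[Tuple[str, datetime]]:
    """Flag a support-channel password reset that follows the owner's own
    password change within the window: the account is already contested, so
    a phone reset on knowledge-based answers deserves a second look."""
    last_owner_change: Dict[str, datetime] = {}
    alerts: List[Tuple[str, datetime]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "password_changed" and ev.value == "user":
            last_owner_change[ev.account] = ev.ts
        elif ev.kind == "support_reset":
            owner_ts = last_owner_change.get(ev.account)
            if owner_ts is not None and ev.ts - owner_ts <= window:
                alerts.append((ev.account, ev.ts))
    return alerts


def run_rules(events: List[AccountEvent]) -> Dict[str, list]:
    """Run both rules over a stream and return the alerts keyed by rule name."""
    return {
        "readded_email": readded_recently_removed_emails(events),
        "support_reset_after_lockdown": support_reset_after_owner_lockdown(events),
    }


if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_EVENTS).items():
        print(rule, hits)
```

Both rules key on state the service already holds (its own change history for the account), which is the point Krebs makes: the second addition of an identical address is not a subtle signal. The 24-hour window is an assumed tuning value; on the sample stream the first rule fires on the 08:32 re-add for `acct-1` and the second on the 08:31 phone reset, while `acct-2` produces nothing.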

Ultimately, Krebs argues, the fix is a more robust anti-fraud system, ideally one built on mobile device authentication. “This would help cut down on account takeovers and reduce the threat of costly, fraudulent credit card donations via hacked accounts,” he wrote. “Until then, PayPal will continue to expose its users unnecessarily to security and privacy threats.”

PayPal has since responded to the unflattering incident, stating, “The safety and security of our customers’ accounts, data and money is PayPal’s highest priority … While Mr Krebs’ funds remained secure, we are sorry that this unacceptable situation arose and we are reviewing the matter in order to prevent it from happening again.”

Lulu Chang
Former Digital Trends Contributor