PayPal has been accused of failing to adopt adequate security measures by a journalist who says his account was taken over twice in 20 minutes recently by hackers who attempted to siphon funds to a slain recruiter for the Islamic State terror group.
Virginia-based security journalist Brian Krebs claimed in a blog post on Monday that one of the world’s largest online payment companies is unnecessarily exposing its users to security and privacy threats, the likes of which he experienced first-hand last week when his account was repeatedly compromised by hackers on Christmas Eve.
The KrebsOnSecurity writer recalled receiving an alert from PayPal in his inbox on Thursday morning notifying him that a new email address had been added to his account. Having taken no such action on his own, he quickly logged on from his computer and changed his password to ensure that the rogue account’s privileges had been properly revoked.
In a subsequent phone call with PayPal’s customer support number, Mr. Krebs said he was told that the company would monitor his account for suspicious activity and that he should rest easy. Twenty minutes later, however, his account was again under attack, and this time the hacker had taken full control of his information before Mr. Krebs could stop them.
During a second conversation with PayPal’s support line, Mr. Krebs learned that in both instances the attacker had gained access to his account by simply making a phone call of their own and then convincing the company to reset the password by providing the last four digits of the journalist’s Social Security number and an old credit card number.
A PayPal spokesman told The Washington Times in a Monday email: “The safety and security of our customers’ accounts, data and money is PayPal’s highest priority. Due to our privacy policies that protect our customers, PayPal does not publicly disclose details about our customers’ accounts or their specific cases. However, it appears that our standard procedures were not followed in this case. While the funds remained secure, we are sorry that this unacceptable situation arose and we are reviewing the matter in order to prevent it from happening again.”
While Mr. Krebs has hardly been a stranger to cyber-pranks — a SWAT team had been deployed to his house in 2013 after police were erroneously told there was a gunman in his home — he said that PayPal, and presumably many other legitimate financial services, are guilty of being “woefully behind the times in authenticating their customers and staying ahead of identity thieves.”
“Let’s leave aside for a moment the reality that all of this static information about Brian Krebs has been posted online by various miscreants over the years (and probably remains online): Any company that authenticates customers with nothing more than static identifiers — address, SSN, DOB, phone number, credit card number, etc. — is vulnerable to these takeover attempts,” he wrote.
“This almost certainly includes all of the companies that supply utilities to your residence, your bank or credit union and a host of other companies. They’re vulnerable because those static identifiers about you are no longer secret and are available for sale in the underground,” Mr. Krebs added.
Indeed, data of all sorts is bought and sold in corners of the Internet that aren’t easily accessed or patrolled by law enforcement: a report put out by Dell’s SecureWorks team last year stated that online black markets are “booming with counterfeit documents to further enable fraud, including new identity kits, passports, utility bills, Social Security cards and driver’s licenses.” Hacked Netflix and Uber accounts have appeared more recently for sale on the so-called dark web, and Raj Samani, the vice president of Intel Security, told Tech Insider recently that “Every possible service and every possible flavor you could think of was being made for sale.”
Yet while identity fraud is without a doubt all too often enabled by stolen data that’s sold on the Web, Mr. Krebs’s latest cyber misadventure could have had an even more serious repercussion still: in Monday’s blog post, the journalist said his account was only locked down by PayPal after being hacked for the second time in 20 minutes because the hacker had “allegedly tried to send my money to the email account of the late Junaid Hussain,” a British hacker who had been accused of spearheading social media efforts for the Islamic State terror group before being killed earlier this year in a U.S.-led airstrike.
“No doubt, the attempted transfer was a bid to further complicate matters for me by associating my account with known terrorists,” Mr. Krebs wrote.
Andrew Blake can be reached at ablake@washingtontimes.com.