Identity Theft – Paypal Style

Update – After all of the press coverage showing the weakness in Paypal’s security, Paypal issued a press release saying they were sorry and that Brian Krebs’ funds were secure.  Paypal says they are going to investigate what happened.  Read details here.

Brian Krebs discovered the hard way that Paypal is not the most secure place in the world.  On Christmas Eve his Paypal account was hacked.  Twice.  The second time came after Paypal customer service had promised that they would “monitor” his account for suspicious activity.

Some of you know that I am not a big fan of Paypal.  They sort of pretend to be a bank – they can hold money, process credit card transactions and transfer money to and from your bank account.  BUT, they are not a bank.  They are not regulated like a bank.  You do not have the same protections that you would have if you were doing business with a bank.  In my personal experience, my results with Paypal customer service are about 50/50 in terms of achieving the result that I think I am due.

But here is Brian’s story.

On Christmas Eve morning he received an email that said a new email address had been added to his account.  He immediately logged in from a “pristine” computer, changed his password, deleted the rogue email and reset the contact information to what it should have been.

He called Paypal customer service to find out what happened and they said that the attacker logged in with his userid and password.  Turns out this is not true, but stay tuned.

Twenty minutes later the same rogue email had been added to his account, but this time, they deleted HIS email address, locking him out of his own account.

The hacker this time attempted to transfer money to a known terrorist, Junaid Hussain, who is deceased.  Since Paypal is a money transferor, they are required to check transactions against the Treasury Department’s OFAC sanctions list of known terrorists.  Since this transaction generated a “hit”, Brian’s Paypal account was locked.

If you had been dealing with a local bank, you could drive over to a branch, talk to the person that you deal with on a recurring basis and get things straightened out.

But Paypal is not a bank and they don’t have local branches and they don’t have to follow the rules that banks do.

If this hacker had been doing more than playing with Brian, he could have transferred the money to a living non-terrorist person and emptied Brian’s Paypal account.  Legally, at that point, Brian would have very little recourse other than to sue Paypal.  Good luck with that.

Paypal offers two factor authentication, which Brian has used for years.  That is why customer service’s earlier claim that the attacker just logged in with Brian’s password is wrong.

However, because they are a customer service oriented company, if you forget your password, all they ask for is the last four of your Social and the last four of your credit card.  Now THAT is secure.

So the attacker was able to just call Paypal and ask them to change Brian’s password.  Twice.
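As an added illustration that is not part of the original post, the Python model below (all names, timestamps and the assurance scale are constructed for the example) shows why a reset path that accepts only “last four” answers makes two-factor login irrelevant, and how a hold-for-review rule on sensitive changes would have treated the two back-to-back resets described above:

```python
"""Added example (not from the post): account recovery is only as strong as
its weakest path, plus a hold rule for sensitive changes after a recovery.
All names, timestamps and the assurance scale are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed assurance scale: higher means harder for an impostor to satisfy.
KBA = 1         # "last four" of SSN or card: shared with many parties, widely exposed
PASSWORD = 2    # a secret only the account holder should know
POSSESSION = 3  # a registered second factor the holder must physically hold


@dataclass
class Account:
    owner_email: str
    second_factor_enrolled: bool
    contact_emails: set = field(default_factory=set)
    events: list = field(default_factory=list)  # (timestamp, description)


def login_assurance(acct: Account) -> int:
    """Assurance an impostor must defeat at the normal login prompt."""
    return POSSESSION if acct.second_factor_enrolled else PASSWORD


def reset_requirement(acct: Account, policy: str) -> int:
    """Assurance demanded by the password-reset path under a given policy."""
    if policy == "kba_only":   # what the post describes: last four of SSN and card
        return KBA
    if policy == "step_up":    # reset must be as strong as login itself
        return login_assurance(acct)
    raise ValueError(f"unknown policy {policy!r}")


def effective_assurance(acct: Account, policy: str) -> int:
    """An attacker takes the cheapest route in, so the account is only as
    strong as the weaker of the login path and the recovery path."""
    return min(login_assurance(acct), reset_requirement(acct, policy))


def attempt_reset(acct: Account, policy: str, proved: list, now: datetime) -> str:
    """`proved` lists the assurance levels the caller has demonstrated."""
    if max(proved, default=0) < reset_requirement(acct, policy):
        return "denied"
    acct.events.append((now, "password_reset"))
    return "reset"


def change_contact_email(acct: Account, new_email: str, now: datetime,
                         cooldown: timedelta = timedelta(hours=24)) -> str:
    """A sensitive change made soon after a recovery event (or another sensitive
    change) is held for review instead of applied: the "monitoring" the post
    says was promised, turned into a concrete rule."""
    if any(now - t <= cooldown for t, _ in acct.events):
        acct.events.append((now, f"held:{new_email}"))
        return "held_for_review"
    acct.contact_emails.add(new_email)
    acct.events.append((now, f"contact_added:{new_email}"))
    return "added"


def replay_takeover(policy: str) -> list:
    """Constructed replay of the sequence in the post: two phone-initiated
    resets twenty minutes apart, each followed by adding a rogue address."""
    acct = Account("owner@example.com", second_factor_enrolled=True,
                   contact_emails={"owner@example.com"})
    t0 = datetime(2015, 12, 24, 9, 0)        # constructed timestamp
    proved = [KBA]                           # all the caller could offer
    outcomes = []
    for t in (t0, t0 + timedelta(minutes=20)):
        result = attempt_reset(acct, policy, proved, t)
        outcomes.append(result)
        if result == "reset":                # only a successful reset yields a session
            outcomes.append(change_contact_email(acct, "rogue@example.net",
                                                 t + timedelta(minutes=1)))
    return outcomes


if __name__ == "__main__":
    for policy in ("kba_only", "step_up"):
        print(policy, effective_assurance(Account("o@example.com", True), policy),
              replay_takeover(policy))
```

The `min()` in `effective_assurance` is the whole point: with a second factor enrolled but a “kba_only” reset policy the account’s effective strength is 1, the same as having no second factor at all, because the phone reset is the cheapest door.  Under “step_up” both resets are denied outright; under “kba_only” the resets still succeed, but the cooldown rule holds both rogue contact changes for review rather than applying them, which is the layer that would have stopped the owner’s address from being deleted twenty minutes after the first recovery.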

In Brian’s case, since he is a well known journalist, used to work for the Washington Post and has tens of thousands of readers, Paypal’s media relations staff kind of put two and two together and decided that maybe they should help Brian out.  After all, Brian telling his tens of thousands of readers that Paypal took his money and would not give it back (which, by the way, apparently happens more than I would like) probably is not the kind of press that Paypal wants.

If it were you or me, we would still be arguing with them to get back control of our account and get our money returned.

This is why I cancelled my Paypal account long ago and do not deal with them.  I don’t need this kind of aggravation.  I have enough challenges in my life already.

If you do use Paypal, I would recommend not leaving much money in your Paypal account because it is just possible that you may have to jump through hoops to get access to it.

You can read Brian’s post to get the rest of the story.  In some ways, Paypal is like banks.  Apparently, their technology platform is a bit of an antique. Unlike, say, Facebook, they do not have a mobile validation capability.  In fact, even my bank has that, so maybe they are more antiquated than a bank.

I am not saying that you should cancel your Paypal account.  I am saying that it is useful to understand the rules that you are playing by.

Just food for thought.

Information for this post came from Krebs On Security.
