PayPal's staff still fooled by social engineering tricks

Dec 30, 2015 20:31 GMT  ·  By

Brian Krebs, a renowned security researcher, has penned a blog post skewering PayPal's lackadaisical user authentication procedures that allowed an unknown attacker to take over his account, and later transfer funds to a hacker associated with ISIS and believed dead by the US military.

Mr. Krebs, who wrote for several years for The Washington Post, specializing in cyber-crime syndicates, and who more recently started a very popular security blog, has had previous encounters with PayPal during his long career.

To his surprise, after all those years, a recent incident has shown how far behind the times PayPal's customer support procedures really are, and how easy it is for anyone to take over another user's account with just a few details.

PayPal call centers are easy to trick via social engineering attacks

We're not going to recount step by step what happened to Mr. Krebs, since his literary talents are far superior to our own and he does a much better job of it. In short, a hacker got control of his PayPal account by calling PayPal's customer support center.

There, the attacker asked for a password reset and got it, merely by providing the last four digits of Mr. Krebs' Social Security number and the last four digits of an older credit card account.

Since Mr. Krebs has exposed many cyber-crime groups in the past, he has been doxed multiple times, and his data is already available online in several places. For other people, details like these can just as easily be obtained from data breaches leaked online, or from the criminal underground, where hackers sell entire batches of records for just a few dollars.

To Mr. Krebs' disbelief, the account takeover happened twice, even after he informed PayPal of the first attempt and they reassured him they would monitor account activity.

PayPal is a company stuck in the '90s when it comes to user authentication

A call to a PayPal supervisor revealed that the company, in 2016, still doesn't have modern authentication systems that would defeat simple social engineering tricks like the one above; in most cases, only a few static personal details are considered enough to reset passwords and change the email addresses associated with accounts.

The hacking of Mr. Krebs' PayPal profile was obviously a targeted attack: as soon as the hacker got control of the account the second time, he set out to damage Mr. Krebs' reputation by moving some of his funds to the PayPal account of a known ISIS terrorist.

The terrorist was Junaid Hussain, a hacker known as TriCk, former member of TeaMp0isoN, and also the leader of the CyberCaliphate, one of ISIS' cyber divisions.

At the end of August, we wrote about a US military report that detailed a drone strike in which Hussain was believed to have been killed. Since no activity on Mr. Hussain's online accounts has been seen since, chances are the report was accurate.

In the long run, Mr. Krebs recommends that PayPal review its backup user authentication procedures to take into account the digitized world we live in and the countless data breaches that have exposed the personal details of almost anyone who goes online regularly.
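The contrast the article draws, static details that a breach or a dox has already exposed versus something only the legitimate owner possesses, as an added illustration that is not part of the original article and not PayPal's own system. The account record, its values and the `send` callback are constructed assumptions; the weak flow accepts whoever recites the two facts, while the stronger flow requires a fresh random code delivered to a channel already on file and then holds outbound payments for a cooling-off period after any reset, so a takeover that does succeed cannot immediately move money.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample account (hypothetical values, not anyone's real data).
# The two "last four" fields are exactly the kind of detail that breach dumps
# and doxing expose, so knowing them proves nothing about who is calling.
ACCOUNTS = {
    "alice": {"ssn_last4": "1234", "card_last4": "5678", "phone": "+1-555-0100"},
}


def static_kba_reset(account: str, answers: dict) -> bool:
    """Weak flow: a reset is granted to anyone who recites two static facts."""
    rec = ACCOUNTS[account]
    return (answers.get("ssn_last4") == rec["ssn_last4"]
            and answers.get("card_last4") == rec["card_last4"])


@dataclass
class Challenge:
    code: str
    expires_at: float
    attempts_left: int = 3


class PossessionReset:
    """Stronger flow: the caller must echo a one-time code sent to the channel
    on file, and high-risk actions are held for a while after any reset."""

    CODE_TTL = 600        # seconds a code stays valid
    COOLING_OFF = 86400   # seconds payments stay blocked after a reset

    def __init__(self, send):
        self.send = send          # send(destination, text): out-of-band delivery
        self.pending = {}         # account -> Challenge
        self.last_reset = {}      # account -> time of the last successful reset

    def start(self, account: str, now: float) -> None:
        # CSPRNG code: not derivable from any dossier on the account holder.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = Challenge(code, now + self.CODE_TTL)
        self.send(ACCOUNTS[account]["phone"], f"Reset code: {code}")

    def finish(self, account: str, submitted: str, now: float) -> bool:
        ch = self.pending.get(account)
        if ch is None or now > ch.expires_at:
            self.pending.pop(account, None)   # expired or never issued
            return False
        ch.attempts_left -= 1
        ok = hmac.compare_digest(ch.code, submitted)
        if ok or ch.attempts_left == 0:
            del self.pending[account]         # consumed, or locked after 3 guesses
        if ok:
            self.last_reset[account] = now
        return ok

    def allow_payment(self, account: str, now: float) -> bool:
        """Deny outbound transfers during the cooling-off window after a reset."""
        t = self.last_reset.get(account)
        return t is None or now - t >= self.COOLING_OFF
```

The cooling-off check is the part that would have limited the damage described above: even if a reset is wrongly granted, transfers initiated right after it are held, giving the real owner and the fraud team time to notice.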

UPDATE: PayPal reached out with a statement regarding this specific incident.

"The safety and security of our customers’ accounts, data and money is PayPal’s highest priority. Due to our privacy policies that protect our customers, PayPal does not publicly disclose details about our customers’ accounts or their specific cases. However, it appears that our standard procedures were not followed in this case. While the funds remained secure, we are sorry that this unacceptable situation arose and we are reviewing the matter in order to prevent it from happening again."
