PayPal is lying or playing dumb and here's why:

Ask them if the customer service agents can see the last four or if they have to enter them first before the customer's records come up.

They can see the last four right away.

Call PayPal and ask them which card you have on file, since you cannot remember. The agent can give you the last four to identify it.
In my opinion, the hacker who hijacked this guy's Twitter account didn't have ANY interest in explaining how he got to it, besides creating a hoax to confuse and divert attention. Just think about it: in just one email he puts the blame on both GoDaddy, for doing phone validation over insecure criteria (like credit card numbers), and PayPal (for giving out the last digits of the card number to a complete stranger). There might be some truth to it (GoDaddy's phone validation sucks and GoDaddy sucks altogether), but I've read the original HN thread and the majority of comments are directed against GoDaddy or PayPal, rather than the real perpetrator. There are a million ways to hijack someone's account - including but not necessarily by exploiting flaws of GoDaddy / PayPal - but I wouldn't trust the hijacker to kindly explain to me how he <i>actually</i> did it.
What's interesting is in the original "I got hacked" post [0]. The email from the hacker says that he called PayPal and posed as an employee.

That may not be tough to do, i.e., if you call a call center, select the wrong department and request an internal transfer, it is quite possible that the person receiving the call would not be able to distinguish between an internal call and a customer call.

So if the hacker told them he was Jack from xyz department, who would know the difference? Better still, would they log the call at all?

The alleged breach could in this situation be quite easy.

[0] https://medium.com/p/24eb09e026dd
Perhaps the cracker is actually employed at PayPal for real? :) This thought amuses me, since it's a scenario with no leaks outside the circle of PayPal employees, yet it gives the opportunity to the bad guy to gain the info necessary for the deed.
http://thenextweb.com/insider/2014/01/30/godaddy-accepts-partial-responsibility-social-engineering-attack-ns-customer-account/

"Our review of the situation reveals that the hacker was already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy. The hacker then socially engineered an employee to provide the remaining information needed to access the customer account. The customer has since regained full access to his GoDaddy account, and we are working with industry partners to help restore services from other providers. We are making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques."

It's likely the attacker obtained credit card info from GoDaddy rather than PayPal.
Alternatively, if this hacker had a method different from what he/she described to obtain the necessary information, it would make sense that he/she would describe a false sequence of events in order to throw the account holder off the trail.
All the hacker claims to have obtained from PayPal is the last four digits of the credit card number. Perhaps this failed attempt they mention was them asking the hacker to provide the complete credit card number ending in XXXX as a form of verification?
Well PayPal once flagged a non-existent transaction on my account as suspicious. I had to call them to get it sorted out. The fact that something like that can happen surely doesn't help me trust PayPal...
Why doesn't Twitter simply quarantine the handle until some sort of dispute resolution is completed? Oh wait, Twitter doesn't "do" customer service, so forget about any sort of common-sense solution.
Shouldn't it be easy enough for Twitter to just return the handle to the original owner? I guess Twitter has to cover their own ass to a degree, and it is possible the original owner is making up this story and actually sold the Twitter handle (though I suspect this would be against Twitter's policies).

However, based on what I've read, the people involved, and Occam's Razor, I believe the published story. Twitter should transfer ownership of the handle back to Naoki Hiroshima, do the right thing, and get some good press at the same time.
PayPal's value lies in its network and its trustworthiness. There is no way in a million years they would divulge a f***-up of this magnitude unless there was cold, hard proof.

But I think there is pretty convincing proof, and I think if anything, this makes them less trustworthy than if they had come out and accepted partial wrongdoing.

The "hacker" had no incentive to lie; the ace was in his hand.
I am very interested in what comes out of this. When I read Hiroshima's blog post, I was getting chills thinking how angry I would be if I could not get into my own accounts thanks to someone taking them over simply by exercising human engineering tactics. Big and small companies need to implement 2-step verification, or better, and never give out information.
PayPal records every call, 100%, and also all the screen captures of the agent answering the call. So, either they're telling the truth, or they're lying. Not sure how anyone could tell the difference, but I guarantee you, they listened to the call.

I can't see why a hacker would actually give his secrets away.