Lazy Authentication Still the Norm

I closed my paypal account after reading this. The gist is that the author had his account compromised and after warning paypal about this, had it compromised immediately again. It turned out you don&#x27;t even need a password to get into accounts.<p>There&#x27;s no excuse for a multi billion $ company to be this lax on security today.

I agree that banks and other high value targets still assume that attackers somehow &quot;play by the rules&quot;. I got a call not too long (maybe a year ago) from someone claiming to be with my bank. Their first line was, &quot;To verify your identity, what&#x27;s the last 4 of your SSN?&quot; My response, &quot;You called me, how do I know you&#x27;re actually with (bank)?&quot; The rep was flabbergasted at the response and didn&#x27;t know what to say.<p>Finally he gave me a number and suggested I call him back at it. Same problem. He gave me the number. It&#x27;s a random phone number. I ended up looking up the number and confirming it was associated with the bank and then calling him back on it. Not ideal, but the whole security model is completely broken.

Paypal remains the only online service I&#x27;ve used for real world stuff (as opposed to throw away e-mail accounts on spam forums) that has been compromised (to my knowledge).<p>In 2007 or so $50 was taken from my account and sent to SecondLife (remember them?), despite me never having played that game. I think even back then the only way I could prove I was the rightful owner of the account and get my money back was to send a photo of my drivers license.<p>I&#x27;m glad they&#x27;ve stepped up their security game in the past 8 years.

PayPal seems to have a lax attitude towards security in general. I had a similar issue a year ago, that (fortunately) didn&#x27;t end up in having my account compromised &lt;<a href="http:&#x2F;&#x2F;www.sanspoint.com&#x2F;archives&#x2F;2014&#x2F;09&#x2F;11&#x2F;great-paypal-email-hack-wasnt&#x2F;&gt;" rel="nofollow">http:&#x2F;&#x2F;www.sanspoint.com&#x2F;archives&#x2F;2014&#x2F;09&#x2F;11&#x2F;great-paypal-em...</a> but my dealings with PayPal support didn&#x27;t give me much hope for if and when things do blow up.<p>In this case, it&#x27;s likely that phone support is optimized for speed, rather than security. Good if you&#x27;re legit, bad if you&#x27;re a target.

I don&#x27;t blame companies for supporting the &quot;20 questions over the phone&quot; last line of lost passwords, but your account should be secured as part of the process - take a restore point, dump the credit card info, lock some features for a week, etc.

It would be nice if there was a good solution that companies could implement because this isn&#x27;t just a fault of PayPal, this is most utilities, TV providers, etc. You can call up and pretend to be the account holder and as long as you have the address on file and account number you can gain access to a lot of things.

What&#x27;s the business case for PayPal not using 2FA? I&#x27;ve never done an integration with them but I wonder if there are SLAs in place that require a maximum amount of steps or an average transaction time or something that verifying via SMS or a physical token would invalidate. Seems to me that PayPal accounts would be a major honeypot for seedy activity and that the customer service impact of dealing with this is high.<p>Unless this is a very rare thing at PayPal and internally they know it.

You are lucky enough to be in a country where PayPal offers 2FA at all. For unknown reason 2FA is available in very few countries, while majority cannot use it. I talked with their call center, but I was under strong impression that the lady didn&#x27;t even understand why I need such thing.

Krebs talks about the supposed problem, but fails to point out a solution.<p>Without knowledge based auth, what is PayPal supposed to say when someone calls them and says that they lost their phone and therefore access to their email and can&#x27;t remember their password?<p>Right now, to social engineer someones account (Like Krebs&#x27;s in this case, I&#x27;ve personally listened to the call he&#x27;s talking about here) you need almost all the information that&#x27;s on the account already (besides payment history, which could be a big deal to someone I guess).<p>A detail worth noting is that stealing someones PayPal account in this manner doesn&#x27;t allow you to steal money from them.

Reminds me I should try the password reset flow for each service before trusting it.<p>Would be awesome if there was a site that documented these, even if it was as simple as plaintextoffenders.com.

&gt; Any company that authenticates customers with nothing more than static identifiers — address, SSN, DOB, phone number, credit card number, etc. — is vulnerable to these takeover attempts.<p>Does having two-factor auth even matter if it can be circumvented with social engineering from static data?<p><i>I also submitted the same article last night:</i><p><a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=10805415" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=10805415</a>

The real problem I see is: A lot of places are <i>still</i> using SSN (and sometimes address) as a &quot;password&quot;. And it&#x27;s not just PayPal. It&#x27;s the &quot;something I know&quot; that was never a good idea in the first place. I never understood how just your SSN was a good authenticator of who you really were.

If you are concerned about this (and you should be) there is very little you can do about Paypal. But for your banks, all of them allow you to ask to set a &quot;password&quot; or &quot;security phrase&quot; for customer support.<p>I strongly recommend you do this. It&#x27;s actually stronger than the branch security.

If only PayPal had some truly private non-static information about the customer that&#x27;s not freely available in hacker databases that they could ask the customer about. Possibly some piece of info that the customer keeps in their wallet.<p>If only. If only.

If you&#x27;re a high-risk user, it&#x27;s incumbent on you to take specific measures against this stuff. Gangs of criminals specifically targeting an individual aren&#x27;t the type of risks that most businesses are going to be thinking about.<p>&quot;Use two factor&quot; isn&#x27;t a valid response here. If you expect the electric utility to throughly vet every service request, why would you allow them to assume that the authorized user actually controlled his phone? (Especially when people tend to connect&#x2F;disconnect utility services when they are buying&#x2F;selling&#x2F;renting a house and often doing things like changing phone numbers.)<p>Why does Brian Krebs have anything like this in his name? I would think that someone this high profile would have an anonymized LLC or similar legal structure to hold these accounts.

That&#x27;s not the biggest concern. The biggest concern is <i>SSN AND CREDIT CARD INFO</i> being compromised. Priorities, folks. With someone having this info, an authorized two-step or two-factor authentication process is a joke in comparison.<p>What advanced type of stupid makes articles like this seem completely fine to individuals in the tech sector?