Updated

Enemies of investigative reporter Brian Krebs took over his PayPal account twice on Christmas Eve, but were foiled on both occasions in their attempts to transfer funds to an account associated with an assassinated jihadist hacker, he said.
Krebs, who has been the target of several previous unsuccessful attempts to discredit him, including the mailing of heroin purchased on the dark web, reckons the account takeover was carried out using social engineering rather than by breaking his (strong and unique) password.
Miscreants added an email address under their control to his PayPal account after tricking call centre workers, claimed Krebs.
“The attacker had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account,” Krebs explained in a blog post.
The second takeover happened even though PayPal had promised, after the first attack only hours earlier, to monitor the reporter’s account for suspicious activity, said the reporter.
As-yet-unidentified miscreants apparently drew on personal details about Krebs that his foes had posted online over the years, which is exactly why static “secrets” such as the last four digits of a Social Security number are worthless as proof of identity once they have leaked. The same email address was used in each takeover, strongly suggesting the same group or individual was behind both.
In each case, Krebs intervened before black hats were able to transfer funds to the email account of the late Junaid Hussain, the British-born Team Poison hacktivist turned IS recruiter recently killed by a US drone strike in Syria, he claimed.
PayPal has since locked Krebs’ account so that no further account changes are allowed. However, the whole incident still serves to illustrate weaknesses in PayPal’s anti-fraud systems, as well as the lack of a mobile authentication option.
Krebs is dismissive of the PayPal Security Key fob, a technology he uses but which he said didn’t prevent the account takeover. “PayPal’s security token isn’t much use if the company lets thieves reset your password over the phone using your Social Security number,” he writes.
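The two failures described above, a password reset granted on knowledge-based answers despite a hardware token being enrolled, and a cash-out to a freshly added email address that the promised monitoring did not catch, are the kind of sequence an account-takeover detector should correlate. The following is an added example written for this page, not PayPal’s code and not from Krebs’ post: it parses a constructed, invented event log (field names such as `auth=kba`, `enrolled=security_key` and `event=email_added` are assumptions) and raises alerts when a reset relies only on knowledge-based authentication, when such a reset bypasses a stronger enrolled factor, and when a transfer goes to a destination added shortly after a weak reset.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log modelled on the sequence the article describes: a phone-support
# password reset that relied on knowledge-based answers (SSN digits, an old card number),
# a new e-mail address added to the account, then a transfer attempt to that address,
# repeated later the same day. Field names and values are invented for this example.
SAMPLE_LOG = """\
2015-12-24T09:02:11Z user=victim event=password_reset channel=phone_support auth=kba enrolled=security_key
2015-12-24T09:05:40Z user=victim event=email_added value=attacker@example.invalid
2015-12-24T09:07:02Z user=victim event=transfer_request dest=attacker@example.invalid amount=500.00
2015-12-24T14:30:00Z user=victim event=password_reset channel=web auth=security_key enrolled=security_key
2015-12-24T14:31:10Z user=victim event=transfer_request dest=friend@example.invalid amount=20.00
2015-12-24T19:12:15Z user=victim event=password_reset channel=phone_support auth=kba enrolled=security_key
2015-12-24T19:16:51Z user=victim event=email_added value=attacker@example.invalid
2015-12-24T21:40:00Z user=victim event=transfer_request dest=attacker@example.invalid amount=750.00
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Authentication methods that prove only knowledge of static personal data. Once that
# data has been posted publicly it authenticates the attacker just as well as the owner.
KNOWLEDGE_ONLY = {"kba"}


@dataclass
class Event:
    ts: datetime
    user: str
    event: str
    attrs: dict


def parse_log(text: str) -> list[Event]:
    """Parse 'timestamp key=value ...' lines into Event records, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        attrs = dict(KV_RE.findall(m["rest"]))
        if "user" not in attrs or "event" not in attrs:
            raise ValueError(f"line lacks user= or event=: {line!r}")
        events.append(Event(ts, attrs.pop("user"), attrs.pop("event"), attrs))
    return sorted(events, key=lambda e: e.ts)


def detect(text: str, window: timedelta = timedelta(hours=24)) -> list[tuple[datetime, str, str, str]]:
    """Correlate weak recovery, destination changes and payouts into (time, user, severity, reason) alerts."""
    alerts = []
    last_weak_reset = {}   # user -> time of most recent knowledge-only reset
    new_destinations = {}  # user -> {destination: time it was added}
    for ev in parse_log(text):
        if ev.event == "password_reset" and ev.attrs.get("auth") in KNOWLEDGE_ONLY:
            prior = last_weak_reset.get(ev.user)
            last_weak_reset[ev.user] = ev.ts
            enrolled = ev.attrs.get("enrolled")
            # A stronger factor is enrolled but the reset path did not demand it: Krebs' complaint.
            bypassed = enrolled is not None and enrolled not in KNOWLEDGE_ONLY
            repeated = prior is not None and ev.ts - prior <= window
            severity = "high" if bypassed or repeated else "medium"
            reason = f"password reset via {ev.attrs.get('channel')} using knowledge-only authentication"
            if bypassed:
                reason += f" although {enrolled} is enrolled"
            if repeated:
                reason += "; repeat within window"
            alerts.append((ev.ts, ev.user, severity, reason))
        elif ev.event == "email_added":
            new_destinations.setdefault(ev.user, {})[ev.attrs["value"]] = ev.ts
        elif ev.event == "transfer_request":
            dest = ev.attrs.get("dest")
            added = new_destinations.get(ev.user, {}).get(dest)
            weak = last_weak_reset.get(ev.user)
            # Payout to a destination added after a weak reset, all inside the window:
            # the classic takeover cash-out sequence.
            if added is not None and weak is not None and weak <= added and ev.ts - weak <= window:
                minutes = int((added - weak).total_seconds() // 60)
                alerts.append((ev.ts, ev.user, "critical",
                               f"transfer of {ev.attrs.get('amount')} to {dest}, an address added "
                               f"{minutes} min after a knowledge-only reset"))
    return alerts


if __name__ == "__main__":
    for ts, user, sev, reason in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user} {sev.upper()}: {reason}")
```

On the sample log the legitimate reset at 14:30, done with the security key, and the later small payment to an address that was already on the account produce no alerts; the two knowledge-only resets are flagged because they bypass the enrolled token, and both transfers to the newly added address are flagged as critical. In a real deployment the reset rule belongs in the recovery flow itself (refuse knowledge-only resets when a possession factor is enrolled) rather than only in after-the-fact detection.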
Third-party experts are also unimpressed by PayPal’s authentication options. “#2FA is akin to adding a second lock to the front door... while leaving the back door open,” said infosec consultant Paul Moore in a Twitter update. “Shame on you @PayPal”.
El Reg put in a query to PayPal, asking for its take on the incident, and will update this story as and when we hear back from the online payments firm. ®
In a statement, PayPal admitted it had let itself down with this particular incident while pointing out that Krebs had not actually lost any money. A spokesperson told us:
The safety and security of our customers’ accounts, data and money is PayPal’s highest priority. Due to our privacy policies that protect our customers, PayPal does not publicly disclose details about our customers’ accounts or their specific cases.
However, it appears that our standard procedures were not followed in this case. While the funds remained secure, we are sorry that this unacceptable situation arose and we are reviewing the matter in order to prevent it from happening again.