lew~

Paypal Account Security Fun


My recent ‘locked-myself-out-of-paypal-account-by-restoring-iphone-which-had-the-softoken-installed’ experience / PSA.

 

Identification performed by:

• Full name

• Last four PAN digits from a card assigned to the Paypal account (printed on any receipt e.g. car park or coffee shop)

• Asked for the last four digits from the security key… explained why I was calling paypal support again, and continued anyway. (lol)

 

Paypal phone support were then happy to:

• Change the account’s email address and reset the password

• Remove the security key (2FA) assigned to the account

• Ask me if there was anything else they could help with

 

Notwithstanding the above, they also failed to try and identify through my secret questions (possibly because they are 250char long random keys). Can’t say if all this is a human or workflow/script failure.

 

Mitigations?

• Don’t keep a Paypal account

• Use a separate account/card for Paypal in an effort to try and keep the account info private…?

• ???

 

 

Can't even call this social engineering it is so disappointing...


It's a total fail on paypal's behalf. Anyone could have pretended to be me with some basic information, and accessed my paypal account.


What phone did you call them up from? Is there a number tied to the account and was this the one you used?

 

I find my ISP (iiNet) eliminates a lot of the security checks simply by checking the number I'm calling from.

 

 

And from what I've heard of PayPal accounts and getting them back after they had been locked down, your story sounds like they may be getting their shit together

 

 

Did you happen to inquire about your concerns regarding the security check while you were on the phone with them, or realised this afterwards? Given this is access to your money we're talking here, I would call them back and ask some polite questions - If not happy, get out of the service and stop using it

Edited by Khirareq


> What phone did you call them up from? Is there a number tied to the account and was this the one you used?

Good question, but no - from a blocked number which is not associated with my account.

 

> your story sounds like they may be getting their shit together

How so? Perhaps it was just the customer service rep I got on the day, but I don't really believe they got anything right with my call.

 

> Did you happen to inquire about your concerns regarding the security check while you were on the phone with them, or realised this afterwards? Given this is access to your money we're talking here, I would call them back and ask some polite questions - If not happy, get out of the service and stop using it

It was difficult getting through the process due to the offshore call centre, so I didn't raise it at that time. But I agree with you - I will send through an email to an appropriate address to ask their processes be validated from a security standpoint.


> > your story sounds like they may be getting their shit together
>
> How so? Perhaps it was just the customer service rep I got on the day, but I don't really believe they got anything right with my call.

 

How so? As in, lucky you got your access back. I'm currently looking into setting up a website to sell pens (I hand craft pens and sell them for shit loads), and looking for a back end to handle the shopping cart transactions. When looking into Paypal, I got told to go look into some of the horror stories there. I have no idea how many of them are true, but there appears to be a lot of cases where people had accounts taken over, and Paypal don't really care and offer little help getting it back; others where they have had their accounts locked down, and were unable to regain access for up to months afterwards; and some cases where accounts were closed without warning, resulting in loss of revenue for the business. It appears to be prone to scams, and Paypal just don't seem to care at all.

 

There's some here: http://www.aboutpaypal.org/

 

But, I don't give these stories much weight, as I can't fiddle and ask questions like I have done here with you - But I have read enough to convince me to say "Fsck you" to Paypal and look around at other merchant accounts for what I am wanting to do

 

Maybe it's my Scottish blood, or having been stuffed too many times, but when it comes down to dealing with and handling money, I will go to great lengths to prevent issues in the first place rather than try to retrieve money after someone has already grabbed it.

Edited by Khirareq


Fair enough mate. It definitely is a balance to ensure you try and keep people's accounts in the right hands.

 

Out of interest, have you chosen a payment provider yet?


Not yet - I have to go and have a chat with a mate again shortly (He does a shitload of ecommerce set ups, and is looking around for me) - I haven't been rushing the website too much yet, as the pens sell so damn quickly I have no *real* need for a website yet (I took ten in to work the other day just to demonstrate what I make, and they all sold within 20 minutes)


Maybe look into using Google Wallet? I'm not sure what it's like, but it's becoming as popular as Paypal it seems, so most people will have Google accounts, or at least won't mind signing up for one (if there are any trust issues involved) to be able to pay.


I figured out how to replicate that process, simply try to do a paypal transaction when you're logged onto your VPN. Bingo.


> If someone knows your full name and the number of your card, why would they bother doing anything via paypal?

Only needed the last four digits of the CC number.

 

In order to make a purchase, you should need:

• Full name

• Full credit card number

• Expiry

• CSV
