
PayPal Security Flaw Allows Identity Theft 212

Posted by Zonk
from the watch-your-back dept.
miller60 writes "Phishing scammers are actively exploiting a security flaw in the PayPal web site to steal credit card numbers belonging to PayPal users. The scam tricks users into accessing a URL hosted on the genuine PayPal site, which presents a valid 256-bit SSL certificate confirming that the site belongs to PayPal. However, some of the content on the page has been modified by the fraudsters via a cross-site scripting technique, and victims are redirected to a spoof site that requests their account details."


  • by neoform (551705) <djneoform@gmail.com> on Friday June 16, 2006 @11:06AM (#15548867) Homepage
    What most people don't realize is this: if your card number is stolen and someone uses it, you aren't liable for the charge.

    Unless a merchant has proof that you made the transaction on your credit card, you can always refute any charge on your credit card statement and you won't have to pay it.
    • It's still a hassle and a violation of privacy.
      • by jpellino (202698) on Friday June 16, 2006 @12:30PM (#15549507)
        I got took for a paycheck's worth, with no high tech used or needed.
        Someone hand copied all the info on my card, front and back, when it was used at a restaurant.
        I called the bank (Fleet, often considered big and difficult), they looked at everything that happened, I told them which ones were bogus, their fraud department confirmed the details of the transactions (location, times, names - these people were dumb enough to charge at Woolworths overseas, and paid bills for Progressive insurance, ATT and Verizon cells and Cablevision - all eminently traceable).
        They reversed the charges, and said they were still subject to verification, and since they were all as I presented them, I got it all back and kept it. Most of the money was back after the next overnight, the rest was back after two overnights.
        • >I called the bank ... I told them which ones were bogus
          I dropped all my cards except those that allow online disputes for this. (For me) it's much easier to click the transactions, hit dispute, and forget about it until they call me, instead of 10 minutes on hold, then giving all my account details, mother's name, SSN digits... over an insecure link (any phone line, but especially my cordless phone at home; cell eats minutes) to get them to chat. Unfortunately the only cards I have found were Discover and AME
    • by Grendel Drago (41496) on Friday June 16, 2006 @11:10AM (#15548907) Homepage
      Of course, if you've been silly enough to use a debit card, you're out the money for six months or however long it takes until the bank gets around to deciding that you didn't really spend the money. Happened to Tom Tomorrow [thismodernworld.com].
      • by vinn01 (178295) on Friday June 16, 2006 @11:51AM (#15549232)

        I used to have a brokerage debit card. It withdrew funds from my money market account. It was an insane risk to use that card. It would have been a jackpot if thieves got that number. And my financial life would have been in ruins for months.

        Since the bubble burst, I don't have to worry about having a lot of money in a money market account.
    • by goodcow (654816) on Friday June 16, 2006 @11:11AM (#15548915)
      I think you're forgetting the fact that PayPal also stores checking account information, which is far, far more difficult to get money back from in the event of identity theft.
      • This is a great point; checking accounts are different beasts altogether. I set up a completely separate checking account at a different bank from my personal one for PayPal transactions only. It works because, yes, it has the potential of being hacked, but they aren't privy to access my other primary accounts which pay my mortgage. If a customer has a rather large transaction I always do money orders.
      • by Golias (176380) on Friday June 16, 2006 @12:09PM (#15549359)
        I think you're forgetting the fact that PayPal also stores checking account information, which is far, far more difficult to get money back from in the event of identity theft.

        Which is one of several reasons why linking your bank accounts directly to PayPal is a terrible idea, no matter how much they like to push it on you.

        If you use PayPal at all, only link it to a credit card which you've kept at a low limit. PayPal has long shown themselves far too irresponsible to be trusted with any of your real money.
      • by fallen1 (230220) on Friday June 16, 2006 @12:17PM (#15549409) Homepage
        This is the reason I have an account set up with my bank that states it is specifically for PayPal. Period. The only money I keep in the account is enough to cover 4 to 6 months of banking charges (like $5/month) so even if someone were to try and steal the money in that account, I'm out $20 to $30 or so AND I am immediately alerted to the fact that account has been breached.

        At this point I immediately shut down the checking account, check with my bank to see if anyone has called and tried to change account information or get more info on accounts, apply for my money back based on fraud/identity theft, log in to PayPal (_if_ I can) and change passwords (if I cannot log in to PayPal then I try and contact PayPal to have that account shut down), set up a new checking account for PayPal only, and finally - if needed - start a new PayPal account.

        With a special checking account for PayPal only, and it designated as such, that makes it much easier to prove fraud/identity theft since I have NO checks for the account, NO check card for the account, NO online banking for the account, NO way to access the account other than through PayPal or by walking into or calling the bank. Sure it costs $5 per month but if you really need/want to do transactions through PayPal it is the safest way. Also, if PayPal gets a wild hair up their ass and decides to freeze your account for some reason (someone accuses you of fraud, whatever) then the only thing they tie up is that same small amount of money in an easily closed account.
         
    • What some people don't realise is that a lot of the credit card companies will put layer upon layer of bureaucracy in front of you to try and stop you claiming. Recovering stolen funds can be very time consuming.

      On top of that, you have to have cards re-issued and any recurring payments set up on them have to be re-established with the new card.

      For a lot of people, the fear of having their credit card details stolen is not about losing their money but the considerable amount of hassle involved in gettin

    • by HardCase (14757) on Friday June 16, 2006 @11:13AM (#15548936)
      Absolutely true, but, like everything else, there ain't no such thing as a free lunch. We all end up paying for it because reversed transactions are a cost of doing business that all merchants must calculate into their retail prices. If nothing else, it ought to cause people to be more aware of just what they're clicking on when they get an email.

      -h-
    • what you don't realize is that if someone gets your paypal info they can empty your checking account and paypal will tell you.

      "Sorry but your fault. thanks for giving us money!"

      paypal != creditcard.

      in any way shape or form. never EVER link your bank accounts to paypal.

      • Which is pretty much why I stay away from Paypal like the plague.

        Paypal is trying to be a bank without having ANY of the federal regulations set forth to banks. You have no insurance on any of the money in your paypal account, which could be 'frozen' at any time. It's a total wonder to me why anyone trusts paypal enough to give them their banking information..
        • "Paypal is trying to be a bank without having ANY of the federal regulations set forth to banks."

          Are you sure about this statement? I believe they are regulated as a bank just like a brick and mortar bank.
          • I believe they are regulated as a bank just like a brick and mortar bank.

            You believe incorrectly. [auctionbytes.com]
          • In the UK PayPal are regulated by the Financial Services Authority. So you're probably a little bit safer if your PayPal account is a UK one. The FSA do have teeth.


          • They're up to no good somehow.

            I made a contribution to a free overseas web service, being a good guy, supporting it, etc. Looking at the PayPal trail of breadcrumbs, they determined the exchange rate[*], rounded up, made the payment, then returned the difference to my account.

            About ten days later, I get a nifty envelope from GE, managing a "PayPal Credit Service" for the amount of the exchange rate[*] with a minimum charge, deadline, service charge if it's late ($15), everything you'd expect to see f
        • You have no insurance on any of the money in your paypal account, which could be 'frozen' at any time

          Which is why I keep a minimal amount in the account. And I *never* click on a link to anything having to do with money out of email. I always use a bookmark or type in the URL manually. The only problem I have with Paypal is their history download is a joke: the balance doesn't change between some transactions, only to have it be added to another transaction later. It makes balancing the account a roy

        • You may want to consider a pinch of research before saying that they aren't held to ANY federal regulations. They may not be covered under FDIC as a bank, but they are held liable to other federal regulations. I dug this up although I cannot verify it by any reputable means:
          "While Paypal is not a bank and thus can't be regulated by the FDIC, it is regulated by the Federal Reserve under Regulation E and by each state government as a money transfer provider."
    • by sgant (178166) on Friday June 16, 2006 @11:44AM (#15549177) Homepage Journal
      I've been working on this for years now...decades actually....but now I'm totally protected from people stealing my identity and ruining my credit. Here's how I did it:

      I've personally destroyed my credit so badly over the years that if someone were to steal my identity, the joke would be on them! Hell, it may actually even help my credit.

      Oh sure, people laughed at me over the years...but who's laughing now?!! Ok....so they're still laughing at me...but that's beside the point.
      • There's nothing like the feeling of NOT getting a credit card bill once a month, except not having a car payment to make, or a mortgage payment to make either. (I 'lucked out' despite having MS.)

        I have ONE credit card left and that gets used judiciously. It's also a pay-by-phone type deal with security identification.

        I have no credit rating because I don't WANT any (and I can afford NOT to have any. :-)

        You wouldn't believe the number of CapitalOne offers that I've put through the shredder over the years.

        When
    • That will not last forever. The credit card vendors are moving to shift liability back to the retail merchant, not the issuing merchant bank or the acquirer. The merchants will either raise prices or hold the cardholder responsible.

      Secondly, what else can a phisher do if they have your name and CC data? Can they bootstrap from that to further knowledge about you, allowing them to actually access your credit (for loans, cars, etc.)? Once they can assume your credit history the sky is the limit and your life
      • Actually it's the merchants that foot the bill (I would know, I'm a merchant with an account with Moneris).

        If I get a chargeback and I don't have a signature to prove the transaction, I get charged $35 + the amount of money charged. Not only that, but if I get enough chargebacks, I lose my account.
    • Yes, but it's the merchants that foot the bill, not the credit card companies, nor Paypal. Would it be fair if some mom-and-pop shop paid for the mistakes of Paypal? I think not.
    • Unless a merchant has proof that you made the transaction on your credit card

      Almost - I don't know about the terms of your card, but mine has language in it along the lines of anything that I buy, or that someone I allow to use my card buys, I'm liable for. That is, if I tell my girlfriend "sure, use my card" and she runs up a huge bill, tough on me.

      That doesn't apply in this situation, of course, but it's worth remembering that you can't exploit the apparent loophole (at least, not without getting the pers
  • ... Oh my God! How will the masses be able to buy gold for World of Warcraft? Something has to be done... GonzoTech
  • by Billosaur (927319) * <wgrotherNO@SPAMoptonline.net> on Friday June 16, 2006 @11:09AM (#15548895) Journal

    When the victim visits the page, they are presented with a message that has been 'injected' onto the genuine PayPal site that says, "Your account is currently disabled because we think it has been accessed by a third party. You will now be redirected to Resolution Center." After a short pause, the victim is then redirected to an external server, which presents a fake PayPal Member log-in page. At this crucial point, the victim may be off guard, as the paypal.com domain name and SSL certificate he saw previously are likely to make him realise he has visited the genuine PayPal web site - and why would he expect PayPal to redirect him to a fraudulent web site?

    What will they think of next? I must say, I get more PayPal phishing emails than for anything else. With the profusion of them, and PayPal's constant warnings that they would never ask for such information, it's still amazing how many people will fall for this, especially as the spoofs get more slick and sophisticated.

    • I usually spot phishing scams based on the informal register of the language. Like, this is what I'd expect to hear in that case:

      We suspect that your account information has been compromised, and have disabled your account as a security precaution. You will now be redirected to the Resolution Center to verify your information.

      That is, when they're not totally butchering my language:

      Sir apologies you to! We is suspects that hackers been gotting into your account and disabled fraud! Please give to your

    • A friend of mine ALMOST got caught by this.

      Secured? Check, Paypal direct link? Check. Confirm info...ok....click click click....wait a minute...why is it asking me for a Bank PIN #?

      They were a little TOO greedy for info...turns out it was residing in memory and redirecting AFTER he logged in.

      Tricky bastards indeed.

      Yo Grark
    • by pavon (30274)
      While there will always be gullible people, I am not surprised that PayPal has a larger problem than other places. When I was still using them, they had horrible email practices. They sent out emails advertising new services. They even included links in their emails. There was more than once when I received a legitimate email from PayPal which I thought was a phish. Yeah, they sent out warnings about phishing, but when legitimate email looks like a phish, people are going to have a harder time telling the dif
    • It seems to me that this phishing attempt would never work on people who employ one simple tactic. When you get an email from a company requiring action on your account, log in directly to the account yourself and do not click the links in the email.
  • how?? (Score:3, Interesting)

    by zimsters (978940) on Friday June 16, 2006 @11:09AM (#15548896) Homepage
    "by tricking users into accessing a URL hosted on the genuine PayPal web site" How are hackers injecting this code into a legitimate paypal website?? Don't you have to modify the source code on the paypal servers themselves?
    • Re:how?? (Score:5, Informative)

      by shawn443 (882648) on Friday June 16, 2006 @11:25AM (#15549029) Homepage
    • How are hackers injecting this code into a legitimate paypal website?? Don't you have to modify the source code on the paypal servers themselves?

      Well to be fair... Pay Pal does hand out dev kits for pay pal ecommerce customers. As in... You get an upgraded account to interface your eStore into your pay pal account to directly accept credit cards.
  • by Draconnery (897781) on Friday June 16, 2006 @11:18AM (#15548975)
    This extremely detailed and thorough (~3 paragraphs long) article does sound like PayPal has a problem to take care of, but the flaw described doesn't remove the burden of stupidity from the phishing equation.

    Anybody can make a website look like another website, so it's up to a user to think. Get an email that doesn't make any sense? Think very hard about everything that it leads you to. PayPal asks for your ATM PIN? Who the fuck does that? Nobody. My bank doesn't even know what my PIN is. ... sorry, I just live in a college town where the newspapers report bank fraud once a month because some stupid student fell for the 23 emails they received about suspicious activity concerning their bank account. Annoying.
    • A few weeks ago, I would have agreed with you. More recently, I've been doing some research and found that only rarely are there obvious 'tells' like asking for a PIN.

      You see, in addition to making it look exactly like the vendor's site, they now no longer ask for anything unusual. You click on the link, and are presented with the standard, expected login page. You log in, and everything works just like normal. What really happens is that you log into their server, they capture your information, and

  • by ch-chuck (9622) on Friday June 16, 2006 @11:18AM (#15548980) Homepage
    The server currently running the scam is hosted in Korea

    North? South?

    As I post this, 6 out of 8 top level posts have a '?' in the subject,
    now 7 out of 9.

  • Surprise? (Score:3, Insightful)

    by theaddkid.com (983011) on Friday June 16, 2006 @11:23AM (#15549017) Homepage
    I don't know how this is a surprise to anyone; "cross-site scripting techniques" are so common now they're writing magazine articles about them. Go look at the last 2600 and you will find out how to do it, and that you can start with myspace.com.
    • I don't know how this is a surprise to anyone; "cross-site scripting techniques" are so common now they're writing magazine articles about them. Go look at the last 2600 and you will find out how to do it, and that you can start with myspace.com.
      The people that this is a surprise to are probably not people who read 2600.
  • I've got a fix (Score:5, Informative)

    by Dixie_Flatline (5077) <vincent...jan...goh@@@gmail...com> on Friday June 16, 2006 @11:30AM (#15549080) Homepage
    Never follow a link in an email.

    It may be convenient, but in the vast majority of cases I've found that I can navigate from the main page if I know what I'm looking for. You can do basically everything from paypal.com without following the link that takes you directly to a specific page.
    • It's not a very good fix though.

      The thing is, you always have a tradeoff between safety and convenience. The very point of a service like PayPal is that it is convenient. Therefore you almost have to think that it has a built in tendency towards being insecure. The trick is to get the same convenience as a link without the danger.

      What sites should do, I think, is send notifications by email, but not include any URLs or even FRACTIONS of URLs (including the domain name) that could be cut and pasted. Then
      • That'd be great, but your average sheeperson would still click links if they were sent them. The bad guys would be under no impetus to abide by PayPal's rules, and your average person wouldn't be observant enough to know that PayPal won't send the URLs. Probably even if PayPal put up a huge banner on their site saying, "We will never send you URLs", many people would still click or copy/paste.

        • It displays the actual content of the link as a pop-up.

          I then copy the link into a browser window but not the URL portion. I usually have NW-tools.com up on my browser and use that to check the origin of the message.

          I do that with all the phony 'meds' spam I get too.

          People have to be really STOOP-ID to click on a link on an email.

          I don't even do that with mail purporting to be from people I know.

          • I'm having a hard time understanding what you mean. You copy the link, but not the URL portion?

            Anyway, people might be stupid to click on links in e-mails, but LOTS of people do it, and spammers will continue to try this method no matter what security protocols legitimate websites develop.
  • Paypal is insecure (Score:2, Insightful)

    by Nightspirit (846159)
    I rarely use paypal, checked my bank statement one day, and realized 2k was missing from my bank courtesy of paypal. I have never clicked on a paypal email, and so the only explanation I could think of is either gross incompetence at paypal, or a keylogger was on my system (which was doubtful). Of course, I run all the major spyware/adware/virus/rootkit detectors and nothing (and yes, I do have a firewall, do not use wireless on this computer, and have a good password).

    So, no more paypal for me. Of course
  • by Todd Knarr (15451) on Friday June 16, 2006 @11:32AM (#15549098) Homepage

    This shouldn't really be a problem. It only occurs if you click on a link in the e-mail. If you ignore the link in the e-mail, go to PayPal through a bookmark of your own and proceed from there, the phisher can't inject any code. End of problem. And if what the e-mail's asking for is legitimate, you'll be able to do anything you need to do directly through PayPal without needing to use any links in the e-mail.

    First rule: never trust the identity of the other party if you didn't initiate the contact yourself. When someone calls you on the phone claiming to be your bank you don't trust them, you hang up and call your bank's customer-service number yourself. When someone sends you an e-mail claiming a link will take you to PayPal you don't trust that, you fire up your browser and use your own bookmark to hit PayPal.

  • by XxtraLarGe (551297) on Friday June 16, 2006 @11:33AM (#15549104) Journal
    I don't know how people fall for these scams. PayPal tells you exactly how to avoid them:
    • PayPal will always include your full name in any e-mail correspondence, not "Dear PayPal Member/User/etc."
    • PayPal tells never to click on a link to log in to their site. They say always type the url: https://www.paypal.com/ [paypal.com]
    Additionally, you should report all spoof e-mails to spoof@paypal.com. Hopefully PayPal will be able to track these online criminals down with the help of users.
    • PayPal tells never to click on a link to log in to their site. They say always type the url: https://www.paypal.com/ [paypal.com]

      Paypal site is slow. Plus, it has nagware pages every time you log in directly. Plus, if you want to find something a few days old, it's a pain since you have to go to history and hit next and remember the amount and all, and did I mention the site is slow?

      It's like saying when you contact AT&T, always call the main number and carefully select the options till you get to the technical a

      • Umm, "doesn't lose anything"?

        PayPal probably loses quite a lot of money because of phishing assholes, through the human resources spent fighting the crap spewed by the phishers.

        Think about it:
        • The support guy who takes the initial customer phone call, and has to explain basic things like "identity theft" and "read your newspaper once in a while", and...
        • The other support guy who now has to track down where the money went, and if possible put it back, and...
        • The support guy who has to call the (possib
        • PayPal probably loses quite a lot of money because of phishing assholes, through the human resources spent fighting the crap spewed by the phishers.

          Wow, they do all that when a 3rd party tries to take my money? That's pretty good. They don't do much when an actual seller through PayPal steals from me, though. Perhaps they should focus on that first, then worry about when 3rd parties steal in their name.
    • If you get a message from any organization you deal with online, your bank, eBay, even your free webmail account, do NOT click on the link. Go to their site and log in as you normally do. Why? Well, because if they need something, the site will let you know as soon as you log in. There's no possibility for any kind of redirection attack since you actually went to the site properly.
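One way to mechanise the two checks XxtraLarGe lists above (full name in the greeting, never a link to log in), together with the point this story makes that the link's host alone proves nothing because the lure URL sat on the genuine paypal.com host. This is an added example in Python, not code from PayPal or from anyone in the thread; the e-mail samples, the recipient name and the URL paths are constructed placeholders.

```python
"""Heuristics for e-mail claiming to come from PayPal (added example, not PayPal's code).
Rule 1: genuine mail uses your full name, never "Dear PayPal Member". Rule 2: a link to a
login/account/resolution page is a lure whatever host it names (the real lure was on
paypal.com, so a host allowlist alone passes it). Rule 3: non-paypal.com or hidden hosts."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOSTS = {"paypal.com", "www.paypal.com"}
GENERIC_GREETINGS = ("dear paypal member", "dear paypal user", "dear customer")
LOGIN_PATTERN = re.compile(r"login|signin|account|resolution", re.I)


class LinkExtractor(HTMLParser):
    # Collects (href, anchor text) pairs from an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(url):
    return (urlparse(url).hostname or "").lower() in TRUSTED_HOSTS


def analyse(raw_message, full_name):
    """Return a list of findings for one message; an empty list means clean."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    lowered = text.lower()
    findings = []
    if full_name.lower() not in lowered or any(g in lowered for g in GENERIC_GREETINGS):
        findings.append("generic greeting: full name missing")
    parser = LinkExtractor()
    parser.feed(text)
    for href, label in parser.links:
        host = urlparse(href).hostname
        if LOGIN_PATTERN.search(href):  # rule 2: fires even when host is paypal.com
            findings.append(f"link asks you to log in via e-mail: {href}")
        if not host_is_trusted(href):   # rule 3: lookalike or foreign host
            findings.append(f"link host is not paypal.com: {host}")
        if "paypal.com" in label.lower() and not host_is_trusted(href):
            findings.append(f"link text {label!r} hides destination {host}")
    return findings


NAME = "Jane Q. Example"  # constructed; samples below use placeholder URL paths

PHISH_ON_GENUINE_HOST = """\
Subject: Your account has been limited
Content-Type: text/html

<p>Dear PayPal Member, your account is currently disabled because we think it has
been accessed by a third party. <a href="https://www.paypal.com/CONSTRUCTED-PATH?page=resolution">Visit the Resolution Center</a>.</p>
"""

PHISH_LOOKALIKE_HOST = """\
Subject: Verify your information
Content-Type: text/html

<p>Dear PayPal User, log in at <a href="https://www.paypal.com.example.net/login">https://www.paypal.com/</a>.</p>
"""

GENUINE_STYLE_NOTICE = """\
Subject: You received a payment
Content-Type: text/plain

Dear Jane Q. Example, you received a payment of 12.00 USD. Open your browser and
type www.paypal.com yourself; never log in through a link in e-mail.
"""
```

Running `analyse(PHISH_ON_GENUINE_HOST, NAME)` shows the genuine-host lure is caught only by the greeting and log-in rules, which is the lesson of this thread.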
  • I hardly ever use it and PayPal is too big a target with too poor security, and almost nonexistent procedures for recovery after fraud.
  • by WillAffleckUW (858324) on Friday June 16, 2006 @12:33PM (#15549523) Homepage Journal
    by sending the full headers and links to spoof@paypal.com
  • It's important to educate oneself about basic security. Don't click a link in any email that refers to PayPal. As a matter of fact, there are few reasons to click links in any emails.

    Just as important, seriously, educate others. Don't mumble "Darwin" or "figure it out yourself" when you can help someone else protect themselves or educate themselves about security threats.

    Always report PayPal phish attempts to spam@paypal.com.

    There's an excellent set of resources about phishing in general - and you can report phishing attempts at: antiphishing.org [antiphishing.org].

    Not to be repetitive, but the best way to make a difference (in this case) is to help others and help yourself with education.
  • Good news for Google (Score:3, Interesting)

    by blueZ3 (744446) on Friday June 16, 2006 @12:56PM (#15549704) Homepage
    in their attempt to break into the on-line payments business?

    I recently (re)opened an account to buy a pinball machine on eBay (Stern Stars, a cool old machine), but it is only tied to my credit card. I'm very familiar (through personal experience) with PayPal's inability to handle fraud (the reason I closed my original, bank-linked account) and their lose-lose-win schemes (on a contested purchase, the buyer loses their money, the seller loses the item, and PayPal gets the big win by keeping any contested funds). I would probably have closed the account again, but my wife wanted to purchase some baby paraphernalia from a home-based business that only accepts checks or PayPal. I'm thinking this article is a reminder to close my PayPal account.

    Frankly, I will be very, very happy once Google's tool is available and I have a viable on-line payments alternative to PayPal.
  • I'd like to know... (Score:4, Interesting)

    by pongo000 (97357) on Friday June 16, 2006 @02:11PM (#15550214)
    ...why it is that whenever I log into PayPal, the number of PayPal-phishing e-mails suddenly increases over the next few minutes? It's as if something is monitoring traffic destined for PayPal (a compromised router, perhaps?) and is automatically triggering phishing e-mails to the originating IP.

    Has anyone else seen this?
  • Apparently Netcraft confirmed it.

    --Rob
