
PayPal Denies Providing Payment Information to Twitter Username Hacker - fraqed
http://thenextweb.com/insider/2014/01/29/paypal-denies-providing-payment-information-hacker-hijacked-50000-twitter-username/#!tXHD5
======
ck2
PayPal is lying or playing dumb and here's why:

Ask them if the customer service agents can see the last four or if they have
to enter them first before the customer's records come up.

They can see the last four right away.

Call paypal and ask them which card you have on file, you cannot remember. The
agent can give you the last four to identify it.

~~~
chimeracoder
> Call paypal and ask them which card you have on file, you cannot remember.

Exactly. I've done this before when services ask me for my full credit card
number or expiration date (to verify), and I ask them for the last four digits
(to remind me which card I used).

What PayPal did may be bad, but what GoDaddy did (use the last six digits) to
verify is even worse.

If you know the last four digits, you have a better than 1% chance of guessing
the previous two, since they are not uniformly distributed:
[http://en.wikipedia.org/wiki/Luhn_algorithm](http://en.wikipedia.org/wiki/Luhn_algorithm)

(There are actually even _more_ restrictions than the Luhn algorithm on credit
card numbers, but I won't go into them here. Suffice to say, there's a reason
that the attacker says he was able to guess it in a single try - he was lucky,
but not _that_ lucky).

~~~
WatchDog
Unless you know every other digit in the card number, I don't see how knowing
the Luhn algorithm is going to narrow the possibilities of guessing just the
two digits.

~~~
unreal37
Also, a credit card can never be used by itself for any purchase, ever. You must
have the name, expiry date, and if you're doing transactions online, often the
address and CVV2 as well.

~~~
jrockway
As far as I know, not true. Merchants get discounts for asking for more
information, but it's not strictly required to process your card.

~~~
swombat
It depends on the bank. Some require more data than others. In either case,
though, if the transaction turns out to be fraudulent, it's the merchant that
pays, so the merchant has a strong incentive to ask for more rather than less.

------
lipanski
In my opinion, the hacker who hijacked this guy's Twitter account didn't have
ANY interest in explaining how he got to it, besides creating a hoax to
confuse and divert attention. Just think about it: in just one email he puts
the blame on both GoDaddy, for doing phone validation over insecure criteria
(like credit card numbers), and PayPal (for giving out the last digits of the
card number to a complete stranger). There might be some truth to it
(GoDaddy's phone validation sucks and GoDaddy sucks altogether), but I've read
the original HN thread and the majority of comments are directed against
GoDaddy or PayPal, rather than the real perpetrator. There are a million ways
to hijack someone's account - including but not necessarily by exploiting flaws
of GoDaddy / PayPal - but I wouldn't trust the hijacker to kindly explain to
me how he _actually_ did it.

~~~
jader201
_> didn't have had ANY interest in explaining how he got to it, besides
creating a hoax to confuse and divert attention._

Would the story have gone viral, though, had he just said, "I'm not going to
say anything about how I did it."? The story would have just been another "I
got hacked" story.

If the hacker were really clever enough to fabricate such an elaborate hoax, I
think he would have been clever enough to realize the best way to divert
attention from the story, would have been to just keep quiet.

~~~
Uchikoma
The argument was, he was deflecting attention away from him towards others -
which, as this thread for the parent poster shows, worked.

~~~
jader201
My argument is, this attention wouldn't even be here had he just kept quiet.

I don't think he was clever enough to have foresight that a) this would get
this much attention, _and_ b) he would need to deflect said attention by
fabricating an elaborate hoax.

The guy simply wanted to brag about what he did in the excitement of
actually pulling it off. I think this is much more believable than him
fabricating this story.

~~~
Uchikoma
After all the prison sentences lately, I'm not sure he wants to brag about
himself.

~~~
jader201
If he were really that concerned about prison sentences, would he have done
this to begin with?

Not being snarky, that's a real question. I don't know the minds and rationale
of hackers.

I generally get the impression hackers honestly feel they're invincible, until
they get caught. Maybe that's a misperception though.

~~~
lostlogin
That may be an age thing - often they are young males. Entirely conjecture.

------
bushido
What's interesting is that in the original "I got hacked" post[0], the email
from the hacker says that he called PayPal and posed as an employee.

That may not be tough to do, i.e. if you call a call center, select the wrong
department and request an internal transfer, it is quite possible that the
person receiving the call would not be able to distinguish between an internal
call or a customer call.

So if the hacker told them he was Jack from xyz department, who would know the
difference? Better still, would they log the call at all?

The alleged breach could in this situation be quite easy.

[0] [https://medium.com/p/24eb09e026dd](https://medium.com/p/24eb09e026dd)

~~~
carlosrt
When I worked at a large bank many years ago, internal calls were verified to
be bank employees. It was low tech, but when a bank employee called and asked
about a customer we had them verify they were a bank employee by telling them
to look up, and tell us what was on a certain page and line of an internal
bank book. If their answer matched what we were looking at as well then the
conversation continued. The books were changed/printed often.

~~~
ionforce
That's just like the early-days video game anti-piracy measures.

What is the third word on the second paragraph of page 42 of the Dungeon
Master's manual? Etc.

~~~
nknighthb
Military codebooks are used in this way for authenticating over unsecured
links. Letters or numbers are laid out in a grid-like format, and you make the
far side read off a certain cell.

[http://en.wikipedia.org/wiki/DRYAD](http://en.wikipedia.org/wiki/DRYAD)

[http://en.wikipedia.org/wiki/BATCO#Other_functions](http://en.wikipedia.org/wiki/BATCO#Other_functions)

------
ColinWright
> PayPal Denies Providing Payment Information to Twitter Username Hacker

Well, they would, wouldn't they.

~~~
misnome
Exactly - as the article points out, without released voice recordings (if
they exist, which is not a given), they can't prove that they didn't. Haven't
similar things happened before with paypal though?

~~~
freerobby
In a hearsay battle between Paypal and a thief, why is the burden on PayPal to
prove its innocence?

~~~
shrooms
Because Paypal has a history of being full of shit.

~~~
1angryhacker
that's not a reason to convict without evidence.

if paypal is so shit why is everyone using them.

vote with your feet

~~~
zamalek
We aren't convicting them here - this isn't a court. It's just pointing out
that, once again, as always:

PayPal

Not only did they screw up; but they also can't man up, tell the truth and be
transparent - as usual. Shit happens. Slamming us with a denial that shit
happened is implying that you aren't going to do anything about it; admitting
it is a clear statement that you are not proud of it and will work to make
sure it never happens again.

It's come to the point where if someone said that PayPal are responsible for
climate change, I would be inclined to believe them. No matter how much they
denied it.

~~~
jessedhillon
In other words you're prejudiced and see no reason to logically validate your
preconceptions?

Great, that's what we need. More people commenting who have all the answers.
What if PayPal were telling the truth, how exactly would that situation look
different than the one we are in? Good thing PayPal's always wrong though!

~~~
orclev
It's more like extrapolation from a known set of data points. PayPal has a
certain history. You can look up what's gone down in the past, and based on
that, the accusations fall right in line with the sorts of things PayPal has
historically done. At this point it seems far more likely that PayPal did in
fact do what it's accused of than that it didn't.

_If_ PayPal is in fact telling the truth (and that's a big if), then the
question becomes where did the hacker get the last 4 of the CC from? GoDaddy
has confirmed the hacker had a large amount of info, including presumably the
last 4 of the CC when he called them, so somewhere in this whole thing someone
gave that data away.

~~~
fat0wl
(I can't reply to jessedhillon's follow-up comment yet & i don't want to wait
so I'll just reply here....)

If you look as far as... oh say, the top of this thread on HN, you will hear
accounts from people who have apparently done this very thing (asked PayPal
for the last 4 digits and got an answer). So it seems like their policy did not
forbid it, anyone could do it, so why not believe the hacker's claim?

You can't have a policy of routinely giving out certain info then deny that
you gave it out in a case where it caused a security breach. What is the
defense there? "Well yeah ordinarily we DO give that out but we could tell
this guy was a hacker so we didn't." Yeah, they wish. If they regularly give
out last 4 digits, then the claim that they didn't in this case is absurd.

------
parandroid
Perhaps the cracker is actually employed at PayPal for real? :) This thought
amuses me, since it's a scenario with no leaks outside the circle of PayPal
employees, yet it gives the opportunity to the bad guy to gain the info
necessary for the deed.

------
slack3r
[http://thenextweb.com/insider/2014/01/30/godaddy-accepts-partial-responsibility-social-engineering-attack-ns-customer-account/](http://thenextweb.com/insider/2014/01/30/godaddy-accepts-partial-responsibility-social-engineering-attack-ns-customer-account/)

"Our review of the situation reveals that the hacker was already in possession
of a large portion of the customer information needed to access the account at
the time he contacted GoDaddy. The hacker then socially engineered an employee
to provide the remaining information needed to access the customer account.
The customer has since regained full access to his GoDaddy account, and we are
working with industry partners to help restore services from other providers.
We are making necessary changes to employee training to ensure we continue to
provide industry-leading security to our customers and stay ahead of evolving
hacker techniques."

It's likely the attacker obtained credit card info from GoDaddy rather than
PayPal.

~~~
MarkTee
"evolving hacker techniques"?

I'm pretty sure that these fancy tactics can be found in _The Art of
Deception_, which was released in 2002. Social engineering is nothing new.

~~~
zimpenfish
They can probably be found in any writing since about when people discovered
that manipulation and lying got them a warmer spot in the cave and a bigger
slice of mammoth pie.

------
MattyMc
Alternatively, if this hacker had a method different than what he/she
described to obtain the necessary information, it would make sense that he/she
would describe a false sequence of events in order to throw the account holder
off the trail.

------
RexRollman
I am more interested in Twitter's response to all of this.

~~~
jader201
While I think the right thing for Twitter to do would be to give the account
back, they didn't really do anything wrong (if the story is to be believed).
Hiroshima simply changed the account name, and let the hacker know it was
available.

Not sure Twitter could have done anything to prevent this from happening.

------
Frostbeard
All the hacker claims to have obtained from PayPal is the last four digits of
the credit card number. Perhaps this failed attempt they mention was them
asking the hacker to provide the complete credit card number ending in XXXX as
a form of verification?

------
poizan42
Well PayPal once flagged a non-existent transaction on my account as
suspicious. I had to call them to get it sorted out. The fact that something
like that can happen surely doesn't help me trust PayPal...

~~~
MarkTee
Why? Sounds like they did you a favour.

------
chris_wot
I'd be reporting them to the authorities. Then I'd sue them, and get the
recording in discovery.

~~~
Torn
Who's going to cover the lawyer costs? I'd love to see a 'no win no fee'
company prepared to take on PayPal.

~~~
chris_wot
It's done all the time with class actions.

~~~
ScottWhigham
This line of reasoning doesn't make a whole lot of sense. As a member of
several class action lawsuits over the past 20+ years, I bet I've made out
like a bandit - no less than $2.50 distributed over maybe 5-7 CALs. Sweet! The
lawyers, however, probably made $500,000,000 with those 5-7 lawsuits.

So while there's a financial want from the lawyers' perspective, why would _I_
want to go that route?

~~~
Bluestrike2
Generally speaking, class action suits--especially for smaller claims, like
what chris_wot implies--are less about seeking individual relief and more
about leveraging the potential for significant damages to force a defendant to
initiate a change in a given behavior. So even though you might only walk away
with a few pennies, on balance, there's a net benefit to the public value that
stems from behavioral changes.

If Mr. Burns is dumping his chemical waste into Lake Springfield and you're
winding up with little three-eyed fish as a result, you're hoping to force Mr.
Burns to stop polluting the lake.

Are there sleazy class action attorneys? Absolutely. They can be found on late
night television, ugly billboards with creepy mugshots, and stalking ambulance
drivers (:D). Basically, anywhere your regular run-of-the-mill shyster
attorneys can be found. But they're also fewer in number, mainly because class
action litigation is _significantly_ more resource-intensive than other types
of litigation. And since class action attorneys are almost always working on a
contingency basis, there's a lot to support the idea that they earn their fees
here.

It might not seem fair when you're looking at a $2.50 check, but that's the
tradeoff you accept in order to bolster your ability to force a change.

------
homersapien
Why doesn't Twitter simply quarantine the handle until some sort of dispute
resolution is completed? Oh wait, Twitter doesn't "do" customer service, so
forget about any sort of common sense solutions.

------
jontas
Shouldn't it be easy enough for Twitter to just return the handle to the
original owner? I guess Twitter has to cover their own ass to a degree, and it
is possible the original owner is making up this story and actually sold the
Twitter handle (though I suspect this would be against Twitter's policies).

However, based on what I've read, the people involved, and Occam's Razor, I
believe the published story. Twitter should transfer ownership of the handle
back to Naoki Hiroshima, do the right thing, and get some good press at the
same time.

------
squigs25
PayPal's value lies in its network and its trustworthiness. There is no way
in a million years they would divulge a f\*\*\*-up of this magnitude unless
there was cold hard proof.

But I think there is pretty convincing proof, and I think if anything, this
makes them less trustworthy than if they had come out and accepted partial
wrongdoing.

The "hacker" had no incentive to lie; the ace was in his hand.

~~~
rwallace
Actually, neither the hacker nor PayPal has presented any proof whatsoever
(there is as yet no proof that the hacker even had the last four digits of the
card number, and if he did, there are plenty of sources to get those from).

Either could for all we know be telling the truth, but if you find yourself
automatically taking the word of a known thief over that of a legitimate
company, it's time to stop and re-examine, not only your conclusion in this
case, but every aspect of the thought processes you use for such things. The
hacker had several possible incentives to lie, and I'm sure you'd be able to
figure out at least some of them if you stepped back and looked at the
question objectively.

------
thehme
I am very interested in what comes out of this. When I read Hiroshima's blog
post, I was getting chills thinking how angry I would be if I could not get
into my own accounts thanks to someone taking over them simply by exercising
human engineering tactics. Big and small companies need to implement 2-step
verification, or better, and never give out information.

------
dutchbrit
Alternative option: the thief has an insider at PayPal, or even worse, works at
PayPal.

But PayPal is probably just trying to cover their ass.

~~~
datphp
I'm not a PayPal fan but reading how he supposedly obtained the digits, I
immediately thought it was bullshit.

An insider seems likely, and it doesn't even have to be at PayPal. Most
companies where you use your credit card either have your email, or could
figure it out using your name / address.

------
melindajb
PayPal records every call, 100%, and also all the screen captures of the agent
answering the call. So, either they're telling the truth, or they're lying.
Not sure how anyone could tell the difference. But I guarantee you, they
listened to the call.

I can't see why a hacker would actually give his secrets away.

------
enscr
I didn't expect them to come forth and accept it. If it's an employee mistake,
and not a standard broken process, they can erase the tracks.

~~~
msandford
If it's possible for employees to be able to make such a mistake, that's a
standard broken process. It should not be possible for them to reveal the last
four no matter how badly someone wants them to and how clever their social
engineering skills. It shouldn't be possible from a technical perspective, not
from a "we told employees not to do this" perspective.

~~~
Uchikoma
If you display 4 digits to the user for CC validation, as basically everyone
does, then there will always be someone who can read those 4 digits and give
them to someone else.

~~~
rahimnathwani
You don't need to display them to the user. The user can ask for them from the
customer. The user types in the 4 digits the customer provides. The computer
compares the two strings. The user need never see the real stored digits.
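
The compare-without-display design rahimnathwani describes (and msandford's point that revealing the digits should be technically impossible for an agent), as an added Python example that is not from this thread or from PayPal: the agent types what the caller claims, the service answers only match or no match, stores an HMAC tag rather than the digits, and locks the account after a few misses because a four-digit yes/no oracle is otherwise cheap to exhaust. The store, key, and thresholds are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a payment-account store (not PayPal's system).
# The stored value is an HMAC of the last four digits under a server-side key,
# so neither the agent UI nor a read-only DB query exposes the digits; the
# verify() call is the only interface and it never returns them.
SERVER_KEY = secrets.token_bytes(32)   # assumption: held by the verifying service only
MAX_FAILURES = 3                       # lock the account after this many misses
LOCKOUT_SECONDS = 15 * 60


def _tag(account_id: str, last4: str) -> bytes:
    # Bind the tag to the account so identical digits on two accounts differ.
    msg = f"{account_id}:{last4}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


@dataclass
class Account:
    account_id: str
    last4_tag: bytes
    failures: int = 0
    locked_until: float = 0.0


class CardVerifier:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        # (account_id, outcome) per attempt: what a reviewer would replay later.
        self.audit: List[Tuple[str, str]] = []

    def enroll(self, account_id: str, last4: str) -> None:
        if not (len(last4) == 4 and last4.isdigit()):
            raise ValueError("last4 must be exactly four digits")
        self._accounts[account_id] = Account(account_id, _tag(account_id, last4))

    def verify(self, account_id: str, claimed: str, now: Optional[float] = None) -> str:
        """Agent types what the caller claims; returns 'match', 'no_match' or 'locked'."""
        now = time.time() if now is None else now
        acct = self._accounts.get(account_id)
        if acct is None:
            # Same answer as a wrong guess, so callers cannot enumerate account ids.
            self.audit.append((account_id, "no_match"))
            return "no_match"
        if now < acct.locked_until:
            self.audit.append((account_id, "locked"))
            return "locked"
        ok = (len(claimed) == 4 and claimed.isdigit()
              and hmac.compare_digest(_tag(account_id, claimed), acct.last4_tag))
        if ok:
            acct.failures = 0
            self.audit.append((account_id, "match"))
            return "match"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            # Only 10,000 possible values: without a lockout the oracle is brute-forceable.
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        self.audit.append((account_id, "no_match"))
        return "no_match"
```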

~~~
Uchikoma
Sorry, in my argument I meant user with what you've called customer.

------
sdaityari
Now who do we blame?

~~~
Tepix
Godaddy.

~~~
chris_wot
I'm waiting for the day that Godaddy buys Twitter and then is acquired by
PayPal. At this point the nexus of evil will be mainly concentrated around one
company.

It would make a good acquisition target for EMC.

~~~
oneeyedpigeon
Did I miss something - why are Twitter evil now?

~~~
sp332
I'm guessing "Sponsored Tweets", but I would call them "pretty annoying" and
not "evil".

~~~
gaius
They mean the same thing on the Internet. Same as "mildly interesting" and
"epic".

------
mpermar
As if they would say if they were :-)

