PayPal Denies Providing Payment Information to Twitter Username Hacker (thenextweb.com)
177 points by fraqed on Jan 30, 2014 | 124 comments

PayPal is lying or playing dumb and here's why:

Ask them if the customer service agents can see the last four or if they have to enter them first before the customer's records come up.

They can see the last four right away.

Call paypal and ask them which card you have on file, you cannot remember. The agent can give you last four to identify it.

> Call paypal and ask them which card you have on file, you cannot remember.

Exactly. I've done this before when services ask me for my full credit card number or expiration date (to verify), and I ask them for the last four digits (to remind me which card I used).

What PayPal did may be bad, but what GoDaddy did (use the last six digits) to verify is even worse.

If you know the last four digits, you have a better than 1% chance of guessing the previous two, since they are not uniformly distributed: http://en.wikipedia.org/wiki/Luhn_algorithm

(There are actually even more restrictions than the Luhn algorithm on credit card numbers, but I won't go into them here. Suffice to say, there's a reason that the attacker says he was able to guess it in a single try - he was lucky, but not that lucky).

The last 4 digits are known, and the first 6 digits are based on the type of card (VISA/MC/AMEX + Bank/Issuer), so are guessable. Apply the Luhn algorithm to these, and you're left with only 10-100K possibilities for the remaining middle digits.

If you're only required to specify the last 2, you can narrow it down significantly by only looking at valid combinations of those last 2, which is far smaller than 100.

I've written up some of this here: http://tech.bluesmoon.info/2011/01/how-guessable-is-your-cre...
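The two comments above argue about how much the Luhn checksum shrinks the search space once the issuer prefix and the last four digits are known. The following is an added example, not code from either commenter or from the linked write-up: it implements the Luhn check, counts the Luhn-valid fillings of the unknown middle digits with a small residue dynamic program, and reports which values of the two digits immediately before the last four remain feasible. The card numbers are the standard 4111111111111111 and 378282246310005 test numbers and the prefix/suffix splits are constructed for illustration.

```python
"""Luhn checksum and candidate counting for a partially known card number.

Added example for this thread, not code from any commenter. The card
numbers and prefixes below are constructed test values (the well-known
4111111111111111 / 378282246310005 test numbers), not real accounts.
"""


def _contrib(pos_from_right: int, d: int) -> int:
    """Luhn contribution of digit d at 0-based position pos_from_right.

    Every second digit counting from the right (positions 1, 3, 5, ...) is
    doubled, and 9 is subtracted if the result exceeds 9.
    """
    if pos_from_right % 2 == 1:
        d *= 2
        if d > 9:
            d -= 9
    return d


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check."""
    if not number.isdigit():
        return False
    total = sum(_contrib(i, int(c)) for i, c in enumerate(reversed(number)))
    return total % 10 == 0


def count_luhn_completions(prefix: str, suffix: str, length: int = 16) -> int:
    """Number of ways to fill the unknown middle digits so the number passes Luhn.

    prefix: known leading digits (e.g. the 6-digit issuer identifier).
    suffix: known trailing digits (e.g. the last four printed on a receipt).
    A residue dynamic program keeps this fast for any number of unknowns.
    """
    unknown = length - len(prefix) - len(suffix)
    if unknown < 0:
        raise ValueError("prefix and suffix do not fit in the card length")
    # Contribution of the digits we already know; unknown slots count as 0.
    skeleton = prefix + "0" * unknown + suffix
    base = sum(_contrib(i, int(c)) for i, c in enumerate(reversed(skeleton)))
    counts = [0] * 10          # counts[r] = fillings so far whose running sum is r (mod 10)
    counts[base % 10] = 1
    for k in range(unknown):
        pos = length - 1 - (len(prefix) + k)   # position from the right of this unknown slot
        nxt = [0] * 10
        for r, n in enumerate(counts):
            if n:
                for d in range(10):
                    nxt[(r + _contrib(pos, d)) % 10] += n
        counts = nxt
    return counts[0]


def feasible_pairs(prefix: str, suffix: str, length: int = 16) -> set:
    """Two-digit values just before `suffix` that admit at least one Luhn-valid number.

    Fix the pair, then ask whether any completion of the remaining unknowns exists.
    """
    return {
        f"{p:02d}"
        for p in range(100)
        if count_luhn_completions(prefix, f"{p:02d}" + suffix, length) > 0
    }


if __name__ == "__main__":
    print(luhn_valid("4111111111111111"))                 # True
    print(count_luhn_completions("411111", "1111", 16))  # 100000: 6 unknown digits
    print(count_luhn_completions("378282", "0005", 15))  # 10000: 5 unknown digits (15-digit card)
    print(len(feasible_pairs("411111", "1111")))         # 100: other middle digits unknown
    print(len(feasible_pairs("4111111111", "1111")))     # 10: only the pair is unknown
```

With six known leading digits and four known trailing digits, exactly one tenth of the fillings pass the checksum (100,000 of a million for a 16-digit number, 10,000 of 100,000 for a 15-digit one), which is the "10-100K" range quoted above. The last function shows the other side of the argument: the checksum only constrains the pair before the last four once every other digit is fixed; while the remaining middle digits are unknown, all 100 pair values stay feasible, because any pair can be balanced by some choice of the digits the attacker has not guessed yet.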

You are right that Last Six is a miserable password.

One correction though: the attacker didn't guess the two digits in a single try, they guessed them in a single phone call. The GoDaddy agent allegedly let them just try numbers until they got it.

Someone should just record a video of themselves doing it to their own account and post it online, that would be proof enough I'd think.

Unless you know every other digit in the card number, I don't see how knowing the luhn algorithm is going to narrow the possibilities of guessing just the two digits.

Also, a credit card can never be used by itself for any purchase, ever. You must have the name, expiry date, and if you're doing transactions online, often the address and CVV2 as well.

More than likely you don't need the name or CVV, sometimes not even the expiry.

As far as I know, not true. Merchants get discounts for asking for more information, but it's not strictly required to process your card.

It depends on the bank. Some require more data than others. In either case, though, if the transaction turns out to be fraudulent, it's the merchant that pays, so the merchant has a strong incentive to ask for more rather than less.

It doesn't make sense to point fingers without proof.

PayPal says that they did find records of the attempt, and they state affirmatively that they did not provide any credit card details. It sounds to me like they are saying they listened to a recording of the call, and they know they didn't disclose any credit card details.

If you're PayPal in this situation, how do you know the hacker doesn't have their own recording of the call? It would be one thing to claim no record of a call. But I think it would be incredibly reckless to claim you found the records, and you know you didn't disclose anything, if/when in fact you did.

The fact is, there's nothing PayPal can do to prove a negative. If the hacker, or anyone else, produces actual proof that PayPal discloses this information improperly (not just claiming it's easy), I'm sure we will see how PayPal responds then.

> If you're PayPal in this situation, how do you know the hacker doesn't have their own recording of the call?

If I were PayPal, I would ask the question: Why would a hacker keep a recording -- of obtaining information illegally -- that would only incriminate himself?

Obviously I have no way of knowing either way, but PayPal has earned the mistrust many have in their security best practices. PayPal has much more to gain by covering this up than the hacker would by lying about it.

I don't think it's uncommon for a hacker to believe they're invincible. Especially if they are doing something to a U.S. company or citizen when they are in a 3rd or even a 2nd world country. The laws and enforcement are often lax in comparison or even non-existent.

Those four digits aren't hard to get -- it's scary how much access was given with such minor info.

In my opinion, the hacker who hijacked this guy's Twitter account didn't have ANY interest in explaining how he got to it, besides creating a hoax to confuse and divert attention. Just think about it, in just one email he puts the blame on both GoDaddy, for doing phone validation over unsecure criteria (like credit card numbers), and PayPal (for giving out the last digits of the card number to a complete stranger). There might be some truth to it (GoDaddy's phone validation sucks and GoDaddy sucks altogether), but I've read the original HN thread and the majority of comments are directed against GoDaddy or PayPal, rather than the real perpetrator. There are a million ways to hijack someone's account - including but not necessarily by exploiting flaws of GoDaddy / PayPal - but I wouldn't trust the hijacker to kindly explain to me how he actually did it.

> didn't have ANY interest in explaining how he got to it, besides creating a hoax to confuse and divert attention.

Would the story have gone viral, though, had he just said, "I'm not going to say anything about how I did it."? The story would have just been another "I got hacked" story.

If the hacker were really clever enough to fabricate such an elaborate hoax, I think he would have been clever enough to realize the best way to divert attention from the story, would have been to just keep quiet.

The argument was, he was deflecting attention away from him towards others - which, as this thread for the parent poster shows, worked.

My argument is, this attention wouldn't even be here had he just kept quiet.

I don't think he was clever enough to have foresight that a) this would get this much attention, and b) he would need to deflect said attention by fabricating an elaborate hoax.

The guy was simply wanting to brag about what he did in the excitement of him actually pulling it off. I think this is much more believable than him fabricating this story.

One issue to be thought of is if he tells how he hacked the accounts, it would become difficult for him to hack some other accounts in the future. But I have found out that he has a habit of giving out advice to people. I have done some searching and found out (hopefully) who he is.

A simple google search for the email swiped@live.com revealed this link http://mydomaintest.com/index.php?query=getgamesfree.net with owner douglas

A password reset on that account shows the following accounts listed. do * * * @gmail.com do * * * @aim.com

A password reset on aim.com for user name douglas(just guessing) also revealed the email d * * * *8@froze.org

Searching for the name douglas parmele and 5167, brenda gave a result http://welfare.im/dox/index.php?name=communist

There is a reference of froze.us in the dox.

Here you get his hackerforums.net profile http://www.hackforums.net/member.php?action=profile&uid=1399...

search for his posts and you see most of them are selling novelty twitter and other accounts


Here he gives out advice on securing accounts. http://www.hackforums.net/showthread.php?tid=3610513

You have to have an account on hackforums.net to view those links.

After all the prison sentences lately, I'm not sure he wants to brag about himself.

If he were really that concerned about prison sentences, would he have done this to begin with?

Not being snarky, that's a real question. I don't know the minds and rationale of hackers.

I generally get the impression hackers honestly feel they're invincible, until they get caught. Maybe that's a misperception though.

That may be an age thing - often they are young males. Entirely conjecture.

I could be wrong, but wasn't there a story a while back where someone explained how they could hack into any apple ID account with a similar process? Didn't linode's servers get hacked and the hacker explained the whole process?

I guess we'll never know, but last 4 digits are not difficult to get (they're on every single one of my receipts... and for all we know, this guy could be in close vicinity of him...), and making up that PayPal gave the hacker those 4 digits is a good diversion.

Clearly you've never watched a single Bond movie. The only thing a villain enjoys more than committing a crime, is revealing the intricate plan by which he will get away with it.

GoDaddy have come out and specifically said they were at fault in this case.


"GoDaddy accepts partial responsibility in social engineering attack of @N's customer account"


What's interesting is in the original "i got hacked" post[0]. The email from the hacker says that he called paypal and posed as an employee.

That may not be tough to do, i.e. if you call a call center, select the wrong department and request an internal transfer, it is quite possible that the person receiving the call would not be able to distinguish between an internal call or a customer call.

So if the hacker told them he was Jack from xyz department, who would know the difference, better still, would they log the call at all?

The alleged breach could in this situation be quite easy.

[0] https://medium.com/p/24eb09e026dd

When I worked at a large bank many years ago, internal calls were verified to be bank employees. It was low tech, but when a bank employee called and asked about a customer we had them verify they were a bank employee by telling them to look up, and tell us what was on a certain page and line of an internal bank book. If their answer matched what we were looking at as well then the conversation continued. The books were changed/printed often.

That's just like an early-days video game anti-piracy measure.

What is the third word on the second paragraph of page 42 of the Dungeon Master's manual? Etc.

Military codebooks are used in this way for authenticating over unsecured links. Letters or numbers laid out in a grid-like format, and you make the far side read off a certain cell.



The Pragmatic Programmer website uses this system to allow you to prove that you bought a hard-copy of a book, so they can offer you a discounted ebook.

In my case we had a security code on an internal system that was updated in real-time. So the protocol was:

"Hi I'm an employee calling from [X]" "OK, can I get the security code?" (caller gives security code)

Any employee in the company could also request a no-questions-asked reset at any time. I actually had cause to hit the big red button once when the call went:

"Hi, this is [employee] calling from [branch]" "All right, can I get the security code?" "Oh, (mutters "security code"), it's $foo"

See, that counted as a compromise because someone in the lobby may have overheard her.

A couple other fun stories:

- Once I called a branch and got transferred to someone else. The conversation at the other end:

Him: "Did you give the code already?" Me: "...are you seriously going to believe me if I say 'Yes'?"

- Apparently there was a phishing attempt where people would call our center opening with:

"Hi this is [person] from the fraud department, before we begin can I get the security code?"

I don't know if it ever worked, but we got several memos warning us not to fall for it.
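The comment above describes a rotating internal security code, a "big red button" reset when a code may have been overheard, and a phishing pattern in which the caller asks the answering side to read the code out. The following is an added example modelling that protocol; it is not the commenter's bank system. The secret, timestamps and call requests are constructed values, and the 300-second rotation window and the one-window grace period are assumptions chosen for illustration.

```python
"""Rotating internal 'security code' for employee-to-employee phone verification.

Added example for this thread, not the commenter's bank system. It models the
protocol described in the comment: the caller must give the current code, the
code changes on a schedule, and anyone can force an immediate reset (the "big
red button") when a code may have been overheard. Secret and timestamps are
constructed values.
"""
import hashlib
import hmac
import struct


class SecurityCodeRegistry:
    def __init__(self, secret: bytes, step_seconds: int = 300, digits: int = 6):
        self._secret = secret
        self._step = step_seconds        # assumed rotation window
        self._digits = digits
        self._generation = 0             # bumped on every reset; invalidates all prior codes
        self._events = []                # audit trail of resets and rejected attempts

    def log(self, *event) -> None:
        self._events.append(event)

    @property
    def events(self) -> list:
        return list(self._events)

    def _code_for(self, window: int) -> str:
        # HMAC over (generation, window): a reset changes every code without
        # having to redistribute the secret.
        msg = struct.pack(">QQ", self._generation, window)
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        value = int.from_bytes(digest[:4], "big") % (10 ** self._digits)
        return f"{value:0{self._digits}d}"

    def current_code(self, now: int) -> str:
        """What an employee reads off the internal system before placing a call."""
        return self._code_for(now // self._step)

    def verify(self, presented: str, now: int) -> bool:
        """Accept the current window or the previous one (clock skew, slow reading)."""
        window = now // self._step
        for w in (window, window - 1):
            if hmac.compare_digest(self._code_for(w), presented):
                return True
        self.log("rejected_code", now)
        return False

    def reset(self, reason: str, now: int) -> None:
        """The big red button: every code issued before this call is now invalid."""
        self._generation += 1
        self.log("reset", now, reason)


def handle_internal_call(registry: SecurityCodeRegistry, request: dict, now: int) -> str:
    """Handle an inbound 'I'm an employee' call.

    request keys (constructed schema): "claim" (who the caller says they are),
    "code" (the code they give), "asks_for_code" (they want us to read it out).
    Returns "granted", "denied" or "suspected_phish".
    """
    if request.get("asks_for_code"):
        # The code authenticates the caller to us, never the reverse: the
        # answering side never reads it out. The request itself is an indicator.
        registry.log("code_requested_by_caller", now, request.get("claim"))
        return "suspected_phish"
    code = request.get("code")
    if code is None:
        return "denied"
    return "granted" if registry.verify(code, now) else "denied"


if __name__ == "__main__":
    reg = SecurityCodeRegistry(b"constructed-secret", step_seconds=300)
    t = 1_700_000_100
    code = reg.current_code(t)
    print(handle_internal_call(reg, {"claim": "branch 12", "code": code}, t))
    print(handle_internal_call(reg, {"claim": "fraud dept", "asks_for_code": True}, t))
    reg.reset("code spoken aloud in the lobby", t)
    print(handle_internal_call(reg, {"claim": "branch 12", "code": code}, t))
```

The two design points worth noting are that the reset is a generation counter folded into the MAC, so invalidation is immediate and needs no secret redistribution, and that the receiving side is structurally unable to "help" a caller by reading the code back, which is the exact move the memos in the comment warned about.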

> The email from the hacker says that he called paypal and posed as an employee.

I took that to mean the hacker posed as an employee of Naoki Hiroshima. I wonder which it was.

- When I worked in a bank's call center, it would be impossible for such an attacker to gain any information without the (receiving) agent screwing up unless the attacker had already successfully phished a different employee.

- The situation you describe in particular, where one employee might cold transfer to another employee without the receiver verifying whether the customer had identified already...if that is even possible, it's gross negligence.

- Call centers typically record all calls regardless of origin; it's not like a human being manually hits a record button on a case-by-case basis.

When I worked at a call center, I eventually was promoted to call monitor, where I was actually the person listening to the recordings and grading reps on how they did. Our system did not record every call. It was a random sampling, and I had to hope a given MSR got recorded enough times in a month for me to hit my minimums.

Different use-case but we've implemented recording on all call-center calls; this isn't for employee monitoring, it's so we have a recording for legal purposes because some of those calls involve instructions for financial trades.

If I was in PayPal's situation I'd want to record every call, because dealing with money is a lot more critical than dealing with call quality.

I suppose I could have hedged a bit with the usual "may depend on the institution" disclaimer, heh. Anyway, I was responding to the apparent belief that someone might look at the inbound number and think "no need to record this one," which I'm pretty confident saying does not happen.

I've implemented this in a call center. We recorded every call. It's actually harder to do "random sampling" than just have the button auto-click every call. It sounded like Paypal reviewed the call transcript before making a statement.

Re: recording...

Why does the message when you call say something like '...may be recorded...' where "may" sounds like it's synonymous with "might"?

I know why they have to have the message but I was just curious if there was a reason for the apparently odd wording.

They reserve the right not to record the call, in case the stuff hits the fan and a customer insists on getting a recording of the call where everything went wrong.

The wording is specifically because they want to pretend that only a small share of calls are recorded for quality review and that it is very unlikely that your particular call will be recorded.

Why commit yourself to a stronger statement than necessary? As you probably already know, it's just to satisfy laws against recording a phone call without the consent of both parties. It's just a nicer way to say "we will proceed assuming we have your consent to record this call," without promising or revealing anything further.

When I was in a call centre (10 years ago) they would log all calls regardless of origin and us telemonkies had no control over it. I don't know how long they were stored though, I imagine they were purged on a regular basis.

> PayPal Denies Providing Payment Information to Twitter Username Hacker

Well, they would, wouldn't they.

Exactly - as the article points out, without released voice recordings (if they exist, which is not a given), they can't prove that they didn't. Haven't similar things happened before with paypal though?

In a hearsay battle between Paypal and a thief, why is the burden on PayPal to prove its innocence?

It's partly because PayPal's reputation precedes it. Paypal is a shitty company with often scummy policies. They also have a demonstrated history of employees making horrible decisions.

If PayPal didn't do anything wrong, they would probably be far more eager to provide their customer with assistance. In their initial communication they should have volunteered whether or not there is a recording of any conversation they may have had with the attacker. If there is a recording, they should have immediately volunteered to play it back for the victim in order to give him peace of mind. That's basic customer service.

To my knowledge they don't know who the thief is.

The thief allegedly got the last 4 digits of the CC by posing as an employee.[0]

If true, it would mean paypal gave out financial information to an unknown third-party, which would be a breach of a bunch of laws, terms, internal policies etc.

The burden to prove innocence in this situation would definitely fall on paypal.

Excerpts from the original article[0]:

>I called paypal and used some very simple engineering tactics to obtain the last four of your card (avoid this by calling paypal and asking the agent to add a note to your account to not release any details via phone)

>Yes paypal told me them over the phone (I was acting as an employee) and godaddy let me “guess” for the first two digits of the card

[0] https://medium.com/p/24eb09e026dd

[1] https://news.ycombinator.com/item?id=7141532

I dislike paypal as much as anyone, but since when does anyone have to prove innocence?

When you are a financial company.

edit: financial companies, or any company when dealing with a financial or privacy breach usually needs to prove their innocence when they are attributed to allegedly causing financial loss (to varied extents depending on the situation).

This is an expectation from society in general. It may not seem fair or be legally required, but that's just the way it is.

You need a course in elementary logic. Specifically, on the burden of proof. Also, everything you wrote in this comment here seems to be a complete fabrication.

I work for a bank and it's absolutely on us to show that our transactions and treatment of financial information is verifiable. We have to be able to demonstrate due diligence, there is no assumption of innocence when the auditors come knocking on the door, whatever 'elementary logic' may say.

Thats why I completely believe the posters here claiming this wouldn't be possible in a banks call centre. What I don't know is whether PayPal operates at the same standard.

That's a different question altogether. Banks are required to keep meticulous and auditable transaction records -- nobody is disputing that or even questioning if PayPal does so. Banks are not required to extend themselves to whatever demands are made of them, in order to show that the claims of a random internet person are false.

Legally, no. But if enough people find the claim credible, then it is definitely in their best interest to convince everyone else that the claim is false. Whether or not you think that is fair is irrelevant; if enough people feel the bank is not safe to use, the bank will lose business.

Ok well if that's your hand, the converse principle is more pertinent -- if it has no impact on profits, nobody cares about the random rantings of an insular group of technologists, and how they think PayPal ought to conduct itself.

The 'burden of proof' is a social/legal concept which has absolutely nothing to do with elementary logic, so maybe you're the one that needs the refresher.

From https://en.wikipedia.org/wiki/Philosophic_burden_of_proof

When debating any issue, there is an implicit burden of proof on the person asserting a claim. The fallacy of an argument from ignorance occurs if, when a claim is challenged, the burden of proof is shifted to be on the challenger.

The burden of proof is a philosophical concept which extends into the legal domain. In fact, it's the only sane way to process assertions made by purportedly rational actors, it's hardly limited to 'social/legal' contexts.

But I'm not sure why you didn't go look this up in Wikipedia before you commented.

That really does not apply in this situation. A thief made a claim that he tricked PayPal into giving out personal information on his victim. We know the thief got the personal information. What is in question is if he is telling the truth that he got it from PayPal.

You are looking at this as a claim between the thief and PayPal. The thief made the claim, so the burden of proof is on the thief.

But that's not what's going on. PayPal is asserting a claim that they are safe, and the other party is every potential customer of PayPal. The burden is on PayPal to convince us of their claim that they are safe, in light of the claim against them.

To me, it is credible that the thief got the information from PayPal. Between the thief and PayPal, I think the thief has little incentive to lie about where he got the information, but PayPal has high incentive to cover up.

The burden of proof applies to all logical propositions. You are confusing two issues -- PayPal's marketing claims and those of a random thief. The truth is that you actually have insufficient information to decide one way or another who is telling the truth here, and at least you wouldn't be able to substantiate such a conclusion without appealing to prejudices. That's the point I'm making -- personally I think that the thief is telling the truth. But I'm reserving judgment because we certainly don't know enough to warrant some of the strong claims made on this thread.

I think you are concerned with correctly filling out The Universal Ledger of All Objective Truths. That's not what we're concerned with.

We're concerned with figuring out what we think is most likely. You are correct that we have insufficient information to know with high confidence who is telling the truth, but if we are in a position to use PayPal, we have to make a judgement anyway. Further, not having enough information to know most things with high confidence is the common case; we usually have to make decisions based on imperfect information.

In such cases, we have to use the imperfect information available to us. Prejudices is one word for it; Bayesians call it our priors.

For the record, I actually think PayPal is a net-good. I think that most of the negative press they put up with is unwarranted, and is a result of people not understanding how they are allowed to use the service. In addition, I think most people do not appreciate that PayPal is much more tolerant than the alternative that was the only-game-in-town before PayPal, which were merchant accounts with banks.

Well said, for the most part, although it should be noted that not all prejudices are appropriate priors!

Yes, agreed.

when there is a believable story about them getting socially hacked & they have a sea of clients they are trying not to lose...

Since there is apparent evidence against their innocence?

What evidence? The chat transcript of a thief?

Since ever? For example anti-harassment law...

Because 1) they likely have the actual recording on file 2) they are the service company that wants to convince us to continue using them.

I would tend to agree with you, but paypal was emphatic that they _did not_ (emphasis theirs) release anything. There is a difference between not finding evidence and saying as such, "We could find no evidence that that one of our employees failed to follow correct and established procedures". If they had said that, I would be more inclined to let them go. I believe that they placed the burden of proof on themselves by coming out with such a firm statement.

Because the thief actually did acquire the last 4 digits of the credit card number, and there is plenty of anecdotal evidence that their techs can and will give out the last 4 digits of credit card numbers.

Because there are three parties here, not two: PayPal, the thief, and all real and potential customers of PayPal. PayPal has no obligation to convince the thief that they are innocent. But if they want to retain business, they must convince all of their current and future customers that they are innocent.

They're not, they're just covering their own asses.

Because Paypal has a history of being full of shit.

@1angryhacker - they're the only game in town for a lot of people, notably ebay sellers and users. More tech-savvy sellers know to diversify or to use other payment gateways (amazon, google, etc) but paypal has a huge userbase of average internet users.

that's not a reason to convict without evidence.

if paypal is so shit why is everyone using them.

vote with your feet

We aren't convicting them here - this isn't a court. It's just pointing out that, once again, as always:


Not only did they screw up; but they also can't man up, tell the truth and be transparent - as usual. Shit happens. Slamming us with a denial that shit happened is implying that you aren't going to do anything about it; admitting it is a clear statement that you are not proud of it and will work to make sure it never happens again.

It's come to the point where if someone said that PayPal are responsible for climate change; I would be inclined to believe them. No matter how much they denied it.

In other words you're prejudiced and see no reason to logically validate your preconceptions?

Great, that's what we need. More people commenting who have all the answers. What if PayPal were telling the truth, how exactly would that situation look different than the one we are in? Good thing PayPal's always wrong though!

It's more like extrapolation from a known set of data points. PayPal has a certain history. You can look up what's gone down in the past, and based on that, the accusations fall right in line with the sorts of things PayPal has historically done. At this point it seems far more likely that PayPal did in fact do what it's accused of than that it didn't.

If PayPal is in fact telling the truth (and that's a big if), then the question becomes where did the hacker get the last 4 of the CC from? GoDaddy has confirmed the hacker had a large amount of info, including presumably the last 4 of the CC when he called them, so somewhere in this whole thing someone gave that data away.

(I can't reply to jessedhillon's follow-up comment yet & i don't want to wait so I'll just reply here....)

If you look as far as... oh say, the top of this thread on HN, you will hear accounts from people who have apparently done this very thing (asking PayPal for last 4 digits and gotten an answer). So it seems like their policy did not forbid it, anyone could do it, so why not believe the hacker's claim?

You can't have a policy of routinely giving out certain info then deny that you gave it out in a case where it caused a security breach. What is the defense there? "Well yeah ordinarily we DO give that out but we could tell this guy was a hacker so we didn't." Yeah, they wish. If they regularly give out last 4 digits, then the claim that they didn't in this case is absurd.

> ...the question becomes where did the hacker get the last 4 of the CC from?

That's always been the question. Until you know better, what you have is a situation where you're believing the word of an anonymous criminal, relayed to you second-hand, over PayPal. I'm just saying you have no evidence either way at this point, and are simply expressing your preconceptions, which are not helpful.

> It's more like extrapolation from a known set of data points. PayPal has a certain history.

Exactly, the child who cried "wolf."

Perhaps the cracker is actually employed at PayPal for real? :) This thought amuses me, since it's a scenario with no leaks outside the circle of PayPal employees, yet it gives the opportunity to the bad guy to gain the info necessary for the deed.


"Our review of the situation reveals that the hacker was already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy. The hacker then socially engineered an employee to provide the remaining information needed to access the customer account. The customer has since regained full access to his GoDaddy account, and we are working with industry partners to help restore services from other providers. We are making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques."

It's likely the attacker obtained credit card info from GoDaddy rather than PayPal.

"evolving hacker techniques"?

I'm pretty sure that these fancy tactics can be found in The Art of Deception, which was released in 2002. Social engineering is nothing new.

They can probably be found in any writing since about when people discovered that manipulation and lying got them a warmer spot in the cave and a bigger slice of mammoth pie.

Alternatively, if this hacker had a method different than what he/she described to obtain the necessary information, it would make sense that he/she would describe a false sequence of events in order to throw the account holder off the trail.

I am more interested in Twitter's response to all of this.

While I think the right thing of Twitter would be to give the account back, they didn't really do anything wrong (if the story is to be believed). Hiroshima simply changed the account name, and let the hacker know it was available.

Not sure Twitter could have done anything to prevent this from happening.

I am too. Just because Twitter can very easily prove that account was stolen and return it to the owner. I don't think it is possible to steal, for example, twitter name "jack" or "barackobama".

All the hacker claims to have obtained from PayPal is the last four digits of the credit card number. Perhaps this failed attempt they mention was them asking the hacker to provide the complete credit card number ending in XXXX as a form of verification?

Well PayPal once flagged a non-existent transaction on my account as suspicious. I had to call them to get it sorted out. The fact that something like that can happen surely doesn't help me trust PayPal...

Why? Sounds like they did you a favour.

I'd be reporting them to the authorities. Then I'd sue them, and get the recording in discovery.

Who's going to cover the lawyer costs? I'd love to see a 'no win no fee' company prepared to take on paypal

It's done all the time with class actions.

This line of reasoning doesn't make a whole lot of sense. As a member of several class action lawsuits over the past 20+ years, I bet I've made out like a bandit - no less than $2.50 distributed over maybe 5-7 CALs. Sweet! The lawyers, however, probably made $500,000,000 with those 5-7 lawsuits.

So while there's a financial want from the lawyers' perspective, why would I want to go that route?

Generally speaking, class action suits--especially for smaller claims, like what chris_wot implies--are less about seeking individual relief and more about leveraging the potential for significant damages to force a defendant to initiate a change in a given behavior. So even though you might only walk away with a few pennies, on balance, there's a net benefit to the public value that stems from behavioral changes.

If Mr. Burns is dumping his chemical waste into Lake Springfield and you're winding up with little three-eyed fish as a result, you're hoping to force Mr. Burns to stop polluting the lake.

Are there sleazy class action attorneys? Absolutely. They can be found on late night television, ugly billboards with creepy mugshots, and stalking ambulance drivers (:D). Basically, anywhere your regular run-of-the-mill shyster attorneys can be found. But they're also fewer in number, mainly because class action litigation is significantly more resource-intensive than other types of litigation. And since class action attorneys are almost always working on a contingency basis, there's a lot to support the idea that they earn their fees here.

It might not seem fair when you're looking at a $2.50 check, but that's the tradeoff you accept in order to bolster your ability to force a change.

I think that the lawyers suing for class action status use one (or a few people) as their "examples" of people harmed by the complaint. Those people may make some money... You may just need to get into your class action suits much earlier...

Sounds like a lot of other scams.

Why doesn't Twitter simply quarantine the handle until some sort of dispute resolution is completed? Oh wait, Twitter doesn't "do" customer service, so forget about any sort of common sense solutions.

Shouldn't it be easy enough for Twitter to just return the handle to the original owner? I guess Twitter has to cover their own ass to a degree, and it is possible the original owner is making up this story and actually sold the Twitter handle (though I suspect this would be against Twitter's policies).

However, based on what I've read, the people involved, and Occam's Razor, I believe the published story. Twitter should transfer ownership of the handle back to Naoki Hiroshima, do the right thing, and get some good press at the same time.

Paypal's value lies in its network and its trustworthiness. There is no way in a million years they would divulge a f*-up of this magnitude unless there was cold hard proof.

But I think there is pretty convincing proof, and I think if anything, this makes them less trustworthy than if they had come out and accepted partial wrongdoing.

The "hacker" had no incentive to lie; the ace was in his hand.

Actually, neither the hacker nor PayPal has presented any proof whatsoever (there is as yet no proof that the hacker even had the last four digits of the card number, and if he did, there are plenty of sources to get those from).

Either could for all we know be telling the truth, but if you find yourself automatically taking the word of a known thief over that of a legitimate company, it's time to stop and re-examine, not only your conclusion in this case, but every aspect of the thought processes you use for such things. The hacker had several possible incentives to lie, and I'm sure you'd be able to figure out at least some of them if you stepped back and looked at the question objectively.

I am very interested in what comes out of this. When I read Hiroshima's blog post, I was getting chills thinking how angry I would be if I could not get into my own accounts thanks to someone taking over them simply by exercising human engineering tactics. Big and small companies need to implement 2-step verification, or better, and never give out information.

Alternative option, thief has an insider at PayPal, or even worse, works at PayPal.

But PayPal is probably just trying to cover their ass.

I'm not a PayPal fan but reading how he supposedly obtained the digits, I immediately thought it was bullshit.

An insider seems likely, and it doesn't even have to be at PayPal. Most companies where you use your credit card either have your email, or could figure it out using your name / address.

PayPal records every call, 100%, and also all the screen captures of the agent answering the call. So, either they're telling the truth, or they're lying. Not sure how anyone could tell the difference. But I guarantee you, they listened to the call.

I can't see why a hacker would actually give his secrets away.

I didn't expect them to come forth and accept it. If it's an employee mistake, and not a standard broken process, they can erase the tracks.

If it's possible for employees to be able to make such a mistake, that's a standard broken process. It should not be possible for them to reveal the last four no matter how badly someone wants them to and how clever their social engineering skills. It shouldn't be possible from a technical perspective, not from a "we told employees not to do this" perspective.

If you display 4 digits to the user for CC validation, as basically everyone does, then there will always be someone who can read those 4 digits and give them to someone else.

You don't need to display them to the user. The user can ask for them from the customer. The user types in the 4 digits the customer provides. The computer compares the two strings. The user need never see the real stored digits.
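The blind-compare design described above, as an added example that is not from the thread or from PayPal: the agent submits only what the caller claimed, the service holds a keyed digest rather than the digits, the comparison is constant-time, repeated misses lock the account, and every check is audited. The key, thresholds, account data and agent id are all constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo key: in a real deployment this lives in a secrets manager
# or HSM and is never reachable from the agent's desktop tooling.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
MAX_ATTEMPTS = 3          # failed guesses allowed before the account locks
LOCKOUT_SECONDS = 900     # how long verification stays disabled once locked


def last_four_tag(last_four: str) -> str:
    # Keyed digest stored instead of the plaintext digits, so neither the
    # agent UI nor a casual database reader can display them.
    return hmac.new(SERVER_KEY, last_four.encode(), hashlib.sha256).hexdigest()


@dataclass
class Account:
    account_id: str
    tag: str                  # output of last_four_tag(), never the digits
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class BlindVerifier:
    """Agent submits what the caller claimed; only True/False comes back."""
    audit_log: list = field(default_factory=list)

    def verify(self, account: Account, agent_id: str, claimed: str, now: float) -> bool:
        if now < account.locked_until:
            self._record(agent_id, account, "locked")
            return False
        # Malformed input counts as a failed guess so it cannot be used to probe.
        well_formed = len(claimed) == 4 and claimed.isdigit()
        ok = well_formed and hmac.compare_digest(account.tag, last_four_tag(claimed))
        if ok:
            account.failed_attempts = 0
            self._record(agent_id, account, "match")
            return True
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_ATTEMPTS:
            account.locked_until = now + LOCKOUT_SECONDS
            self._record(agent_id, account, "locked_out")
        else:
            self._record(agent_id, account, "mismatch")
        return False

    def _record(self, agent_id: str, account: Account, outcome: str) -> None:
        # Audit trail records who checked which account and the outcome, not digits.
        self.audit_log.append((agent_id, account.account_id, outcome))
```

Because the agent-facing path returns only a boolean and the audit row never carries the digits, neither a persuaded agent nor a reader of the support logs has anything to hand over.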

Sorry, in my argument I meant user with what you've called customer.

Now who do we blame?

I'm waiting for the day that GoDaddy buys Twitter and then is acquired by PayPal. At this point the nexus of evil will be mainly concentrated around one company.

It would make a good acquisition target for EMC.

And then they would rename it to "Umbrella corporation"

Did I miss something - why are Twitter evil now?

I'd tell you, but I can't fit my explanation into less than 140 characters.

I'm guessing "Sponsored Tweets", but I would call them "pretty annoying" and not "evil".

They mean the same thing on the Internet. Same as "mildly interesting" and "epic".

As if they would say if they were :-)

Take a timeout, come back in 20 and reread your post. Is it really worth it to get so angry and malicious? And protip, if you're going to get this angry, don't post it. It makes you look nuts, and does nothing to anyone about how they might feel about PayPal.

I didn't see the original post, but this is an extremely thoughtful reply to anyone who is angry and acting illogically. Well done.

Honestly I think telling the corporation of PayPal that it should be destroyed, or truly threatened with destruction if they don't shape up, is a reasonable response to their abusive behavior. People are far too forgiving of misdeeds done by large corporations.

It's certainly an angry and illogical post but I can't bring myself to actually disagree with it.
