Ask them if the customer service agents can see the last four or if they have to enter them first before the customer's records come up.
They can see the last four right away.
Call paypal and ask them which card you have on file, you cannot remember. The agent can give you last four to identify it.
Exactly. I've done this before when services ask me for my full credit card number or expiration date (to verify), and I ask them for the last four digits (to remind me which card I used).
What PayPal did may be bad, but what GoDaddy did (use the last six digits) to verify is even worse.
If you know the last four digits, you have a better than 1% chance of guessing the previous two, since they are not uniformly distributed: http://en.wikipedia.org/wiki/Luhn_algorithm
(There are actually even more restrictions than the Luhn algorithm on credit card numbers, but I won't go into them here. Suffice to say, there's a reason that the attacker says he was able to guess it in a single try - he was lucky, but not that lucky).
If you're only required to specify the last 2, you can narrow it down significantly by only looking at valid combinations of those last 2, which is far smaller than 100.
I've written up some of this here: http://tech.bluesmoon.info/2011/01/how-guessable-is-your-cre...
One correction though: the attacker didn't guess the two digits in a single try, they guessed them in a single phone call. The GoDaddy agent allegedly let them just try numbers until they got it.
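The Luhn constraint discussed in the two comments above, as an added example that is not part of the thread or of the linked write-up: the Luhn mod-10 check digit absorbs one degree of freedom, so when every other digit of the card number is known, only 10 of the 100 fillings of two unknown digits pass the check, whichever positions the unknowns occupy. The card numbers below are constructed test values (the familiar 4111... test PAN), not real cards, and the code makes no use of issuer BIN ranges, which would constrain the space further.

```python
"""Luhn check and completion enumerator for a masked card number.

Added example for the thread above (not from any commenter's post).
Sample PANs are constructed test values, not real card numbers.
"""
from __future__ import annotations

from itertools import product


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Non-digit characters (spaces, dashes) are ignored.
    """
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:  # doubled values 10..18 contribute their digit sum
                d -= 9
        total += d
    return total % 10 == 0


def luhn_completions(masked: str) -> list[str]:
    """Enumerate every Luhn-valid filling of the '?' positions in a masked PAN.

    masked: digit string with '?' marking unknown positions; spaces ignored.
    With k unknowns, exactly 10**(k-1) of the 10**k fillings pass the check
    (for k >= 1), because the final mod-10 condition fixes one digit.
    """
    template = masked.replace(" ", "")
    slots = [i for i, c in enumerate(template) if c == "?"]
    out: list[str] = []
    for combo in product("0123456789", repeat=len(slots)):
        chars = list(template)
        for pos, ch in zip(slots, combo):
            chars[pos] = ch
        candidate = "".join(chars)
        if luhn_valid(candidate):
            out.append(candidate)
    return out


def guess_space(masked: str) -> tuple[int, int]:
    """Return (naive guess count, Luhn-consistent guess count) for a mask."""
    unknown = masked.replace(" ", "").count("?")
    return 10 ** unknown, len(luhn_completions(masked))


if __name__ == "__main__":
    # Two unknown digits just before a known last four: 100 naive guesses,
    # only 10 survive the Luhn check.
    print(guess_space("4111 1111 11?? 1111"))
```

This only helps an attacker who already knows the rest of the number (the situation in the "last two" scenario); if other digits are also unknown, the single mod-10 condition cannot be applied to the pair in isolation and the reduction disappears.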
PayPal says that they did find records of the attempt, and they state affirmatively that they did not provide any credit card details. It sounds to me like they are saying they listened to a recording of the call, and they know they didn't disclose any credit card details.
If you're PayPal in this situation, how do you know the hacker doesn't have their own recording of the call? It would be one thing to claim no record of a call. But I think it would be incredibly reckless to claim you found the records, and you know you didn't disclose anything, if/when in fact you did.
The fact is, there's nothing PayPal can do to prove a negative. If the hacker, or anyone else, produces actual proof that PayPal discloses this information improperly (not just claiming it's easy), I'm sure we will see how PayPal responds then.
If I were PayPal, I would ask the question: Why would a hacker keep a recording -- of obtaining information illegally -- that would only incriminate himself?
Obviously I have no way of knowing either way, but PayPal has earned the mistrust many have in their security best practices. PayPal has much more to gain by covering this up than the hacker would by lying about it.
Would the story have gone viral, though, had he just said, "I'm not going to say anything about how I did it."? The story would have just been another "I got hacked" story.
If the hacker were really clever enough to fabricate such an elaborate hoax, I think he would have been clever enough to realize the best way to divert attention from the story, would have been to just keep quiet.
I don't think he was clever enough to have foresight that a) this would get this much attention, and b) he would need to deflect said attention by fabricating an elaborate hoax.
The guy was simply wanting to brag about what he did in the excitement of him actually pulling it off. I think this is much more believable than him fabricating this story.
A simple google search for the email firstname.lastname@example.org revealed this link http://mydomaintest.com/index.php?query=getgamesfree.net with owner douglas
A password reset on that account shows the following accounts listed. do * * * @gmail.com do * * * @aim.com
A password reset on aim.com for user name douglas(just guessing) also revealed the email d * * * *email@example.com
Searching for the name douglas parmele and 5167, brenda gave a result http://welfare.im/dox/index.php?name=communist
There is a reference of froze.us in the dox.
Here you get his hackerforums.net profile http://www.hackforums.net/member.php?action=profile&uid=1399...
search for his posts and you see most of them are selling novelty twitter and other accounts
Here he gives out advice on securing accounts. http://www.hackforums.net/showthread.php?tid=3610513
You have to have an account on hackforums.net to view those links.
Not being snarky, that's a real question. I don't know the minds and rationale of hackers.
I generally get the impression hackers honestly feel they're invincible, until they get caught. Maybe that's a misperception though.
That may not be tough to do, i.e. if you call a call center, select the wrong department and request an internal transfer, it is quite possible that the person receiving the call would not be able to distinguish between an internal call or a customer call.
So if the hacker told them he was Jack from xyz department, who would know the difference, better still, would they log the call at all?
The alleged breach could in this situation be quite easy.
What is the third word on the second paragraph of page 42 of the Dungeon Master's manual? Etc.
"Hi I'm an employee calling from [X]"
"OK, can I get the security code?"
(caller gives security code)
Any employee in the company could also request a no-questions-asked reset at any time. I actually had cause to hit the big red button once when the call went:
"Hi, this is [employee] calling from [branch]"
"All right, can I get the security code?"
"Oh, (mutters "security code"), it's $foo"
See, that counted as a compromise because someone in the lobby may have overheard her.
A couple other fun stories:
- Once I called a branch and got transferred to someone else. The conversation at the other end:
Him: "Did you give the code already?"
Me: "...are you seriously going to believe me if I say 'Yes'?"
- Apparently there was a phishing attempt where people would call our center opening with:
"Hi this is [person] from the fraud department, before we begin can I get the security code?"
I don't know if it ever worked, but we got several memos warning us not to fall for it.
I took that to mean the hacker posed as an employee of Naoki Hiroshima. I wonder which it was.
- The situation you describe in particular, where one employee might cold transfer to another employee without the receiver verifying whether the customer had identified already...if that is even possible, it's gross negligence.
- Call centers typically record all calls regardless of origin; it's not like a human being manually hits a record button on a case-by-case basis.
If I was in PayPal's situation I'd want to record every call, because dealing with money is a lot more critical than dealing with call quality.
Why does the message when you call say something like '...may be recorded...' where "may" sounds like it's synonymous with "might"?
I know why they have to have the message but I was just curious if there was a reason for the apparently odd wording.
> PayPal Denies Providing Payment Information to Twitter Username Hacker
If PayPal didn't do anything wrong, they would probably be far more eager to provide their customer with assistance. In their initial communication they should have volunteered whether or not there is a recording of any conversation they may have had with the attacker. If there is a recording, they should have immediately volunteered to play it back for the victim in order to give him peace of mind. That's basic customer service.
The thief allegedly got the last 4 digits of the CC by posing as an employee.
If true, it would mean PayPal gave out financial information to an unknown third party, which would be a breach of a bunch of laws, terms, internal policies etc.
The burden to prove innocence in this situation would definitely fall on PayPal.
Excerpts from the original article:
>I called paypal and used some very simple engineering tactics to obtain the last four of your card (avoid this by calling paypal and asking the agent to add a note to your account to not release any details via phone)
>Yes paypal told me them over the phone (I was acting as an employee) and godaddy let me “guess” for the first two digits of the card
edit: financial companies, or any company when dealing with a financial or privacy breach usually needs to prove their innocence when they are attributed to allegedly causing financial loss (to varied extents depending on the situation).
This is an expectation from society in general. It may not seem fair or be legally required, but that's just the way it is.
That's why I completely believe the posters here claiming this wouldn't be possible in a bank's call centre. What I don't know is whether PayPal operates at the same standard.
When debating any issue, there is an implicit burden of proof on the person asserting a claim. The fallacy of an argument from ignorance occurs if, when a claim is challenged, the burden of proof is shifted to be on the challenger.
The burden of proof is a philosophical concept which extends into the legal domain. In fact, it's the only sane way to process assertions made by purportedly rational actors, it's hardly limited to 'social/legal' contexts.
But I'm not sure why you didn't go look this up in Wikipedia before you commented.
You are looking at this as a claim between the thief and PayPal. The thief made the claim, so the burden of proof is on the thief.
But that's not what's going on. PayPal is asserting a claim that they are safe, and the other party is every potential customer of PayPal. The burden is on PayPal to convince us of their claim that they are safe, in light of the claim against them.
To me, it is credible that the thief got the information from PayPal. Between the thief and PayPal, I think the thief has little incentive to lie about where he got the information, but PayPal has high incentive to cover up.
We're concerned with figuring out what we think is most likely. You are correct that we have insufficient information to know with high confidence who is telling the truth, but if we are in a position to use PayPal, we have to make a judgement anyway. Further, not having enough information to know most things with high confidence is the common case; we usually have to make decisions based on imperfect information.
In such cases, we have to use the imperfect information available to us. Prejudice is one word for it; Bayesians call it our priors.
For the record, I actually think PayPal is a net-good. I think that most of the negative press they put up with is unwarranted, and is a result of people not understanding how they are allowed to use the service. In addition, I think most people do not appreciate that PayPal is much more tolerant than the alternative that was the only-game-in-town before PayPal, which were merchant accounts with banks.
If PayPal is so shit, why is everyone using them?
Vote with your feet.
Not only did they screw up; but they also can't man up, tell the truth and be transparent - as usual. Shit happens. Slamming us with a denial that shit happened is implying that you aren't going to do anything about it; admitting it is a clear statement that you are not proud of it and will work to make sure it never happens again.
It's come to the point where if someone said that PayPal are responsible for climate change; I would be inclined to believe them. No matter how much they denied it.
Great, that's what we need. More people commenting who have all the answers. What if PayPal were telling the truth, how exactly would that situation look different than the one we are in? Good thing PayPal's always wrong though!
If PayPal is in fact telling the truth (and that's a big if), then the question becomes where did the hacker get the last 4 of the CC from? GoDaddy has confirmed the hacker had a large amount of info, including presumably the last 4 of the CC when he called them, so somewhere in this whole thing someone gave that data away.
If you look as far as... oh say, the top of this thread on HN, you will hear accounts from people who have apparently done this very thing (asking PayPal for last 4 digits and gotten an answer). So it seems like their policy did not forbid it, anyone could do it, so why not believe the hacker's claim?
You can't have a policy of routinely giving out certain info then deny that you gave it out in a case where it caused a security breach. What is the defense there? "Well yeah ordinarily we DO give that out but we could tell this guy was a hacker so we didn't." Yeah, they wish. If they regularly give out last 4 digits, then the claim that they didn't in this case is absurd.
That's always been the question. Until you know better, what you have is a situation where you're believing the word of an anonymous criminal, relayed to you second-hand, over PayPal. I'm just saying you have no evidence either way at this point, and are simply expressing your preconceptions, which are not helpful.
Exactly, the child who cried "wolf."
"Our review of the situation reveals that the hacker was already in possession of a large portion of the customer information needed to access the account at the time he contacted GoDaddy. The hacker then socially engineered an employee to provide the remaining information needed to access the customer account. The customer has since regained full access to his GoDaddy account, and we are working with industry partners to help restore services from other providers. We are making necessary changes to employee training to ensure we continue to provide industry-leading security to our customers and stay ahead of evolving hacker techniques."
It's likely the attacker obtained credit card info from GoDaddy rather than PayPal.
I'm pretty sure that these fancy tactics can be found in The Art of Deception, which was released in 2002. Social engineering is nothing new.
Not sure Twitter could have done anything to prevent this from happening.
So while there's a financial want from the lawyers' perspective, why would I want to go that route?
If Mr. Burns is dumping his chemical waste into Lake Springfield and you're winding up with little three-eyed fish as a result, you're hoping to force Mr. Burns to stop polluting the lake.
Are there sleazy class action attorneys? Absolutely. They can be found on late night television, ugly billboards with creepy mugshots, and stalking ambulance drivers (:D). Basically, anywhere your regular run-of-the-mill shyster attorneys can be found. But they're also fewer in number, mainly because class action litigation is significantly more resource-intensive than other types of litigation. And since class action attorneys are almost always working on a contingency basis, there's a lot to support the idea that they earn their fees here.
It might not seem fair when you're looking at a $2.50 check, but that's the tradeoff you accept in order to bolster your ability to force a change.
Sounds like a lot of other scams.
However, based on what I've read, the people involved, and Occam's Razor, I believe the published story. Twitter should transfer ownership of the handle back to Naoki Hiroshima, do the right thing, and get some good press at the same time.
But I think there is pretty convincing proof, and I think if anything, this makes them less trustworthy than if they had come out and accepted partial wrong doing.
The "hacker" had no incentive to lie; the ace was in his hand.
Either could for all we know be telling the truth, but if you find yourself automatically taking the word of a known thief over that of a legitimate company, it's time to stop and re-examine, not only your conclusion in this case, but every aspect of the thought processes you use for such things. The hacker had several possible incentives to lie, and I'm sure you'd be able to figure out at least some of them if you stepped back and looked at the question objectively.
But PayPal is probably just trying to cover their ass.
An insider seems likely, and it doesn't even have to be at PayPal. Most companies where you use your credit card either have your email, or could figure it out using your name / address.
I can't see why a hacker would actually give his secrets away.
It would make a good acquisition target for EMC.
It's certainly an angry and illogical post but I can't bring myself to actually disagree with it.