I asked Dave if he would agree to play a pivotal role in a little hack. I recently arranged to meet up with Dave and a few more friends who I had only seen a handful of times in the last 18 months. In fact, Dave is a guru when it comes to computer security and very few scams pass his eyes without him realizing what’s going on. Which is why I chose to target a friend (let’s call him Dave) who’s been in the security industry for well over 20 years. In order to demonstrate this latest proof of concept, I didn’t choose to target just anyone – I wanted to fully test my hypothesis on someone who would be very likely to spot what was going on, especially when money was involved. However, I have found a way to take ownership of someone’s PayPal account and prove it in a legitimate and legal experiment even more importantly, you’ll also learn how to avoid this attack on your account. On the other hand, they are difficult to properly experiment with on someone under test conditions simply because the “victims” are aware of the proposed attack vector and this immediately throws the trial out of the window without proving its viability. Social engineering attacks are increasingly common and rising in popularity among criminal gangs. Turns out, with just the simple art of “shoulder surfing”, your PayPal account could indeed be compromised and you could lose thousands of dollars. This left me wondering whether I should up the ante and attempt to gain control of a financial account using similar tactics. To put things into perspective, over the last 18 months I have successfully shown how easy it is to hijack a WhatsApp or Snapchat account without the right security set on the accounts. However, if banks are so secure, I wondered if there may be a way of attacking one of the most popular third parties that often already have complete access to people’s funds – PayPal. The security of typical banking apps impresses me immensely, and with my security hat on I have not yet thought of a way to bypass the usually robust in-built measures designed to protect the money of banks’ customers, which is entirely the way it should be. I have been fascinated with the thought of being able to break into a bank ever since my love for bank robbery films began in the 1990s, and I think I may have finally uncovered a way to do it – well, sort of. I have reached out to PayPal for comment regarding why account two-factor authentication isn't mandatory.Somebody could easily take control of your PayPal account and steal money from you if you’re not careful – here’s how to stay safe from a simple but effective attack It is worrying that PayPal does not currently enforce multi-factor authentication at login as default which would protect accounts more fully and virtually stop credential stuffing attacks altogether." At best, this should be connected via a security key or authenticator app rather than with SMS. Entry should also be bolstered by enabling multi-factor authentication. Everyone by now should be using unique, strong passwords for all of their online accounts, particularly those connected to finances. It remains one of the easiest of attack vectors for cybercriminals, but users can easily fight back and protect their accounts in just a few steps. Credential stuffing is an automated process where a threat actor uses reused log-on credentials stolen from subsequent password breaches on another account. "The owners of the affected accounts should by now have been notified, and it would be advisable for those people to remain on high alert due to the amount of personal data that may have been accessed in this unfortunately simple breach. Jake Moore, the global cyber security advisor at ESET, has further advice for concerned PayPal customers among the 34,942 account holders impacted here. Affected PayPal customers need to remain on high alert
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |