Thread poster: Samuel Murray
How to hack your MB/PayPal account etc

Samuel Murray  Identity Verified
Netherlands
Local time: 00:49
Member (2006)
English to Afrikaans
Oct 8, 2008

G'day everyone

The reason for this thread is to find ways in which we can protect ourselves. If we know how we can be hacked, then we can take steps to prevent it.

I don't use PayPal, so I don't know how one would possibly hack a PayPal account, but I do use Moneybookers, so I'd like to start this thread so that we can speculate about ways in which people might hack our money accounts. In a recent thread many people spoke about their MB accounts being hacked, so perhaps those people can tell us how they suspect it could have happened.

I've also Googled for MB hacks. One quite angry fellow gave an essential clue in his post when he mentioned that the e-mail from MB about the failed login attempt had disappeared from his Gmail account. Well, there's your clue -- it is your Gmail account that is hacked. About a year ago there was a security vulnerability in Gmail that allowed hackers to set an automatic forwarding-and-deleting filter on certain mails (eg if the mail contains the word "password", Gmail forwards it to another address and deletes the original mail). Read about it here: http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/ . So, if you're using web-based mail, go check your filters to see if you're not perhaps unknowingly forwarding mail to a hacker.

How to hack a moneybookers account?

Well, you need the person's password, his date of birth, and his postal code. Alternatively, you need access to the person's mail account, plus his date of birth and his postal code. Hackers do research, so the latter two can often be found.

MB will lock the account if it thinks suspicious activities are going on, so a hacker often has one shot at this (but if he knows that you're on holiday or likely asleep, he has a bit of leeway).

MB's other methods of re-authentication include making a small payment from your credit card and asking you to tell them the exact amount, or sending you a snailmail letter with a code in it, that you have to fill in on the web site.

MB requires a longish password with at least one non-alphabetic character in it, but you are allowed to use a well-known personal name as part of the password.

How to hack a PayPal account?

Well, tell me what information is needed for it. What are the password limitations, and what information does a hacker need to change your password and/or to access your password? Does PayPal ask additional information when sending money? Eg MB asks your date of birth every time you send money. Does PayPal send notice to you if you've made a payment? Eg MB sends notice via e-mail when you've received money, but not when you've made a payment.

Bad habits make you hackable?

What habits of a person can make him more easily hackable? Well, the Gmail hack depended on the user having an active Gmail session open in the browser while at the same time having the hacker's web site and/or e-mail open (even in a different program).

Things that I do to make my surfing more secure, are:
* I use two browsers -- one for general surfing and one for mail and money matters.
* I don't have any other windows or programs open while doing online banking.
* For money stuff, I don't let the browser remember my password (eg FireFox offers to remember my MB password, but I always say "no").
* I don't use my money stuff passwords for any other purpose.
* I don't use my mail account passwords for any other purpose.
What else is there?

Examples of security breaches

* The other day I re-installed my mail program on a new laptop, and found that I had forgotten one of my passwords (for a mail account I use for one client only, who insists that I use that particular account for his work). I phoned the hosting company, explained who I am and why I needed the password, and... the support guy gave me my password, over the phone!!!

* When surfing at internet cafes, it is often enlightening to check the cookies and/or the browser's password remember section. Many people allow the internet cafe's computer to remember all sorts of details about them.

* Two weeks ago I went to the bank to do a money transfer. They have little booths there where you can log into internet banking using your own account details. Near the end of my session, I must have clicked something weird because the browser window showed the login screen again. For a moment I thought, "aah, I've been logged out" and I nearly got up and walked away, but then I tried Alt+TAB etc, and I found that I had merely hidden or minimised my active session. Public terminals often have the taskbar etc removed, leaving the impression with people that their open sessions have been terminated or closed.

* Some browsers minimise to the systray, not to the task bar. You also get utilities that do this to any other program. If someone had used a computer with such a browser or such a setting, they could be under the impression that they had closed the session, not realising that in that browser, clicking the x merely minimises the browser to the systray.

I look forward to your replies. I'm particularly interested in how PayPal can be hacked and thus how PayPal users can prevent their accounts from being emptied without their consent.


 

Mulyadi Subali  Identity Verified
Indonesia
Local time: 06:49
English to Indonesian
my two cents Oct 8, 2008


Samuel Murray wrote:
How to hack a PayPal account?
Well, tell me what information is needed for it. What are the password limitations, and what information does a hacker need to change your password and/or to access your password? Does PayPal ask additional information when sending money? Eg MB asks your date of birth every time you send money. Does PayPal send notice to you if you've made a payment? Eg MB sends notice via e-mail when you've received money, but not when you've made a payment.


to change password:
- credit card/checking account info
- current password

password requirements:
- at least 8 characters including at least one special character

i used paypal for a purchase recently, and i don't recall it requiring anything other than logging into my account for the purchase. it did email me on the purchase though.

note:
if you open paypal account on a tab in firefox, close it (ctrl + w) then restore it (ctrl + shift + t), you can still access your account without having to re-login. scary?


Samuel Murray wrote:
Things that I do to make my surfing more secure, are:
* I use two browsers -- one for general surfing and one for mail and money matters.
* I don't have any other windows or programs open while doing online banking.
* For money stuff, I don't let the browser remember my password (eg FireFox offers to remember my MB password, but I always say "no").
* I don't use my money stuff passwords for any other purpose.
* I don't use my mail account passwords for any other purpose.
What else is there?


- use your own browser, i.e., a portable one, when you're on a public terminal.
- use an on-screen keyboard, also a portable one, when logging into your account.

another note:
there have been several illegal attempts to access my moneybookers account recently. although it may be just a coincidence, i also got a lot of information requests from agencies in the same period. so, i think it would be better to separate the email for finance related stuff from the one you use for correspondence.

[Edited at 2008-10-08 09:53]



Tomás Cano Binder, CT  Identity Verified
Spain
Local time: 00:49
Member (2005)
English to Spanish
A solution - When travelling, use your own work computer... Oct 8, 2008


Samuel Murray wrote:
* When surfing at internet cafes, it is often enlightening to check the cookies and/or the browser's password remember section. Many people allow the internet cafe's computer to remember all sorts of details about them.


My solution: using my own office computer to make any bank or Paypal transactions over the web when I am away.

I use an encrypted remote control service to log in, and in order to get into my office computer you need to know two separate passwords. The remote control system does not leave any trace (not a single cookie and of course no typed information) in the computer at the hotel or internet cafe.



Samuel Murray  Identity Verified
Netherlands
Local time: 00:49
Member (2006)
English to Afrikaans
TOPIC STARTER
Secure login for PayPal? Oct 8, 2008


Mulyadi Subali wrote:
if you open paypal account on a tab in firefox, close it (ctrl + w) then restore it (ctrl + shift + t), you can still access your account without having to re-login. scary?


This would only be possible if PayPal doesn't use a secure login (https). MB does use https, and on the login screen it reminds users to check if the address bar says "https" and if there is a little lock icon somewhere near it.

Can we get confirmation from other ProZians about PayPal using unsecured logins?


xxxJPW  Identity Verified
Local time: 23:49
Spanish to English
HTTPS Oct 8, 2008

As far as I am aware (I don't use it that often) PayPal does use https, i.e. secure login: it would be unbelievable if they did not!

If you look to the left of the address bar, there is quite a large green lock symbol: you can double-click this for more info on the security of the site (I think it is authenticated by Verisign or similar).

If you see a PayPal screen without https, then that to me is a fake website, a phishing one, and you should not use it.

[Just recently I have been receiving e-mails from several UK 'banks' (with whom I have no connection), asking me to "click on the link to verify your account info."

They also come with an attachment of the type .gif, which, if you clicked on it to download (curiosity having a notorious reputation for killing cats), you'd be in real trouble. It would be one of those trojans which logs your keystrokes, thus learning your passwords.]

As for moneybookers, I have read so much bad press about them that I give them a wide berth.


xxxJPW  Identity Verified
Local time: 23:49
Spanish to English
One more thing... Oct 8, 2008

I also use web-based e-mail, and I have noticed that genuine e-mails from PayPal (I got one this morning, coincidentally) and Proz.com too (and others) have a small golden key symbol in the "From" field, which means the domain from where it is sent is verified as authentic. Just one more little item to look out for when trying to figure out the real from the spoof, especially when it involves password security or online banking and that sort of thing.


Marie-Hélène Hayles  Identity Verified
Local time: 00:49
Italian to English
Moneybooker Oct 8, 2008

My moneybooker account was hacked a few weeks ago, and I'm pretty sure that whoever did it had managed to hack into my e-mail account (thereby accessing all the personal info they needed). They didn't delete the e-mails "failed login attempt" and "lost password request" though, which is how I found out about it an hour later when I came home from the gym. (I'm sure it was my e-mail account that had been hacked as at the same time I also received password assistance and password revision e-mails from Amazon.com, where I had an account that I never use.)

Anyway this was a month ago now, I have had no response from MB to my e-mails about the matter and no response to my request to close my account (they had locked it, so I'm not allowed to close it myself - I need their approval, when they deign to get round to it).

So my advice is simply not to use MB - it's not their fault my e-mail account got hacked, of course, but their client service is frankly appalling, especially when you consider the nature of their business.



Samuel Murray  Identity Verified
Netherlands
Local time: 00:49
Member (2006)
English to Afrikaans
TOPIC STARTER
What is the difference? Oct 8, 2008


Marie-Hélène Hayles wrote:
Anyway this was a month ago now, I have had no response from MB to my e-mails about the matter and no response to my request to close my account (they had locked it, so I'm not allowed to close it myself - I need their approval, when they deign to get round to it).


What is the practical difference between a locked account and a closed account?

MB is a UK company, so I'm sure there must be watchdogs you can set on them.



Mulyadi Subali  Identity Verified
Indonesia
Local time: 06:49
English to Indonesian
locked account @ mb Oct 9, 2008

imo, a locked account means that you can access your account but won't be able to do anything with it. a closed one means you don't have any access at all.
my mb account got locked several months ago. apparently, they imposed a new requirement in which account holders should send credentials, i.e., a copy of passport etc. unfortunately, i was never contacted directly on this issue. no email at all.
i did contact their support, but never got any reply. i then called them, and only then did they tell me about the problem.
after i sent them a copy of my passport, they unlocked my account, then everything was back to normal. personally, i still prefer mb to paypal as it has a lower fee.



Marie-Hélène Hayles  Identity Verified
Local time: 00:49
Italian to English
difference Oct 9, 2008


Samuel Murray wrote:

What is the practical difference between a locked account and a closed account?

MB is a UK company, so I'm sure there must be watchdogs you can set on them.


If I close it I will no longer have an account, which might hopefully stop all the "failed login attempt" e-mails - yes I know some of these are attempts at phishing, but every one I've received and actually checked has genuinely come from Moneybookers. It also means that my details will no longer be there for any other hackers to see. Frankly I have no trust left in MB whatsoever and I'd prefer to remove all my information from their website - if only they'd let me! But I am understandably reluctant to send them copies of my documents.

