E-Privacy (Postscript)

Bronx over 11 years ago 1 minute read time

I find it ironic that as the author of E-Privacy, my own personal PayPal account got hacked into over the weekend. Needless to say, I was robbed of more than $300. I understand the humor here so please take a moment to laugh. Done? Good, now let's learn from this unfortunate event.

Password Protection

After speaking at length with the security people at both PayPal and my bank, I have a pretty good picture of how the thieves pilfered my account. My account was the victim of a brute force attack. From what I've learned, the thieves used this method to attack multiple random accounts until access was granted. Once access was granted, the thieves would steal a small sum of money in the hopes of having hacked a corporate account, where the absence of such small sums often goes unnoticed. At the time, my password was eight characters long and a mixture of various alphanumeric characters. I thought a password of this strength was fairly safe seeing as how the code to launch nuclear weapons in the movie WarGames was only ten characters. (Let's pray the government sees this article and ups their nuclear warhead codes to at least 128-bit encryption!)

The Discovery

Saturday morning I received several emails from PayPal confirming that my "donation to Africa" had been processed. At first, I thought this was just your typical phishing scam. However, as a matter of practice, I manually logged into my accounts (as opposed to clicking the links in the emails - never do that) to verify my money was safe. It was not. The money actually was removed from my bank account via PayPal and transferred out of the country.

SolarWinds Customer?

Fortunately for the SolarWinds customer, our products, like NPM, SAM, and WPM, among others, are very secure and continue to grow stronger at breakneck speed.

The Postscript

Even after taking all possible precautions, I was still vulnerable. At this point, the only thing left to do was to create longer and more difficult passwords and disassociate my bank account with PayPal (at least temporarily). The good news is I will get my money back. The bad news is...the hassle just sucks.

Top Comments

Bronx over 9 years ago +2

Life lesson #1694: RTFM.
kevincrouch4 over 9 years ago +1

A lot of people think that they can just let the card chill and they’re not responsible “Oh, but that’s not my signature, I’m not responsible” “I didn’t give them my pin you shouldn’t have taken it” and…
kevincrouch4 over 9 years ago +1

jkump over 8 years ago

I found out my debit card was toasted by the Home Depot breach. My bank called me, told me the issue, informed me that my card was dead, and informed me that I had to stop by and choose the "style" of my new card. I had a replacement 24 hours later. Sooner or later we are all going to go through this.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
kevincrouch4 over 9 years ago

I actually work at best buy and I've had customers try that on me. My manager was about to make me match it (even though I was showing him on our computer that the price was wrong!) when I asked to see their tablet and hit refresh. They claimed it "must have changed in the last few minutes" >.> I hate people
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
clubjuggle over 9 years ago

No. Verisign VIP and Google Authenticator are both timer based, much like a physical token.
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
kevincrouch4 over 9 years ago

Did you still have Wifi on while in airplane mode?
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel
clubjuggle over 9 years ago

PayPal now supports 2FA using the Verisign VIP Access app as a virtual token. It works even without a data connection (I tested it in airplane mode).
- Cancel
- Vote Up 0 Vote Down
- More
- Cancel