PayPal Data Breach Notification (apps.web.maine.gov)
2 points by pmoriarty | 2023-01-26 04:40:26 | 95 comments




Two weeks to detect (not great), another month to disclose (worse).

"Only" 35k affected so must be some narrow scope. The linked page doesn't seem to provide more details.


There was nothing to detect and there was nothing to disclose; it was a stuffing attack. It was the fallout of another company's breach. They took the proactive course of action to mitigate and inform their customers, which should be applauded and not condemned.

Apparently I can't read today, sorry for the stupid comment. Can't edit it anymore.

If I read this correctly this is a case of credential stuffing, meaning the breach isn't really related to PayPal as much as people had credentials stolen in other places and had used the same ones at PayPal. Maybe PayPal needs to enforce 2FA if they don't already. The SMS 2FA factor should be discontinued for any financial or otherwise important/sensitive service, as SIM jacking is apparently quite easy.

But anyone with properly secured accounts seems to not have been affected by this breach.


PayPal, at least for me, forces FaceID and an SMS 2FA to access it at all which is crazy. Probably would be great if they moved away from SMS though :(

You can enable or disable Face ID from the settings. Just curious, why is using Face ID crazy?

I've had to ignore my account. I originally wanted TOTP 2FA, but it wasn't an option. I set up 2FA through Google Voice because my number changes frequently. A few years later I tried to log in and Google Voice had been blocked as a 2FA option for SMS. I went to seek support and you, circularly, need to be authenticated to get support for authentication, and asking support on Twitter got me banned from their account.

Over the last 2 years I've directly emailed all independent sellers to set up alternative payment options so as not to go through such a careless operation.


Same. Cannot log into my PayPal account any more, because they don't accept Google Voice numbers as valid phone numbers any longer.

Always have a backup payment processor. PayPal especially, but even Stripe will shut you down or freeze your balance with little recourse.

Amazon killed my parents' business by sheer incompetence, and support took a year to get partially back to operation, by which time it was over.

Facebook incorrectly nuked my wife’s Instagram account and hopes of becoming an influencer. No recourse.

Google can ban your account with your email with no recourse. You lose your email history, contacts, documents, etc with no way to login to a myriad of online services.

I’m really low on patience with the big tech companies. I hope the government reins them in.


As much as I have sympathy for the pain (besides the influencer thing) - what exactly do you expect from the government here?

And I say this as European, I mean, we at least have some regulations...


I think support shouldn't be 100% automated. The big tech companies are automating everything and sometimes those false positives need to be corrected and there isn't a way to actually do so. I don't know how the government could enforce proper support but I believe something as simple as requiring the ability to discuss your critical issue with a human being as a start.

Then you get into what is a 'critical' issue but I think being locked out of your account that is used as a gateway to multiple other accounts qualifies.


Believe it or not here in the US we have a lot of regulations as well. They're just designed to favor the big guy.

That's not what the rest of the world considers a "regulation".

I believe those are called barriers to entry to protect vested interests. Also known as pulling the ladder up behind you. Why that works in the US is beyond me. I recall a recent study from one of the Ivy League schools that shows that historically the elected representatives favor the elite over the people in the US.

I think the elected representatives have to represent the people, otherwise you don’t really have a democracy, right?


In Germany, there has been a high-level court decision last year about requiring a "proper" recourse process[1].

[1]: https://www.sueddeutsche.de/politik/facebook-bgh-urteil-1.53... (German)


>As much as I have sympathy for the pain (besides the influencer thing)

Why not? You have no clue what she was doing and it's a totally viable source of income for plenty of people.


Because influencer is another way to say individual advertiser. Nobody wants more advertising.

If that were true, influencers wouldn't exist. Clearly they can make money because they add value for people.

If that value is actually improving people’s lives it’s another matter, but from an economics standpoint it seems to exist.


Advertising works because it is a psychological hack. Influencers are using the same hack and once it becomes more than a passion or hobby project then the monetary incentive perverts their judgement.

I'm all for people sharing their knowledge and hobbies to inform others but the term 'influencer' has a connotation in which they are earning money from 'influencing' others and that seems an awful lot like basic advertising to me.


>I'm all for people sharing their knowledge and hobbies to inform others

And I'm all for them getting paid to do so. I'm not sure where you draw the line. Is a cocktail influencer sharing a cool hobby or pushing a product? The answer is usually "both." So where do they fit in for you?


If the cocktail influencer started making videos with the intent of getting paid then their judgement is already clouded. Even if they decided they wanted to do the morally correct thing and give honest reviews, their livelihood now depends on this income and as such they are biased subconsciously. Ultimately they are self-employed advertisers. We need less advertising in this world, IMO.

So making movies with the intention of getting paid means my judgment is clouded? Can’t a job be a job? Does it have to always be in the service of some grander or more artistic purpose?

You aren't wrong. "Influencer" is another word for "manipulator" and the world sure doesn't need more ads, but companies wanting to take from us love influencers because a lot of people, children especially, consume that "content" without even recognizing that they're watching an ad.

I think you missed my point. The fact that these people have the audience that they have is because people want to see their content.

Whether or not they monetize that via advertising or not it’s largely irrelevant to that value proposition.


> Nobody wants more advertising.

Seems plenty do given the number of influencers who have made it into basically a career. I in some way share your cynicism towards it, but there are plenty of jobs we don't "need" yet don't look down on in the same way. For all you know this guy's wife is spreading valuable information and genuinely helping people. Not all influencers are Andrew Tate and such. Hell my wife's cousin is big into legos and has a thriving instagram showing off their builds and talking about what goes in to them. Tons of hobbyists genuinely enjoy their insight. I don't see the harm.


If a company has your livelihood, bank balance, etc by the balls - they should at least be required to offer a minimum level of human support with a path for escalating things or a way to reasonably handle disputes with a neutral adjudicator. The stakes are too high to simply leave decisions up to algorithms.

> If a company has your livelihood, bank balance, etc by the balls

Whose fault is it that people are relying on free email service (with no human support) for critical things like livelihood, bank balance, etc.? Is the provider of a free email service liable for the damages they can cause? What do their terms and conditions say about it? Do they have a disclaimer in there for this kind of things?



At the very least the right to get a dump of your data after they close your account.

Also, for money things like PayPal, they should only be able to hold your funds for a reasonable amount of time, then they have to transfer them to your bank account. They should not be allowed to just keep your money.

For sales of digital items, they should not be allowed to revoke your access to the items you have bought. Maybe they should just have to provide a basic file download for a certain amount of time.


At a minimum long term freezing an account with a positive balance should be treated as simple theft.

It’s fine if they want to arbitrarily flag something as fraud and refund money, but saying something is suspicious therefore we keep your money isn’t.


They should have to pay interest on seized funds. Like fed rate +5%. Then it will only happen in serious cases and they will resolve it quickly.

Regulations that could be imposed:

1. When a service is blocked or terminated, the terminating company must provide clear and specific reasons for the termination (they almost never do this now)

2. Additionally, there must be a human support channel to discuss the matter - even if it requires payment for the privilege of gaining support help (think 900 numbers of the past)

3. Human support and decision paths must be documented and followed such that a final decision can be understood within the context of the rules of the organization (thereby enabling possible efficient legal options for the consumer to further dispute the ruling)

4. As other people have noted, having access to export your data if you are being permanently blocked from the service

5. Having financial compensation (refunds) or post-service DRM access to content you have paid for


There are lots of things government could do. Start with codifying some concepts that define when a service is responsible for having too much impact on a user's life, and attach responsibility to that, instead of just 'private company, do anything you want'.

It's not an accurate or sufficient or desirable representation of reality to allow these various big companies to actively seek out having you entrust them with parts of various critical paths in your life, and then be able to nuke those with no protection or recourse on your part.

In 1975, when no one had an email address or a cell phone, and neither were required to do anything in life, it was fine to treat them like luxuries that, if you lose them, so what?

That was still true but just a bit less so a few years later, and it's just been gradually becoming less so every year, and by now, it is simply not true at all.

It should essentially be illegal for a service provider to completely break some of these services without some sort of graceful shutdown or hand-off process, in the same way and for the same reasons it's illegal to shut off electricity and gas and phone in a lot of cases even after the subscriber has failed to pay. They get shut off eventually of course, but there are exceptions and ways for the subscriber to fight, and they are mandated by the government, not out of the goodness of the power companies' hearts. Basically the power company isn't allowed to just let grandma freeze in the winter even if she fails to pay. It's not unfair to the power company. The investors in the power company are free to be in some other business if they don't like those terms.

Today, an email account should not be treated the same way as a spotify account, even if you're not even charging money for the service. If you don't like that, you don't have to offer an email service at all.

The requirement I imagine is some minimal level of continued function enough to complete other account management procedures, which means being able to both receive and send at least some emails. Maybe a limited amount, maybe limited attachment size etc, but enough to at least send the one or few emails from the previously recognized address to other parties as part of the proof of identity to direct them to a new address.

This even in cases where the account was terminated for supposed cause like illegal activity.

This means that one of the other things government can do is recognize that exception for liability. The government can determine not to penalize a service provider or allow others to sue them for having one of these accounts active at that limited level of functionality if the account sends someone a phishing email or something.

Or maybe the procedure is that the accounts do stop functioning so no email is passed, but it can still be used by the owner to contact the service provider to invoke some kind of recourse procedure if they need it. So the spammer is blocked but mom can still jump through hoops and eventually regain access, including old mails and maybe even including unread mails received while it was down.

There are all kinds of things a government can do, and fully fairly and defensibly and officially, just by codifying some principles.

What do I expect from the government? Something. They can absolutely do something. It's work to work out exactly what and how and develop some consistent rational legal theory to base it on, but it is literally their job to do exactly that.


The problem is that few card processors will underwrite you for your small transaction volume at the start, so PayPal/Braintree and Stripe are go-to solutions with the promise to scale up without ever needing to rewrite your payment processing code. Once you get big, you can either seek out a real contract with the services (but this requires a lot of scale) or go for something like Adyen or Chase which seem to still require some level of scale but not a million dollars a day or anything.

You should be able to have them close your account by sending them a formal letter.


PayPal works fine with my Google Voice account. I get the SMSs and copy/paste them into the field.

I don't like the term credential stuffing. It is inaccurate by definition. Stuffing - "a material or substance used to stuff something".

What alternative names could we use?

Credential attack?

Credential reuse attack?

Secondary credential attack?


It's a verb.

to stuff - to push something into a small space, often quickly or in a careless way

https://dictionary.cambridge.org/dictionary/english/stuff

As in "I am going to try these credentials quickly and carelessly and see if they get me in."


Credential spray-n-pray

Credential stuffing and password spraying are two distinct classes of attack. [0] Stuffing is when you try passwords for certain users (hoping they re-used a known password), and spraying is when you try common passwords for every username.

[0] https://security.stackexchange.com/questions/209266/what-are...


I don't use PayPal but was told by a user that their 2FA SMS system isn't really a second factor, but rather it replaces the password. Basically when you log in (with username only) it sends you an SMS code and you enter the code to log in with no password necessary. So basically this becomes a single factor.

I hope they got rid of this feature now and went back to "traditional" 2FA requiring both a password and code.



And people (especially here on HN) really can’t see why so many are invested in and believe in crypto / bitcoin?

Your data is being hoarded by incompetent people in giant, minimally secured databases not to provide you with a better service, but to make a very small number of people bucket loads of money.

They put in minimal viable effort to provide a minimal viable service and make money hand over fist without consequence when their incompetence results in the data that you entrusted them with being compromised.

Once that data is "compromised" it is free for anyone to use for any reason, outside the ToS defined by the org. They are not held accountable; there is a proven record of no oversight nor any accountability.

Do you really wonder why people are putting their faith and confidence in physics / mathematics with crypto as opposed to these joke methodologies?

Look around you. The system is on fire. Get out while you still can.


And people (especially here on HN) really can't see why so many are invested in and believe in actual money?

Your shitcoins are being hoarded by incompetent people in giant, minimally secured exchanges not to provide you with a better service, but to make a very small number of people bucket loads of money.

They put in minimal viable effort to provide a minimal viable service and make money hand over fist without consequence when their incompetence results in the cryptocurrencies that you entrusted them with being rug-pulled.

Once that crypto is “compromised” it is free for the attacker to use for any reason, outside the ToS defined by the exchanges. They are not held accountable, there is a proven record of no oversight nor any accountability.

Do you really wonder why people are putting their faith and confidence in actually regulated currencies as opposed to these joke shitcoins?

Look around you. The Web3 is going great[0]. Get out while you still can.

[0] https://web3isgoinggreat.com/


The common retort to this is, "well you should be holding your coins in your own physical wallet".

Usually from a person who stores their life savings of dogecoin in some weird 25% APR Ponzi.


Ah, I remember the Ledger customer data leak. Just as incompetent, even for a hardware wallet.

Your argument entirely relies on the assumption that the OP stores significant amounts of funds on an exchange.

The vast majority of crypto owners are on exchanges.

It’s a fair assumption the OP is not one of them given the website we’re on, and their stated opposition to handing custody of their funds to others.

Also, plenty of retail “investors” seem to be moving away from the exchanges:

https://www.reuters.com/technology/cryptoverse-bitcoin-inves...


Don't know about crypto, but for Bitcoin:

~11% of the Bitcoin supply is held by exchanges, and it decreases on average by 2,500 BTC per day or ~5% per year (over the last 3 years).


That just means they are not stored there as often, not that the exchanges aren't where most bitcoin-related transactions happen.

PayPal is analogous to an exchange though so the argument could be flipped that people who use fiat currencies should just stop using PayPal.

Clearly ignoring the existence of exchanges doesn’t help further the debate.


Just use Bitcoin. Don't trust anyone except yourself. You can store your coins in your phone, hardware wallet, paper wallet. You can encode it in steel and bury it in your backyard. You can "horcrux" them (e.g. via MultiSig or SSS) and store the parts (and copies of them) at different locations (friends, family, attorney, ...). Or put them in a safe deposit box if you like. Put a small amount on your phone and you can send them in seconds via the Lightning Network to anyone in the world at minimal fees, without relying on or needing permission from anybody else.

Few actually need custodial services and nobody needs the greedy shitcoin casino. Decentralize. Be your own bank.


Don’t use an exchange?

This isn’t as clever as you think it is, and it will not age well. Fiat does not have a future within a spacefaring civilization.

Cryptocurrency is not an exchange. Bitcoin is not an exchange. The technology is unprecedented and revolutionary. It removes parasitic intermediaries and allows the common man to transact at light speed directly with each other.

The same old parasites are hard at work to inject themselves in the process. How anyone could conflate centralized exchanges with decentralized protocols is beyond me. May as well complain at the sun for being hot or complain at water for being wet.

Water is a good example actually. You know, it is possible to drown with water, should we all stop drinking it? Some people even take the water, bottle it up, then sell it back to us. Those companies must be water, I don’t like them. We should stop using water because it’s centralized with Nestle.


Wow. Haven't seen one of you in the wild for a while now.

Trust me, you’ve never seen one of me before.

I’ve had a couple instances of fraud on my Bank account. Every time it was refunded in full within 2-3 business days.

Beyond that all of my cash is insured by FDIC. If Bank of America decided to pull an FTX and scam away my money I’m getting it back.


Just remember FDIC insurance has limits; I know you know how much you have and it might not be over the limit but folks should know “all of my cash is insured” may not be entirely accurate.

Correct, the limit is $250k for anyone curious. It’s $250k per co-owner for joint accounts.[1]

[1]https://www.fdic.gov/deposit/diguidebankers/documents/joint-...



I’m not going to name my credit union.


Bitcoin ledgers are public so your data is still out there.

Plus cryptocurrencies are subject to practically zero oversight and accountability, so the situation is even worse there. Hence why you hear about so many exchanges going bang.

The problems cryptocurrencies attempt to solve are different from the arguments you’re favouring them for.


Cryptocurrency exchanges are not the same thing as cryptocurrencies. And not all exchanges are created equal.

Yes it is the wild west out there and consumers have gotten hurt. It is unfortunate. But crypto does serve a real and needed function of decentralized digital cash. I'm optimistic we'll have good regulated exchanges someday.


PayPal isn't the same thing as fiat currencies either — it's more analogous to an exchange. And since we are already talking about PayPal and cryptocurrencies, crypto exchanges should be in the scope of the conversation as well.

What are the chances this is bigger than they claim?

Most companies wouldn't even act on a credential stuffing attack against their users. They'd shrug and say 'not our problem if our users don't secure their passwords properly'.

Kudos to Paypal here for considering it a breach, and reporting it as such.


And I'd agree. Their lawyers probably made them do it.

As a bank, your agreements are with the actual humans, and your duty is to protect their money.

The fact that you choose to use usernames and passwords to authenticate humans is your choice. It is well known that humans don't secure passwords well (reuse, writing on postit notes, etc). As a bank, any losses attributable to someone evil finding/guessing a password are your own.

That's why credential stuffing counts as a breach. Even though most banks will try to tell you that it's your responsibility to protect your passwords, the law doesn't see it that way.


> As a bank

Technically, Paypal is not regulated as a bank (per FDIC). That said, they certainly have immense fiduciary & privacy duty to their customers considering the format of their business.


> Technically, Paypal is not regulated as a bank

PayPal has a banking license in Luxembourg which allows them to operate in Europe.

I guess it depends on the region/country.


Well that sucks for those of us who can use passwords effectively, instead we all get this SMS 2FA crap which is both more annoying and less secure.

PayPal now supports FIDO U2F keys like the Yubikey (a very recent addition, only a month or two old). Unfortunately, they do it wrong and only allow you to register a single key, which means you will be locked out if you break or lose it.

Lots of companies deal with credential stuffing, especially a large targeted attack.

"We have also secured the services of Equifax to provide identity monitoring services at no cost to you for two years. Below please find information on signing up for a complimentary membership to Equifax’s identity monitoring services, including key product features"

Really PayPal? You mean this Equifax?

https://en.wikipedia.org/wiki/2017_Equifax_data_breach

The security breach problem altogether has been turned into a source of extra profit for the credit reporting companies whose faulty systems, lack of data verification, and resulting poor data quality are the root cause of these issues in the first place.

The problem has never been "oh no someone stole your identity!". Identity can not be stolen, only temporarily misattributed in the eyes of one party or another.

The actual problem is that companies like banks and credit card issuers don't actually know who they are dealing with and don't want to put any effort into verifying that. Using just a few pieces of already available, static information about a customer was never enough to say you actually know who your company is signing a contract with.

Calling it "identity theft" when someone feeds your faulty signup process incorrect information is merely a means of passing the problem with your systems off to the customer. Now we're going as far as pretending the root cause of this stupidity can also sell us the cure? Nonsense.

If anyone ever "steals my identity", I'm going to sue the credit reporters for libel. They have admitted before that some 70% of their records contain inaccurate information, and they know full well that a few bits of static information is not enough to identify an individual among hundreds of millions. They also know they don't do anything to establish that any new reports coming in from partner businesses are actually real and accurate. Yet they still peddle that inaccurate information to third parties. That is the same as if a journalist made up a story saying you did some shit you didn't do. They are knowingly giving out information about a person that is either provably false or which they have no good reason to believe is true, in a way that can cause financial harm and loss of reputation. Classic libel.

Further, if some business reported that I took a loan from them when I didn't, that isn't my problem, it's theirs. They failed to adequately verify who they were dealing with. Not my problem. Reporting that inaccuracy to a third party who then broadcasts that to a bunch of other companies, is also libel.

They can make a case that they didn't know for sure that their claim that I owe them was false at the time, but they actually never had a good reason to believe it was true. Static information alone, especially that which we already know is in circulation among public entities, is not a valid way of identifying who you are dealing with. Pretending that it is anyway is just bad business.

People need to hold these businesses accountable for the damage their faulty system designs are causing.


I personally wouldn't call it a data breach as such if it's just credential stuffing, but it's great that Paypal put out a notice on it so their customers are aware.

Requiring businesses to file breach notifications over credential stuffing attacks seems completely insane to me. What's next? Breach notifications over phishing campaigns?

Perhaps the goal is to render breach notifications useless by flooding them with nonsense like this?


What's insane is thinking that a bank that handles people's money shouldn't be required to report a coordinated successful attack, regardless of whether their technology is at fault.

There are thousands of coordinated successful phishing campaigns going on against Paypal every day, what value would that reporting provide to anyone?

If all it takes is someone to download one of the countless publicly-available-on-github plaintext password compilations and automate login attempts to require a company to file a breach notification, I think all of the top services in the world would have to file one every hour.

Tried to configure 2FA on PayPal. Adding only 1 authenticator app is allowed (why not more?). Failed to recognize Yubikey in Firefox.

It's a leading payment processor. They have lots of money and developers. The state of things is a pity.


Who engineered this thing? It's not like it's rocket science.

Oh wait…


Wondering if this isn't related to the LastPass breach?

PayPal's 2FA is a bit of a joke. IIRC (this was quite some time ago) when I went to initially set up 2FA, SMS was the only option; eventually they added support for authenticators, but you can just click "get a text" instead of using the authenticator. Last time I checked there was no way to tell PayPal to only accept OTPs from an authenticator.


Probably not. "Credential stuffing" means getting a big list of formerly-leaked usernames and passwords and trying them everywhere. It mainly targets people who use low-entropy passwords or who reuse the same password on multiple sites.

Meanwhile Twitter hides my tweets about PayPal.Me still working in Russia.[0]

[0] https://news.ycombinator.com/item?id=34531489#34531574


PayPal previously refused to acknowledge a 2FA bypass vulnerability submitted to their HackerOne program.

https://cybernews.com/security/we-found-6-critical-paypal-vu...


Why do companies offer only 2 years of identity protection coverage for breaches? There are tons of these happening, and so people can wait a couple of years to use them if it's going to be less of a hassle. Of course, I don't trust that the identity protection coverage is of any use, but I'm still trying to think about the effectiveness of the data after 2 years. Is there a reason to believe the information is not useful after 2 years? Why the 2 years? It should be at least 10 years if not more to be meaningful.

> Why do companies offer only 2yrs of identity protection coverage for breaches?

Two years seems like the minimum they feel they can get away with. They just need to make it seem like they've done "something" to compensate their victims out of fear that if they didn't some regulation will come along that requires that they actually make up for the harm their negligence has caused in an actually meaningful (and more costly) way.


As a resident of the state in question, I'm curious as to why this comes from our state. Did PayPal not have to report this anywhere else?

Awesome. They are providing 24 mo identity theft protection by Equifax. So the day after the fox broke into the henhouse, they are going to secure the premises by adding a sign: "Please do not eat the chickens"

Gotta hand it to Equifax, they know how to sell nothing for something.

