http://www.proz.com/forum/money_matters/117475-how_to_hack_your_mb_paypal_account_etc.html?float=true
G'day everyone
The reason for this thread is to find ways in which we can protect ourselves. If we know how we can be hacked, then we can take steps to prevent it.
I don't use PayPal, so I don't know how one would possibly hack a PayPal account, but I do use Moneybookers, so I'd like to start this thread so that we can speculate about ways in which people might hack our money accounts. In a recent thread many people spoke about their MB accounts being hacked, so perhaps those people can tell us how they suspect it could have happened.
I've also Googled for MB hacks. One quite angry fellow gave an essential clue in his post when he mentioned that the e-mail from MB about the failed login attempt had disappeared from his Gmail account. Well, there's your clue -- it is your Gmail account that is hacked. About a year ago there was a security vulnerability in Gmail that allowed hackers to set an automatic forwarding-and-deleting filter on certain mails (e.g. if the mail contains the word "password", Gmail forwards it to another address and deletes the original mail). Read about it here: http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/ . So, if you're using web-based mail, go check your filters to see if you're not perhaps unknowingly forwarding mail to a hacker.
How to hack a moneybookers account?
Well, you need the person's password, his date of birth, and his postal code. Alternatively, you need access to the person's mail account, plus his date of birth and his postal code. Hackers do research, so the latter two can often be found.
MB will lock the account if it thinks suspicious activities are going on, so a hacker often has one shot at this (but if he knows that you're on holiday or likely asleep, he has a bit of leeway).
MB's other methods of re-authentication include making a small payment from your credit card and asking you to tell them the exact amount, or sending you a snailmail letter with a code in it, that you have to fill in on the web site.
MB requires a longish password with at least one non-alphabetic character in it, but you are allowed to use a well-known personal name as part of the password.
How to hack a PayPal account?
Well, tell me what information is needed for it. What are the password limitations, and what information does a hacker need to change your password and/or to access your password? Does PayPal ask for additional information when sending money? E.g. MB asks your date of birth every time you send money. Does PayPal send notice to you if you've made a payment? E.g. MB sends notice via e-mail when you've received money, but not when you've made a payment.
Bad habits make you hackable?
What habits of a person can make him more easily hackable? Well, the Gmail hack depended on the user having an active Gmail session open in the browser while at the same time having the hacker's web site and/or e-mail open (even in a different program).
Things that I do to make my surfing more secure are:
* I use two browsers -- one for general surfing and one for mail and money matters.
* I don't have any other windows or programs open while doing online banking.
* For money stuff, I don't let the browser remember my password (e.g. Firefox offers to remember my MB password, but I always say "no").
* I don't use my money stuff passwords for any other purpose.
* I don't use my mail account passwords for any other purpose.
What else is there?
Examples of security breaches
* The other day I re-installed my mail program on a new laptop, and found that I had forgotten one of my passwords (for a mail account I use for one client only, who insists that I use that particular account for his work). I phoned the hosting company, explained who I am and why I needed the password, and... the support guy gave me my password, over the phone!!!
* When surfing at internet cafes, it is often enlightening to check the cookies and/or the browser's password remember section. Many people allow the internet cafe's computer to remember all sorts of details about them.
* Two weeks ago I went to the bank to do a money transfer. They have little booths there where you can log into internet banking using your own account details. Near the end of my session, I must have clicked something weird because the browser window showed the login screen again. For a moment I thought, "aah, I've been logged out" and I nearly got up and walked away, but then I tried Alt+TAB etc, and I found that I had merely hidden or minimised my active session. Public terminals often have the taskbar etc removed, leaving the impression with people that their open sessions have been terminated or closed.
* Some browsers minimise to the systray, not to the task bar. You also get utilities that do this to any other program. If someone had used a computer with such a browser or such a setting, they could be under the impression that they had closed the session, not realising that in that browser, clicking the x merely minimises the browser to the systray.
I look forward to your replies. I'm particularly interested in how PayPal can be hacked and thus how PayPal users can prevent their accounts from being emptied without their consent.
Friday, March 6, 2009
Posted by vin at 12:17 AM