Open Source and information security mailing list archives
 
Date: Fri, 1 Apr 2005 10:55:30 -0500
From: "Jeremy Rasmussen" <jeremycec@....com>
To: "bugtraq" <bugtraq@...urityfocus.com>
Subject: PayPal "security" measures


When you log in to your PayPal account, you now get a message asking you to 
reconfirm your credit card and/or bank account number.  This seems to me to 
be training people to be phishing victims.  I don't know of any other 
financial site that has asked me to reconfirm this data.  Why does PayPal 
need it?  I can't contact them about this because they always throw up that 
"randomly selected" screen wanting my sensitive info before I can even email 
them or leave feedback.  How hard would it be for a phisher to guess the 
last two digits of your PayPal account with some random number generator?
    Jeremy R.

From www.paypal.com:

Security Measures

We are currently performing regular maintenance of our security measures. 
Your account has been randomly selected for this maintenance, and you will 
now be taken through a series of identity verification pages.

Protecting the security of your PayPal account is our primary concern, and 
we apologize for any inconvenience this may cause.

Please choose ONE category, then fill in the correct information for that 
category to verify your identity.

For your security, PayPal will never ask you to re-enter your full bank 
account, credit, or debit card number without providing you at least the 
LAST TWO DIGITS of the number. These digits let you know that we already 
know the full number and are asking you for the rest of it. Beware of any 
website or email asking for these numbers for "verification" that does not 
PROVE that it knows the number by providing at least the last two digits. 

