Hackers gained access, twice in fact, to the PayPal account used by investigative reporter Brian Krebs on Christmas Eve. However, Krebs managed both times to stop their attempts to transfer money to an account linked to ISIS.
Krebs, who has been the target of several previous unsuccessful defamation attempts (most recently he was mailed heroin from the Dark Web), believes that his account was taken over through social engineering and not by cracking his password.
“The attacker simply called PayPal's customer support, pretended to be me, and was able to reset my password by providing the last four digits of my Social Security number and the last four digits of an old credit card of mine,” Krebs says on his blog.
The second hack took place even though PayPal had promised to monitor the journalist's account for suspicious activity after the first attack, only a few hours earlier, the reporter said.
The black hats who gained access to Krebs' account tried to transfer money to the e-mail account of Junaid Hussain (yes, he of ISIS), who was recently killed by a US drone strike in Syria.
PayPal has locked Krebs' account for now. However, the whole incident is a reminder of the weaknesses of PayPal's anti-fraud systems, as well as the weakness of its mobile-based two-factor authentication technology.
The technology PayPal uses, called Security Key, did not prevent the account from being breached.
"PayPal Security Key is not useful if the company lets thieves reset your phone password using your Social Security number," said the researcher.