Post by agent69 on Sept 16, 2021 16:55:37 GMT
On a related matter, be aware that some companies (like Hotmail) will recycle any email address you give up or allow to lapse. After x months of you not logging in, they return it to the mix and if somebody else happens to apply for that address they'll get it. This happened to me. I applied for an address which turns out to have been previously owned by a Mr H*****. The reason I know that: Paypal has regularly emailed me on this address for years now, despite my never being a customer of theirs, addressing me as Mr H. Mr H, the previous owner of my email address, had recorded this address with Paypal and has never rescinded it. It's permanently on Paypal's records... meaning I have access into his Paypal account! (Just a simple matter of resetting his password and I was in). In an effort to convince Paypal of the security breach, I "ethically hacked" into his Paypal account in this way, and could read his personal details, home address and account balance... but Paypal simply aren't interested. I even changed his home address to "This account has been hacked" to demonstrate the fact, and told them to look at the record, and they still weren't bothered! They're thick and I can't get through to anyone who understands or cares. They insist I'm their customer "because I own the email address on their records", and I cannot get them to understand the security problem inherent in recycled addresses. Interestingly, the exact same was true of this chap's linked eBay account, but there I did manage to speak to a techie who was savvy enough to thank me and suspend the account. Emails from that company regularly inviting me to log in to Mr H's account then ceased, but Paypal's continue to this day. The moral is, if you allow an email address to lapse, first ensure you have deleted it from all your accounts.
The moral is that if you 'ethically' hack into somebody's account you are committing a criminal offence.
Don't worry. I'll visit while you're banged up somewhere nice
Post by bernythedolt on Sept 16, 2021 23:39:19 GMT
On a related matter, be aware that some companies (like Hotmail) will recycle any email address you give up or allow to lapse. [...] The moral is that if you 'ethically' hack into somebody's account you are committing a criminal offence.
Don't worry. I'll visit while you're banged up somewhere nice
😁 Possibly, but my defence is they keep sending me emails inviting me to log in to this account and review their latest T&Cs, etc. If PayPal prosecute, they'd have to reveal they've operated a pretty grave security flaw over several years, potentially affecting probably dozens or hundreds of customers by now. Companies tend to bury this stuff, not highlight it. But if I go dark for a period, you now know why 😁.
Post by bernythedolt on Sept 16, 2021 23:45:31 GMT
Post by mfaxford on Sept 17, 2021 8:51:42 GMT
The question is what makes it ethical hacking. The first step is probably to have some sort of agreement/permission from the organisation that you can "ethically hack" them. If you don't have that permission then it's not ethical hacking. As for talking to the right person to raise a security concern, that can sometimes be a challenge, especially if you're having to go through the standard customer services route. For the PayPal case, I'd probably try the regulatory approach and ask for it to go to their GDPR or financial compliance people before you take the matter up with the ICO/FCA.
Post by adrianc on Sept 17, 2021 8:59:00 GMT
...but I feel I should still have the right to search through old, legitimate ones if ever necessary.
That's entirely within your power. Instead of using webmail (it's a useful backup, but it's godawful to actually use), simply set up a mail client such as Thunderbird (https://www.thunderbird.net) on your machine, and point it to the mail account.
community.talktalk.co.uk/t5/Articles/Email-settings-IMAP-amp-POP3/ta-p/2204399
Download all your old mail. It's on your machine. If you only have a phone or tablet, that already has a mail client app built in. It works in exactly the same way. Then, do the same with your new mail account - and you can copy/paste all that old mail over into it, should you wish.
Post by michaelc on Sept 17, 2021 10:26:03 GMT
On a related matter, be aware that some companies (like Hotmail) will recycle any email address you give up or allow to lapse. [...] The moral is that if you 'ethically' hack into somebody's account you are committing a criminal offence.
Don't worry. I'll visit while you're banged up somewhere nice
It was a nice story and made me think twice, as I'd assumed something like Paypal would need more than just access to the registered email in order to hack, i.e. 2fa, or a change of password requiring something else in addition to an email link to click (?). The law around computer misuse was created for a reason. I'd think even less of the justice system if it handed down a criminal record to someone for doing what btd apparently did. As an aside, I used to hate those info security types at work. Security at all costs without considering the costs of over-burdensome security vs it being too lax. Reminds me of some epidemiologists...
Post by bernythedolt on Sept 17, 2021 10:46:50 GMT
The moral is that if you 'ethically' hack into somebody's account you are committing a criminal offence.
Don't worry. I'll visit while you're banged up somewhere nice
It was a nice story and made me think twice as I'd assumed something like Paypal would need more than just access to registered email in order to hack. i.e. 2fa or change of password requiring something else in addition to email link to click (?). [...]
You might think so, but it really was as easy as I described. Must have been well over a year ago that I last logged in and changed his address (temporarily, to convince them during my phone call to explain the security lapse - following which I reinstated his original address). Perhaps by now they have introduced a second factor in line with many organisations. I'm not going to push my luck and try again though...😁
Post by mfaxford on Sept 17, 2021 10:55:48 GMT
It was a nice story and made me think twice as I'd assumed something like Paypal would need more than just access to registered email in order to hack. i.e. 2fa or change of password requiring something else in addition to email link to click (?). [...] [...] Perhaps by now they have introduced a second factor in line with many organisations. I'm not going to push my luck and try again though...😁
In a lot of cases I think 2fa is something you have to actively turn on. Some older services/accounts may not have a mobile number registered which then makes 2fa harder (or at least slower and more expensive). There is some 2fa available on Paypal, I was getting annoyed by it a few weeks ago as it logged me off after a few minutes and wanted a 2fa sms on each login (sounds similar to comments about a P2P company that recently added 2fa which is now unlikely to get my mobile number).
Post by bernythedolt on Sept 17, 2021 11:00:18 GMT
Post by michaelc on Sept 17, 2021 11:21:28 GMT
[...] Perhaps by now they have introduced a second factor in line with many organisations. I'm not going to push my luck and try again though...😁
In a lot of cases I think 2fa is something you have to actively turn on. Some older services/accounts may not have a mobile number registered which then makes 2fa harder (or at least slower and more expensive). There is some 2fa available on Paypal, I was getting annoyed by it a few weeks ago as it logged me off after a few minutes and wanted a 2fa sms on each login (sounds similar to comments about a P2P company that recently added 2fa which is now unlikely to get my mobile number).
For anything other than something that could directly cost me a significant sum of money, I also don't like it. But some companies (and I'd naively assumed paypal) would ask for something else on reset, e.g. d.o.b. or "memorable" information etc. I'm not in any way doubting Berny's story though by the way.
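The recycled-address takeover in bernythedolt's first post and the "something else on reset" point just above, as an added defender-side example that is not from this thread or from any company named in it: the service stamps each reset email with the RFC 7293 Require-Recipient-Valid-Since header, the mailbox provider bounces it if the address changed hands after that date, and the service then falls back to a second factor instead of an email-only reset. The addresses, dates and in-memory provider table are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

RRVS = "Require-Recipient-Valid-Since"  # header defined in RFC 7293


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed mailbox-provider table: address -> when its CURRENT holder received it.
# mrh@example.com models the thread's recycled address: the old owner let it lapse and
# a new user was assigned it in 2019; alice@example.com has had one owner since 2010.
MAILBOX_ASSIGNED = {
    "mrh@example.com": utc(2019, 3, 1),
    "alice@example.com": utc(2010, 6, 15),
}


def build_reset_headers(address, email_bound_at):
    """Sender side: state when the service last confirmed this user owned the address."""
    return {"To": address, RRVS: f"{address}; {format_datetime(email_bound_at)}"}


def mailbox_accepts(headers):
    """Receiver side (RFC 7293): deliver only if the mailbox has not changed hands since
    the date the sender confirmed ownership. False stands for a 5xx rejection."""
    stamp = headers.get(RRVS)
    if stamp is None:
        return True  # legacy sender with no header: delivered blindly, the thread's failure mode
    address, _, valid_since = stamp.partition(";")
    assigned = MAILBOX_ASSIGNED.get(address.strip())
    if assigned is None:
        return False  # unknown mailbox
    return assigned <= parsedate_to_datetime(valid_since.strip())


def reset_decision(address, email_bound_at, has_second_factor):
    """Service policy: an email-only reset is acceptable only while the link can still
    reach the person who bound the address; otherwise demand another factor or a human."""
    if mailbox_accepts(build_reset_headers(address, email_bound_at)):
        return "send-reset-link"
    if has_second_factor:
        return "require-second-factor"
    return "escalate-to-support"


if __name__ == "__main__":
    for addr in MAILBOX_ASSIGNED:
        print(addr, reset_decision(addr, utc(2015, 1, 1), has_second_factor=False))
```

The recycled address gets "escalate-to-support" rather than a reset link because the provider reassigned it after the service last confirmed ownership; a service that re-verifies the address after that date would be allowed to send again.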
Post by overthehill on Sept 17, 2021 11:23:10 GMT
Ethical hacking usually requires permission from your employer or client and it means simulating a real criminal hacker. If you don't have permission, I don't know how the boundary between ethical and criminal is defined or decided by companies and governments. I'm fairly sure companies like Google pay people to uncover vulnerabilities, but what happens when the hacker gains access, delays notifying Google and Google discover the break-in?
I know someone who did that course, it has a lot of general computing theory as well, I'm sure there must be other unis doing something similar by now.
Post by bracknellboy on Sept 17, 2021 12:12:54 GMT
In a lot of cases I think 2fa is something you have to actively turn on. [...] For anything other than something that could directly cost me a significant sum of money, I also don't like it. But some companies (and I'd naively assumed paypal) would ask for something else on reset. e.g. d.o.b. or "memorable" information etc. [...]
In the last few days I've experienced how difficult 2FA can be for those who are elderly/diminished concentration/cognitive skills. I now fully understand how my father recently managed to get into a position where both his bank cards were invalidated and unusable, and he couldn't log in online for a period. Though I still don't understand - or forgive - the bloody awful bank which made his life a misery for several months by failing to properly engage to get it sorted, even more so when the 'dedicated' 'aged support line/service' then treated him like an idiot, didn't solve the problem, and consequently made the situation that much more difficult. For logging onto his bank, he requires his username, password and a separate pin, of course. He was then being required to:
a) put his (and not my mother's) debit card system into his card reader
b) press the right buttons before entering another pin into the card reader
c) enter the resultant 8 digit code into the online system.
If banks want to properly support their aging customer base and help them to be independent, they really need to get far more serious and focussed.
Post by bernythedolt on Sept 17, 2021 12:28:22 GMT
In a lot of cases I think 2fa is something you have to actively turn on. [...] For anything other than something that could directly cost me a significant sum of money, I also don't like it. [...] I'm not in any way doubting Berny's story though by the way.
I'd have nothing to gain by wasting time inventing stuff... and I've outlined the situation twice before:
p2pindependentforum.com/thread/17924/paypal-security-loophole
p2pindependentforum.com/post/432041
A bit of googling today suggests Hotmail accounts at least are no longer being recycled.
Post by bernythedolt on Sept 17, 2021 13:23:19 GMT
Ethical hacking usually requires permission from your employer or client and it means simulating a real criminal hacker. [...]
I know someone who did that course, it has a lot of general computing theory as well, I'm sure there must be other unis doing something similar by now.
They do, it's called penetration testing and it's conducted by experts determined to break in, armed with all the hacking tools available. For my last several years at work, I used to configure and maintain all the firewalls in my medium-sized organisation. I used to take great delight in reading the pen testers' reports after they'd been in and tried to hack the various departments. It was always a stressful experience, but they never once managed to defeat my configurations! I retired contented. 😎
Post by james100 on Sept 17, 2021 15:19:19 GMT
In the last few days I've experienced how difficult 2FA can be for those who are elderly/diminished concentration/cognitive skills. [...] If banks want to properly support their aging customer base and help them to be independent, they really need to get far more serious and focussed.
Sounds like Barclays. The most customer-unfocused bank in the world. I'll spare you my stories (of which there are many, gathered carefully over the past 30 years) except to say that apart from the most basic bank account they should be avoided at all costs. Whoever it was, I'm angry with them on your father's behalf.