01-19-2016, 05:44 PM
|
#1 | I WANT MY 10 YEARS BACK FROM RS.net!
Join Date: Oct 2007 Location: Vancouver BC
Posts: 22,033
Thanked 9,822 Times in 3,903 Posts
| PSA: Paypal Phishing
Just saw a fairly clever phishing that could've fooled the average person
sender's name: service@intl.paypal.com
sender's E-mail: yerros@cloudgrwark.onmicrosoft.com
It says it's a confirmation that some (random E-mail) was just added to your PayPal account...if you didn't add this, let them know right away and it prompts you to login, on of course a 3rd party site that looks like paypal. The Email has identical logo and font as the real thing.
|
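Added example, not part of the original post: the mismatch described above (an address-like sender name in front of an unrelated sending address) can be flagged mechanically from the From: header. The function names, the brand allow-list and the second and third sample headers are constructed for illustration; the two-label domain comparison is a simplifying assumption.

```python
import re
from email.utils import parseaddr

# An e-mail address embedded in free text, e.g. inside a display name.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def registrable(domain: str) -> str:
    """Last two labels of a domain. Simplification (assumption): production
    code should consult the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def check_from(header: str, brands=None) -> list:
    """Return findings for a From: header value; empty list means no finding."""
    brands = brands or {"paypal": {"paypal.com"}}  # hypothetical allow-list
    display, addr = parseaddr(header)
    real = registrable(addr.rpartition("@")[2])
    findings = []

    # 1. The display name is itself an address from a different domain.
    shown = EMAIL_RE.search(display)
    if shown and registrable(shown.group(1)) != real:
        findings.append("display-name-address-mismatch")

    # 2. The display name uses a brand the sending domain does not belong to.
    for brand, domains in brands.items():
        if brand in display.lower() and real not in domains:
            findings.append("brand-from-foreign-domain")
    return findings


# Constructed From: headers; the first uses the two values quoted in the post.
SAMPLES = [
    '"service@intl.paypal.com" <yerros@cloudgrwark.onmicrosoft.com>',
    '"PayPal" <service@intl.paypal.com>',
    '"Alice Example" <alice@example.org>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_from(s) or "ok", "<-", s)
```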
| |
01-20-2016, 08:15 AM
|
#2 | Everyone wants a piece of R S...
Join Date: Mar 2012 Location: YVR
Posts: 352
Thanked 208 Times in 110 Posts
|
If you don't have 2-factor activated on your Paypal account, you're a fool.
|
| |
01-20-2016, 08:16 AM
|
#3 | Zombie Mod
Join Date: Aug 2003 Location: Langley
Posts: 9,883
Thanked 5,170 Times in 1,552 Posts
|
2FA EVERYTHING!
__________________ Romans 10:9 |
| |
01-20-2016, 10:31 PM
|
#4 | I WANT MY 10 YEARS BACK FROM RS.net!
Join Date: Oct 2007 Location: Vancouver BC
Posts: 22,033
Thanked 9,822 Times in 3,903 Posts
|
so you have to add a sms pin each time you log in? sounds like a hassle...if current paypal is as secured as my online banking then I'm not too concerned...esp if it's only tied to a CC and not to chequing/savings account.
|
| |
01-20-2016, 11:36 PM
|
#5 | RS has made me the bitter person i am today!
Join Date: Nov 2010 Location: /
Posts: 4,697
Thanked 2,422 Times in 918 Posts
|
Anyone else get spammed with paypal phishing emails twice a day?
__________________
2022 Velo N
2005 S2000
2007 CSX Type-S [Sold]
2002 RSX-S [T-Boned] |
| |
01-21-2016, 12:10 AM
|
#6 | Revscene.net has a homepage?!
Join Date: Feb 2009 Location: Surrey
Posts: 1,253
Thanked 219 Times in 128 Posts
|
Please explain this 2 factor sorcery
__________________
S14.5
|
| |
01-21-2016, 12:22 AM
|
#7 | ninja edits your posts without your knowledge
Join Date: Jan 2004 Location: Vancouver
Posts: 14,957
Thanked 6,310 Times in 1,777 Posts
| Quote:
Originally Posted by Kilinim Please explain this 2 factor sorcery |
I imagine it's a 2-step login.
If it's anything like the banks, the first page is the login with username and the second page will have a special phrase and/or photo that you've selected or been assigned so you know it's legit before you submit your password.
|
| |
01-21-2016, 06:56 AM
|
#8 | Everyone wants a piece of R S...
Join Date: Mar 2012 Location: YVR
Posts: 352
Thanked 208 Times in 110 Posts
| Quote:
Originally Posted by CRS I imagine it's a 2-step login.
If it's anything like the banks, the first page is the login with username and the second page will have a special phrase and/or photo that you've selected or been assigned so you know it's legit before you submit your password. |
No.
2-factor authentication is a method that provides identification of users by means of the combination of two different components.
Two-factor authentication is used to prove one's identity is based on the premise that an unauthorized person is unlikely to be able to supply both factors required for access. If, in an authentication attempt, at least one of the components is missing or supplied incorrectly, the user's identity is not established with sufficient certainty and access to the asset.
In the case of my bank, I provide a card and a PIN when using the ATM.
In the case of paypal, I provide a password and a one-time-use code SMSed to me.
In the case of my Gmail, I provide a password and code from the Authenticator app (time based, new code every 30 seconds).
In the case of my work PC, I provide a password and I must plug in a special USB stick.
Thanks Wikipedia
This way, if I was successfully phished and I entered my password on the phishy site, the phishers could not trigger the SMS and could not gain access to my account.
However, it is theoretically possible that:
Phishers could have created an API to immediately take my information that they just phished and push it to a real Paypal login page
Use it to trigger the SMS
Wait for my subsequent entry of the one-time code
Use their access to my paypal account to immediately drain funds OR turn off 2-FA
Oh! But A510! That sounds like a hassle! Remember the fappening? Could have been prevented with 2-FA
Last edited by ancient_510; 01-21-2016 at 07:07 AM.
|
| |
01-21-2016, 07:08 AM
|
#9 | Willing to sell body for a few minutes on RS
Join Date: Jul 2001 Location: Cloverdale
Posts: 11,534
Thanked 3,731 Times in 1,322 Posts
| Quote:
Originally Posted by ancient_510 No.
2-factor authentication is a method that provides identification of users by means of the combination of two different components.
Two-factor authentication is used to prove one's identity is based on the premise that an unauthorized person is unlikely to be able to supply both factors required for access. If, in an authentication attempt, at least one of the components is missing or supplied incorrectly, the user's identity is not established with sufficient certainty and access to the asset.
In the case of my bank, I provide a card and a PIN when using the ATM.
In the case of paypal, I provide a password and a one-time-use code SMSed to me.
In the case of my Gmail, I provide a password and code from the Authenticator app (time based, new code every 30 seconds).
In the case of my work PC, I provide a password and I must plug in a special USB stick.
Thanks Wikipedia
This way, if I was successfully phished and I entered my password on the phishy site, the phishers could not trigger the SMS and could not gain access to my account.
However, it is theoretically possible that:
Phishers could have created an API to immediately take my information that they just phished and push it to a real Paypal login page
Use it to trigger the SMS
Wait for my subsequent entry of the one-time code
Use their access to my paypal account to immediately drain funds OR turn off 2-FA
Oh! But A510! That sounds like a hassle! Remember the fappening? Could have been prevented with 2-FA |
Oh, so like CRS said it's a 2 step login.
__________________
The world ain't all sunshine and rainbows. It's a very mean and nasty place... and I don't care how tough you are, it will beat you to your knees and keep you there permanently, if you let it. You, me or nobody, is gonna hit as hard as life. But ain't about how hard you hit... It's about how hard you can get hit, and keep moving forward... how much you can take, and keep moving forward. That's how winning is done. Now, if you know what you worth, go out and get what you worth. - Rocky Balboa |
| |
01-21-2016, 07:13 AM
|
#10 | Everyone wants a piece of R S...
Join Date: Mar 2012 Location: YVR
Posts: 352
Thanked 208 Times in 110 Posts
| Quote:
Originally Posted by quasi Oh, so like CRS said it's a 2 step login. |
Yes, but the method he mentioned is not 2-FA.
The display of a recognised image or phrase is not an active security measure and many financial institutions are phasing them out right now. Mine will actually turn them off on January 25th.
It does not actively interject into the login process. A user can simply blunder by the "security measure."
It can be replicated by a phisher using a simple iframe.
|
| |
01-21-2016, 07:43 AM
|
#11 | Zombie Mod
Join Date: Aug 2003 Location: Langley
Posts: 9,883
Thanked 5,170 Times in 1,552 Posts
|
Two-Factor Authentication significantly increases the difficulty of unauthorized access. Normally, authentication is based on a password, which is something you know. 2FA adds another level of security by requiring something you have, like an authenticator, smartcard, or even email.
__________________ Romans 10:9 |
| |
01-21-2016, 08:09 AM
|
#12 | OMGWTFBBQ is a common word I say everyday
Join Date: Apr 2006 Location: Tres Ciudades
Posts: 5,407
Thanked 3,680 Times in 1,522 Posts
|
i've noticed that they're getting better at making things look legit
i ignore most of my emails though, even the most-likely legit ones from my bank
i remember the very first few attempts at email scams were so pathetic, i wanted to find the sender and personally laugh in his face
__________________ "There's a lot of dead people who had the right of way." "Never argue with stupid people, they will drag you down to their level and beat you with experience." "I have a lot of beliefs, and I live by none of them. They're just my beliefs, they make me feel good about who I am. But if they get in the way of a thing I want, like I wanna jack off or something, I just do that." |
| |
01-21-2016, 08:28 AM
|
#13 | I *heart* Revscene.net very Muchie
Join Date: Apr 2006 Location: 3rdrckfrmthesn
Posts: 3,701
Thanked 3,899 Times in 1,380 Posts
| Quote:
Originally Posted by ancient_510 The display of a recognised image or phrase is not an active security measure and many financial institutions are phasing them out right now. Mine will actually turn them off on January 25th. |
I know where you bank. Lol! Unless other banks are doing the same.
I guess I've been lucky with Paypal over the 10 years I've used it. Unless their servers get hacked I'm feeling pretty safe. I don't see any other way it can happen as I don't respond to any emails that weren't instigated by me. If it's really important they know how to get a hold of me.
|