REVscene - Vancouver Automotive Forum


Welcome to the REVscene Automotive Forum forums.

Registration is Free!You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. By joining our free community you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content and access many other special features. Registration is fast, simple and absolutely free so please, join our community today! The banners on the left side and below do not show for registered users!

If you have any problems with the registration process or your account login, please contact contact us.


Go Back   REVscene Automotive Forum > Automotive Chat > Vancouver Off-Topic / Current Events

Vancouver Off-Topic / Current Events The off-topic forum for Vancouver, funnies, non-auto centered discussions, WORK SAFE. While the rules are more relaxed here, there are still rules. Please refer to sticky thread in this forum.

Reply
 
Thread Tools
Old 01-19-2016, 06:44 PM   #1
Orgasm Donor & Alatar owned my ass twice!
 
Join Date: Oct 2007
Location: Vancouver BC
Posts: 16,343
Thanked 5,612 Times in 2,301 Posts
PSA: Paypal Phishing

Just saw a fairly clever phishing that could've fooled the average person

sender's name: service@intl.paypal.com

sender's E-mail yerros@cloudgrwark.onmicrosoft.com

It says it's a confirmation that some (random E-mail) was just added to your PayPal account...if you didn't add this, let them know right away and it prompts you to login, on of course a 3rd party site that looks like paypal. The Email has identical log and font as the real thing.
Advertisement
__________________
My BST Feedback
twitchyzero is offline   Reply With Quote
This post thanked by:
Old 01-20-2016, 09:15 AM   #2
Captain Happy Bubble is my Homeboy
 
ancient_510's Avatar
 
Join Date: Mar 2012
Location: YVR
Posts: 345
Thanked 205 Times in 109 Posts
If you don't have 2-factor activated on your Paypal account, you're a fool.
ancient_510 is offline   Reply With Quote
Old 01-20-2016, 09:16 AM   #3
Zombie Mod
 
Presto's Avatar
 
Join Date: Aug 2003
Location: Langley
Posts: 9,264
Thanked 4,394 Times in 1,275 Posts
2FA EVERYTHING!
__________________
Romans 10:9
Presto is online now   Reply With Quote
This post thanked by:
Old 01-20-2016, 11:31 PM   #4
Orgasm Donor & Alatar owned my ass twice!
 
Join Date: Oct 2007
Location: Vancouver BC
Posts: 16,343
Thanked 5,612 Times in 2,301 Posts
so you have to add a sms pin each time you log in? sounds like a hassle...if current paypal is as secured as my online banking then I'm not too concerned...esp if it's only tied to a CC and not to chequing/savings account.
__________________
My BST Feedback
twitchyzero is offline   Reply With Quote
Old 01-21-2016, 12:36 AM   #5
I contribute to threads in the offtopic forum
 
Join Date: Nov 2010
Location: /
Posts: 2,899
Thanked 1,308 Times in 380 Posts
Anyone else get spammed with paypal phishing emails twice a day?+
__________________
2000 Corolla
2006 IS350
Gerbs is offline   Reply With Quote
Old 01-21-2016, 01:10 AM   #6
Need to Seek Professional Help
 
Kilinim's Avatar
 
Join Date: Feb 2009
Location: Surrey
Posts: 1,065
Thanked 171 Times in 95 Posts
Please explain this 2 factor sorcery
__________________
S14.5
Kilinim is online now   Reply With Quote
Old 01-21-2016, 01:22 AM   #7
CRS
ninja edits your posts without your knowledge
 
CRS's Avatar
 
Join Date: Jan 2004
Location: Vancouver
Posts: 14,364
Thanked 5,489 Times in 1,480 Posts
Quote:
Originally Posted by Kilinim View Post
Please explain this 2 factor sorcery
I imagine it's a 2-step login.

If it's anything like the banks, the first page is the login with username and the second page will have a special phrase and/or photo that you've selected or been assigned so you know it's legit before you submit your password.
CRS is offline   Reply With Quote
This post thanked by:
Old 01-21-2016, 07:56 AM   #8
Captain Happy Bubble is my Homeboy
 
ancient_510's Avatar
 
Join Date: Mar 2012
Location: YVR
Posts: 345
Thanked 205 Times in 109 Posts
Quote:
Originally Posted by CRS View Post
I imagine it's a 2-step login.

If it's anything like the banks, the first page is the login with username and the second page will have a special phrase and/or photo that you've selected or been assigned so you know it's legit before you submit your password.
No.

2-factor authentication is a method that provides identification of users by means of the combination of two different components.
Two-factor authentication is used to prove one's identity is based on the premise that an unauthorized person is unlikely to be able to supply both factors required for access. If, in an authentication attempt, at least one of the components is missing or supplied incorrectly, the user's identity is not established with sufficient certainty and access to the asset.

In the case of my bank, I provide a card and a PIN when using the ATM.
In the case of paypal, I provide a password and a one-time-use code SMSed to me.
In the case of my Gmail, I provide a password and code from the Authenticator app (time based, new code every 30 seconds).
In the case of my work PC, I provide a password and I must plug in a special USB stick.

Thanks Wikipedia

This way, if I was successfully phished and I entered my password on the phishy site, the phishers could not trigger the SMS and could not gain access to my account.

However, it is theoretically possible that:
Phishers could have created an API to immediately take my information that they just phished and push it to a real Paypal login page
Use it to trigger the SMS
Wait for my subsequent entry of the one-time code
Use their access to my paypal account to immediately drain funds OR turn off 2-FA

Oh! But A510! That sounds like a hassle!
Remember the fappening? Could have been prevented with 2-FA

Last edited by ancient_510; 01-21-2016 at 08:07 AM.
ancient_510 is offline   Reply With Quote
Old 01-21-2016, 08:08 AM   #9
Willing to sell body for a few minutes on RS
 
quasi's Avatar
 
Join Date: Jul 2001
Location: Cloverdale
Posts: 10,230
Thanked 2,279 Times in 827 Posts
Quote:
Originally Posted by ancient_510 View Post
No.

2-factor authentication is a method that provides identification of users by means of the combination of two different components.
Two-factor authentication is used to prove one's identity is based on the premise that an unauthorized person is unlikely to be able to supply both factors required for access. If, in an authentication attempt, at least one of the components is missing or supplied incorrectly, the user's identity is not established with sufficient certainty and access to the asset.

In the case of my bank, I provide a card and a PIN when using the ATM.
In the case of paypal, I provide a password and a one-time-use code SMSed to me.
In the case of my Gmail, I provide a password and code from the Authenticator app (time based, new code every 30 seconds).
In the case of my work PC, I provide a password and I must plug in a special USB stick.

Thanks Wikipedia

This way, if I was successfully phished and I entered my password on the phishy site, the phishers could not trigger the SMS and could not gain access to my account.

However, it is theoretically possible that:
Phishers could have created an API to immediately take my information that they just phished and push it to a real Paypal login page
Use it to trigger the SMS
Wait for my subsequent entry of the one-time code
Use their access to my paypal account to immediately drain funds OR turn off 2-FA

Oh! But A510! That sounds like a hassle!
Remember the fappening? Could have been prevented with 2-FA
Oh, so like CRS said it's a 2 step login.
__________________



“The world ain't all sunshine and rainbows. It's a very mean and nasty place... and I donīt care how tough you are, it will beat you to your knees and keep you there permanently, if you let it. You, me or nobody, is gonna hit as hard as life. But ain't about how hard you hit... It's about how hard you can get hit, and keep moving forward... how much you can take, and keep moving forward. Thatīs how winning is done. Now, if you know what you worth, go out and get what you worth.” - Rocky Balboa
quasi is online now   Reply With Quote
Old 01-21-2016, 08:13 AM   #10
Captain Happy Bubble is my Homeboy
 
ancient_510's Avatar
 
Join Date: Mar 2012
Location: YVR
Posts: 345
Thanked 205 Times in 109 Posts
Quote:
Originally Posted by quasi View Post
Oh, so like CRS said it's a 2 step login.
Yes, but the method he mentioned is not 2-FA.

The display of a recognised image or phrase is not an active security measure and many financial institutions are phasing them out right now. Mine will actually turn them off on January 25th.

It does not actively interject into the login process. A user can simply blunder by the "security measure."
It can be replicated by a phisher using a simple iframe.
ancient_510 is offline   Reply With Quote
Old 01-21-2016, 08:43 AM   #11
Zombie Mod
 
Presto's Avatar
 
Join Date: Aug 2003
Location: Langley
Posts: 9,264
Thanked 4,394 Times in 1,275 Posts
Two-Factor Authentication significantly increases the difficulty of unauthorized access. Normally, authentication is based on a password, which is something you know. 2FA adds another level of security by requiring something you have, like an authenticator, smartcard, or even email.
__________________
Romans 10:9
Presto is online now   Reply With Quote
Old 01-21-2016, 09:09 AM   #12
OMGWTFBBQ is a common word I say everyday
 
Join Date: Apr 2006
Location: Tres Ciudades
Posts: 5,406
Thanked 3,689 Times in 1,526 Posts
i've noticed that they're getting better at making things look legit

i ignore most of my emails though, even the most-likely legit ones from my bank

i remember the very first few attempts at email scams were so pathetic, i wanted to find the sender and personally laugh in his face
__________________
"There's a lot of dead people who had the right of way."
"Never argue with stupid people, they will drag you down to their level and beat you with experience."
"I have a lot of beliefs, and I live by none of them. They're just my beliefs, they make me feel good about who I am. But if they get in the way of a thing I want, like I wanna jack off or something, I just do that."
6o4__boi is offline   Reply With Quote
Old 01-21-2016, 09:28 AM   #13
Rs has made me the man i am today!
 
white rocket's Avatar
 
Join Date: Apr 2006
Location: Your Moms House
Posts: 3,143
Thanked 2,916 Times in 1,120 Posts
Quote:
Originally Posted by ancient_510 View Post
The display of a recognised image or phrase is not an active security measure and many financial institutions are phasing them out right now. Mine will actually turn them off on January 25th.
I know where you bank . Lol! Unless other banks are doing the same.

I guess I've been lucky with Paypal over the 10 years I've used it. Unless their servers get hacked I'm feeling pretty safe. I don't see any other way it can happen as I don't respond to any emails that weren't instigated by me. If it's really important they know how to get a hold of me.
__________________
"The bitterness of poor quality remains long after the sweetness of low price is forgotten"
white rocket is offline   Reply With Quote
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off



All times are GMT -8. The time now is 12:12 PM.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2017, vBulletin Solutions, Inc.
SEO by vBSEO ©2011, Crawlability, Inc.
Revscene.net cannot be held accountable for the actions of its members nor does the opinions of the members represent that of Revscene.net