Re: Possible paypal security problem

[Eric Marden <security () xentek net>]

I also logged in with no issue. I'm also on Bright House, Orange  
County, FL.

Here's the cert I got:
6E:6B:9C:A3:F7:52:35:B4:95:37:86:D4:E5:13:54:A9

So it looks as if we are being served the same one.

I'd say it was legit - given that the last 2 digits were recognized  
by you - It would be pretty hard to phish in the manner you describe  
(but maybe not?) - with out specifically targeting users they had  
info on already - i.e. the chance for them getting the numbers wrong  
seems improbably high.

However, were there any help links, or "call us if you're confused"  
type messaging? You'd think that they'd at least provide an alternate  
route for you to verify your identity if that's what they were going  
for.


Eric Marden
xentek: enlightened internet solutions
http://xentek.net/

On Dec 19, 2007, at 10:43 AM, Albert R. Campa wrote:

> I just logged into my paypal and didnt get that form.
> You may want to verify from paypal that this form is new practice on
> their part. Worst case, they dont know what it is.
>
> Saludos
>
> Albert
>
> On Dec 18, 2007 5:31 PM, Harry Henry Gebel <hgebel () fusemail com>  
> wrote:
> > I tried to log in to paypal about half an hour ago. I manually typed
> > www.paypal.com to login. I got the normal paypal login page, and  
> > after
> > entering my password I got the following message:
> >
> > ---------------------
> > Security Measures
> >
> > Help with this page ?
> >
> > We are currently performing regular maintenance of our security
> > measures. Your account has been randomly selected for this  
> > maintenance,
> > and you will now be taken through a series of identity  
> > verification pages.
> >
> > Protecting the security of your PayPal account is our primary  
> > concern,
> > and we apologize for any inconvenience this may cause.
> > ---------------------
> >
> > It then had a dropdown box listing the last two digits of the cards I
> > had registered with paypal and asking me to pick one and type in the
> > full number associated with that card. This looked extremely  
> > phishy to
> > me, so the first thing I did was look at the url to make sure I was
> > actually at paypal, then I checked the security certificate and it  
> > says
> > it is verified to be associated with www.paypal.com by verisign (The
> > certificate's serial number is
> > 6E:6B:9C:A3:F7:52:35:B4:95:37:86:D4:E5:13:54:A9 if anyone knows  
> > paypal's
> > actual serial number.) I checked what ip address my computer thinks
> > www.paypal.com is and used several web dns reverse lookups to verify
> > that it really belongs to www.paypal.com. Then I closed Firefox and
> > tried to log in with Internet Explorer and it brought me to the same
> > page (I also verified the certificate with IE). Then I rebooted the
> > computer in Linux and tried to log in again and it brought me to the
> > same page and I was able to verify the security certificate.. I  
> > searched
> > on the internet to see if this message was associated with  
> > phishing, and
> > found several phishing emails with the same or similar text but no
> > reference to any man-in-the-middle type attacks using this text.  
> > During
> > all this I also shut down my router's wireless capabilities in case
> > someone was doing anything strange with the wireless network.
> >
> > I looked at the page source and it was a straightforward web page
> > without frames or anything that might disguise where parts of the  
> > page
> > were coming from. It pulled some stylesheet information and images  
> > from
> > paypalobjects.com, but they are registered with paypal, and in any  
> > case
> > the form was sending it's results going to paypal.com.
> >
> > I was still afraid that someone could be between me and paypal, but I
> > picked a card with a very small dollar amount available and tried  
> > to see
> > what would happen. If they were in the middle they already had my
> > password and I figured I could cancel that card if this turned out  
> > to be
> > fake. When I submitted the information I just got a screen asking to
> > retry. Now I was really nervous. I picked a card from a company I no
> > longer have an account with and tried that, I got the retry screen
> > again. Finally, I tried the first card again and got the retry  
> > screen a
> > third time.
> >
> > I then looked at my e-mail and every time I had tried to log in I had
> > gotten an e-mail from paypal warning that someone had tried to log  
> > into
> > my account from a foriegn IP address and urging me to change my  
> > password
> > if it wasn't me.
> >
> > EMAIL BEGINS:
> >
> > Dear Harry Henry Gebel,
> >
> > We recently noticed one or more attempts to log in to your PayPal  
> > account from a foreign IP address.
> >
> > If you recently accessed your account while traveling, the unusual  
> > log in attempts may have been initiated by you. However, if you  
> > did not initiate the log ins, please visit PayPal as soon as  
> > possible to change your password:
> >
> > https://www.paypal.com/us/cgi-bin/?cmd=_login-run
> >
> > Changing your password is a security measure that will ensure that  
> > you are the only person with access to the account.
> >
> > Thanks for your patience as we work together to protect your account.
> >
> > Sincerely,
> > PayPal
> >
> >
> > ----------------------------------------------------------------
> > PROTECT YOUR PASSWORD
> >
> > NEVER give your password to anyone, including PayPal employees.  
> > Protect yourself against fraudulent websites by opening a new web  
> > browser (e.g. Internet Explorer or Netscape) and typing in the  
> > PayPal URL every time you log in to your account.
> >
> >
> > ----------------------------------------------------------------
> >
> >
> > Please do not reply to this email. This mailbox is not monitored  
> > and you will not receive a response. For assistance, log in to  
> > your PayPal account and click the Help link located in the top  
> > right corner of any PayPal page.
> >
> > ----------------------------------------------------------------
> >
> > :EMAIL ENDS
> >
> > The email had was pure text with no links or images so I'm fairly  
> > sure
> > it's genuine. This makes me even more nervous that there is a
> > man-in-the-middle attack going on. I can't change my password since
> > there is no way for me to finish logging in (it just keeps saying
> > retry). Can anyone figure out what is going on here, and what I  
> > should
> > do to fix it? It is also occurring to me that maybe paypal thinks  
> > that
> > my IP address (68.205.xxx.xxx, Brighthouse Cable in Orange County,
> > Florida) is foreign for some reason and that that misconception is
> > causing all of these problems. If anyone can help or at least  
> > explain to
> > me what's going on I would appreciate it.
> >
> > -Harry