PayPal, False Authority Syndrome and Movie Plot Threats

I was out to dinner earlier this week with a friend and a number of her friends. This friend, knowing some of my technology background, started sharing with me some of the experiences she’s had recently with her PayPal account being hacked. She had been in contact with PayPal and her bank, and everything was being refunded, which is the good news. While she was on the phone with her bank they suggested that she close her account and open a new one, which is probably part of her bank’s script. My friend was asking me if I felt there was a threat to her bank account.

I sat for a second, probably with a crinkled brow, trying to picture the PayPal interface and thinking about whether her account number or credit card information would have been available to the cracker. I knew her address and phone number would be visible, but was pretty sure that PayPal kept all other information hidden. Before I could say that, the person on my right said, “Your bank is right, you should change your account; it’s the only way to be safe.” I replied, “I’m not sure; I’m pretty sure that PayPal obfuscates the bank account and credit card information in their interface.” She looked at me and then said, “It’s not that, you don’t know what was attached to the transaction, so they could track it back. They could track the transaction through the banking system based on the size of the transaction.” I sort of nodded because I knew where this was going and didn’t want to engage it any further. But my friend pushed on: “I’m curious, how can they do that?” “I don’t want to go into the nefarious activities of hackers” was the only response. I must admit to having to suppress a smile, both because she didn’t know anything about my background (irony is funny sometimes) and partially because her delivery seemed to require an organ from a 1960s soap opera. Where’s Eddie Layton when you need him?

Before I break this down, I want to point out, for the record, that I have since checked: PayPal does not expose your credit card or bank account information while you are logged in. Well, actually, they expose the last 4 digits, which is not enough to reverse engineer or brute force the account without raising eyebrows. If you’re not a tech, just so you know, PayPal works as a proxy for your accounts: if you are paying someone or they are sending you money, there’s no way for them to learn anything about you except that you use PayPal and what your email address is.

So now, my reaction. If you couldn’t guess from the title, the more I thought about this, the more I thought of Rob Rosenberger’s False Authority Syndrome and Bruce Schneier’s Movie Plot Threats.

The concept of following a financial transaction through the financial system sounds like something out of the movie Hackers. I can see it now: Z3r0 C001 and Ac1d Burn make a number of financial transactions against Agent Richard Gill’s account while L0rd Nik0n and C3r341 Ki113r use their 3D fly-through-the-computer, video-game-like interface to track the financial transaction the way OnStar tracks your Chevy.

While discussing this, she tried to speak with an air of authority. If it weren’t for my background I might have been inclined to listen to her some more, because she was certainly persuasive in her argument, mostly due to her passion and her certainty that she was correct. While my friend and I weren’t buying into it, others at the table certainly were. If there was

Of course, someone’s going to comment now and say “changing her bank account can’t hurt”, but that’s not the point. I’m not a fan of FUD, intentional or unintentional. Oftentimes, because computers seem mysterious, people take the advice of anyone who sounds knowledgeable; I see it all the time. When you get technology advice, you should think about who’s giving it and why. You should try to understand the issue before you take actions proposed by anyone.