Lazy Authentication Still the Norm


My PayPal account was hacked on Christmas Eve. The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang tied to the jihadist militant group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.

Junaid Hussain's Twitter profile photo.

Junaid Hussain’s Twitter profile photo.

On Christmas Eve morning, I received an email from PayPal stating that an email address had been added to my account. I immediately logged into my account from a pristine computer, changed the password, switched my email address back to to the primary contact address, and deleted the rogue email account.

I then called PayPal and asked how the perpetrator had gotten in, and was there anything else they could do to prevent this from happening again? The customer service person at PayPal said the attacker had simply logged in with my username and password, and that I had done everything I could in response to the attack. The representative assured me they would monitor the account for suspicious activity, and that I should rest easy.

Twenty minutes later I was outside exercising in the unseasonably warm weather when I stopped briefly to check email again: Sure enough, the very same rogue email address had been added back to my account. But by the time I got back home to a computer, my email address had been removed and my password had been changed. So much for PayPal’s supposed “monitoring;” the company couldn’t even spot the same fraudulent email address when it was added a second time.

PayPal locked the account shortly after the assailant allegedly tried to send my money to the email account of the late Junaid Hussain, a 17-year-old member of the hacktivist group Team Poison. Hussain — who used the nickname “TriCk” and is believed to have been a prominent ISIS propagandist online — was reportedly killed in a U.S.-led drone strike earlier this year in Raqqa, Syria. No doubt, the attempted transfer was a bid to further complicate matters for me by associating my account with known terrorists.

In my second call to PayPal, I insisted on speaking with a supervisor. That person was able to tell me that, as I suspected, my (very long and complex) password was never really compromised. The attacker had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.

Let’s leave aside for a moment the reality that all of this static information about Brian Krebs has been posted online by various miscreants over the years (and probably remains online): Any company that authenticates customers with nothing more than static identifiers — address, SSN, DOB, phone number, credit card number, etc. — is vulnerable to these takeover attempts.

This almost certainly includes all of the companies that supply utilities to your residence, your bank or credit union, and a host of other companies. They’re vulnerable because those static identifiers about you are no longer secret and are available for sale in the underground.

I asked the PayPal supervisor why the company couldn’t simply verify my identity by sending a text message to my phone, or a special signal to a PayPal mobile app? After all, PayPal has had the same mobile number of mine on file for years (the attacker also deleted that number from my profile as well). The supervisor explained that the company didn’t have any mobile authentication technologies, and that in order to regain access to the funds in my account I had to send the company a photocopied or scanned copy of my driver’s license.

Nevermind that it was PayPal’s lack of any modern authentication methods that led to this mess. Also, let’s forget for the moment that there are a half-dozen services online that let customers create fake but realistic looking scans of all types of documents, including utility bills, passports, driver’s licenses, bank statements, etc. This is the ultimate and most sophisticated customer authentication system that PayPal has: Send us a copy of your driver’s license.

When I pressed the PayPal representative about whether he had any other ways to validate my identity short of sending a copy of my license, he offered to do so “using public records.” Now, I understand that what he actually meant was that PayPal would work with a major credit bureau to ask me a series of so-called “out of wallet” or “knowledge-based authentication” (KBA) questions — essentially yet more requests for static information that can be gleaned from a variety of sources online. But that didn’t stop me from playfully asking the representative why a security challenge should rely on answers from public records? He responded that someone probably would have to go down to a courthouse somewhere to do that, which made me laugh out loud and wish him a Merry Christmas.

For better or worse, this isn’t the first time I’ve had to deal with weaknesses in PayPal’s anti-fraud systems. Last year, my account was the recipient of a large number of fraudulent donations made through hacked PayPal accounts that all were funded by credit cards instead of bank balances. The problem with fraudulent credit card donations via PayPal is that PayPal assesses the inevitable $20 Visa or MasterCard chargeback fee against the unwitting recipient of the fraudulent donation, effectively taking $20 out of the recipient’s account for each phony donation!

I called my contact at PayPal who’d helped work out a stopgap solution to the phony credit card payments, and that person said PayPal would lock my account so that no further account changes would be allowed. I’m grateful that they were able to do this (so far) but it probably goes without saying that most PayPal users will not have that line of contact or influence at the company.

PayPal's security token isn't much use if the company lets thieves reset your password over the phone using your Social Security number.

PayPal’s security token isn’t much use if the company lets thieves reset your password over the phone using your Social Security number.

PayPal does offer additional security protections — including a PayPal Security Key fob that periodically generates a new one-time password which needs to be entered at login in addition to a username and password. I’ve used this solution since shortly after the company began offering it almost a decade ago, but a fat lot of good it does if PayPal is going to continue letting users reset their passwords by regurgitating static data that is trivial to purchase from the cybercrime underground.

Many companies will offer customers more account security options, but only if asked. Most often, when companies are asked for non-standard security precautions it is because the account holder has stated that he or she was previously the target of cyber stalking or concerted harassment or threats online. I can recall doing this with most of the utilities we use — including our ISP — after having ne’er-do-wells try to shut off our power, phone and water service by calling in with those static identifiers. None of those companies offered more advanced authentication options — such as mobile device authentication — but most would let me place a flag on my account that no changes were to be made unless I showed up at the utility’s offices in person and presented a photo ID and my username and password.

Although this is effectively the same solution that PayPal offered after it froze my account and available funds, having to visit an office and present my ID to close or make changes to my account is significantly less onerous and aggravating than trying to work that out after the fact while having no electricity, water or Internet.

Longer term, PayPal should review which of its users have already provided mobile phone information, and then seek to validate those contact numbers. Once that process is done, PayPal can start upgrading its authentication systems — and hopefully become less reliant on static (read: already-compromised) identifiers to validate customers. This would help cut down on account takeovers and reduce the threat of costly, fraudulent credit card donations via hacked accounts.

Until then, PayPal will continue to expose its users unnecessarily to security and privacy threats (bear in mind that a crook who gains access to your PayPal account can see all of your transactions and financial data from associated bank accounts).

Many KrebsOnSecurity readers have been quite generous in supporting my efforts this year, and to those folks (and to anyone else who’s read this far) I offer a hearty and heartfelt THANK YOU!

Tags: ISIS, TeaMp0isoN, PayPal authentication failures, Junaid Hussain

This entry was posted on Monday, December 28th, 2015 at 1:17 pm and is filed under A Little Sunshine, Ne’er-Do-Well News.
You can follow any comments to this entry through the RSS 2.0 feed.

You can skip to the end and leave a comment. Pinging is currently not allowed.

Original URL:  

Original article

Faker.js – generate massive amounts of fake data in the browser and node


Build Status

npm version


Hosted API Microservice

  • Supports all Faker API Methods
  • Full-Featured Microservice
  • Hosted by

Help Support!

The mantainer of this project is currently running a Kickstarter campaign to help fund the very awesome open-source project.

If you like Faker.js, please support!



  var randomName =; // Caitlyn Kerluke
  var randomEmail =; //
  var randomCard = faker.helpers.createCard(); // random contact card containing many properties


var faker = require('faker');

var randomName =; // Rowan Nikolaus
var randomEmail =; //
var randomCard = faker.helpers.createCard(); // random contact card containing many properties



As of version v3.0.0 faker.js contains a super useful generator method Faker.fake for combining faker API methods using a mustache string format.


console.log(faker.fake('{{name.lastName}}, {{name.firstName}} {{name.suffix}}'));
// outputs: "Marks, Dean Sr."

This will interpolate the format string with the value of methods name.lastName(), name.firstName(), and name.suffix()

API Methods

  • address
    • zipCode
    • city
    • cityPrefix
    • citySuffix
    • streetName
    • streetAddress
    • streetSuffix
    • streetPrefix
    • secondaryAddress
    • county
    • country
    • countryCode
    • state
    • stateAbbr
    • latitude
    • longitude
  • commerce
    • color
    • department
    • productName
    • price
    • productAdjective
    • productMaterial
    • product
  • company
    • suffixes
    • companyName
    • companySuffix
    • catchPhrase
    • bs
    • catchPhraseAdjective
    • catchPhraseDescriptor
    • catchPhraseNoun
    • bsAdjective
    • bsBuzz
    • bsNoun
  • date
    • past
    • future
    • between
    • recent
    • month
    • weekday
  • fake
  • finance
    • account
    • accountName
    • mask
    • amount
    • transactionType
    • currencyCode
    • currencyName
    • currencySymbol
  • hacker
    • abbreviation
    • adjective
    • noun
    • verb
    • ingverb
    • phrase
  • helpers
    • randomize
    • slugify
    • replaceSymbolWithNumber
    • replaceSymbols
    • shuffle
    • mustache
    • createCard
    • contextualCard
    • userCard
    • createTransaction
  • image
    • image
    • avatar
    • imageUrl
    • abstract
    • animals
    • business
    • cats
    • city
    • food
    • nightlife
    • fashion
    • people
    • nature
    • sports
    • technics
    • transport
  • internet
    • avatar
    • email
    • userName
    • protocol
    • url
    • domainName
    • domainSuffix
    • domainWord
    • ip
    • userAgent
    • color
    • mac
    • password
  • lorem
    • words
    • sentence
    • sentences
    • paragraph
    • paragraphs
  • name
    • firstName
    • lastName
    • findName
    • jobTitle
    • prefix
    • suffix
    • title
    • jobDescriptor
    • jobArea
    • jobType
  • phone
    • phoneNumber
    • phoneNumberFormat
    • phoneFormats
  • random
    • number
    • arrayElement
    • objectElement
    • uuid
    • boolean


As of version v2.0.0 faker.js supports over 27 different language definition packs.

The default language is set to English.

Setting a new locale is simple:

// sets locale to de
faker.locale = "de";
  • de
  • de_AT
  • de_CH
  • el_GR
  • en
  • en_AU
  • en_BORK
  • en_CA
  • en_GB
  • en_IE
  • en_IND
  • en_US
  • en_au_ocker
  • es
  • es_MX
  • fa
  • fr
  • fr_CA
  • ge
  • it
  • ja
  • ko
  • nb_NO
  • nep
  • nl
  • pl
  • pt_BR
  • ru
  • sk
  • sv
  • tr
  • uk
  • vi
  • zh_CN
  • zh_TW

Individual Localization Packages

As of vesion v3.0.0 faker.js supports incremental loading of locales.

By default, requiring faker will include all locale data.

In a production environment, you may only want to include the locale data for a specific set of locales.

// loads only de locale
var faker = require('faker/locale/de');


npm install .
make test

You can view a code coverage report generated in coverage/lcov-report/index.html.

Projects Built with faker.js

Fake JSON Schema

Use faker generators to populate JSON Schema samples.


Run faker generators from Command Line.

Want to see your project added here? Let us know!


Meteor installation

  meteor add practicalmeteor:faker

meteor usage, both client and server

  var randomName =; // Rowan Nikolaus
  var randomEmail =; //
  var randomCard = faker.helpers.createCard(); // random contact card containing many properties

Version Release Schedule

faker.js is a popular project used by many organizations and individuals in production settings. Major and Minor version releases are generally on a monthly schedule. Bugs fixes are addressed by severity and fixed as soon as possible.

If you require the absolute latest version of faker.js the master branch @ should always be up to date and working.


Matthew Bergman & Marak Squires

faker.js – Copyright (c) 2014-2015
Matthew Bergman & Marak Squires

faker.js was inspired by and has used data definitions from:

Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
“Software”), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:

The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.


Original URL:  

Original article

Linode is suffering on-going DDoS attacks


The maintenance on Xen Linodes due to the embargoed XSAs was completed as scheduled.

Dec 19, 15:14 UTC

In progress

Scheduled maintenance is currently in progress. We will provide updates as necessary.

Dec 13, 02:00 UTC


Linode has received several Xen Security Advisories (XSAs) that require us to perform updates to our host servers. In order to apply the updates, hosts and the Linodes running on them must be rebooted. The XSAs will be publicly released by the Xen project team on December 17th, therefore we must complete the updates before that date.

These security advisories only affect Xen Linodes. KVM Linodes are not vulnerable and do not require a reboot. Any customer that upgrades to KVM prior to the maintenance can avoid it entirely.

These updates are required to protect the security and safe operations of not only our infrastructure, but yours as well. We understand that a disruption with such limited notice is inconvenient, and we hope you understand that these measures are warranted due to the severity of the XSAs.

Each host server will be assigned a maintenance window in which the reboot will occur. The maintenance schedule is still being worked out on our end, however we can tell you that all maintenance windows will start Sunday December 13th at 9 p.m. EST and will be completed before December 17th.

We will have the maintenance schedule defined within the next few days. Each Linode’s maintenance window will be communicated to you via email and will also be visible within the Linode Manager. Unfortunately, due the logistical demands of this effort, your assigned windows are not changeable and the host reboots are mandatory.

During the maintenance window Linode instances will be cleanly shut down while we perform the updates. Your Linode will be inaccessible during this time. A two-hour window is allocated, however the actual downtime can be much less. After the maintenance, each Linode will then be booted. See our Reboot Survival Guide for tips and hints on configuring and testing that your Linode services boot properly.

Stay tuned for more information.

Dec 10, 17:35 UTC

Original URL:  

Original article

Proudly powered by WordPress | Theme: Baskerville 2 by Anders Noren.

Up ↑

%d bloggers like this: