[ale] PayPal "Man in the Middle" attack?
JD
jdp at algoloma.com
Fri May 3 22:40:03 EDT 2013
For those critical logins that also mandate too-short-for-me passwords - you
know - every financial institution in the USA - I use a randomly created userid
too. I couldn't tell you my brokerage account userid, as an example.
Whether this adds to the security or not, I don't know, but I do know that the
userid won't be guessed accidentally.
On 05/03/2013 07:13 PM, David Tomaschik wrote:
> I don't consider user ids secret. Often they're the same as your email,
> commonly used, etc. With a strong password, the userid shouldn't be part of the
> security strategy. (I suppose changing the username might have benefits from a
> social engineering or DOS perspective.)
>
>
> On Fri, May 3, 2013 at 2:24 PM, Mondo Hondo <knerdly1 at gmail.com> wrote:
>
> Thanks all, I write this after booting from a live-disk and changing all
> passwords of any consequence.
>
> Why isn't changing the user ID a part of the security equation? This I've
> always wondered.
>
>
> On Fri, May 3, 2013 at 1:49 PM, Mondo Hondo <knerdly1 at gmail.com> wrote:
>
> My dilemma is as follows:
>
> 1) I fat fingered the following: "www.lpaypal.com".
> 2) I did not reach PayPal, but some alternative site offering things I
> did not want.
> 3) I retyped, "www.paypal.com" in the address bar.
> 4) Signed in to PayPal, endeavored to transfer funds and got a security
> warning, "You probably are not reaching the site you wanted...click
> here...back to safety."
> 5) The warning stated that I was reaching (IIRC) "www.roverpal.com";
> the address bar read "www.paypal.com/....".
> 6) I figured that there were DNS shenanigans, so I: shut down, reset my
> clear modem and Linksys router, and then rebooted.
> 7) I signed into PayPal, conducted my business, and logged out.
>
> Now I feel remorse. Was that foolish?
>
> Thanks,
> Preston
>
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org <mailto:Ale at ale.org>
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>
>
>
> --
> David Tomaschik
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com <mailto:david at systemoverlord.com>
>
>
>
--
JD Pflugrath
Value | Results
Direct: +001.678.685.8882
Ofc: 1.866.963.2546
Managing Director
Algoloma Systems, LLC