Equifax claims process is now open
-
Brian Krebs did a good write-up on this.
https://krebsonsecurity.com/2019/07/what-you-should-know-about-the-equifax-data-breach-settlement/
-
@travisdh1 one good thing to remember is that any time you spent freezing your credit is eligible for the $25/hour reimbursement. If you spent an hour with each agency turning on the freeze then that's $100.
-
Submitted my request for $125...
-
@Dashrender nice! I put in for the 10 years protection, and the full 20 hours for $500. I had my Paypal hacked twice last year, despite having (shitty phone based) 2FA and security questions in place. They were cloning my SIM and resetting my password. The hackers ended up spending $700 on a fake Airbnb listing. Paypal did get me the money back, but I spent a long time online playing whack-a-mole with password resets and on the phone with Paypal.
-
@Nic said in Equifax claims process is now open:
@Dashrender nice! I put in for the 10 years protection, and the full 20 hours for $500. I had my Paypal hacked twice last year, despite having (shitty phone based) 2FA and security questions in place. They were cloning my SIM and resetting my password. The hackers ended up spending $700 on a fake Airbnb listing. Paypal did get me the money back, but I spent a long time online playing whack-a-mole with password resets and on the phone with Paypal.
Holy hell dude! They cloned your SIM? So what, that's pretty easy to do? Or did they call the carrier and socially engineer them to change the phone to their SIM?
-
@Dashrender said in Equifax claims process is now open:
@Nic said in Equifax claims process is now open:
@Dashrender nice! I put in for the 10 years protection, and the full 20 hours for $500. I had my Paypal hacked twice last year, despite having (shitty phone based) 2FA and security questions in place. They were cloning my SIM and resetting my password. The hackers ended up spending $700 on a fake Airbnb listing. Paypal did get me the money back, but I spent a long time online playing whack-a-mole with password resets and on the phone with Paypal.
Holy hell dude! They cloned your SIM? So what, that's pretty easy to do? Or did they call the carrier and socially engineer them to change the phone to their SIM?
Extremely easy to socially engineer the phone companies into sending/changing a SIM card. Like with just publicly available information stupidly simple.
-
@travisdh1 said in Equifax claims process is now open:
@Dashrender said in Equifax claims process is now open:
@Nic said in Equifax claims process is now open:
@Dashrender nice! I put in for the 10 years protection, and the full 20 hours for $500. I had my Paypal hacked twice last year, despite having (shitty phone based) 2FA and security questions in place. They were cloning my SIM and resetting my password. The hackers ended up spending $700 on a fake Airbnb listing. Paypal did get me the money back, but I spent a long time online playing whack-a-mole with password resets and on the phone with Paypal.
Holy hell dude! They cloned your SIM? So what, that's pretty easy to do? Or did they call the carrier and socially engineer them to change the phone to their SIM?
Extremely easy to socially engineer the phone companies into sending/changing a SIM card. Like with just publicly available information stupidly simple.
Yeah, that seems like the more likely way it happened - but Nic said specifically cloned... so I'm curious which way happened?
If it were me - I'd leave the carrier that failed most likely - but at bare minimum - I'd call and put a password on the account - no password no access, period!
-
Yeah they were definitely social engineering and using stolen info to do so. They were answering my Paypal security questions before they resorted to the SIM cloning. I had to change my answers to the security questions to strong passwords instead of actual answers about what my first pet was named. I knew they were fucking with my phone because it kept ringing and then hanging up instantly. I'm assuming they were testing out their setup before triggering the 2FA text.
-
Surprisingly, I'm not on the list.
-
@murpheous You have no credit history??
-
@Nic said in Equifax claims process is now open:
@murpheous You have no credit history??
56% or something close was affected, not 100% of US population.
-
@Nic said in Equifax claims process is now open:
Yeah they were definitely social engineering and using stolen info to do so. They were answering my Paypal security questions before they resorted to the SIM cloning. I had to change my answers to the security questions to strong passwords instead of actual answers about what my first pet was named. I knew they were fucking with my phone because it kept ringing and then hanging up instantly. I'm assuming they were testing out their setup before triggering the 2FA text.
Aww - yeah that definitely sucks. And they did this twice?
Does PP not offer an OTP option - i.e. offline app only on your phone, not SMS for 2FA?
-
@Dashrender said in Equifax claims process is now open:
@Nic said in Equifax claims process is now open:
Yeah they were definitely social engineering and using stolen info to do so. They were answering my Paypal security questions before they resorted to the SIM cloning. I had to change my answers to the security questions to strong passwords instead of actual answers about what my first pet was named. I knew they were fucking with my phone because it kept ringing and then hanging up instantly. I'm assuming they were testing out their setup before triggering the 2FA text.
Aww - yeah that definitely sucks. And they did this twice?
Does PP not offer an OTP option - i.e. offline app only on your phone, not SMS for 2FA?
Yeah they did it twice, within the span of a couple weeks. The first time I didn't realize they were using info about me to answer security questions to reset the password, so I just changed my password and turned on 2FA. The second time was when they started using the text 2FA to get a verification code to change the password.
PP didn't offer any other 2FA options than SMS at the time, but it looks like they've finally gotten with the times:
https://benbrian.net/authenticator-app-support-in-paypal-finally/
-
@Nic said in Equifax claims process is now open:
@Dashrender said in Equifax claims process is now open:
@Nic said in Equifax claims process is now open:
Yeah they were definitely social engineering and using stolen info to do so. They were answering my Paypal security questions before they resorted to the SIM cloning. I had to change my answers to the security questions to strong passwords instead of actual answers about what my first pet was named. I knew they were fucking with my phone because it kept ringing and then hanging up instantly. I'm assuming they were testing out their setup before triggering the 2FA text.
Aww - yeah that definitely sucks. And they did this twice?
Does PP not offer an OTP option - i.e. offline app only on your phone, not SMS for 2FA?
Yeah they did it twice, within the span of a couple weeks. The first time I didn't realize they were using info about me to answer security questions to reset the password, so I just changed my password and turned on 2FA. The second time was when they started using the text 2FA to get a verification code to change the password.
PP didn't offer any other 2FA options than SMS at the time, but it looks like they've finally gotten with the times:
https://benbrian.net/authenticator-app-support-in-paypal-finally/
Oh.. the first time, there was no 2FA... got it.
-
@Nic said in Equifax claims process is now open:
PP didn't offer any other 2FA options than SMS at the time, but it looks like they've finally gotten with the times:
https://benbrian.net/authenticator-app-support-in-paypal-finally/
When did this happen? I know PP has supported third party tokens of OTP for many years - at least 5. They might not have supported, say Google authenticator, or MS authenticator, but they definitely supported purchasable tokens.
-
@Dashrender said in Equifax claims process is now open:
@Nic said in Equifax claims process is now open:
PP didn't offer any other 2FA options than SMS at the time, but it looks like they've finally gotten with the times:
https://benbrian.net/authenticator-app-support-in-paypal-finally/
When did this happen? I know PP has supported third party tokens of OTP for many years - at least 5. They might not have supported, say Google authenticator, or MS authenticator, but they definitely supported purchasable tokens.
According to the blog post link above:
Until recently, PayPal really only offered one form of 2FA, which they call “2-step verification”: SMS.
On the seller side you might have more options:
https://www.paypal.com/us/smarthelp/article/how-do-i-enable-2fa-(two-factor-authentication)-for-my-paypal-powered-by-braintree-user-faq3500
but as just a regular Paypal user you were stuck with SMS until two months ago.
-
In the past, you could purchase a physical PayPal security key, which would generate one-time codes, similar to a Yubikey device. That doesn’t seem to be an option any longer.
So they used to offer a third party key, but apparently stopped at some point.
-
Thanks for this thread - I did have simple SMS 2FA enabled - I've now converted to MS authenticator.
-
Thanks for posting this @Nic. I had someone open a credit card in my name with information stolen from Equifax. Luckily they didn't use it for anything before it got flagged.