
Suspected Leak of PayPal Cryptocurrency Users' Information

Last week, many PayPal users received an email titled "Cryptocurrency Warning" that appeared to come from PayPal itself.

The online payment platform PayPal was founded about 20 years ago and processes payments in 25 currencies across more than 200 markets worldwide. PayPal has long been regarded as a direct competitor of cryptocurrencies, which aim to replace its intermediary transaction model. Although PayPal's attitude toward cryptocurrency has been ambivalent, earlier this month it quietly filed for crypto-related patents.

The "Cryptocurrency Warning" email rebuked its recipients, stating:

"While reviewing your account, we noticed that your activity involves the trading or transfer of cryptocurrency, which is prohibited under our Acceptable Use Policy. As this is not permitted on the PayPal platform, we ask that you cease any activity that results in the trading or transfer of cryptocurrency. If you continue to engage in this activity on PayPal, we will be unable to continue offering our services."

As soon as the email appeared it caused an uproar in the relevant communities and among PayPal users, yet PayPal has not issued any official statement; it has only told complaining users through customer service that "the sender address is forged and is not PayPal's official address."

The question now is how these emails got through. One user pointed out: "There is no domain verification process for the sender address in the SMTP protocol. There is a separate, optional Sender ID framework that some providers use. This email is also signed with that protocol. I cannot explain that."

A forum commenter insisted: "It's easy. Anyone can download some stolen BTC-related databases (the bitcointalk database, the btc-e database, etc.). The scammer then takes the list of BTC-related email addresses and cross-references it with another database that contains full names, and ends up with a list containing both BTC users' full names and email addresses. (In many cases also usernames, password hashes, dates of birth, meatspace addresses, SSNs and all sorts of other private data, depending on which database they are using.) Anyone who has taken a semester of computer science should be able to write a script for this. Then just send out some spam emails."

“I am a PayPal user,” David Veksler of the Foundation for Economic Education and The Atlanta Bitcoin Embassy explained to News.Bitcoin.com. “My account is 17 years old. This morning I got the email linked in my message.” On Friday, March 16, Mr. Veksler, and presumably a sizeable share of PayPal’s nearly 200 million users, received an official-looking email, apparently from the company and complete with letterhead, titled Cryptocurrency Warning.

The two-decade-old online payments company counts Peter Thiel and Elon Musk among its founders. Its revenue routinely runs into the billions, and it operates in over 200 markets and in 25 currencies around the world. PayPal is often seen as a direct competitor to cryptocurrencies, which aim to remove its centralized business model from everyday transactions. The company has made conflicting statements about crypto in general and bitcoin in particular, but there’s no denying it can see the future: just this month it was discovered that the company had applied for crypto-related patents.

After thanking the recipient for their business, the Cryptocurrency Warning scolded them: “While reviewing your account, we noticed that your activity involves the trading or transfer of crypto currency which is prohibited under our Acceptable Use Policy. As this is not permitted on the Paypal platform we ask that you cease any activity that results in the trading or transfer of crypto currency. If you continue to engage in this activity on Paypal, we’ll be unable to continue offering our services.”

“It appears to be legit,” Mr. Veksler worried. “I checked the from address and the DKIM. Then I called Paypal support and got a [customer service representative] on the line. She said that from the email address, it does not appear to be legitimate. She then checked my account and said that it is fine – there are no flags of any kind on it. I then posted on the Paypal community site and Reddit, and a bunch of people replied saying that they got the same email.”

For its part, the company has issued no formal statement, preferring, it seems, to take the complaints one at a time rather than whip up a frenzy. The problem with this approach is that not everyone understands the technical details of email, or where to go to ask for clarification. Mr. Veksler has a master’s degree in the field, and even he was a little put off. It’s not unreasonable to believe that company users would come away feeling that buying and selling crypto was somehow wrong.

“I don’t know,” Mr. Veksler continued. “All I can tell you is that customer support said it’s fake but the email looks legit, including the digital signatures. I’ve never bought or sold crypto with my account.” A reading of the company’s policy finds no prohibition on cryptocurrency trading of any kind. On the company’s community page, the issue appears to have been labeled solved, with users confirming through representatives that the email is indeed a fake.

At issue now is how the emails were spoofed. The perpetrators managed to send from an address on the company’s own domain and to address users by name. “There is no domain verification process for sender address in the SMTP protocol,” Mr. Veksler pointed out. “There is a separate, optional Sender ID framework which some providers use. This email is also signed with that protocol. I cannot explain that.”
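The observation that the message "looks legit, including the digital signatures" illustrates a common misreading of DKIM: a signature proves only that the domain named in the signature's d= tag signed the message, not that this domain is the one shown in From:. Whether the signing domain and the visible sender agree is the alignment check that DMARC defines, and it is the first thing a responder should pull out of a suspect message's headers. The script below is an added example, not code from the article, from PayPal or from News.Bitcoin.com. The message headers and every domain name in it are constructed placeholders; it does not verify the signature cryptographically (that needs a DNS lookup of the selector and a library such as dkimpy), and its organizational-domain reduction is a simplification of the public-suffix rules real DMARC implementations use.

```python
# Added example, not code from the article, PayPal or News.Bitcoin.com.
# Checks whether the DKIM signing domain (d=) and the SPF-evaluated envelope
# sender align with the visible From: domain, the alignment test DMARC defines.
# A message can carry a perfectly valid DKIM signature for a third-party domain
# and still show a spoofed From: address, so "the DKIM checks out" on its own is
# not evidence that the visible sender is genuine.
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers; every domain here is a placeholder.
# The Authentication-Results header is what a receiving mail server adds.
SPOOFED_MESSAGE = """\
From: "PayPal" <service@paypal.example>
To: victim@recipient.example
Subject: Cryptocurrency Warning
DKIM-Signature: v=1; a=rsa-sha256; d=bulk-mailer.example; s=sel1;
 c=relaxed/relaxed; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=bounce@bulk-mailer.example;
 dkim=pass header.d=bulk-mailer.example

While reviewing your account, we noticed that your activity involves ...
"""

# Same visible sender, but signed by and sent from the sender's own domain.
ALIGNED_MESSAGE = SPOOFED_MESSAGE.replace("bulk-mailer.example", "paypal.example")


def organizational_domain(domain):
    """Reduce a host name to its registrable part (last two labels).

    Simplification for this example: real DMARC alignment consults the public
    suffix list, so a name such as 'mail.example.co.uk' needs three labels.
    """
    labels = domain.lower().strip().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def analyze(raw_message):
    """Return the alignment facts a responder wants from a message's headers."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # d= tag of every DKIM-Signature header (a message may carry several)
    dkim_domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        tag = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if tag:
            dkim_domains.append(tag.group(1).lower())

    # SPF verdict and the envelope-sender domain it was evaluated for
    auth = msg.get("Authentication-Results", "")
    spf_pass = re.search(r"\bspf=pass\b", auth) is not None
    mailfrom = re.search(r"smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", auth)
    spf_domain = mailfrom.group(1).lower() if mailfrom else None

    org_from = organizational_domain(from_domain)
    dkim_aligned = any(organizational_domain(d) == org_from for d in dkim_domains)
    spf_aligned = bool(
        spf_pass and spf_domain and organizational_domain(spf_domain) == org_from
    )

    return {
        "from_domain": from_domain,
        "dkim_domains": dkim_domains,
        "spf_domain": spf_domain,
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        "aligned": dkim_aligned or spf_aligned,
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("aligned", ALIGNED_MESSAGE)):
        print(label, analyze(raw))
```

Run against the spoofed sample, the script reports a DKIM signature and an SPF pass, both for a domain that is not the one in From:, so the message is unaligned even though every signature on it is "valid". The aligned sample, identical except that the signing and envelope domains match the visible sender, passes both checks. On a real incident the same extraction is done on the full headers of the received message, and the alignment result is what a DMARC policy of quarantine or reject would act on.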

A forum commenter insisted, “It’s pretty easy. Anybody can download a number of hacked BTC-related databases. (bitcointalk database, btc-e database, etc.). Then the scammer takes the list of BTC-related emails and cross references it with another database that includes full names. Now the scammer has a list of BTC users’ full names and e-mail addresses. (Also in many cases username, password hash, DOB, meatspace address, ssn, all sorts of other private data depending on what database they’re using.) Anybody with a semester of computer science class should be able to write a script that does this. Then just send out some spam emails.” For a deeper dive on the hacking details, Nadeem Walayat has some interesting theories about the affair.


Copyright © Internet Finance Lab, PBC School of Finance, Tsinghua University | 京ICP备17044750号-1