I have a strange case with my PayPal account and I wanted the community assistance on what can be done and how to spot the security hole.

I have a private PayPal account which has been constantly attacked lately.
When I say attacked I mean someone tried and gained access to it.

Now, what I can't understand is how.

The Facts

  • I have 2 Factor Authentication (Access Key) in my PayPal account using my phone.
    Namely, if I want to log on I need to enter both my password and the code I get on my phone.

  • I have a very hard password, unique to the PayPal account.

  • I have my security questions answered using a very long string (not the answer to the question, just another hard, password-like string).
  • The password and the strings are memorized and not written anywhere.
  • From the talks with PayPal's security team I understand the person accessed my account using the password (whether he used the SMS or not is not known, or at least I'm not being told).
  • I'm on Windows 10; no suspicious behavior seen whatsoever.
  • No suspicious activity seen on my emails or any other site I log onto.

The first thing I thought about is someone key-logging my computer,
or any kind of malware.

Actions Done

  • I tried every anti-malware and anti-virus out there, including security disks and rootkit killers (though feel free to give me more options to try). I tried Kaspersky, Avira, Malwarebytes, ClamWin, Microsoft Defender and BitDefender.
  • I changed passwords and security questions.

Still, yesterday he managed to get access to my PayPal account again.

I must say that PayPal has been, generally, great and everything is restored.
Yet I want to stop it, as it has happened once a week for the last few weeks.

What are the other options to find what security hole I have?

I don't have trouble formatting my computer; I just need to understand what can guarantee it won't come back (this is why I think I must figure out how it is done before that).

Any special tricks to really understand what is going on?

Thank You.

  • If you have 2FA turned on, how could they access your account without your phone? That is the question I'd be asking PayPal. That is exactly what 2FA is meant to prevent. Commented Dec 11, 2016 at 17:57
  • PayPal has been known to respond to calls to reset the password, by simply calling them and answering information that can be gleaned from semi-private sites about you. The IRS has also done this, when they insisted on using a PIN that was only mailed to you. Unfortunately, anyone could call the IRS, answer some presumably "secret" questions, and they would reset your PIN. Make sure that PayPal has not been resetting your PW for someone else, just by calling support (which I assume they are already doing with you today). How do they know and ensure that it is you?
    – DaaBoss
    Commented Dec 11, 2016 at 18:27
  • @JulianKnight, That is a good question which, as written above, I asked and got no answer to. Thank You.
    – Royi
    Commented Dec 12, 2016 at 3:06
  • @DaaBoss, I don't think they saw any indication a Password Reset was made through a phone. Do you have any other thought about it? Any idea how to locate the security hole here? Thank You.
    – Royi
    Commented Dec 12, 2016 at 3:07
  • @Royi, it didn't occur to this security researcher, Krebs, that it had been PayPal themselves that had reset his PW using social engineering and the poor security practices by PayPal. The article then appealed to several companies, including the IRS and PayPal, to disallow and stop the practice of allowing the use of fairly easy-to-get information to authenticate verbally on the phone, and allowing someone in support to manually override every single security measure you mentioned. When and by whom was your PW reset, or was it not reset? I assumed you, at least, did reset it.
    – DaaBoss
    Commented Dec 12, 2016 at 13:46

1 Answer

I strongly believe that your hacked account was strictly social engineering, and was not a technical failure at all. You are already dedicated to taking extremely good security procedures and practices. The specific failure is in our institutions, that are usually 10-20 years behind the bad guys. They simply cannot understand how to protect us by quickly adopting new procedures to new risks. The solution to your problem may require all of us to push for changes at PayPal and other institutions.

In PayPal's case, Krebs details exactly how his PayPal account was repeatedly hacked, despite being an expert in security and already using 2 factor authentication. His story should alert all of us to the significant dangers that currently exist, so we can start mitigating some of the risks.

2016 Reality: Lazy Authentication Still the Norm, by Brian Krebs

Your hack was likely a result of PayPal's practice of using STATIC information that is supposedly hard to come by. This definitely was how Krebs was repeatedly hacked. After verbally answering these questions, despite having a "locked account", PAYPAL GAVE the BAD GUYS ACCESS to KREBS'S ACCOUNT, REPEATEDLY. Krebs was already USING 2FA, and it did him no good. Also note that Krebs, being a security expert, had a much easier time getting the cooperation of PayPal's management, but that STILL didn't help enough.

Almost as troubling is that photos of "official documents" are used for KYC procedures, as part of many organizations' due diligence. They are easily and inexpensively forged. There are services available that will produce fraudulent documents for you for a small fee, any time you'd like to "prove" you are someone that you are not.

Read through this whole article, and I think you will see that we all must start educating and forcing our institutions to completely overhaul our security procedures and practices, and then apply technology that actually works today.

But, what works today, may not work next month, and those procedures and technology will need to change often and quickly to adapt to new threats.

The problem is that our institutions themselves are specifically crafted so that they can never adapt quickly to any changes. This aspect must change, before we can expect them to adapt quickly. The larger the institution, the harder it is to change any procedure, no matter how stupid it becomes.

An example of several institutions' attempts to solve a security problem is social security numbers. Allowing the bad guys easy access to these SS#, and then maintaining systems that rely on this 1950s technology to protect your account, has been a known problem for decades. In 2006, it was legislated to remove all SS# from Medicaid cards, and I believe Medicare cards as well. The agencies not only have yet to remove the numbers, the current plan is scheduled to be completed by 2027. No, that was not a typo--TWENTY ONE YEARS to remove a visible SS# from these cards! Of course, by then, the point will likely be moot. Without an overhaul of these organizations, no amount of technology will help protect us.

Understanding enough security to stay safe is increasingly difficult, even for experts. It requires our constant readjustment, learning, and adopting our own procedures that are cost effective in time, frustration, and cash outlay.

I believe this social solution is the only solution to his problem, even if it is not a technical one. This is not generally the place for any solution that is not an established fact-based technology solution. But there are some aspects of our technology that merge with policies and procedures that must also change, or we will never solve many of the new security problems. Security requires applied technology with policies and procedures. Without all three, there is no security.

  • I read the article. Great reading. I can see the weaknesses of PayPal, but how can I make sure I'm not leaking anything. What can I do on my side? Thank You!
    – Royi
    Commented Dec 15, 2016 at 22:47
  • Just start working with PayPal, and first learn how you are, or could be, attacked. Then see if there's a way to get them to change so you won't be attacked, and then try to influence them to change for everyone. Finally, report both here and on Krebs what changes they've made and how we can all protect ourselves, with at least PayPal.
    – DaaBoss
    Commented Dec 16, 2016 at 14:01