
lol

> Paypal, which displays five digits including area code to anyone knowing the email address (but only three if the attacker knows the target’s password), decided this is working as designed and will not take action.

Wild.

Does anyone know how scammers are getting numbers off of LinkedIn? Or correlating them to numbers from elsewhere? I know a company whose employees are constantly getting fake CEO texts.




I just realized this is from 2019 and confirmed this literally still works on PayPal. SMH


An objective observer would conclude PayPal only exists to cause security problems.

I once called PayPal to report a "your account is suspended" phishing email and they angrily told me to follow the directions in the email.


My sister got married and changed her surname. PayPal has inexplicably also changed my surname to my sister’s new surname.

I can’t for the life of me figure out why, or why they would do that without notifying me. At least no good reason. It’s the strangest thing.

I haven’t even fixed it. I just stopped using PayPal because I don’t trust them any more.


Is it possible you had the "Edit your details" page open and your web-browser "helpfully" auto-filled the form with her details and you submitted the form without noticing?

It gets worse: there's a lot of web-apps out there (both SSRs and SPAs) with <form> elements for personal details which are in the DOM, but "hidden" by doing tricks like `position: absolute; left: -99999px` inside a div with `overflow: hidden` (instead of doing something like `display: none;`) - or have the form hidden by using a z-index behind some curtain/cover element - and I've seen browsers auto-fill those fields and they get POSTed and cause a data overwrite on the server without the user being aware.

It's a fun way to steal PII from people: have a random public webpage that contains a registration form with all kinds of personal details, but has HTML+CSS such that it's visually obscured from the user, but the browser thinks it's a fully visible form, and simply let the browser autofill it and submit it using JS (getting around the "user must interact with the page" filter by binding it to a big pink button that says "click here to see dancing bunnies!").

Browser auto-fill is dangerous.
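
An added example, not part of the comment above or of any site's own code: a JavaScript audit a site owner could run over their own forms to flag fields that are laid out, and so may be autofilled and submitted, but that the user cannot see. The `PAGE` bounds, field snapshots and all names are constructed assumptions; in a browser each snapshot would be built from `getBoundingClientRect()`, `getComputedStyle()` and `document.elementFromPoint()`.

```javascript
// Page bounds in document coordinates (constructed; in a browser use
// document.documentElement.scrollWidth / scrollHeight).
const PAGE = { left: 0, top: 0, right: 1280, bottom: 3000 };

// True when rect does not overlap box at all.
function outside(rect, box) {
  return rect.right <= box.left || rect.left >= box.right ||
         rect.bottom <= box.top || rect.top >= box.bottom;
}

// Reasons a field is invisible to the user while still being laid out.
function hiddenReasons(f) {
  // Assumption: type=hidden and display:none are deliberate and out of scope here.
  if (f.type === 'hidden' || f.display === 'none') return [];
  const reasons = [];
  if (outside(f.rect, PAGE)) reasons.push('outside page bounds');
  else if (f.clip && outside(f.rect, f.clip)) reasons.push('clipped by overflow:hidden ancestor');
  if (f.rect.right - f.rect.left < 2 || f.rect.bottom - f.rect.top < 2) reasons.push('near-zero size');
  if (f.opacity === 0) reasons.push('fully transparent');
  if (f.coveredBy) reasons.push('covered by ' + f.coveredBy);
  return reasons;
}

// Fields that would be submitted without the user ever seeing them.
function auditForm(fields) {
  return fields
    .map(f => ({ name: f.name, reasons: hiddenReasons(f) }))
    .filter(r => r.reasons.length > 0);
}

// Constructed sample form: one visible field, three obscured ones, two deliberate hides.
const box = (left, top, w, h) => ({ left, top, right: left + w, bottom: top + h });
const sampleForm = [
  { name: 'email', type: 'email', display: 'block', opacity: 1, rect: box(100, 200, 300, 30) },
  { name: 'phone', type: 'tel', display: 'block', opacity: 1, rect: box(-99999, 200, 300, 30) },
  { name: 'city', type: 'text', display: 'block', opacity: 1, rect: box(100, 700, 300, 30),
    clip: box(0, 0, 1280, 600) },
  { name: 'address', type: 'text', display: 'block', opacity: 1, rect: box(100, 300, 300, 30),
    coveredBy: 'div.curtain' },
  { name: 'csrf', type: 'hidden', display: 'none', opacity: 1, rect: box(0, 0, 0, 0) },
  { name: 'notes', type: 'text', display: 'none', opacity: 1, rect: box(0, 0, 0, 0) },
];

console.log(auditForm(sampleForm));
```

Flagged fields can be removed from the DOM until they are needed, or stripped from the payload before submit, so the server only receives values the user could see.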


Uh, I don't think so. We don't live together and we don't share computers.

It's strange that PayPal would even consider our accounts associated in any way. I wonder if she put a support ticket in to change her name and they changed mine too because we shared the same surname? Does PayPal know we're related somehow, or did they just change another random account with our surname when they changed her name, and happened to get her brother? The more I think about it the more questions I have.


"Does anyone know how scammers are getting numbers off of LinkedIn?"

They probably have their phone number visible on their profile or they have an email and the scammer found the number on another platform (like Facebook).



