I *think* I read about this possible DOS here. If not, it was incidents, I'm not sure. I wrote PayPal about it.

First the original problem:

Hi,

I read the below on a net security list. Please comment.

***
A recent encounter with PayPal has made me discover a fairly serious DOS condition with PayPal. If the user was to input the wrong password 3 times then PayPal will automatically disable that user's account and issue them a new password via USPS. When I did this, it took nearly a week to get that letter and until then my account was useless. Calls and e-mails to PayPal went unanswered. If someone was to do something as simple as harvest PayPal users from eBay or some other way, all they would have to do is try logging in as those people three times then effectively lock them out of PayPal for a week.
***

I'd like to know what you think of this security issue.

Their response:

***
If a person forgets their password, there is an email, sent to the primary email address, that will lead them to a page with their secret questions. If the questions are answered correctly the password will be reset and the user is prompted to enter a new password. If the customer cannot remember the answers to the secret questions, they can send us an email and we will give them the number to the password line. The representative will then help them access the account after they have verified the items we require. We no longer mail passwords.

The only time the account will become locked is if the user enters the password incorrectly 20 times. When this happens, they would need to contact us and verify the information on the account. We will then unlock the password and assist them to access the account and create a new password.
***

It's amazing what you find out when you do a little research.

--
Mimi L. Carpenter, Network Security Engineer
Screen Actors Guild Producers Pension and Health Plans
mailto:mcarpenterat_private
I speak only for myself.
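The lockout denial of service discussed in the post above comes down to policy parameters: how many failures trigger a lock, and whether the lock expires on its own. The added Python model below (not PayPal's code, and not from the original post) compares a three-strike lock that only staff can clear against a hypothetical softer policy with a higher threshold, a temporary lock, and failures that age out, and shows which one lets the real account owner back in after someone else submits bad passwords.

```python
"""Added example: model two login-lockout policies to show why a low,
permanent lockout threshold turns failed logins into a denial of service.
Constructed scenario; thresholds 3 and 20 are taken from the post, the
durations are assumptions."""
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    max_failures: int        # failures before the account is locked
    lockout_seconds: float   # lock duration; inf = stays locked until staff reset
    window_seconds: float    # failures older than this no longer count

@dataclass
class LoginGuard:
    policy: LockoutPolicy
    failures: dict = field(default_factory=dict)   # user -> [failure timestamps]
    locked_at: dict = field(default_factory=dict)  # user -> time of lock

    def is_locked(self, user, now):
        t = self.locked_at.get(user)
        return t is not None and now - t < self.policy.lockout_seconds

    def attempt(self, user, password_ok, now):
        """Return True if the login is accepted. Wrong passwords accumulate
        within the window; reaching max_failures locks the account."""
        if self.is_locked(user, now):
            return False
        if password_ok:
            self.failures.pop(user, None)   # a good login clears the counter
            return True
        recent = [t for t in self.failures.get(user, [])
                  if now - t < self.policy.window_seconds]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.policy.max_failures:
            self.locked_at[user] = now
            self.failures.pop(user, None)
        return False

# Policy as described in the original report: three strikes, cleared only by
# a mailed password (modelled as a lock that never expires on its own).
HARD_LOCK = LockoutPolicy(3, float("inf"), float("inf"))
# Hypothetical softer policy: 20 strikes, 15-minute temporary lock, and
# failures that stop counting after an hour (durations are assumptions).
SOFT_LOCK = LockoutPolicy(20, 900, 3600)

def owner_can_log_in_after(policy, wrong_attempts, delay):
    """Someone else submits `wrong_attempts` bad passwords one second apart
    starting at t=0; can the real owner log in `delay` seconds later?"""
    guard = LoginGuard(policy)
    for i in range(wrong_attempts):
        guard.attempt("victim", False, now=i)
    return guard.attempt("victim", True, now=delay)
```

Under the hard policy the owner is still locked out a day later; under the softer policy three bad attempts do nothing, and even a full lock clears itself after the lockout period.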
This archive was generated by hypermail 2b30 : Mon May 21 2001 - 08:26:33 PDT