
Author: delv
Published: 2014/1/27 8:20:40
CCTV exposes vulnerability in Alipay's password recovery


The CCTV News Channel program Oriental Horizon recently aired a segment titled "Alipay's password recovery feature has a vulnerability; account security is threatened". According to the program, because of information exposed in an earlier Alipay data leak, criminals use it to look for victims' information, gain access to users' Alipay accounts through password recovery, and then transfer the money out of Alipay.

The following is a transcript of the program:

Moderator: According to the perpetrators, once they have a person's name, mobile phone number and ID card number, they can use Alipay to steal the deposits in that person's bank cards. First, the suspect forges a fake ID card from the person's personal information obtained online in advance, then uses the fake ID card to get a replacement SIM card issued for the person's phone number. If the person's Alipay account is bound to that phone number, the suspect can log in to the person's Alipay account with ease and transfer the deposits in the person's bank cards out through the Alipay account.

So how exactly does the suspect log in to the person's Alipay account? Let's keep watching.

Narrator: Alipay has a password recovery feature. A user who forgets their password can use it to set a new one, and it is precisely this feature, meant for users' convenience, that has given criminals an opening.

Following the suspect's account, the reporter ran a test on their own computer. After opening the Alipay login page, the reporter clicked the "forgot login password" option and the system brought up the login password recovery page. After the username and CAPTCHA were entered, the page offered two recovery methods, and the reporter chose the one recommended by the system: mobile verification code plus ID document number. A verification code text message soon arrived on the phone.

However, the system indicated that to recover the Alipay password, the personal ID card number must also be entered. Once the verification code and ID card number had both been entered correctly, a new Alipay password could be set. After getting into Alipay, the reporter used the same method to reset the payment password, after which operations such as transfers could be completed successfully.

However, in a case like Ms. Wang's, once the mobile phone number and ID card number have both been leaked, the security of the account is threatened.

Cui Baojiang (associate professor, School of Computer Science, Beijing University of Posts and Telecommunications): Besides the mobile verification code, a third factor can be added, for example email verification, and a fourth, including verification through security questions. Every second-generation ID card contains a contactless IC card. The manufacturing cost of this IC card and the technology involved are fairly complex, so it is usually quite difficult for a suspect to forge the contactless IC card in a second-generation ID card.

Narrator: However, during the investigation the reporter learned that many small and medium-sized mobile carrier service outlets have no equipment that can effectively verify whether an ID document is genuine. Another link worth attention is this: how exactly did the suspect obtain the personal information of Ms. Wang and the others?

Yang (the suspect): The personal information came from an online data leak in March of this year (2013). Through that leak, a list of customers spread onto the internet. I used that incident to collect the list of these people online and picked from it at random.



