Brian Krebs has made a lot of enemies.
He’s a famed cybersecurity journalist who formerly worked for The Washington Post, and now breaks stories on his blog, KrebsOnSecurity.
But his reporting on hacking and the dark side of the internet has angered some, and he’s a now a frequent target of fraudsters and cybercriminals.
Krebs was targeted again on Christmas Eve, he says in a blog post — when someone broke into his PayPal account and tried to send money to ISIS.
On December 24, the journalist noticed an email address had been added to his account — a sign that someone else had gained access. He immediately reached out to PayPal, and the company said it would “monitor” the account for suspicious activity. Despite this, the same thing happened again 20 minutes later — and this time, he was locked out with the password changed.
The unknown attacker apparently then tried to send money to Junaid Hussain — an ISIS-affiliated hacker believed to have been killed in a drone strike, prompting PayPal to freeze his account.
Krebs uses this incident to highlight what he views as the shoddy security practices still used by many big companies. The hacker didn’t discover his password: They “had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.”
One popular security measure that could have potentially helped avert this is two-factor authentication. This is when any log-in attempt is accompanied with a code texted to a known phone number: You then have to enter this code to complete the logging in process. Without direct access to Krebs’ phone, the hacker might not have been able to attempt to frame him as an ISIS supporter.
This is by no means the worst thing that has happened to Krebs, however. He’s had his credit report and pictures of his house shared online, along with other sensitive bits of information. In 2013, he was targeted by a “swatting” attempt — when a hoaxer makes a fake phone call to the police in order to get a SWAT team sent to the victim’s address.
He has even had heroin ordered to his house, by someone planning to tip off the police and frame him as a drug dealer. The plan failed after Krebs caught wind of it early, and with his help, the alleged culprit — a Ukrainian hacker who uses the alias “Fly,” has since been arrested.
Business Insider Emails & Alerts
Site highlights each day to your inbox.