Comment by crooked-v

8 years ago

> and for security reasons we're unable to offer further details

To give a little behind-the-scenes here, I worked for a bit for a web hosting company that had this as standard policy. This was because, before it was put in place, scammers would actually use coordinated campaigns of support calls with otherwise legitimate accounts in order to extract piecemeal details about how the company's fraud investigations worked, then reorganize their scamming to precisely evade the time periods and credit card checks used at the time.

This was how Simplii and BMO (two Canadian banks) were hacked earlier this year.

> The hackers explained that they were able to breach the banks’ sub-par security by using an algorithm to generate account numbers and then posing as customers who had forgotten their passwords.

“They were giving too much permission to half-authenticated account which enabled us to grab all these information,” the email said, adding that the system “was not checking if a password was valid until the security question were input correctly.”

Source: https://www.ccn.com/hackers-demand-1-million-in-xrp-after-br...
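A minimal model of the recovery flaw quoted above, added here as an example (not code from the thread or from either bank): the flawed path hands profile data to a caller who has only answered the security question, while the hardened path reveals nothing at that step and unlocks the account only through a verified password or a single-use out-of-band reset token. Account numbers, answers, and profile are constructed, and the token "delivery" is stood in by a dict.

```python
import hmac
import secrets
from typing import Optional

# constructed sample directory: number -> password, normalized answer, profile
ACCOUNTS = {
    "1000001": {"password": "correct horse", "answer": "maple",
                "profile": {"name": "A. Customer", "balance": 1200}},
}
RESET_TOKENS: dict = {}   # token -> account number (stand-in for email/SMS)


def _same(a: str, b: str) -> bool:
    # constant-time comparison; timing must not reveal which field was wrong
    return hmac.compare_digest(a.encode(), b.encode())


def forgot_password_vulnerable(number: str, answer: str) -> Optional[dict]:
    """Flawed: a correct security answer yields a 'half-authenticated' state
    that can read the full profile before any password is checked."""
    acct = ACCOUNTS.get(number)
    if acct and _same(acct["answer"], answer.strip().lower()):
        return acct["profile"]          # PII released on the wrong signal
    return None                         # also confirms whether the number exists


def forgot_password_hardened(number: str, answer: str) -> str:
    """Fixed: identical response whether the number exists or the answer is
    right; the only effect of success is a reset token sent out of band."""
    acct = ACCOUNTS.get(number)
    if acct and _same(acct["answer"], answer.strip().lower()):
        RESET_TOKENS[secrets.token_urlsafe(16)] = number
    return "If that account exists, recovery instructions were sent."


def reset_with_token(token: str, new_password: str) -> bool:
    """Consume a token exactly once; no account data is returned here either."""
    number = RESET_TOKENS.pop(token, None)
    if number is None:
        return False
    ACCOUNTS[number]["password"] = new_password
    return True


def login(number: str, password: str) -> Optional[dict]:
    """Profile data is available only after the password itself verifies."""
    acct = ACCOUNTS.get(number)
    if acct and _same(acct["password"], password):
        return acct["profile"]
    return None
```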

That part makes total sense. It doesn’t make sense that a human could not override.

  • At my company, there was a specially-trained fraud department that could handle cases like that, with specially arranged hoop-jumping to prevent social engineering for information. I would expect that Paypal has something similar, but maybe the phone drone in that case was too untrained or unmotivated to transfer things to them.