How is that sort of technology not possible? Is it not possible to connect to a secured wireless network with enough effort, and then maybe perform a MITM attack? Maybe the user used the same password on sites not protected with SSL. Or the hacker maybe manipulated traffic at router-level etc.
A far fetched scenario indeed, but not impossible.
However I do agree with you that the most likely scenario was him being phished or exposed to a trojan.
All this effort to steal money from someone who (I think) lives with their parents?!
A lot of the things you say "far fetched, but not impossible"/"enough effort" are misleading. These things are about as likely as winning the lottery several weeks in a row. Possible. But be realistic.
What is realistic and happens a lot is (a) bad computers security (b) password reuse (c) simple passwords ("password1" and friends) (d) one site someone gets hacked and people know that password (e) some malware on the machine. These things are much more likely than someone sitting outside their house.
Haha, how is my statement of it being far fetched misleading? The scenario is far fetched, but possible, didn't say it was likely. The only reason I replied to your comment was that you said "That sort of technology per se is not possible.".
If you're a criminal who wants to do something from someone's IP, what's easier - (a) drive to their house, hack their wifi, and sit outside or (b) install a trojan on their computer and remote control it
I'm going to go for (b) personally. (a) would work, though!
Yes I agree, I wouldn't have come to the conclusion of option a originally if I had not watched a quite in-depth report on tv about it. It was quite unreal really how easy it was, they sat on a quiet suburb area, scanned for all the wireless networks and waiting for information to come in
All along, I've been hoping that the average person would start to take computers seriously and make an honest effort to learn what is going on with them... since the average person has started using computers throughout the day, unlike say, 1992.
However, this has not happened and indeed, people are pleased to obliviously broadcast their personal details across their neighborhood without even considering 'if I can pick this up, can my neighbor next door listen in?'. They'd probably figure it out if it was just a radio, right?
Security hazards of unsecured (or poorly secured, say WEP) wifi has been known for some time, of course. My current favorite is coffee shop that don't use AP isolation... nothing is more exciting than eavesdropping on students doing their nursing homework.
The reason they came to this conclusion is because they said the transfer initiated from his IP address. It's the only possible conclusion I came to.
And it is entirely possible, the was a story in the UK running warning people of open wireless networks. I know data between the client and Paypal is encrypted but it's the only conclusion I came to.
Like I say, I only followed his issue in passing but that is the only way I could see it happening (without his parents actually stealing the money!)
It is more likely that it was a trojan/virus. There are several out there that monitor for just banking/paypal/payroll details, once it has something good the operator can easily bounce through the machine it's controlling to move the money.
If you do any amount of tech support, you'll find users who will misremember, outright lie, or have silly ideas about computer security. A user could tell you that of course they never go to any of those website where you might get a virus, or that their computer is acting fine, and that's how they know they don't have a virus, or that of course they would never use the same password anywhere. All of these things make me doubt users.
No, it was report on the TV where they sat outside their house and monitored all purchases they were making. They then ran a report off and went to the persons door with the report.
If you read further comments I admit a more feasible reason will probably be trojans.
I highly doubt this story. That sort of technology per se is not possible.
More likely someone used the same password on the email and or paypal account and it got out.