Troy Cunningham - a friend, colleague and office neighbour of mine whom you have already met - came steaming over to my desk yesterday.
"It can't be right," he said, "that Paypal makes it so easy to bypass my two-factor authentication. I paid them for a security token and now I've found out I can authorise transactions without it. That can't be right!"
Let me explain.
Two-factor authentication (2FA) means you need a second piece of digital identity, as well as your regular password, when you login or carry out a transaction.
One form of 2FA offered by PayPal is an authentication token. Your second piece of digital identity is the ever-changing and unguessable number on the token. This boosts security in two main ways:
- The token code changes every 30 seconds. An attacker who finds out your token code today, for example by using a keylogger or looking over your shoulder, can't use it again tomorrow. It's a one-time password.
- The token is a tamper-proof unit that operates independently. It can't be affected by spyware or keylogging malware that might infect your computer.
Token-based 2FA can't eliminate cybercrime, but it makes things much tougher for the crooks.
You can read more about the hows and whys in my VB2006 conference paper, which remains relevant despite its age: Can Strong Authentication Sort Out Phishing and Fraud?
(No download registration required.)
By purchasing a PayPal token, Troy imagined that he would be able to configure his account to require the token code to be used every time.
Why have a token, if not to improve security? Why improve security, but only some of the time?
But that's not how it works. Troy forgot his regular password, and needed to reset it.
When he did so, PayPal sent a one-time weblink to his email address, asked him for two secondary passwords - PayPal calls them security questions, but they're effectively just passwords by another name - and then let him log in without asking for his token code.
At first he assumed that this would be some sort of limited login related to password reset only, but it wasn't.
He was able to pay out money without using his token at all.
Now you could, if you were so inclined, argue that PayPal's password reset process maintains 2FA.
Indeed, you could stretch the facts a little and say that there are three factors here: one private email and two special-purpose passwords.
But no token code is needed - even though one of the token's main purposes is to shield you from keylogging, just the sort of attack that would enable a crook to harvest your email account credentials and your PayPal secondary passwords.
Indeed, a crook who already "owned" your computer by means of spyware could easily trick you into performing a password reset, for example by adding bogus characters into the PayPal password field as you logged in, making you think you had misremembered it.
Then he'd grab your email password plus your PayPal secondaries as you chose a new password. That information would be enough for him to reset your password again later, and to bypass your token at the same time.
And that's why Troy started this article by saying, "That can't be right!"
Do you agree? Tell us what you think by voting in our poll: