
28 Responses to Why buy a PayPal authentication token if a crook can login without it? [POLL]

  1. J. P. · 734 days ago

    Well, when you go to those forms, guess what? You'll leave behind your IP#, and if things were done without your authorization, doesn't PayPal offer a dispute mechanism?

    • Paul Ducklin · 734 days ago

      True, but it would be better to avoid the dispute stage altogether.

      As I mentioned, one major reason for a 2FA token is to insulate against malware on your computer. Without the token, even a crook who has full remote control over your computer by means of a malware infection shouldn't be able to log in as you.

      He can run your browser, connect from your IP number, type in keystrokes and click mouse buttons as though he were seated right in your own chair in front of your own computer; he can behave, from an internet point of view (and from the point of view of the dispute committee :-), indistinguishably from you...

      ...but he can't get the token out of your pocket (or your handbag, rucksack, etc.) and read the magic code off it.

  2. Tony · 734 days ago

    I voted "No 2FA should be required" on the premise that, what better a mechanism to validate the legitimacy of a password reset request *than* the 2nd-Factor Auth mechanism?

    If I had 2FA *and* my password is being reset I *would* expect to need to use my 2FA to complete the reset process. Surely it increases the probability that the reset is legitimate v. someone trying to hack into my account.

    • Paul Ducklin · 734 days ago

      Great minds think alike.

      The irony is, as far as I can see, that PayPal seems to have a separate procedure (what I think is called a "workflow" these days) for dealing with the case that you've lost your token. In other words, PayPal seems to assume that if you have forgotten your password, you still have your 2FA token handy.

      As you say, what better mechanism...

  3. Freida Gray · 734 days ago

    In other words, PayPal seems to be saying that buying the token to improve your security is just a waste of money.

    • Paul Ducklin · 734 days ago

      Well...it improves your security most of the time - it's only at times when it would be most useful that it doesn't :-)

      (Ooops! I think I just gave away the right answer to the poll.)

      • Chris · 733 days ago

        I don't think I accept the formulation that it "increases your security most of the time." Your PayPal account is only as secure as the most vulnerable access path. If we imagine that instead of the "I forgot my login" link it had a "I don't want to use 2-factor this time" link, no one would argue that they even have 2-factor as it clearly doesn't actually increase security. This is basically a round-about way to do the same thing.

        That said, assuming the "security questions" aren't publicly available information (and that's a huge assumption) you could argue that it does marginally increase security since you need to take over an email account and the security questions probably aren't typed as often. Also I can't say I'm particularly surprised by PayPal in this instance. Password reset seems like the weakest and most poorly thought-out part of most web systems these days.

        • Paul Ducklin · 733 days ago

          I agree with your point here...my throwaway remark "improves security most of the time" was meant to be cynical. A chain is, indeed, as weak as its weakest link.

          FWIW, I agree about the secondary questions "feeling" safer since you type them in only rarely so they are much less likely to be exposed to a crook. That's why I mentioned the problem that on an infected computer you can easily be tricked into doing a reset...so a crook who hasn't got lucky with your secret answers yet can pretty much get them out of you anyway.

          Not to mention that the questions PayPal allows you to choose from are woeful. You choose two questions; it always asks the same two. Like, "Where was your honeymoon?" That's a secret no-one else is likely to know. Apart from all your friends, family, and anyone who has seen your Facebook page. (The irony is that it is by definition a question that at least one other person *must* know the answer to.)

  4. DavidL · 734 days ago

    I use the system whereby PayPal texts me a six-digit pass code when I want to log in. Can this be bypassed in the same way as the 'token'?

    • Dave · 733 days ago

      I'm pretty certain that it can be bypassed in the same way.

    • Tattooed_Mummy · 733 days ago

      Yes, I've used it when I'm too lazy to go find my phone o_O

  5. Tattooed_Mummy · 734 days ago

    Erm, why buy a token? I get a code sent via PayPal to my phone as a two-step security thing. And yes, the ease is the issue - even Google makes me wait a few days if I lose my phone before I can get back into my email that has two-step verification.

    • Paul Ducklin · 733 days ago

      There are some very good reasons to prefer a standalone token over SMS-based "tokens", not least that the physical token is a separate, independent, tamper-proof unit. It is either visibly functional (displaying numbers) or not (blank display) - there's no uncertainty about whether it's going to work or if the code is going to arrive.

      SMSes have variable and unguaranteed delivery times, and can be sniffed or spoofed by malware on your phone.

      A _really_ good reason to have a token is if you ever use your phone to do your browsing. As soon as you have your browser and the token processing on the same device, you're pretty much back to 1FA, at least from a malware point of view...

      • Tattooed_Mummy · 732 days ago

        Interestingly, the phone app that PayPal uses (at least on Android) doesn't ask for the 2nd verification - just a phone number and password are enough... Inconsistency, thy name is PayPal.

  6. Tattooed_Mummy · 734 days ago

    In other news, a friend on Twitter was told by his bank that he could only change his registered mobile number with them if he rang from that number. So in the event of his phone being stolen, only the thief could change the account details - security can be too secure!

    • Paul Ducklin · 733 days ago

      Or in the event of a crook buying a brand new phone (top of the range, expensive plan, on someone else's credit card, of course :-) and convincing the commission-hungry sales guy to port "his old number" to the new phone.

      Bingo. Your phone goes dead because your SIM is no longer associated with your number. But the crook's SIM is. He gets your calls and your SMSes, and your number shows up when he calls anyone.

      (This attack - which has been used effectively to bypass 2FA by crooks in Oz - also bypasses the PIN on your SIM and the passcode on your phone, since it renders both your phone and SIM irrelevant.)

      In one well-known case in Oz, the crook's first call with the stolen number was to the victim's ISP. The crook cancelled the victim's broadband connection, knowing this would prevent the guy checking his bank account until the next day at the earliest. Actually, it took longer than that since the bloke couldn't easily call his ISP to argue the case :-(

  7. MikeP_UK · 733 days ago

    2FA should be required at all times, especially when making a payment or requesting a password reset. There are no occasions when 2FA would not be of significant value.
    That they render their own system impotent by their poorly considered process means that PayPal is NOT as secure as they try to claim.

    PS: Could not vote as Ghostery has yet again blocked your poll options.

  8. Adrian7 · 733 days ago

    Yes, 2FA should increase privacy. But what if you lose it, or somebody steals your token device? Then what?

    • Paul Ducklin · 733 days ago

      Then they need your password, too. Getting your token and your password at the same time is a much bigger challenge than just getting your password (which can be stolen without you even realising, by someone who doesn't need to get hold of any physical object).

      As the paper referenced in the article explains, 2FA isn't foolproof. But it does make things harder for the bad guys.

  9. Jason · 733 days ago

    Thanks for the article. We all need to be more proactive about our personal account security. I use Two-Factor Authentication across a lot of my accounts. I feel a lot more secure when I can telesign into my account. I'm glad this is an option, but only if it has 2FA ALL of the time is it worth the time and effort, and only then can you have the confidence of knowing that your account won't get hacked and your info is not up for grabs. I would not be happy if I paid for something, only to find out it does not do what they say it should do.

  10. Teagle · 733 days ago

    Why don't you just use the Windows virtual keyboard for important passwords?
    You can make a quick link to it on your desktop.

    • Paul Ducklin · 733 days ago

      Virtual keyboards are just as "keyloggable" as your real keyboard - in fact, one of the system functions commonly used by malware to spy on your keystrokes is SetWindowsHookEx(), which is exactly the same userland function you use to spy on mouse events.

      Many years back, when malware targeting banks first started to make it big, the Brazilian banks were hit first, and fastest and hardest. They responded by introducing virtual keyboards with all sorts of cleverness in them, including moving the keys around, playing with the contrast, and more. Suddenly, logging keystrokes was no longer enough for the crooks - they had to adapt.

      It took them days. (Perhaps I am exaggerating. It might have been a couple of weeks.)

      The problems are not so much how hard it is to log/capture/steal your passwords, but [a] the fact that they can be logged at all and [b] the fact that they stay the same for weeks, or months, or years. Make a password unloggable *and* one-use-only - exactly what a 2FA token aims to do - and the crooks have a much, much bigger hill to climb...

  11. chris · 732 days ago

    Interesting. What happens when the physical token expires or the battery runs out?
    Those physical tokens don't last forever. With PayPal physical tokens, I don't think the normal end user would know the expiry date and probably won't be proactive enough to purchase another token before the other one expires.

    My guess is that once your token expires, you would be able to log in with a single password and make payments.

    • 8675309 · 730 days ago

      The WM 6.x VeriSign app still works with PayPal, and who knows how long the 7.x app will work. At least that doesn't really cost anything.

  12. 8675309 · 730 days ago

    The only problem with these tokens is that it seems like you can't log in to the PayPal app, or it's just an oversight by their WP dev team.

    This isn't a surprise, considering there was a class action lawsuit against them a few years ago.

  13. akh · 453 days ago

    PayPal annoys me. Google has solved this correctly by allowing you to use an app as a 2nd token. You can also print out manual codes that you keep in your wallet as a backup.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog