Troy Cunningham – a friend, colleague and office neighbour of mine whom you have already met – came steaming over to my desk yesterday.
“It can’t be right,” he said, “that Paypal makes it so easy to bypass my two-factor authentication. I paid them for a security token and now I’ve found out I can authorise transactions without it. That can’t be right!”
Let me explain.
Two-factor authentication (2FA) means you need a second piece of digital identity, as well as your regular password, when you login or carry out a transaction.
One form of 2FA offered by PayPal is an authentication token. Your second piece of digital identity is the ever-changing and unguessable number on the token. This boosts security in two main ways:
- The token code changes every 30 seconds. An attacker who finds out your token code today, for example by using a keylogger or looking over your shoulder, can’t use it again tomorrow. It’s a one-time password.
- The token is a tamper-proof unit that operates independently. It can’t be affected by spyware or keylogging malware that might infect your computer.

Token-based 2FA can’t eliminate cybercrime, but it makes things much tougher for the crooks.
You can read more about the hows and whys in my VB2006 conference paper, which remains relevant despite its age: Can Strong Authentication Sort Out Phishing and Fraud?
(No download registration required.)
By purchasing a PayPal token, Troy imagined that he would be able to configure his account to require the token code to be used every time.
Why have a token, if not to improve security? Why improve security, but only some of the time?
But that’s not how it works. Troy forgot his regular password, and needed to reset it.
When he did so, PayPal sent a one-time weblink to his email address, asked him for two secondary passwords – PayPal calls them security questions, but they’re effectively just passwords by another name – and then let him log in without asking for his token code.
At first he assumed that this would be some sort of limited login related to password reset only, but it wasn’t.
He was able to pay out money without using his token at all.
Now you could, if you were so inclined, argue that PayPal’s password reset process maintains 2FA.
Indeed, you could stretch the facts a little and say that there are three factors here: one private email and two special-purpose passwords.
But no token code is needed – even though one of the token’s main purposes is to shield you from keylogging, just the sort of attack that would enable a crook to harvest your email account credentials and your PayPal secondary passwords.
Indeed, a crook who already “owned” your computer by means of spyware could easily trick you into performing a password reset, for example by adding bogus characters into the PayPal password field as you logged in, making you think you had misremembered it.
Then he’d grab your email password plus your PayPal secondaries as you chose a new password. That information would be enough for him to reset your password again later, and to bypass your token at the same time.
And that’s why Troy started this article by saying, “That can’t be right!”
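As an added illustration (not code from the article or from PayPal), the following Python models the two reset flows: the one Troy hit, where the emailed link plus the two secondary passwords yield a full session with no token check, and a hardened variant that also demands the token's one-time code, which a keylogger cannot supply and cannot replay. The code is generated with a standard RFC 6238 TOTP routine; the account, answers and token seed are constructed.

```python
import hashlib, hmac, struct


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the code a hardware token shows, changing every 30 seconds."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


class Account:
    def __init__(self, password, answers, token_secret):
        self.password = password
        self.answers = answers            # the two "security questions" (secondary passwords)
        self.token_secret = token_secret  # seed shared with the physical token (constructed)
        self.used_windows = set()         # enforces one-time use of each 30-second code


def verify_token(acct, code, now):
    """Accept the current window's code once; a replayed or stale code is rejected."""
    window = now // 30
    if code is None or window in acct.used_windows:
        return False
    if not hmac.compare_digest(code, totp(acct.token_secret, now)):
        return False
    acct.used_windows.add(window)
    return True


def reset_weak(acct, email_link_ok, answers, new_password):
    """The flow the article describes: email link + two answers, token never consulted."""
    if not email_link_ok or answers != acct.answers:
        return None
    acct.password = new_password
    return {"can_pay": True}  # full session: payments allowed without the token


def reset_hardened(acct, email_link_ok, answers, code, now, new_password):
    """Same flow, but the token code is required, so keylogged credentials alone fail."""
    if not email_link_ok or answers != acct.answers or not verify_token(acct, code, now):
        return None
    acct.password = new_password
    return {"can_pay": True}


def demo(now=1_700_000_000):
    """Constructed scenario: the crook keylogged the email login and both answers but has no token."""
    acct = Account("hunter2", ("Paris", "Rex"), b"constructed-seed")
    weak = reset_weak(acct, True, acct.answers, "crook-pw")            # crook wins
    crook = reset_hardened(acct, True, acct.answers, None, now, "crook-pw")  # no token: refused
    code = totp(acct.token_secret, now)  # the legitimate owner reads this off the token
    owner = reset_hardened(acct, True, acct.answers, code, now, "new-pw")
    replay = reset_hardened(acct, True, acct.answers, code, now + 5, "again")  # same code reused
    return (weak is not None, crook is None, owner is not None, replay is None)
```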
Do you agree? Tell us what you think by voting in our poll:
Well, when you go to those forms, guess what? You'll leave behind your IP number, and if things were done without your authorization, doesn't PayPal offer a dispute mechanism?
True, but it would be better to avoid the dispute stage altogether.
As I mentioned, one major reason for a 2FA token is to insulate against malware on your computer. Without the token, even a crook who has full remote control over your computer by means of a malware infection shouldn't be able to log in as you.
He can run your browser, connect from your IP number, type in keystrokes and click mouse buttons as though he were seated right in your own chair in front of your own computer; he can behave, from an internet point of view (and from the point of view of the dispute committee :-), indistinguishably from you…
…but he can't get the token out of your pocket (or your handbag, rucksack, etc.) and read the magic code off it.
I voted "No 2FA should be required" on the premise that, what better mechanism to use to validate the legitimacy of a password reset request *than* the 2nd factor auth mechanism?
If I had 2FA *and* my password is being reset I *would* expect to need to use my 2FA to complete the reset process. Surely it increases the probability that the reset is legitimate v. someone trying to hack into my account.
Great minds think alike.
The irony is, as far as I can see, that PayPal seems to have a separate procedure (what I think is called a "workflow" these days) for dealing with the case that you've lost your token. In other words, PayPal seems to assume that if you have forgotten your password, you still have your 2FA token handy.
As you say, what better mechanism…
In other words, PayPal seems to be saying that buying the token to improve your security is just a waste of money.
Well…it improves your security most of the time – it's only at times when it would be most useful that it doesn't 🙂
(Ooops! I think I just gave away the right answer to the poll.)
I don't think I accept the formulation that it "increases your security most of the time." Your PayPal account is only as secure as the most vulnerable access path. If we imagine that instead of the "I forgot my login" link it had an "I don't want to use 2-factor this time" link, no one would argue that they even have 2-factor, as it clearly doesn't actually increase security. This is basically a roundabout way to do the same thing.
That said, assuming the "security questions" aren't publicly available information (and that's a huge assumption) you could argue that it does marginally increase security since you need to take over an email account and the security questions probably aren't typed as often. Also I can't say I'm particularly surprised by PayPal in this instance. Password reset seems like the weakest and most poorly thought-out part of most web systems these days.
I agree with your point here…my throwaway remark "improves security most of the time" was meant to be cynical. A chain is, indeed, as weak as its weakest link.
FWIW, I agree about the secondary questions "feeling" safer since you type them in only rarely so they are much less likely to be exposed to a crook. That's why I mentioned the problem that on an infected computer you can easily be tricked into doing a reset…so a crook who hasn't got lucky with your secret answers yet can pretty much get them out of you anyway.
Not to mention that the questions PayPal allows you to choose from are woeful. You choose two questions; it always asks the same two. Like, "Where was your honeymoon." That's a secret no-one else is likely to know. Apart from all your friends, family, and anyone who has seen your Facebook page. (The irony is that it is by definition a question that at least one other person *must* know the answer to.)
I use the system whereby PayPal texts me a six-digit pass code when I want to log in. Can this be bypassed in the same way as the 'token'?
I'm pretty certain that it can be bypassed in the same way.
Yes, I've used it when I'm too lazy to go find my phone o_O
Erm, why buy a token? I get a code sent via PayPal to my phone as a two-step security thing. And yes, the ease is the issue – even Google makes me wait a few days if I lose my phone before I can get back into my email that has two-step verification.
There are some very good reasons to prefer a standalone token over SMS-based "tokens", not least that the physical token is a separate, independent, tamper-proof unit. It is either visibly functional (displaying numbers) or not (blank display) – there's no uncertainty about whether it's going to work or if the code is going to arrive.
SMSes have variable and unguaranteed delivery times, and can be sniffed or spoofed by malware on your phone.
A _really_ good reason to have a token is if you ever use your phone to do your browsing. As soon as you have your browser and the token processing on the same device, you're pretty much back to 1FA, at least from a malware point of view…
Interestingly, the phone app that PayPal uses (at least on Android) doesn't ask for the 2nd verification – just a phone number and password are enough… inconsistency, thy name is PayPal.
In other news, a friend on Twitter was told by his bank that he could only change his registered mobile number with them if he rang from that number. So in the event of his phone being stolen, only the thief could change the account details – security can be too secure!
Or in the event of a crook buying a new brand new phone (top of the range, expensive plan, on someone else's credit card, of course 🙂 and convincing the commission-hungry sales guy to port "his old number" to the new phone.
Bingo. Your phone goes dead because your SIM is no longer associated with your number. But the crook's SIM is. He gets your calls and your SMSes, and your number shows up when he calls anyone.
(This attack – which has been used effectively to bypass 2FA by crooks in Oz – also bypasses the PIN on your SIM and the passcode on your phone, since it renders both your phone and SIM irrelevant.)
In one well-known case in Oz, the crook's first call with the stolen number was to the victim's ISP. The crook cancelled the victim's broadband connection, knowing this would prevent the guy checking his bank account until the next day at the earliest. Actually, it took longer than that since the bloke couldn't easily call his ISP to argue the case 🙁
Dear Lord, we are all doomed.
2FA should be required at all times, especially when making a payment or requesting a password reset. There are no occasions when 2FA would not be of significant value.
That they render their own system impotent by their poorly considered process means that PayPal is NOT as secure as they try to claim.
PS: Could not vote as Ghostery has yet again blocked your poll options.
There's a link you can use to visit the poll page directly just above the poll window:
http://polldaddy.com/poll/6614212/
Yes, 2FA should increase privacy. But what if you lose it, or somebody steals your token device? Then what?
Then they need your password, too. Getting your token and your password at the same time is a much bigger challenge than just getting your password (which can be stolen without you even realising, by someone who doesn't need to get hold of any physical object).
As the paper referenced in the article explains, 2FA isn't foolproof. But it does make things harder for the bad guys.
Thanks for the article. We all need to be more proactive about our personal account security. I use Two-Factor Authentication across a lot of my accounts. I feel a lot more secure when I can telesign into my account. I’m glad this is an option, but only if it has 2FA ALL of the time for it to be worth the time and effort and have the confidence of knowing that your account won't get hacked and your info is not up for grabs. I would not be happy if I paid for something to find out it does not do what they say it should do.
Why don't you just use the Windows virtual keyboard for important passwords?
You can make a quick link to it on your desktop.
Virtual keyboards are just as "keyloggable" as your real keyboard – in fact, one of the system functions commonly used by malware to spy on your keystrokes is SetWindowsHookEx(), which is exactly the same userland function you use to spy on mouse events.
Many years back, when malware targeting banks first started to make it big, the Brazilian banks were hit first, and fastest and hardest. They responded by introducing virtual keyboards with all sorts of cleverness in them, including moving the keys around, playing with the contrast, and more. Suddenly, logging keystrokes was no longer enough for the crooks – they had to adapt.
It took them days. (Perhaps I am exaggerating. It might have been a couple of weeks.)
The problems are not so much how hard it is to log/capture/steal your passwords, but [a] the fact that they can be logged at all and [b] the fact that they stay the same for weeks, or months, or years. Make a password unloggable *and* one-use-only – exactly what a 2FA token aims to do – and the crooks have a much, much bigger hill to climb…
Interesting. What happens when the physical token expires or the battery runs out?
Those physical tokens don't last forever. With PayPal physical tokens, I don't think the normal end-user would know the expiry date and probably won't be proactive enough to purchase another token before the other one expires.
My guess is that once your token expires, you would be able to log in with a single password and make payments.
The WM 6.x Verisign app still works with PayPal, and who knows how long the 7.x app will work; at least that doesn’t really cost anything.
The only problem with these tokens is that it seems like you can’t log in to the PayPal app, or it's just an oversight by their WP dev team.
This isn’t a surprise considering there was a class action lawsuit against them a few years ago.
PayPal annoys me. Google has solved this correctly by allowing you to use an app as a 2nd token. You can also print out manual codes that you keep in your wallet as a backup.
If implemented correctly, the advantages of hardware tokens (principally being fully self-contained devices) do add a good layer of security. The problem in this case is that it can be bypassed.