PayPal Authentication Still Substandard

Brian Krebs has the story. Bottom line: PayPal has no excuse for this kind of stuff. I hope the public shaming incents them to offer better authentication for their customers.

Posted on December 29, 2015 at 12:25 PM • 24 Comments

Comments

Rick • December 29, 2015 1:24 PM

It really should incentivize, yes. As soon as I saw Brian's post, I forwarded a link to everyone in my company of web site builder people who care the least bit about security (which is most of 'em), and recommended none of us personally, our company, nor any of our customers use PayPal until they get that kind of thing sorted!

de la Boetie • December 29, 2015 1:32 PM

It's actually worse than the dismal story that Krebs reports - after all, he already used 2FA with the old OTP dongle that PayPal supported.

But their very long awaited FIDO-based 2FA replacement appears to be UAF oriented rather than U2F - so it looks like they are intending to inflict biometric 2FA on an unsuspecting public.

I hope I don't need to spell out the problems with biometrics in the context of this readership, however, it would sure work well for PayPal when they're trying to avoid responsibility for breaches (even though the case outlined involves their inadequate account recovery protection mechanisms).

Personally, I'm not accepting any online service that wants biometrics as opposed to fob-ownership - even though I'd love more 2FA in financial service access.

. • December 29, 2015 3:29 PM

Yeah I've been boycotting PayPal for years since the last hack.
At the end of the day, all they see is numbers.
So if they're losing $X of business a year then they will likely want to look at why that is happening.

If any online merchant only offers PayPal I just won't buy through them.
So far I've only had one case of having to do this.
Most of the time I've been able to use credit card authentication like MasterCard's SecureCode or Visa's Secure with Visa I think it's called.
Not necessarily more secure, but the choice between a known bad (100%) and an unknown state (50-50) is obvious.

I really hope they clean up their act.

cowbert • December 29, 2015 9:47 PM

Hell, even Amazon support cannot verify my Amazon 2FA texts and I've been unable to escalate issues like account lockouts...

Dave • December 29, 2015 11:07 PM

@de la Boetie:

>But their very long awaited FIDO-based 2FA replacement appears to
>be UAF oriented rather than U2F

I think we need to CID the TLA or we'll OD on QT and need to BYOG the ATAP and go MIA.

Winter • December 30, 2015 5:27 AM

Things are changing. It seems Google and Yahoo are going to introduce mobile login:

http://techcrunch.com/2015/12/22/google-begins-testing-password-free-logins/#.p4bgzs:Ou15

Instead, those who have been invited to try this new method of logging in authenticate by responding to a notification sent to their smartphone. The idea is similar to Yahoo’s recently launched “Account Key,” which also offers a password-free means of signing in involving a push notification sent to your phone that then opens an app where you approve the log-in.

So we are going back to the old physical key model.

mike~acker • December 30, 2015 7:52 AM

from my read of Brian's essay: the attacker apparently simply called PayPal help desk and asked for access. helpdesk asked for the last 4 digits of Brian's SocSec and the last 4 of a credit card -- all information that is known to be publicly compromised -- all over the 'Net

which brings me to the key:

Secure Computing in a Compromised Environment

authentication has to be based on something other than our PII -- which has now been disseminated all over the 'Net -- resulting in our "Compromised Environment"

the Big Dollar Corporations and governments yell and scream that "PGP is not the answer" -- but I think it is.

but I think it will take a bit more than loading GnuPG into everyone's devices: too many of these "devices" are known to be either compromised or vulnerable. I think a dedicated KEK device of some type will be needed.

the advantage of a dedicated device is that it is practical to control update access -- which has NOT been done on many devices -- which have, as a result, ended up compromised.

people should be able to get their KEK device authenticated at any local Credit Union, County Clerk, Notary Public, DMV -- anyplace that is already responsible for lawful verification of identification.

ravn • December 30, 2015 8:39 AM

PayPal is not really "safe" for online shopping anyway. If you really need PayPal for online purchases, do not register a bank account with the PayPal account that you use for shopping.

The PayPal account that you use for online shopping should only have a non-PayPal credit card account on it. This allows you to do a charge-back through the credit card provider in the event that you do not receive the ordered goods.

The reason for this advice is the way PayPal refund policies work when you do not receive your goods, or when you find out that the seller lied in their description. If your only recourse is requesting a refund from PayPal, you will find out that they make their decision based simply on the sellers verbal statements.

Minime • December 31, 2015 12:39 AM

If you really need PayPal for online purchases, do not register a bank account with the PayPal account that you use for shopping.

It depends. Outside USA Paypal will not withdraw money directly from your bank account but instead ask you to transfer money from a registered bank account to your Paypal account. So basically a malicious actor will have to hack two accounts and hopefully your bank account offers 2FA already.

Peanuts • December 31, 2015 1:34 AM

1) PayPal does not have a relevant or effective surety program.

2) Account changes include changing phone #'s, emails, changing passwords over the phone or unlocking accounts require surety

3) PayPal's only and exclusive non gambling option with surety is to have a relevant surety program or optionally leverage a federated trust for surety workflow validation from a qualified financial institution, e.g. a bank or competent IT organization.

The less surety available options in use by other orgs that have a required procedure which uses a phone or FOB take a risk a little gamble that the human who actually does physically the phone or FOB
The procedure does not validate and assumes 1) Human is a human, 2) no exploitable issue like losing the seeds has happened 3) when is something hinky going on, putting the kibosh on social engineering is best achieved with good hinky behavior detection. Everything else is security theater) procedure

Further the gamble is further mitigated by requiring additional complex and user definable (non public) questions and answers.

The weakest link is still and always will be the user.
Users that use a 60 character utterly random and complex jumble of non dictionary words for all answers have substantially more secure accounts.

Users that answer using a dictionary word are not doing it right.
Users and authentication success criteria that requires that can remember the answers to reset questions are not doing it right.

How many years does stupid wrong success criteria have to persist before customers and Business analysts are educated?

Stupid is as stupid does. No NSA conspiracy can explain stupid.

some problems can be solved, some problems are stupid, some injected, some bad success criteria, some are just simple stupid choices and you can't patch stupid as Brian and eBay know too well.

ianf • December 31, 2015 3:06 AM


@ Peanuts

Before we go on, I await your SECURE SOLUTION for recording/ remembering these your proposed "60 character utterly random and complex jumble of non dictionary words for all answers" for subsequent reentry into form fields, so the security of the entire login-query-answer-chain can be maintained (remember the problem of the weakest link!) Be as loquacious as you want, Bruce doesn't charge extra by the word, even 60-character dittos.

Wael • December 31, 2015 3:37 AM

@ianf,

60 character utterly random and complex jumble of non dictionary words for all answers...

Select a random 4 digit password, preferably consisting of numbers and special characters. Then sprinkle them in a word such as: rindfleischetikettierungsüberwachungsaufgabenübertragungsgesetz.

Select another 4 or 5 digit number, then sprinkle an additional digit for each question. Question 1, use the first digit and so on...

@Peanuts,

Users that use a 60 character utterly random and complex jumble of non dictionary words for all answers have substantially more secure accounts

Naturally! So secure that even they cannot answer the questions!

ianf • December 31, 2015 4:27 AM


@ ravn […] If you really need PayPal for online purchases, do not register a bank account with the PayPal account that you use for shopping.

The PayPal account that you use for online shopping should only have a non-PayPal credit card account on it.

I don't doubt that your advice is grounded in logick, only such of quite otherworldly kind… spoken by a true child of affluenza: just how many credit cards do you think people generally possess? (I have 2 credit, 1 debit card, but only use one of these).

Perhaps in the USA there are banks etc financial institutions that sprinkle such around on passers-by, burdening them with near-unlimited credit, but not in Europe (where btw there still are countries like Germany where not even payment with credit card in major shops is guaranteed everywhere).

Similarly, people with multiple ordinary/ checking bank accounts must be rare here… why mess up one's life with several monthly statements, keep track of parallel accounts perhaps from different banks, and the need to ensure liquidity in more accounts than the minimum necessary?

Perhaps I'm missing something—that must be it—but I don't get why anyone would ever use PayPal for online shopping (as in "from online seller's website".) I thought the way to use PayPal, how I did it previously, was to send funds from (logged-in) PP account to a specified mail recipient; have an address to receive funds from such senders; and then to transfer those to my PP-registered bank account IN SEPARATE SESSIONS. It was a pain in the neck, which is why I cleared the PP-account of all funds, deleted the bank account there, and let it stay dormant.

Now tell me what else I should have done to prevent being swindled and/or defrauded via this route.


@ Wael - thanks for that lesson in how to deploy a wetware analog random strings generator, I certainly needed one. Now, if only you could come up with a SUREFIRE guaranteed way to FIELD-VALIDATE these so-generated random strings for utter randomness (expressed in probability percentages), I'd be most obliged, and sing the “Paean Phantastic to Waels of This World” (copyright SONY Records Ltd).

Wael • December 31, 2015 4:43 AM

@ianf,

SUREFIRE guaranteed way to FIELD-VALIDATE these so-generated random strings for utter randomness

I only gave a hint. You'd want to include things like PBKDF2 with some additional AES-CTR operations... Maybe a few rounds of hashing some of the substrings won't hurt either. What you need to do is remember the algorithm and the small passwords you chose. That way you can derive them and not have to write the output on a post-it note.

Suggesting that someone remembers a set of 60-character (or much less) random answers to questions to reset a forgotten password is a fundamentally flawed concept, by the way!
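A worked version of the derivation idea Wael sketches (one memorised secret plus a short per-site, per-question label, run through PBKDF2 to produce each long "random" answer), added here as an example and not code from the original comment; the site names, question labels, iteration count and master secret are all assumed or constructed, and the last function states the caveat that the derived answers are never stronger than the master secret they come from:

```python
import base64
import hashlib
import math

# Assumed parameters (not from the original comment).
ITERATIONS = 200_000   # PBKDF2-HMAC-SHA256 work factor
ANSWER_LEN = 60        # the "60 character" answers discussed in the thread


def derive_answer(master_secret: str, site: str, question: str,
                  length: int = ANSWER_LEN) -> str:
    """Derive a reproducible, printable answer for one reset question.

    The site and question labels act as the PBKDF2 salt, so one master
    secret yields unrelated answers for every site/question pair, and the
    same inputs always regenerate the same answer (nothing to write down).
    """
    # Normalise case so "PayPal" and "paypal" derive the same answer.
    salt = f"{site.strip().lower()}|{question.strip().lower()}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"),
                              salt, ITERATIONS, dklen=length)
    # Base64 keeps the output typeable in a web form; trim to the wanted length.
    return base64.b64encode(raw).decode("ascii")[:length]


def answer_entropy_bits(master_secret_bits: float, derived_len: int,
                        alphabet_size: int = 64) -> float:
    """Upper bound on the entropy of a derived answer.

    This is the caveat Clive raises below: the output may look like 60
    random base64 characters (60 * log2(64) = 360 bits), but an attacker
    who knows the scheme only has to guess the master secret, so the real
    strength is min(master_secret_bits, derived_len * log2(alphabet)).
    """
    return min(master_secret_bits, derived_len * math.log2(alphabet_size))


if __name__ == "__main__":
    # Constructed demo inputs; use your own memorised secret in practice.
    secret = "correct horse battery staple"
    for q in ("mother's maiden name", "first pet", "city of birth"):
        print(f"{q:>22}: {derive_answer(secret, 'paypal.example', q)}")
    print("effective bits:", answer_entropy_bits(44, ANSWER_LEN))
```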

Clive Robinson • December 31, 2015 6:48 AM

@ Wael,

Suggesting that someone remembers a set of 60-character (or much less) random answers...

The human mind is designed to look for patterns, it's also how most of us remember things, and security wise it really is bad news.

It's known that quite a few people can not remember four random digits over night, unless they sit down and make a rhythm or pattern out of them. Further it's been shown that most people can not remember a ten-digit telephone number as an entirety. They need to split them up and remember the pieces as a pattern or rhythm, practicing it over and over.

Even after years of practice, many people can not remember how to spell quite a few eight or more character words correctly. Which is why we often see phonetic misspellings (yes I hang my head in sham ;-)

However Germans often remember very long word spellings, because of the way they are built up from short word spellings, in a recognisable pattern.

As most parents know with only a little practice from about six most children can remember the entire words of songs and poems, and even Band Names (Dave Dee Dozy Beaky Mick and Tich...) and made up words in songs (Zabadak). I know of singers who can sing songs in French and Spanish, but can speak neither language.

Thus rhythm and pattern is the norm for remembering things, and it's a real problem for the security of pass phrases and the like.

Basically computers can be taught to build up such rhythms and patterns, or just remember the text. The result is that the entropy drops quite a bit after around twenty characters, even less if the character count is known from counting key clicks etc by eavesdropping or bugs. Arguably the entropy hardly gets above 14-bit equivalent when such info is known. And next to nothing if you can get the typing cadence, as we type in words and with the cadence of the song or poem. After all how many well known sentences consist of three three letter, one two letter and two three letter words? [1].

It's why writing a real random password down on a postit you keep with other valuable pieces of paper in your wallet is still reasonable advice. Because with such random passwords there is no cadence that can be correlated to known songs/poems/sayings/prayers etc.

[1] Off the top of my head only one "the cat sat on the mat", though you will probably hunt for a couple or so more just to prove a point :-D but even if you do it's still less than a couple of bits of real entropy...

Wael • December 31, 2015 11:41 AM

@Clive Robinson,

It's known that quite a few people can not remember four random digits over night,

True. But the concept is flawed because the proposition is to "remember a set of random numbers" that are: (1) Longer, (2) Not used often, thereby easier to forget. If users are expected to forget a frequently used password, how can we expect them to remember a complex answer that hasn't been used in a substantially longer time that may span several months or years. And that's assuming there is only one "account".

After all how many well known sentences consist of three [...] Off the top of my head only one "the cat sat on the mat", though you will probably hunt for a couple or so more just to prove a point :-D

Nope! Hunting for other examples is futile, you were too careful phrasing this statement and had a way out by saying "well known". You closed that door shut for me ;)

Thomas_H • December 31, 2015 6:02 PM

@Minime:

Actually, with a confirmed Paypal account it is possible to make direct payments from your bank account in Europe (well, some countries at least). Of course, it's easy to pull the authorization for such action by Paypal via your bank (and in some cases have the charges reversed).

@ianf:
AFAIK, credit cards in the USA take the place of debit cards and also bank-to-bank wire transfers in Europe (in the US bank-to-bank wire transfers are often obscenely expensive - the banking system there really is rather backwards in some aspects). In most European countries shops have to pay for accepting debit cards, and pay even more for credit cards, although in the last couple of years most shops will also accept VISA/Mastercard - even if it's not explicitly mentioned on the shop window.

A Nonny Bunny • January 2, 2016 3:12 PM

@ianf

Perhaps I'm missing something—that must be it—but I don't get why anyone would ever use PayPal for online shopping (as in "from online seller's website".)
Well, in my case, I didn't have (nor wanted) a credit-card, there weren't other payment options, and the shop was vastly cheaper than those that did offer alternative (and usable) payment options. And it's easy to use (redirect from shop to PayPal, log in, pay, redirect back, done).

@ravn

The reason for this advice is the way PayPal refund policies work when you do not receive your goods, or when you find out that the seller lied in their description. If your only recourse is requesting a refund from PayPal, you will find out that they make their decision based simply on the sellers verbal statements.
That's not my experience; when I had a conflict with an eBay seller, getting a refund via PayPal was surprisingly easy and painless.
I suppose it's possible the seller never contested the claim. But I'd also been advised to use PayPal's conflict resolution (rather than eBay's) precisely because it supposedly favors the buyer.

Mark • January 4, 2016 7:45 AM

I boycotted Paypal a long time ago. Ultimately, I can make an online transfer if I *really* need to buy something over the Internet.

They blocked Wikileaks' account = Big Evil Company.
Their T&Cs are longer than Hamlet = Big Evil Company.

They're an American company. As a European, I will try my absolute best not to have any of my data/money handed over to them on principle alone.

It astonishes me that people complain about these companies yet do nothing. You know what? The only thing we can do as consumers is not use them. I hope that Brian learnt his lesson and ended up deleting his account.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.