back to article PayPal patches bone-headed two factor authentication bypass

Paypal has patched a boneheaded two factor authentication breach that allowed attackers to switch off the critical account control in minutes by changing a zero to a one. British MWR InfoSecurity consultant Henry Hoggart (@_mobisek) discovered and quietly reported the flaw to the payment giant. Attackers with username and …

  1. Ole Juul Silver badge

    2fa choices

    I'd still like to see see 2fa that I could use without having to buy a cell phone that I don't have any other use for.

    1. Chris 125

      Re: 2fa choices

      Agreed, they demand you use a text message when everyone else will offer a call, email, or even just give you the info you need to set up an authenticator app. Really frustrating.

      Mind you, it's only in the last few months they let you log in on a mobile browser with 2FA enabled - prior to that you got booted out, and asked to use the desktop site.

    2. Paul Crawford Silver badge

      Re: 2fa choices

      A lot of UK banks use your debit/credit card and a "card reader" gadget that allow them to send you a code (on web page) and you then answer with a hashed version that provides a means of checking its you and the amount you wish to transfer, etc. I'm guessing the code they send and the maths involving the amount makes it hard to MITM modify enough to easily abuse your account even if your PC is hopelessly compromised.

      Also you used to get the RSA key fobs for email (and sometimes banking) where you get a random 6 digit number every minute and that sequence can be checked at the server end to see if its likely to be you attempting a login, etc. But then RSA got compromised (pretty bad for a security company) and as they kept the master keys to keep businesses paying, all of their customers were also compromised. Had each end customer managed their own keys, etc, the damage would have been much lower.

      1. Jamie Jones Silver badge
        Facepalm

        Re: 2fa choices

        A lot of UK banks use your debit/credit card and a "card reader" gadget that allow them to send you a code (on web page) and you then answer with a hashed version that provides a means of checking its you and the amount you wish to transfer, etc

        Ah yes, PinSentry.

        Due to the wonders of chip and pin, this device is bloody handy, as it authenticates any chip and pin card, so next time you rob someone, you can be sure they gave you the right PIN without your attempts alerting authorities.

        https://en.wikipedia.org/wiki/Chip_Authentication_Program

    3. jay_bea

      Re: 2fa choices

      You can get a Paypal Security Key, which is a hardware VIP device to generate access codes, but these don't seem to be available in the UK.

      Someone has created a free alternative, which means you can use any OTP app: "python-vipaccess is a free and open source software (FOSS) implementation of Symantec's VIP Access client. It is able to generate OATH URIs and their corresponding QR codes so any TOTP-generating application can be used as a VIP OTP token." You can find it on Github.

      1. my farts clear the room
        Meh

        Re: 2fa choices

        I'm in the UK and I had a paypal 2fa card, credit card sized with a button on it an a little lcd to show the OTP.

        I used it for about 5 years before I ditched it - the paypal iphone app didn't support it and I mainly used paypal for ebay on my phone so it became a pain in the arse switching to a PC to finish the ebay checkout.

        I would be happy using something like Google Authenticator if that was an option.

    4. Lamont Cranston

      Re: 2fa choices

      £10 for a cheap PAYG mobile that'll act as your 2fa device for all online services, is probably preferable to accumulating various keyfobs and such.

      1. david 12 Bronze badge

        Re: 2fa choices

        --But useless when you go to China, and find that PayPal (and serveral of your other suppliers) is unable to contact you for authorization.

    5. Donnelb

      Re: 2fa choices

      Authlogics (Authlogics.com) provides 1.5FA, where the challenge grid that is used to generate the PIN is presented on the login screen, so you don't need a phone. It also supports 2FA and 3FA as well as, uniquely, allowing 2-way authentication so a call centre can verify that they are who they say they are (e.g. a bank)

    6. Velv Silver badge
      Boffin

      Re: 2fa choices

      Assuming the device you're accessing the site from has a USB port Yubikey is one potential alternative. A unique physical device you have, and Yubico are part of the Universal 2FA programme, so if the industry really wants to it could make things more secure quite cheaply by supporting u2FA. They do an NFC version now too.

      The key doesn't authenticate you to itself so your not protected if the device is physically stolen along with your credentials, however that's probably a tiny percentage of breaches.

    7. Robert Carnegie Silver badge

      Re: 2fa choices

      I think you can get text messages sent to your household phone. Does that help?

      1. Goopy

        Re: 2fa choices

        Not available everywhere

    8. mdava

      Re: 2fa choices

      I don't really understand this - there are very few people left who don't have a mobile phone already (the only one I can think of out of everyone I know/meet is my mother-in-law) so why would you need to buy another?

      1. Ole Juul Silver badge

        Re: 2fa choices

        "I don't really understand this - there are very few people left who don't have a mobile phone already (the only one I can think of out of everyone I know/meet is my mother-in-law) so why would you need to buy another?"

        I was not entirely truthful, but rather using a literary shortcut. I do actually have several cell phones in my parts pile. The problem is that, like a surprising number of places outside of cities, there is no coverage here. The point is that a 2fa implementation needs to be available to everybody and not just people who live in cities. As we see from the responses above, there are ways to accomplish this and it is just a matter of services adopting them.

      2. Goopy

        Re: 2fa choices

        It doesn't matter if you have a smartphone or not it matters if you can get SMS and all phones get SMS. ownership of the smartphone is not part of the argument presented here at all it's not part of the article why did you bring it up

    9. Daniel Feenberg

      Re: 2fa choices

      An alternative to SMS is to have the server make a voice call to the user, and accept a PIN from the user's keypad. DUO Security offers a system like this and given a suitable modem I think it wouldn't be difficult to do oneself. This also overcomes the objection that a phone number can be stolen (redirected to another phone) without stealing the physical phone, by social engineering the wireless company. Without the PIN, just receiving the call wouldn't authorize access.

      1. Goopy

        Re: 2fa choices

        Voice and data is not possible on all systems certainly not on all Cellular Systems think before you speak

  2. Martin Summers Silver badge

    If their API is anything to judge the standard by then this is hardly surprising.

  3. Mud5hark

    2 factor!

    They probably took the 3 weeks to change it to securityquestionfish and securityquestiondonkey.

    1. Anonymous Coward
      Anonymous Coward

      Re: 2 factor!

      More likely securityquestionarse and securityquestionelbow...

      1. Anonymous Coward
        Anonymous Coward

        Re: 2 factor!

        That would not work 'logically' as they have already demonstrated they cannot tell their A--- from their E----. :) :)

    2. Goopy

      Re: 2 factor!

      Or you can read the article and know that it took 3 days not three weeks to fix

  4. Pen-y-gors Silver badge

    Goggle approach seems quite good

    Google 2FA offers a selection of methods - I tend to use the app that generates the 6-digit code, but they will send SMS, possibly a voice call(?) and even let you generaate a set of one-time codes to keep somewhere safe. Of course if you're away from home you may not have access to the pre-allocated codes which are sitting in your desk drawer!

  5. Justicesays
    Trollface

    Did he try

    putting correctpassword1 in the POST while he was at it?

  6. adam payne Silver badge

    Attackers with username and passwords in hand need only mess with post requests changing securityquestion0 to securityquestion1 for two factor authentication to be bypassed.

    *Shakes head*

  7. Joe Harrison Silver badge

    Always been like this

    I have TOTP PayPal authentication switched on but it has always been useless because the login screen has a link saying "Don't have a key handy? Try another way" and then lets you login without the TOTP. Sounds like the guy messing with the URL has just found a different way to do that.

    1. Lee D Silver badge

      Re: Always been like this

      Question: What would you do if you lost the TOTP?

      However, I can't see TOTP without thinking of a largely-discredited BBC One music show.

  8. Stevie Silver badge

    Bah!

    Paypal has an IT staff?

  9. Anonymous Coward
    Anonymous Coward

    After 30+ years in the industry

    why am I still seeing hand-rolled implementations of password authentication, 2FA, phone number validation, postcode validation ?

    Surely there should have been a series of RFCs (like what I worked on) laying out some minimum standards ?

    There are more regulations over office air exchange in the UK than the entire history of computer security.

  10. BigAndos

    Hopefully they fixed this by now but I gave up on the 2FA for PayPal as it wouldn't work on their mobile site. Given it works by sending a text you'd think they would ensure it worked properly on a mobile browser! I contacted them to ask if they planned to implement it for their mobile and got a long winded reply that basically said "no idea, maybe".

    1. Goopy

      You didn't read the article either idiots

  11. Lotaresco Silver badge

    Errmmm

    Isn't that Henry Hoggar t d of MWR Labs who discovered a man-in-the-middle attack on Blackberry a couple of years ago?

  12. Anonymous Coward
    Anonymous Coward

    PayPal is run by idiots

    I obtained one of PayPal's useless 2FA key fobs years ago. Then, at one point about a year ago, it suddenly stopped being needed. For no apparent reason, I was able to log in without it.

    I told PayPal, and of course nothing came of it.

    Just like everyone else, PayPal doesn't give a flying turd about security.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019