PayPal patches bone-headed two factor authentication bypass Paypal has patched a boneheaded two factor authentication breach that allowed attackers to switch off the critical account control in minutes by changing a zero to a one. British MWR InfoSecurity consultant Henry Hoggart (@_mobisek) discovered and quietly reported the flaw to the payment giant. Attackers with username and …
Agreed, they demand you use a text message when everyone else will offer a call, email, or even just give you the info you need to set up an authenticator app. Really frustrating.
Mind you, it's only in the last few months they let you log in on a mobile browser with 2FA enabled - prior to that you got booted out, and asked to use the desktop site.
A lot of UK banks use your debit/credit card and a "card reader" gadget that allow them to send you a code (on web page) and you then answer with a hashed version that provides a means of checking its you and the amount you wish to transfer, etc. I'm guessing the code they send and the maths involving the amount makes it hard to MITM modify enough to easily abuse your account even if your PC is hopelessly compromised.
Also you used to get the RSA key fobs for email (and sometimes banking) where you get a random 6 digit number every minute and that sequence can be checked at the server end to see if its likely to be you attempting a login, etc. But then RSA got compromised (pretty bad for a security company) and as they kept the master keys to keep businesses paying, all of their customers were also compromised. Had each end customer managed their own keys, etc, the damage would have been much lower.
A lot of UK banks use your debit/credit card and a "card reader" gadget that allow them to send you a code (on web page) and you then answer with a hashed version that provides a means of checking its you and the amount you wish to transfer, etc
Ah yes, PinSentry.
Due to the wonders of chip and pin, this device is bloody handy, as it authenticates any chip and pin card, so next time you rob someone, you can be sure they gave you the right PIN without your attempts alerting authorities.
You can get a Paypal Security Key, which is a hardware VIP device to generate access codes, but these don't seem to be available in the UK.
Someone has created a free alternative, which means you can use any OTP app: "python-vipaccess is a free and open source software (FOSS) implementation of Symantec's VIP Access client. It is able to generate OATH URIs and their corresponding QR codes so any TOTP-generating application can be used as a VIP OTP token." You can find it on Github.
I'm in the UK and I had a paypal 2fa card, credit card sized with a button on it an a little lcd to show the OTP.
I used it for about 5 years before I ditched it - the paypal iphone app didn't support it and I mainly used paypal for ebay on my phone so it became a pain in the arse switching to a PC to finish the ebay checkout.
I would be happy using something like Google Authenticator if that was an option.
Authlogics (Authlogics.com) provides 1.5FA, where the challenge grid that is used to generate the PIN is presented on the login screen, so you don't need a phone. It also supports 2FA and 3FA as well as, uniquely, allowing 2-way authentication so a call centre can verify that they are who they say they are (e.g. a bank)
Assuming the device you're accessing the site from has a USB port Yubikey is one potential alternative. A unique physical device you have, and Yubico are part of the Universal 2FA programme, so if the industry really wants to it could make things more secure quite cheaply by supporting u2FA. They do an NFC version now too.
The key doesn't authenticate you to itself so your not protected if the device is physically stolen along with your credentials, however that's probably a tiny percentage of breaches.
"I don't really understand this - there are very few people left who don't have a mobile phone already (the only one I can think of out of everyone I know/meet is my mother-in-law) so why would you need to buy another?"
I was not entirely truthful, but rather using a literary shortcut. I do actually have several cell phones in my parts pile. The problem is that, like a surprising number of places outside of cities, there is no coverage here. The point is that a 2fa implementation needs to be available to everybody and not just people who live in cities. As we see from the responses above, there are ways to accomplish this and it is just a matter of services adopting them.
An alternative to SMS is to have the server make a voice call to the user, and accept a PIN from the user's keypad. DUO Security offers a system like this and given a suitable modem I think it wouldn't be difficult to do oneself. This also overcomes the objection that a phone number can be stolen (redirected to another phone) without stealing the physical phone, by social engineering the wireless company. Without the PIN, just receiving the call wouldn't authorize access.
Google 2FA offers a selection of methods - I tend to use the app that generates the 6-digit code, but they will send SMS, possibly a voice call(?) and even let you generaate a set of one-time codes to keep somewhere safe. Of course if you're away from home you may not have access to the pre-allocated codes which are sitting in your desk drawer!
I have TOTP PayPal authentication switched on but it has always been useless because the login screen has a link saying "Don't have a key handy? Try another way" and then lets you login without the TOTP. Sounds like the guy messing with the URL has just found a different way to do that.
why am I still seeing hand-rolled implementations of password authentication, 2FA, phone number validation, postcode validation ?
Surely there should have been a series of RFCs (like what I worked on) laying out some minimum standards ?
There are more regulations over office air exchange in the UK than the entire history of computer security.
Hopefully they fixed this by now but I gave up on the 2FA for PayPal as it wouldn't work on their mobile site. Given it works by sending a text you'd think they would ensure it worked properly on a mobile browser! I contacted them to ask if they planned to implement it for their mobile and got a long winded reply that basically said "no idea, maybe".
I obtained one of PayPal's useless 2FA key fobs years ago. Then, at one point about a year ago, it suddenly stopped being needed. For no apparent reason, I was able to log in without it.
I told PayPal, and of course nothing came of it.
Just like everyone else, PayPal doesn't give a flying turd about security.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
