PayPal is Still Bad at Account Security

A couple of months ago, following the news of PayPal being partially responsible for a person’s identity theft, I activated Two Factor Authentication on my PayPal account. First up, I was fairly unimpressed with their configuration options. In order to use 2FA, my options were to buy a dongle to generate the security codes, or have the codes SMSed to me. Neither of these are particularly good – I don’t want to have to pay for and carry around a dongle everywhere, and SMS isn’t a secure protocol, as SIM cards can be cloned or hacked. If someone really wanted to get into my account, then this wouldn’t present much of a barrier.

Then, there’s the login process. For some reason, PayPal doesn’t automatically send me an SMS, I need to click an extra button for that while logging in. This isn’t so much a security problem as a weird UX. Also, the Android app doesn’t support 2FA, so I can’t use that at all.

The real fun started last night, however. I tried to login to my PayPal account, and was prompted to enter my security code. No problem, I clicked the Send SMS button, and waited. And waited. I clicked it again. Waited. Tried to login again, and repeated the process a few times. No luck.

Okay, so their SMS service was having issues. Apart from the security issues with SMS, it’s also a notoriously unreliable protocol, regularly causing problems exactly like this. While I was pondering this, I noticed there was an option to bypass the 2FA. I clicked the button, and was prompted to answer my two security questions: my favourite author, and my favourite movie. Unfortunately, I’d set these questions 10 years ago when I first created my PayPal account, and never thought about them since. It turns out that 22 year old me had very different taste in film and literature than 32 year old me, and I had no idea what the answers were.┬áDefeated, I went to bed.

This morning, I decided to try again, with the same result. This time, I called their customer support centre, to see if they could at least give me an update on when SMSes would be working again. Unfortunately, it seemed the customer support representative wasn’t familiar with how PayPal’s 2FA worked, so after a bit of back-and-forth explaining the situation, the CSR said they’d “reset my account” (I don’t know what this means), and it should be working again in 15 minutes.

Half an hour later, still not working, so I call back. Fortunately, this CSR was aware of the SMS issues they were having, and was able to fill me in. Unfortunately, it seems PayPal hadn’t really thought about the implications of their policy for this situation, as he immediately offered to disable 2FA on my account for me.

I’ll just let that sink in for a moment. At this point, I’d only loosely identified myself – I had an identity code from the PayPal support site, that I was able to get with just my username and password. The support systems probably showed my current phone number as matching my 2FA phone number, but they shouldn’t be relying on that at all – the source phone number can be easily spoofed, Skype even offers this as a service.

Sadly, it’s clearly evident that PayPal’s 2FA is broken in a bunch of different ways. You can still keep your account secure by choosing a strong password, and making sure you only login to your PayPal account on devices your trust.

Even if PayPal are in no hurry to mend their ways, here are some things for developers to make sure their own 2FA system is secure:

  • Don’t offer SMS as the only option. SMS-based 2FA is okay for guarding against mass account hijacking, but cannot prevent a targeted attack. As we’ve seen, it’s also wildly unreliable.
  • You should be using a standard method for generating your 2FA codes, such as RFC 6238, which is used by a bunch of different websites, like Google and WordPress.com.
  • Make your 2FA system as easy to use as possible – your users should want to use it, because it doesn’t get in their way, but makes their account safe.
  • Teach your support reps the 2FA mantra: “Something you have, and something you know”. In the case of PayPal, they’d already confirmed something I know (my password), so they could’ve easily confirmed something I have, like my ID or my credit card.
  • If you’re going to use security questions, prompt your users to re-enter them occasionally, so they don’t forget.

4 thoughts on “PayPal is Still Bad at Account Security”

  1. The issue appears to be related to whichever SMS provider they are using at the time (and this appears to have changed*) not being able to reliably send SMSs to Optus or any of their resellers. When I was chasing this up with PayPal & TPG I got this reply from TPG:

    “However, it appears that the number +44xx is under an international carrier. Thus, we are not able to guarantee that the SMS will be sent and/or receive if the carrier they are connected to does not have a partnership with Optus.”

    * When the messages arrived from a number in the form +44xxxxxx (varied) they always worked, but when they arrived from +44778620440 (constant) they would either be significantly delayed, or never arrive at all.

    Another issue is that if you opt to bypass the second factor authentication you can’t use a credit card as a funding source (or you sometimes can – but you need to re-enter all the details and the UI doesn’t make it clear why, and half the time doesn’t work anyway).

    I recall ages ago I was chasing up a different issue with them – that the Optus site doesn’t link to the typical PayPal login page, and the page they use doesn’t support logging in with two factor authentication. The support rep just recommended disabling two factor authentication altogether, at which point I said “no, I’ll leave that enabled and suffer the inconvenience – I’m not trying to make my life easier, I’m trying to report a problem with your system so you can fix it”. When I checked a few weeks ago, they still haven’t fixed this.

    I really think customer support areas needs to do a better job of forwarding problems to the technical people who can fix them – in general, not just limited to PayPal.

    I ended up getting one of the Symantec credit card sized OTP tokens, which works fantastically well (though was a bit pricey). The same token also works on ebay (although it was not trivial to find the link to set that up).

  2. Paypal is NOT 2 factor authentication. If a hacker gets your password, he just has to click the button “I don’t have my security key” and then he has to answer a security question, just like when there was no 2 factor. It is a joke.

Leave a Reply