
Lazy Authentication Still the Norm - ssclafani
http://krebsonsecurity.com/2015/12/2016-reality-lazy-authentication-still-the-norm/
======
robotcookies
I closed my paypal account after reading this. The gist is that the author had
his account compromised and after warning paypal about this, had it
compromised immediately again. It turned out you don't even need a password to
get into accounts.

There's no excuse for a multi billion $ company to be this lax on security
today.

~~~
eximius
That seems excessive. Do you have any enemies you're particularly worried
about attacking you? If not, then this is important but not THAT imminent of a
threat to you.

~~~
robotcookies
I closed it more as an incentive for them to improve their security than
because I feel I'm at risk. I think customers should do this more often
otherwise companies are slow to address these issues. And if it were too
difficult for me to close my account I'd know I am too dependent on them.

~~~
ryanlol
What data do you have on your PayPal account that you're so worried about?

~~~
eximius
I think he sufficiently justified his actions. He is just 'voting with his
dollars'. I agree with him, in principle.

~~~
deegles
I feel like it would be more effective to keep the account open and badger
them every day about the issue. Worst case: they close his account (which he's
already willing to do). Best case: they fix the problem :)

------
steven777400
I agree that banks and other high value targets still assume that attackers
somehow "play by the rules". I got a call not too long ago (maybe a year ago)
from someone claiming to be with my bank. Their first line was, "To verify your
identity, what's the last 4 of your SSN?" My response, "You called me, how do
I know you're actually with (bank)?" The rep was flabbergasted at the response
and didn't know what to say.

Finally he gave me a number and suggested I call him back at it. Same problem.
He gave me the number. It's a random phone number. I ended up looking up the
number and confirming it was associated with the bank and then calling him
back on it. Not ideal, but the whole security model is completely broken.

~~~
junto
This is a great comment. It is this kind of social engineering attack which is
unbelievably effective, simply because most people don't want to offend the
person at the other end of the phone.

Banks really need to stop phoning people like this. A simple way to do this
would be to have a TOTP type password that the caller needs to confirm with
the callee, regardless of which direction the call is going in; bank to
customer, or customer to bank. As a customer you should be able to ask the
bank representative for the shared password and if they can't answer the
question then you should call your bank immediately to warn them.
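
The mutual-code scheme junto describes, written out as an added example (this is
not code from the article or from any bank). It implements RFC 4226 HOTP and
RFC 6238 TOTP from the standard library, then derives a separate key for each
direction of the call so that the code a bank representative speaks can never be
read back to the bank by someone who phoned the customer first. The role labels,
the shared secret and the timestamp are constructed for the demo; a real
deployment would provision the secret per customer through an existing trusted
channel.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6
BANK_TO_CUSTOMER = b"bank-to-customer"   # constructed role labels for the example
CUSTOMER_TO_BANK = b"customer-to-bank"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, now // step)


def verify_totp(secret: bytes, spoken: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps for clock drift.
    Every candidate is compared (no early exit) with a constant-time compare."""
    counter = now // STEP_SECONDS
    matched = False
    for c in range(counter - window, counter + window + 1):
        matched |= hmac.compare_digest(hotp(secret, c), spoken)
    return matched


def role_key(shared_secret: bytes, role: bytes) -> bytes:
    """Derive a separate key per direction. Without this a phisher could phone the
    customer, collect the 'bank' code, and read it straight back to the real bank."""
    return hmac.new(shared_secret, role, hashlib.sha256).digest()


# Bank side: speak this before asking the customer for anything.
def bank_opening_code(shared: bytes, now: int) -> str:
    return totp(role_key(shared, BANK_TO_CUSTOMER), now)


# Customer side: the app or card shows the code the caller must be able to say.
def customer_checks_bank(shared: bytes, spoken: str, now: int) -> bool:
    return verify_totp(role_key(shared, BANK_TO_CUSTOMER), spoken, now)


# Only after the bank has proven itself does the customer answer with theirs.
def customer_reply_code(shared: bytes, now: int) -> str:
    return totp(role_key(shared, CUSTOMER_TO_BANK), now)


def bank_checks_customer(shared: bytes, spoken: str, now: int) -> bool:
    return verify_totp(role_key(shared, CUSTOMER_TO_BANK), spoken, now)


def simulate_call(shared: bytes, now: int, caller_knows_secret: bool) -> dict:
    """Run the exchange for a genuine bank call and for an impostor who can only
    guess the opening code, plus an attempt to reflect the bank's own code back."""
    opening = bank_opening_code(shared, now) if caller_knows_secret else "000000"
    bank_verified = customer_checks_bank(shared, opening, now)
    reply = customer_reply_code(shared, now) if bank_verified else None
    reflected = bank_checks_customer(shared, bank_opening_code(shared, now), now)
    return {"bank_verified": bank_verified,
            "customer_verified": reply is not None and bank_checks_customer(shared, reply, now),
            "reflection_accepted": reflected}


if __name__ == "__main__":
    # Constructed secret and timestamp for the demo; real secrets are provisioned per customer.
    demo_secret, demo_now = b"constructed-demo-shared-secret", 1_451_260_800
    print("genuine bank :", simulate_call(demo_secret, demo_now, True))
    print("impostor     :", simulate_call(demo_secret, demo_now, False))
```

The ordering matters as much as the codes: the party that placed the call
proves itself first, and the customer says nothing until that check passes, so
"the bank called me and asked for my SSN" simply cannot happen under this
protocol.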

~~~
mcv
And it's particularly effective because some banks apparently do exactly this.
This would be reason to move to a different bank. These banks encourage
behaviour that rewards phishing.

------
fluxquanta
Paypal remains the only online service I've used for real world stuff (as
opposed to throw away e-mail accounts on spam forums) that has been
compromised (to my knowledge).

In 2007 or so $50 was taken from my account and sent to SecondLife (remember
them?), despite me never having played that game. I think even back then the
only way I could prove I was the rightful owner of the account and get my
money back was to send a photo of my drivers license.

I'm glad they've stepped up their security game in the past 8 years.

------
fredfoobar42
PayPal seems to have a lax attitude towards security in general. I had a
similar issue a year ago, that (fortunately) didn't end up in having my
account compromised
<http://www.sanspoint.com/archives/2014/09/11/great-paypal-email-hack-wasnt/>
but my dealings with PayPal support didn't give me much hope for if and when
things do blow up.

In this case, it's likely that phone support is optimized for speed, rather
than security. Good if you're legit, bad if you're a target.

~~~
ryanlol
I fail to see how your story is at all similar to Brian's.

------
Pxtl
I don't blame companies for supporting the "20 questions over the phone" last
line of lost passwords, but your account should be secured as part of the
process - take a restore point, dump the credit card info, lock some features
for a week, etc.

~~~
ajmurmann
I do blame them. These questions are always the weak spot and any system is
only as secure as that weakest point. Three answers to those questions are
typically trivial to find out. I find it downright malicious to even suggest
someone protects their data or wealth by asking people what the name of their
high school teacher was. This is an incredibly stupid idea and suggesting this
to your users shows that they are either stupid to the point where they should
be considered unemployable at any company or criminals.

------
kels
It would be nice if there was a good solution that companies could implement
because this isn't just a fault of PayPal, this is most utilities, TV
providers, etc. You can call up and pretend to be the account holder and as
long as you have the address on file and account number you can gain access to
a lot of things.

~~~
allworknoplay
There is, auth your users through google/facebook/whatever. It's really quite
simple.

~~~
drostie
The problem is that then you need to force customers to be on
Google/Facebook/whatever.

There was (Still is!) something very similar in an organization called
CAcert[1], which was a predecessor to the current Let's Encrypt project (free
SSL certificates) that hasn't succeeded dramatically because it hasn't been
able to get its root certificate into browsers.

Basically they host parties, usually alongside a Linux or BSD conference,
where trusted members will look at your legal documents and then affirm on
their website that you are who you say you are. Some amount of "you are who
you say you are" was then needed to get a free SSL certificate.

But imagine that in this context: everyone keeps one secure CAcert account,
and then when you need to reset your password, some sort of OAuth handshake
with CAcert proves it. You have one secure account with CAcert, and all of
your utilities and cell phone stuff and PayPal will only reset your password
with a handshake with the CAcert servers.

[1] [http://www.cacert.org/](http://www.cacert.org/)

~~~
allworknoplay
You and the other responder to my comment both raise a point that is extremely
important and near/dear to me. I talk constantly about the need to establish
tech "utilities" that can offer pure commodity services without being
compromised by things like a profit motive, need to grow, etc. Authentication
is a perfect candidate for this.

However, even given such a pure, charitable utility, OAuth is still the best
way to do this stuff, and that's really what I meant in my comment. Authing
through a universal standard means you're not tied to ANY parties, and you can
always offer the best of the bunch as an option. In fact, any such "utility"
should enforce interoperability/standardization as a primary feature, lest it
leave its users subject to economic/political volatility.

As for forcing customers to be on google/facebook/whatever, I see this as a
sub-optimal practice insofar as it does NOT include such a pure utility, but
not for any other reason. I don't have up to date data on the topic, but
offering both Google and Facebook OAuth surely covers almost everyone, and
even for the occasional user of neither it would still significantly reduce
account proliferation and bad practices if everyone forced people to sign up
for one of a few select accounts vs. the alternative of everyone rolling their
own.

------
Yhippa
What's the business case for PayPal not using 2FA? I've never done an
integration with them but I wonder if there are SLAs in place that require a
maximum amount of steps or an average transaction time or something that
verifying via SMS or a physical token would invalidate. Seems to me that
PayPal accounts would be a major honeypot for seedy activity and that the
customer service impact of dealing with this is high.

Unless this is a very rare thing at PayPal and internally they know it.

~~~
tedmiston
They do offer 2FA, but calling customer service circumvents it. I wish he had
been a little more explicit here, but I think Krebs' point was to raise the
question: Why doesn't customer service use (dynamic) 2FA?

~~~
KirinDave
And the answer is all-too-often:

"We didn't build or train our call center, nor is it actually part of a single
central system. We get contracts and then their support staff plugs into our
backend and we hope the security constraints written on the contract are real
and the training is adhered to."

I'm in the middle of requirement gathering for an unheard-of project: a
custom, in-house support console for a new product I'm working on. We're even
going to source someone to make training and testing materials, and do
auditing independently of the call center (along with their auditing).

Sad part is, while I find it a bit intimidating because I've never undertaken
a project like this before, it's not proven very difficult. It's just the
miserable state of most enterprise IT and how very bolted-on customer support
is to most operations.

------
prohor
You are lucky enough to be in a country where PayPal offers 2FA at all. For
unknown reason 2FA is available in very few countries, while the majority
cannot use it. I talked with their call center, but I was under the strong
impression that the lady didn't even understand why I need such a thing.

~~~
mikelward
Except the point of the article is that PayPal's 2FA is pointless, since
password reset bypasses that and relies on easily-obtained information.

------
ryanlol
Krebs talks about the supposed problem, but fails to point out a solution.

Without knowledge based auth, what is PayPal supposed to say when someone
calls them and says that they lost their phone and therefore access to their
email and can't remember their password?

Right now, to social engineer someone's account (like Krebs's in this case,
I've personally listened to the call he's talking about here) you need almost
all the information that's on the account already (besides payment history,
which could be a big deal to someone I guess).

A detail worth noting is that stealing someone's PayPal account in this manner
doesn't allow you to steal money from them.

~~~
pfg
Improve the UI for things like recovery codes in ways that essentially force
users to print them. One thing I've seen out there is asking the user for a
recovery code during the login process a few days after enabling 2FA (with an
option to skip it a few times, and generate new recovery codes if the user
failed to print them the first time.)

Add a waiting period for affected customers, let's say a week or a month.
During this period, try contacting the user on all known communication
channels (email, SMS, push, robocalls; Coinbase does this quite well for Vault
transactions) to inform them about the impending account change.

It's certainly not the easiest thing to get right, but it's not asking for too
much from a high-profile target like PayPal.
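
The two mechanisms pfg proposes, as an added example that is not code from the
article, from PayPal or from any commenter: recovery codes that are stored only
as salted hashes, spent on first use and rehearsed at login a few days after
enrolment (with a limited number of skips), and a hold period on any
support-initiated account change during which every known contact channel is
notified and the real owner can veto it. The day counts, the user salt and the
channel names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

CODE_COUNT = 10
REHEARSE_AFTER = timedelta(days=3)   # "a few days after enabling 2FA"
MAX_SKIPS = 3                        # "an option to skip it a few times"
RECOVERY_HOLD = timedelta(days=7)    # "a week or a month"


def generate_recovery_codes(n: int = CODE_COUNT, token=secrets.token_hex) -> list:
    """Single-use codes (64 bits each) shown to the user exactly once, for printing."""
    return [f"{token(4)}-{token(4)}" for _ in range(n)]


def hash_code(code: str, salt: bytes) -> str:
    """Store only a salted hash; with 64 bits of entropy a plain SHA-256 suffices.
    Normalise so dashes, spaces and case typed by the user do not matter."""
    normalised = code.replace("-", "").replace(" ", "").lower().encode()
    return hashlib.sha256(salt + normalised).hexdigest()


class TwoFactorAccount:
    def __init__(self, enabled_at: datetime, salt: bytes):
        self.enabled_at = enabled_at
        self.salt = salt
        self.unused = set()        # hashes of codes not yet spent
        self.skips = 0
        self.rehearsed = False
        self.recovery = None       # pending support-initiated account change

    def store_codes(self, codes: list) -> None:
        self.unused = {hash_code(c, self.salt) for c in codes}
        self.rehearsed = False

    def consume_code(self, code: str) -> bool:
        """Single use: the matching hash is deleted before True is returned."""
        candidate = hash_code(code, self.salt)
        for stored in list(self.unused):
            if hmac.compare_digest(stored, candidate):
                self.unused.remove(stored)
                return True
        return False

    # --- rehearsal: make sure the codes were really printed ---
    def needs_rehearsal(self, now: datetime) -> bool:
        return not self.rehearsed and now - self.enabled_at >= REHEARSE_AFTER

    def can_skip(self) -> bool:
        return self.skips < MAX_SKIPS

    def skip_rehearsal(self) -> int:
        """Returns skips remaining; after that the login prompt cannot be dismissed."""
        if not self.can_skip():
            raise PermissionError("rehearsal can no longer be skipped")
        self.skips += 1
        return MAX_SKIPS - self.skips

    def rehearse(self, code: str) -> bool:
        """Spends one code (they are single use anyway) to prove the printout exists."""
        if self.consume_code(code):
            self.rehearsed = True
            return True
        return False

    def reissue_codes(self, now: datetime, token=secrets.token_hex) -> list:
        """For the user who never printed them: new codes, rehearsal clock restarts."""
        codes = generate_recovery_codes(token=token)
        self.store_codes(codes)
        self.enabled_at = now
        self.skips = 0
        return codes

    # --- waiting period for changes made through support ---
    def request_recovery(self, now: datetime, channels) -> datetime:
        """Nothing takes effect for RECOVERY_HOLD; every known channel is notified
        so the real owner has the whole window to object."""
        self.recovery = {"requested": now, "notified": set(channels), "cancelled": False}
        return now + RECOVERY_HOLD

    def cancel_recovery(self, channel: str) -> bool:
        """The owner, answering from any notified channel, vetoes the change."""
        if self.recovery and channel in self.recovery["notified"]:
            self.recovery["cancelled"] = True
            return True
        return False

    def recovery_allowed(self, now: datetime) -> bool:
        r = self.recovery
        return bool(r) and not r["cancelled"] and now - r["requested"] >= RECOVERY_HOLD
```

The hold period is what actually defeats the attack in the article: even a
support agent who is fully convinced by static data cannot hand the account
over on the spot, and the legitimate owner learns about the attempt on every
channel the company already has for them.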

------
mikelward
Reminds me I should try the password reset flow for each service before
trusting it.

Would be awesome if there was a site that documented these, even if it was as
simple as plaintextoffenders.com.

------
tedmiston
> Any company that authenticates customers with nothing more than static
> identifiers — address, SSN, DOB, phone number, credit card number, etc. — is
> vulnerable to these takeover attempts.

Does having two-factor auth even matter if it can be circumvented with social
engineering from static data?

 _I also submitted the same article last night:_

[https://news.ycombinator.com/item?id=10805415](https://news.ycombinator.com/item?id=10805415)

------
CaptSpify
The real problem I see is: A lot of places are _still_ using SSN (and
sometimes address) as a "password". And it's not just PayPal. It's the
"something I know" that was never a good idea in the first place. I never
understood how just your SSN was a good authenticator of who you really were.

------
KirinDave
If you are concerned about this (and you should be) there is very little you
can do about Paypal. But for your banks, all of them allow you to ask to set a
"password" or "security phrase" for customer support.

I strongly recommend you do this. It's actually stronger than the branch
security.

------
Pxtl
If only PayPal had some truly private non-static information about the
customer that's not freely available in hacker databases that they could ask
the customer about. Possibly some piece of info that the customer keeps in
their wallet.

If only. If only.

~~~
coldpie
Sorry, you're being too obtuse for me, and I'm legitimately interested to know
what you're suggesting. Some sort of one-time code that the user prints out to
call into phone support?

~~~
Spooky23
The US Treasury's consumer web portal used to do this for online accounts many
years ago.

They mailed you a plastic card that had a map-like grid. I believe it was
mailed using USPS Certified Mail that you validated online. Once validated,
you were asked to provide the code for "Column A, Row 14", and then were
prompted for a password. IIRC, you could also set it up so that you can login
and view your balances with just a password, but would need to do step-up auth
to buy/sell/transfer securities.

IMO a nice solution from a security POV. Certainly better than online brokers
-- Charles Schwab "protects" my retirement savings with some bullshit 6
character password.

Customers HATED it, and the "I lost my card" process involved having another
card mailed to you. So they replaced it with another solution that is IMO less
secure.
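
The grid-card flow Spooky23 describes, as an added example that is not code
from the Treasury portal, the article or any commenter: a card of cells
addressed by column and row, a server that issues one challenge per session and
consumes it on the first answer whether right or wrong, and a step-up rule under
which a password alone can view balances but buying, selling or transferring
needs a correct cell. The card dimensions, the action names and the per-card
secret used to fill the grid are constructed for the example.

```python
import hashlib
import hmac
import secrets
import string

COLUMNS = "ABCDEFGHIJ"          # 10 columns
ROWS = tuple(range(1, 21))      # 20 rows
ALPHABET = string.ascii_uppercase + string.digits
STEP_UP_ACTIONS = {"buy", "sell", "transfer"}


def make_grid(card_secret: bytes) -> dict:
    """Derive a 10x20 card of 3-character cells from a per-card secret.
    Constructed for the example so the output is reproducible: a real issuer
    would fill the cells from a CSPRNG and keep them server-side only, and the
    `% 36` below carries a small modulo bias that real card generation avoids."""
    grid = {}
    for col in COLUMNS:
        for row in ROWS:
            digest = hmac.new(card_secret, f"{col}{row}".encode(), hashlib.sha256).digest()
            grid[(col, row)] = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:3])
    return grid


class GridCardServer:
    """Server side: one outstanding challenge per session, consumed on first answer."""

    def __init__(self, grid: dict):
        self.grid = grid
        self.pending = {}

    def issue_challenge(self, session: str, pick=secrets.choice) -> tuple:
        """Ask for e.g. ('A', 14); `pick` is injectable so a test can fix the cell."""
        coord = (pick(COLUMNS), pick(ROWS))
        self.pending[session] = coord
        return coord

    def verify(self, session: str, answer: str) -> bool:
        """A wrong answer burns the challenge too, so an attacker cannot iterate on it."""
        coord = self.pending.pop(session, None)
        if coord is None:
            return False
        return hmac.compare_digest(self.grid[coord], answer.strip().upper())


def authorize(action: str, password_ok: bool, step_up_ok: bool) -> bool:
    """Password alone may view balances; anything that moves securities needs the card."""
    if not password_ok:
        return False
    return step_up_ok or action not in STEP_UP_ACTIONS


if __name__ == "__main__":
    # Constructed card secret for the demo.
    card = make_grid(b"constructed-card-secret")
    server = GridCardServer(card)
    col, row = server.issue_challenge("demo-session")
    print(f"Challenge: Column {col}, Row {row}")
    print("Accepted:", server.verify("demo-session", card[(col, row)]))
    print("Transfer with password only:", authorize("transfer", True, False))
```

Note what the challenge buys over a static question: the attacker needs the
physical card, not a fact about you, and because each challenge names a fresh
cell, a phisher who captured one answer still holds only 1 of 200 cells.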

~~~
junto
It's called a TAN:
<https://en.m.wikipedia.org/wiki/Transaction_authentication_number>

------
Spooky23
If you're a high-risk user, it's incumbent on you to take specific measures
against this stuff. Gangs of criminals specifically targeting an individual
aren't the type of risks that most businesses are going to be thinking about.

"Use two factor" isn't a valid response here. If you expect the electric
utility to thoroughly vet every service request, why would you allow them to
assume that the authorized user actually controlled his phone? (Especially
when people tend to connect/disconnect utility services when they are
buying/selling/renting a house and often doing things like changing phone
numbers.)

Why does Brian Krebs have anything like this in his name? I would think that
someone this high profile would have an anonymized LLC or similar legal
structure to hold these accounts.

~~~
pfg
The article does specifically mention that he has taken steps to protect
himself from stuff like this (i.e. require in-person confirmation with his
utility providers, etc.). 2FA is certainly a valid response here, and
requiring this even for phone transactions when a customer is using it should
become the norm. It's a bit weird to blame customers for broken security
protocols, and they should be fixed nonetheless. Not every high-profile target
is a security expert.

~~~
Spooky23
It's not about blaming the victim -- My point is extraordinary risk requires
extraordinary response. If your career centers around rattling the cage of
criminal hackers, you've made a choice to expose yourself to extreme risks.

Things you can do about that vary. For example, in New York, if you're a
victim of severe domestic abuse (stalker, etc), you can actually get a special
address provided by the State, who will confidentially keep your real address
and forward mail to you. Maybe a similar approach/service can be used in this
case.

NIST defines the various trust levels that underlie identity solutions and
offers increasing levels of validation from level 1 (no proofing, just
validation that you are the same individual) to level 4 (in-person proofing
with "hard" crypto authentication token). Two-factor auth without proofing
doesn't really change the game -- that's why PayPal MFA is a joke for many use
cases.

The problem with this stuff is that proofing requires a big uplift in cost &
effort. If I were a service provider, in the absence of a mandate to serve Mr.
Krebs or other high-risk targets like him, I would terminate my relationship
with him.

~~~
pfg
It seems to me like 2FA would've certainly affected the outcome in this
particular case, and probably many other scenarios.

------
andrewmcwatters
That's not the biggest concern. The biggest concern is _SSN AND CREDIT CARD
INFO_ being compromised. Priorities, folks. With someone having this info, an
authorized two-step or two-factor authentication process is a joke in
comparison.

What advanced type of stupid makes articles like this seem completely fine to
individuals in the tech sector?

~~~
lambda
SSN and credit card numbers should not be considered secret. Anything that
must be shared with a third party in order to make some kind of transaction
cannot be considered secret; compromises happen, and once compromised, there
is no way to make them secret again.

Brian Krebs, as a high-profile author on security who actively antagonizes
black-market groups on the internet, is a common target. He has had all of his
basic personal information posted on the internet publicly for some time. The
credit cards that were used for this attack were all old, disabled ones, since
he disabled them after the numbers were leaked; but apparently PayPal still
has them listed on the account and so you can use knowledge of them to "prove"
your identity to PayPal.

~~~
andrewmcwatters
> actively antagonizes black-market groups on the internet

Sounds to me like they're both at fault then. It's really nice and idealistic
to have this mentality that you're doing it in the name of infosec, but it's a
position held from an ivory tower.

If he's in software, what did he expect? This isn't a wise approach. This is
the advanced stupid I'm talking about. Someone who thinks it's wise to
antagonize, but then cries and writes an article over it when they're
attacked. It's a joke. Conventional wisdom here is nonexistent.

~~~
wstrange
How is Krebs at fault? Talk about blaming the victim!

~~~
andrewmcwatters
Let's reduce this first to understand it. First, why would you antagonize
black-market groups on the Internet? Why would you actively make yourself a
possible target? Does that seem wise?

To me, that's a far less complicated question than anything security related
at a technical level. You can literally ask a child this question and they'll
tell you it's not smart.

This is advanced stupid.

~~~
Zikes
Brian Krebs is a security researcher partially responsible for uncovering some
of the biggest credit card leaks in recent history. It's his job to
"antagonize" the credit card black markets.

He's not just some internet troll, he's doing real good that you very well may
have personally benefited from as a result.

~~~
ryanlol
That's not at all true, releasing=/=uncovering.

