

Bypass PayPal's Two-Factor Authentication - seanponeil
https://www.duosecurity.com/blog/duo-security-researchers-uncover-bypass-of-paypal-s-two-factor-authentication

======
ashishgandhi
I'm glad this was found independently and reported. While I was at PayPal I
had started email threads about it but nothing was done. I am sure I was not
the only one there who "discovered" this. For instance, even if you have 2FA
you can add PayPal to Uber as if you never had 2FA.

The other big issue with their 2FA authentication is that it really isn't two
factor. You can say you don't have the token and instead can answer security
questions. Two factor is supposed to be something you know plus something you
have. "Falling back" to security questions is basically just relying on things
you know.

~~~
derefr
I would think that, if you have a big fraud-detection engine like Paypal's in
place, 2FA isn't so much an enforced requirement for login, as it is a big
fraud-signal when the user chooses to circumnavigate it.

Like any other fraud-signal, though, it can be countered with enough evidence
that you are who you say you are--with security questions at a weak level
(maybe enough to counter a 2FA token that was only set up a few days ago), or
with demands for scanned photo ID at a higher level (if you use 2FA all the
time.)

~~~
mseebach
If there is no legitimate reason to circumnavigate 2FA, i.e. the S/N of
detecting fraud by detecting circumnavigation is 1.0, why not just automate
the anti-fraud enforcement and make the circumnavigation impossible?

------
rdl
Based on this timeline, I don't understand why Duo didn't go public on
2014-04-28 when PayPal began being weaselly about their bug bounty program.
This probably would be better for users for two reasons: one, in the past 2
months, this bug may have been exploited in the wild, and two, it would make
it easier for users to make informed decisions about which payment providers
to use in the future (as well as which 2FA providers are technically
competent).

~~~
duiker101
I was wondering the same. I think PayPal was very unresponsive and they could
have for sure done a better job. That said, when they asked for 3 days more I
think Duo could have complied and it would have made everyone happier.

~~~
pilif
> That said when they asked for 3 days

they asked for a month and 3 days. Duo wanted to disclose on June 25th; PayPal
had a fix on July 28th.

------
anujnayar
Hey guys - it's Anuj from PayPal. I just published a blog post that explains
what we are doing to address this. [https://www.paypal-community.com/t5/PayPal-Forward/Working-w...](https://www.paypal-community.com/t5/PayPal-Forward/Working-with-the-Security-Community/ba-p/828224)

------
prohor
A bigger problem for me is that two-factor authentication for PayPal is
available only in a few countries (US, UK and Germany I think). I tried to get a
token but no chance; not even a software one with a mobile app. When contacting
support I was probably considered a freak - they completely didn't understand
what the problem is without 2FA. I really don't get why, being global, they limit
2FA to a few countries.

~~~
therealmarv
Actually I use PayPal more often since they provide 2FA. They are stupid
because this could be a win-win for them and tech-aware consumers like us. I
also wish they used Google Authenticator instead of this SMS... they (SMS)
sometimes take ages before being delivered.

~~~
prohor
They also support VeriSign VIP
([https://idprotect.verisign.com/mainmenu.v](https://idprotect.verisign.com/mainmenu.v)),
which you could use as a mobile app - should be better than waiting for SMS. At
least in theory, as I cannot validate it, because 2FA is not available in
Poland.

~~~
therealmarv
Thanks a lot @prohor! But it was quite complicated and hidden to activate it
in German PayPal. But now it works. Woohoo...

~~~
prohor
Glad it worked. And this is what I don't get. I understand they may not want
to distribute hardware tokens in some countries, support SMS, as it is a
burden. But why don't they just allow me to activate an existing token?!

------
Rapzid
You never trust the client; this is amateur hour shit TBH. How could a company
like PayPal let something like this through? SURELY there were employees
raising hell before it ever hit the app stores?

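To make the "never trust the client" point concrete, here is an added illustration (not PayPal's code, and not from the Duo write-up): a login handler that lets the request itself say whether a second factor applies, beside one that keeps the enrollment decision on the server. The user store, the TOTP secrets, the `2fa_required` field name and the request shapes are all constructed assumptions for the example, not PayPal's actual API.

```python
import hashlib
import hmac
import struct
import time

# Constructed user store for the example: password hashes plus the server's
# own record of who has enrolled a second factor. Not real accounts.
USERS = {
    "alice": {
        "pw_sha256": hashlib.sha256(b"correct horse").hexdigest(),
        "totp_secret": b"0123456789abcdef0123",  # enrolled in 2FA (assumed)
    },
    "bob": {
        "pw_sha256": hashlib.sha256(b"hunter2").hexdigest(),
        "totp_secret": None,  # never enrolled
    },
}

STEP = 30  # seconds per TOTP window


def totp(secret, now, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the same arithmetic an authenticator app runs."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def password_ok(user, password):
    rec = USERS.get(user)
    if rec is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(rec["pw_sha256"], digest)


def otp_ok(secret, otp, now):
    """Accept the current window and the previous one to tolerate clock skew."""
    return any(hmac.compare_digest(totp(secret, t), otp) for t in (now, now - STEP))


def second_factor_step(req, now):
    """Server-side second-factor decision, shared by both handlers below.

    Enrollment is read from USERS, never from the request. There is no
    knowledge-only fallback (no security questions) offered here."""
    secret = USERS[req["user"]]["totp_secret"]
    if secret is None:
        return "session"  # genuinely not enrolled
    if "otp" not in req:
        return "need_otp"
    return "session" if otp_ok(secret, req["otp"], now) else "denied"


def login_trusting_client(req, now=None):
    """Weak: whether a second factor is needed comes from the request itself.

    A client that simply omits the '2fa_required' field (an assumed name)
    gets a session with only the password, which is the class of bug the
    'never trust the client' comment refers to."""
    now = int(time.time()) if now is None else now
    if not password_ok(req["user"], req["password"]):
        return "denied"
    if not req.get("2fa_required", False):
        return "session"  # the bypass: client leaves the flag off
    return second_factor_step(req, now)


def login_server_enforced(req, now=None):
    """Hardened: identical except the client has no say in the 2FA decision."""
    now = int(time.time()) if now is None else now
    if not password_ok(req["user"], req["password"]):
        return "denied"
    return second_factor_step(req, now)


if __name__ == "__main__":
    t = 1_400_000_000
    good = {"user": "alice", "password": "correct horse"}
    print("trusting client, flag omitted:", login_trusting_client(good, t))
    print("server enforced, no otp:      ", login_server_enforced(good, t))
    code = totp(USERS["alice"]["totp_secret"], t)
    print("server enforced, with otp:    ", login_server_enforced({**good, "otp": code}, t))
```

The only difference between the two handlers is where the "is 2FA required?" answer comes from; everything else, including the OTP check, is shared. A fraud engine can still treat a missing second factor as a signal, but the hardened version never reaches that point with a client that merely declined to mention enrollment.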
~~~
electronous
It's shit like this that makes me trust bitcoin. Down with fiat.

~~~
scott_karana
Right, because poorly designed software only gets written when fiat currency
is involved?

I hope you were being sarcastic...

------
nooron
It's interesting to watch corporations expose one another's vulnerabilities in
a public way. It seems like this was done pretty fairly, giving PayPal ample
time to address the bug-- so I guess that's neat.

~~~
ilyanep
Who else to keep companies honest but their competitors?

------
therealmarv
I also do not like the two-factor authentication from PayPal. Sometimes the
SMS takes ages before it arrives (I waited more than 10 minutes here in
Germany). And it is absolutely not possible to pay on eBay with PayPal and 2FA
when using a mobile browser or the eBay Android app. I wish they used solutions
like Google Authenticator for their 2FA.

------
VMG
I don't know if this is common knowledge but PayPal lets you log in with your
CC number instead of the auth token sent via text message. I know because the
text messages often do not arrive at all for me, even after repeated requests.

It "only" works one time though, the second time you're asked the dreaded
"security question"

------
driverdan
Three months??? It took a major global payment processor three months to fix
an issue as big as this?

And people wonder why I'm constantly telling them to stop using PayPal.

------
M4v3R
It's not surprising that Duo Security is interested in exposing this flaw in
their 2FA flow, since their product is a somewhat better 2FA solution. I've
evaluated their solution for my project, but ultimately settled on MePIN,
which offered similar security at a lower price.

~~~
kylequest
You can end up with the same problem even if you use Duo.

