I'm glad this was found independently and reported. While I was at PayPal I had started email threads about it but nothing was done. I am sure I was not the only one there who "discovered" this. For instance, even if you have 2FA you can add PayPal to Uber as if you never had 2FA.
The other big issue with their 2FA authentication is that it really isn't two factor. You can say you don't have the token and instead can answer security questions. Two factor is supposed to be something you know plus something you have. "Falling back" to security questions is basically just relying on things you know.
I would think that, if you have a big fraud-detection engine like Paypal's in place, 2FA isn't so much an enforced requirement for login, as it is a big fraud-signal when the user chooses to circumnavigate it.
Like any other fraud-signal, though, it can be countered with enough evidence that you are who you say you are--with security questions at a weak level (maybe enough to counter a 2FA token that was only set up a few days ago), or with demands for scanned photo ID at a higher level (if you use 2FA all the time.)
Yes, I've contacted PayPal before and asked them for a user setting to be able to disable the 2FA fallbacks, but they don't really seem to care that much for security. I hope someone from PayPal Security team reads this and considers implementing this change.
Based on this timeline, I don't understand why Duo didn't go public on 2014-04-28 when PayPal began being weasely about their bug bounty program. This probably would be better for users for two reasons: one, in the past 2 months, this bug may have been exploited in the wild, and two, it would make it easier for users to make informed decisions about which payments providers to use in the future (as well as which 2fa providers are technically competent).
The disclosure process is always fraught with peril (and pain) and its a safe bet that no matter what a discloser does, there will be some person or group who thinks they should have handled it differently.
In a case like this, when reasonable time is given, and the world gets to benefit from a great deal of work (effectively done for free), i tend to simply say thanks, and make notes..
I was wondering the same. I think paypal was very unresponsive and the could have for sure done a better job. That said when they asked for 3 days more I think Duo could have complied and would have made everyone more happy.
A bigger problem for me is that two-factor authentication for PayPal is available only in few countries (US, UK and Germany I think). I tried to get a token but no chance; not even software with mobile app. When contacting support I was considered as a freak probably - they completely didn't what is the problem without 2FA. I really don't get it, why being global they limit 2FA to a few countries.
Actually I use PayPal more often since they provide 2FA. They are stupid because this could be a win-win for them and tech aware consumers like us. I also wished they used Google Authenticator instead of this SMS... they (SMS) sometimes take ages before delivered.
You never trust the client; this is amateur hour shit TBH. How could a company like PayPal let something like this through? SURELY there were employees raising hell before it ever hit the app stores?
It's interesting to watch corporations expose one another's vulnerabilities in a public way. It seems like this was done pretty fairly, giving PayPal ample time to address the bug-- so I guess that's neat.
I also do not like the two factor authentification from PayPal. Sometimes the SMS takes ages before it arrives (I waited more than 10 minutes here in Germany). And it is absolutely not possible to pay in eBay with Paypal and 2FA when using mobile browser or eBay Android app. I wished they use solutions like Google Authenticator for their 2FA.
I don't know if this is common knowledge but PayPal lets you log in with your CC number instead of the auth token sent via text message. I know because the text messages often do not arrive at all for me, even after repeated requests.
It "only" works one time though, the second time you're asked the dreaded "security question"
It's not suprising that Duo Security is interested in exposing this flaw in their 2FA flow, since their product is a somewhat better 2FA solution. I've evaluated their solution for my project, but ultimately settled with MePIN which offered similar security at lower price.
[+] [-] ashishgandhi|11 years ago|reply
The other big issue with their 2FA authentication is that it really isn't two factor. You can say you don't have the token and instead can answer security questions. Two factor is supposed to be something you know plus something you have. "Falling back" to security questions is basically just relying on things you know.
[+] [-] derefr|11 years ago|reply
Like any other fraud-signal, though, it can be countered with enough evidence that you are who you say you are--with security questions at a weak level (maybe enough to counter a 2FA token that was only set up a few days ago), or with demands for scanned photo ID at a higher level (if you use 2FA all the time.)
[+] [-] Serow225|11 years ago|reply
[+] [-] RachelF|11 years ago|reply
It is more security theatre, giving PayPal's users a feeling of security.
[+] [-] rdl|11 years ago|reply
[+] [-] mh_|11 years ago|reply
[+] [-] duiker101|11 years ago|reply
[+] [-] anujnayar|11 years ago|reply
[+] [-] prohor|11 years ago|reply
[+] [-] therealmarv|11 years ago|reply
[+] [-] Rapzid|11 years ago|reply
[+] [-] rlly|11 years ago|reply
[+] [-] electronous|11 years ago|reply
[+] [-] nooron|11 years ago|reply
[+] [-] ilyanep|11 years ago|reply
[+] [-] therealmarv|11 years ago|reply
[+] [-] VMG|11 years ago|reply
It "only" works one time though, the second time you're asked the dreaded "security question"
[+] [-] driverdan|11 years ago|reply
And people wonder why I'm constantly telling them to stop using PayPal.
[+] [-] M4v3R|11 years ago|reply
[+] [-] kylequest|11 years ago|reply