28 Dec 15

2016 Reality: Lazy Authentication Still the Norm

My PayPal account was hacked on Christmas Eve. The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang tied to the jihadist militant group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.

Junaid Hussain’s Twitter profile photo.

On Christmas Eve morning, I received an email from PayPal stating that an email address had been added to my account. I immediately logged into my account from a pristine computer, changed the password, switched my email address back to the primary contact address, and deleted the rogue email account.

I then called PayPal and asked how the perpetrator had gotten in, and was there anything else they could do to prevent this from happening again? The customer service person at PayPal said the attacker had simply logged in with my username and password, and that I had done everything I could in response to the attack. The representative assured me they would monitor the account for suspicious activity, and that I should rest easy.

Twenty minutes later I was outside exercising in the unseasonably warm weather when I stopped briefly to check email again: Sure enough, the very same rogue email address had been added back to my account. But by the time I got back home to a computer, my email address had been removed and my password had been changed. So much for PayPal’s supposed “monitoring;” the company couldn’t even spot the same fraudulent email address when it was added a second time.

PayPal locked the account shortly after the assailant allegedly tried to send my money to the email account of the late Junaid Hussain, a 17-year-old member of the hacktivist group Team Poison. Hussain — who used the nickname “TriCk” and is believed to have been a prominent ISIS propagandist online — was reportedly killed in a U.S.-led drone strike earlier this year in Raqqa, Syria. No doubt, the attempted transfer was a bid to further complicate matters for me by associating my account with known terrorists.

In my second call to PayPal, I insisted on speaking with a supervisor. That person was able to tell me that, as I suspected, my (very long and complex) password was never really compromised. The attacker had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.

Let’s leave aside for a moment the reality that all of this static information about Brian Krebs has been posted online by various miscreants over the years (and probably remains online): Any company that authenticates customers with nothing more than static identifiers — address, SSN, DOB, phone number, credit card number, etc. — is vulnerable to these takeover attempts.

This almost certainly includes all of the companies that supply utilities to your residence, your bank or credit union, and a host of other companies. They’re vulnerable because those static identifiers about you are no longer secret and are available for sale in the underground.

I asked the PayPal supervisor why the company couldn’t simply verify my identity by sending a text message to my phone, or a special signal to a PayPal mobile app? After all, PayPal has had the same mobile number of mine on file for years (the attacker also deleted that number from my profile as well). The supervisor explained that the company didn’t have any mobile authentication technologies, and that in order to regain access to the funds in my account I had to send the company a photocopied or scanned copy of my driver’s license.

Never mind that it was PayPal’s lack of any modern authentication methods that led to this mess. Also, let’s forget for the moment that there are a half-dozen services online that let customers create fake but realistic-looking scans of all types of documents, including utility bills, passports, driver’s licenses, bank statements, etc. This is the ultimate and most sophisticated customer authentication system that PayPal has: Send us a copy of your driver’s license.

When I pressed the PayPal representative about whether he had any other ways to validate my identity short of sending a copy of my license, he offered to do so “using public records.” Now, I understand that what he actually meant was that PayPal would work with a major credit bureau to ask me a series of so-called “out of wallet” or “knowledge-based authentication” (KBA) questions — essentially yet more requests for static information that can be gleaned from a variety of sources online. But that didn’t stop me from playfully asking the representative why a security challenge should rely on answers from public records? He responded that someone probably would have to go down to a courthouse somewhere to do that, which made me laugh out loud and wish him a Merry Christmas.

For better or worse, this isn’t the first time I’ve had to deal with weaknesses in PayPal’s anti-fraud systems. Last year, my account was the recipient of a large number of fraudulent donations made through hacked PayPal accounts that all were funded by credit cards instead of bank balances. The problem with fraudulent credit card donations via PayPal is that PayPal assesses the inevitable $20 Visa or MasterCard chargeback fee against the unwitting recipient of the fraudulent donation, effectively taking $20 out of the recipient’s account for each phony donation!

I called my contact at PayPal who’d helped work out a stopgap solution to the phony credit card payments, and that person said PayPal would lock my account so that no further account changes would be allowed. I’m grateful that they were able to do this (so far) but it probably goes without saying that most PayPal users will not have that line of contact or influence at the company.

PayPal’s security token isn’t much use if the company lets thieves reset your password over the phone using your Social Security number.

PayPal does offer additional security protections — including a PayPal Security Key fob that periodically generates a new one-time password which needs to be entered at login in addition to a username and password. I’ve used this solution since shortly after the company began offering it almost a decade ago, but a fat lot of good it does if PayPal is going to continue letting users reset their passwords by regurgitating static data that is trivial to purchase from the cybercrime underground.

Many companies will offer customers more account security options, but only if asked. Most often, when companies are asked for non-standard security precautions it is because the account holder has stated that he or she was previously the target of cyber stalking or concerted harassment or threats online. I can recall doing this with most of the utilities we use — including our ISP — after having ne’er-do-wells try to shut off our power, phone and water service by calling in with those static identifiers. None of those companies offered more advanced authentication options — such as mobile device authentication — but most would let me place a flag on my account that no changes were to be made unless I showed up at the utility’s offices in person and presented a photo ID and my username and password.

Although this is effectively the same solution that PayPal offered after it froze my account and available funds, having to visit an office and present my ID to close or make changes to my account is significantly less onerous and aggravating than trying to work that out after the fact while having no electricity, water or Internet.

Longer term, PayPal should review which of its users have already provided mobile phone information, and then seek to validate those contact numbers. Once that process is done, PayPal can start upgrading its authentication systems — and hopefully become less reliant on static (read: already-compromised) identifiers to validate customers. This would help cut down on account takeovers and reduce the threat of costly, fraudulent credit card donations via hacked accounts.
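As an added example (not PayPal’s code and not part of the original post), the following Python models the two recovery policies this post contrasts: one in which the static identifiers alone (last four of SSN, last four of a card) authorize a password reset, and a hardened one in which every channel, the support desk included, also demands the one-time password from the token. The TOTP routine follows RFC 6238 and stands in for the key fob; the account values, the `phone_support` channel name and the phone-verification helpers (which bind a number only after a code sent to it is echoed back, the validation step suggested above) are constructed for illustration.

```python
# Added example, not PayPal's code: an RFC 6238 one-time password (standing in for
# the key fob) and two account-recovery policies. Names, account values and the
# phone-verification flow are constructed for illustration.
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

STEP = 30  # seconds per TOTP window


def totp(secret: bytes, for_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, dynamically truncated."""
    counter = struct.pack(">Q", for_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


@dataclass
class Account:
    user: str
    ssn_last4: str          # static identifiers: widely leaked and cannot be rotated
    card_last4: str
    totp_secret: bytes      # possession factor shared with the token or app
    phone: Optional[str] = None
    phone_verified: bool = False
    pending_phone: Dict[str, Tuple[str, int]] = field(default_factory=dict)


@dataclass
class RecoveryRequest:
    ssn_last4: str = ""
    card_last4: str = ""
    otp: str = ""
    channel: str = "phone_support"  # the same rules apply on the web and at the support desk


def kba_matches(acct: Account, req: RecoveryRequest) -> bool:
    """Knowledge-based check: constant-time compare, but still only static data."""
    return (hmac.compare_digest(acct.ssn_last4, req.ssn_last4)
            and hmac.compare_digest(acct.card_last4, req.card_last4))


def weak_reset_allowed(acct: Account, req: RecoveryRequest) -> bool:
    """The flow the post describes: static identifiers alone authorize a reset."""
    return kba_matches(acct, req)


def hardened_reset_allowed(acct: Account, req: RecoveryRequest,
                           now: Optional[int] = None) -> bool:
    """Every channel demands the possession factor on top of the static data."""
    now = int(time.time()) if now is None else now
    if not kba_matches(acct, req):
        return False
    # Accept the current and the previous window to tolerate small clock drift.
    valid = {totp(acct.totp_secret, now), totp(acct.totp_secret, now - STEP)}
    return any(hmac.compare_digest(req.otp, v) for v in valid)


def start_phone_verification(acct: Account, number: str, now: int) -> str:
    """Issue a short-lived random code for the number. A real service would send it
    by SMS; it is returned here only so the example can run offline."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    acct.pending_phone[number] = (code, now + 10 * 60)
    return code


def confirm_phone_verification(acct: Account, number: str, code: str, now: int) -> bool:
    """Bind the number only when the code it received is echoed back before expiry."""
    entry = acct.pending_phone.pop(number, None)
    if entry is None:
        return False
    expected, expires = entry
    if now > expires or not hmac.compare_digest(expected, code):
        return False
    acct.phone, acct.phone_verified = number, True
    return True


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test secret and a request carrying only the
    # static identifiers an impostor may already hold.
    acct = Account("demo_user", "1234", "5678", b"12345678901234567890")
    req = RecoveryRequest(ssn_last4="1234", card_last4="5678")
    print("weak policy lets the reset through:", weak_reset_allowed(acct, req))
    print("hardened policy without token:", hardened_reset_allowed(acct, req, now=59))
    req.otp = totp(acct.totp_secret, 59)
    print("hardened policy with token:", hardened_reset_allowed(acct, req, now=59))
```

The point the two policies make is the one the post makes: a token at the login screen buys nothing if the reset path behind the support desk checks only `kba_matches`. Treating the phone number as a factor only once `phone_verified` is set keeps an unverified number added by an intruder from ever counting as a possession factor.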

Until then, PayPal will continue to expose its users unnecessarily to security and privacy threats (bear in mind that a crook who gains access to your PayPal account can see all of your transactions and financial data from associated bank accounts).

Many KrebsOnSecurity readers have been quite generous in supporting my efforts this year, and to those folks (and to anyone else who’s read this far) I offer a hearty and heartfelt THANK YOU!


236 comments

  1. So a bad actor can simply give static info to change account information. But THE account holder, they want a copy of a driver’s license? Forget for a second that you can fake a driver’s license. Should it be the other way around?

    Shockingly, my bank does not offer two-factor authentication. Why is it so hard?

    Also, I probably should connect stand alone bank account to my Paypal instead of my primary checking.

    • I dropped PayPal, and any other financial service, that doesn’t offer 2-factor authentication. I want my money protected. My credit cards use 2-factor and if a web site doesn’t accept my credit cards, I don’t do business with the web site.

    • PayPal does offer two-factor authentication via SMS. It is easy: Log in > Settings > Security and add your cell #. You don’t even need a smart phone.
      You are not liable for any fraudulent charges with PayPal anyway.

    • The answer is simple: Money.

      Until the financial institutions are more strictly held accountable for fraudulent activity conducted via their services, they have no incentive to implement expensive two-factor authentication solutions.

      It was the same thing with retail. Until the government stood up and said “you are financially liable if you don’t implement chip & signature card readers by X date” they had no intention of spending a dime to protect their customers. But now that they are, look how fast they’re all jumping on board.

  2. A dynamic identifier, such as a temporary code sent via SMS to a user’s mobile phone, isn’t any better if the provider of the mobile service is also vulnerable. I had my bank accounts emptied after Vodafone UK allowed someone to walk in off the street and transfer my phone number to a new Vodafone account in store. Hugely frustrating that they could ever allow this.

  3. Mordechai Schiller

    Is Google Wallet any safer?
    Thanks

    • Yes (probably) but almost no one offers Google Wallet (or Amazon payments). And that’s the real problem, without alternatives PayPal doesn’t have any pressing reason to change its security practices.

      • Mordechai Schiller

        Thanks. I was actually looking for a secure way to transfer money to someone. I guess the best way is to walk to his bank!

        • Walking to a bank would certainly be the most secure way to transfer money. Paypal has more and more competitors, such as Popmoney, but I can’t vouch for their security!

          • Yes you can walk into a bank, however check with the bank first if they will accept your form of deposit. In the US at Chase, you can not deposit cash into someone else’s account – only yours.

  4. There’s only one possible reaction – I just finished removing all personal data from my paypal account and *then* closing it (removal of the associated mail address is next). Thanks for the heads-up.

    • Robert Heinig: Was the data you “deleted” really gone or did PayPal just remove it from your view?

      Given some 2015 exposures of old data I’m not confident the data is ever removed from their “care”.

      Jonathan @NC3mobi

      • It wasn’t “deleted”, nor should it be. Paypal is a financial institution and they are required to maintain evidentiary matter supporting their transactions. In fact, any business that processes transactions of any type will maintain that transactional data to support their accounting processes and audits regardless of whether or not the underlying account has been “deleted”.

        Closing the account, however, should be an effective way to stop fraudulent activity in that account.

  5. I wonder if it’s time to [rate] payment agencies on [how much] human invention is possible in account resets and recovery procedures.

    It seems to me that human invention is the real vulnerability here, they can’t deal with potential customer loss in a real world feedback way (that is the procedure isn’t tested or does work, or is too ridiculous to use.. so they don’t do something wickedly odd ‘like pay someone to fix it’).

    Instead they make false promises and kick the can down the road, ‘saving money’ by not paying anyone to do anything about it.. hence the incentive to fix anything is removed.

    Maybe its like Netflix and the traditional media companies which don’t have or don’t act on real customer feedback data.. until the customer up and leaves.. the incentive to do something doesn’t darwinian select better startups to replace them.

  6. Finally closing my PayPal account after hearing about this. (Hadn’t used it in years anyhow.) I should have closed it when I heard about this: http://www.businessinsider.com/paypal-violin-destroy-return-refund-2012-1

  7. Hi Brian, Surely in this instance Paypal would be liable for any of your losses?

    From their point of view is it cheaper for them to pay for the amount they are defrauded than pay for a system that stops this? I am probably wrong here, but I would be interested to hear your, or fellow readers’, thoughts on this.

  8. about the security key fob…which I have been using since I signed up for eBay…true, it won’t prevent a clever social engineer from changing your password over the phone, but what good will that do them if they don’t have the fob? they still can’t log in, can they?

    annoying but surely less onerous than if they could log in!

    • The article appears to be misinformed. The fob isn’t being used by PayPal any more. And two-factor authentication has been available from PayPal for quite some time now; I have been using it for a couple of years. It is simple to set up: Log in > Settings > Security. It doesn’t even require a smart phone!

      • The article merely recounts what happened. If PayPal let some punk reset my password just by regurgitating some static identifiers about me that don’t change and failed to require the second factor, would you say that their second factor is useful? Seems pretty useless if that’s the case.

        • unless I am missing something,…

          if you did use paypal SMS service as a second factor, even if the attacker did reset your personal password (first factor) through social engineering, he wouldn’t be able to login to paypal or perform any transfer without stealing also your cell phone… correct?

          so either you were not using SMS as a second factor, or paypal phone operators got tricked into resetting both your password AND your cell phone number at the same time, which would demonstrate an amazing amount of incompetence and lack of common sense? wouldn’t it?

          • As I stated in the article, I wasn’t using PP’s SMS. I was using their keyfob device.

          • Or option 3 – PayPal’s customer service staff ignore their own security policies and will give anyone access to anything if they can produce static ID information like a social security number, regardless of how many different factors of authentication legitimate users have to provide.

            Putting a billion dollars of locks on the front door is useless if the back door is unlocked.

      • I’m glad you brought that up – I was about to say the same thing. I’ve had their key fob for about a decade, but I noticed last month that I could log in with or without using it. Which surprised me. They have a page to sync your fob to your system, so I went through that, with the same results.

        Took a very long time (felt like hours) talking to various customer support agents, before someone finally informed me that they stopped using those many months previously.

      • I’m a bit confused by your statement. I have the Paypal keyfob, and as of today it works just fine and is still required to log in.

  9. My PayPal security token, same one photographed in the article, stopped working a few months ago. I would log in with my user name and password and that’s it. I rarely keep a balance but after reading the article I gave Paypal a call to find they no longer use it and encourage a 2 factor phone txt message. That’s great but I was never told about this. I had the Paypal football token for years without issue.

  10. Wow, it really blows my mind that Paypal doesn’t use any stronger methods to prevent password resets like this.

    It’s absolutely trivial to write a password reset system if you ‘lose’ your password, and I’m sure there are systems out there where you can connect via an API of some sort to send a message via SMS at a minuscule cost. I’m sure any SMS api service company would love to have Paypal as a customer.

    And using static data easily available to ‘verify’ identity? Almost criminal.

  11. I have also had a lot of problems with paypal and once when I had a problem logging in from my ipad while travelling they were so unhelpful and they just blocked my email. So I had no choice but to delete the account. I was not a heavy user anyway so I really don’t miss it at all.

  12. This article appears to be partially misinformed. PayPal offers 2-factor authentication via temporary security code sent as SMS. You can turn that on by logging into your account > settings > security and register your smart phone there.

  13. Like many of you, reading this caused a bit of concern. I jumped over to Paypal and was able to specify the information (static or user created ping) they used to validate me when talking to customer service. I was also able to add my phone number as a method of 2FA. I do have a paypal business account so I’m not sure if the settings there are different from a personal account.

    • In reply to Chris Rasco’s comment of “I was also able to add my phone number as a method of 2FA. I do have a paypal business account so I’m not sure if the settings there are different from a personal account.” —
      I just thought I’d add that when I looked into my Paypal “security” settings on my Paypal basic personal account today, I was given the option of adding a phone number to do SMS authentications, so it doesn’t seem to just be for business accounts.
      Regarding two-factor authentication with a cell phone number, I understand the rationale behind it, but I really don’t wish to do that with any sort of account, for several reasons. I don’t want these companies to have my cell phone number on top of everything else they have on me, I don’t always have my cell phone with me, I do change my cell phone/cell phone number every so often, sometimes I am in other countries using a different handset and it’s not lickety-split to receive a text message on the US cell phone number, etc. Therefore, I didn’t sign up for Paypal’s two-factor authentication.
      (I won’t repeat myself here, but in a comment a bit further down, I described what I did do today to tighten up the security on my Paypal account.)

  14. EVERYTHING can be hacked. If Mobile phones could allow your account to be changed then someone who broke into your house, and stole your phone could keep taking your PayPal account from you too. Personally I think the thing which make accounts weakest are those questions like “What was your first car?” or “What was the first street you lived on?” Because there’s a lot of Facebook posts that ask people to giveaway information like this easily.

    • my first car: red baboon
      my first job: typewriter

      etc. you don’t have to give the actual answers to those questions, anything will do, so why use publicly available answers? make them up!

  15. You can get a NEW PayPal token but you have to contact Verisign/Symantec.

    https://idprotect.vip.symantec.com/

  16. This article pinged on Down The Security Rabbit Hole, with the add-on that Paypal has a hard coded upper limit of 13 characters on their passwords.

    • I don’t think that is correct as I have somewhere around 20 various characters. But this is not the problem as Brian points out, the real problem is that it is easy to take over an account by simply contacting the customer center and having them change account/payment details.

  17. Paypal stinks so much that I indeed have no words to define it. It is an abominable company that just causes problems to their legitimate users.

  18. Thanks for the story Brian, and I agree it’s appallingly poor security technology, processes and procedures.
    It is highly remarkable that such a widely used money transaction service in 2016 still doesn’t support time based token authentication like others have done for years (gmail, dropbox, facebook). If there’s a competing service offering such authentication with the same e-commerce website support I’d be glad if you’d let me know as I’d switch within the blink of an eye.

  19. Oh my, I’ve had a lot of trouble with PayPal as well. Two biggest issues:

    They don’t understand the concept of variable email addresses (one address per online shop, so when one gets hacked you can close it for spam, see that it’s been hacked, etc.). Just one email address per credit card, please. The address doesn’t match? Guess you can’t use your credit card for PayPal anymore.

    A lack of respect for laws in the countries that they operate in. Under data protection laws in certain European countries, you have the right to have your accounts closed and personal information removed from any private company if you send them an official request. I’ve done this several times, talked to supervisors, the whole enchilada. PayPal refuses to respect European law.

    That’s just the big things. Lots of minor issues as well…

  20. A couple of years back, I was forced to close accepting donations on my website due to fraudulent donations via PayPal. I lost hundreds of dollars in chargeback fees. It amazes me that someone was able to use an invalid email address to donate via PayPal without PayPal noticing or verifying the provided email address. When I sent an email to the provided email address, the email bounced.

  21. I use PayPal’s 2FA via SMS. But PayPal has an option that allows you to answer two security questions if you don’t have your phone or can’t get the SMS.

    These questions are ridiculously easy: the name the hospital where you were born, the first street you lived on, etc. So even if you use 2FA, it doesn’t prevent attackers from at least trying to access your account based on other information they can research.