28 Dec 15

2016 Reality: Lazy Authentication Still the Norm

My PayPal account was hacked on Christmas Eve. The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang tied to the jihadist militant group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.

Junaid Hussain’s Twitter profile photo.

On Christmas Eve morning, I received an email from PayPal stating that an email address had been added to my account. I immediately logged into my account from a pristine computer, changed the password, switched my email address back to the primary contact address, and deleted the rogue email account.

I then called PayPal and asked how the perpetrator had gotten in, and was there anything else they could do to prevent this from happening again? The customer service person at PayPal said the attacker had simply logged in with my username and password, and that I had done everything I could in response to the attack. The representative assured me they would monitor the account for suspicious activity, and that I should rest easy.

Twenty minutes later I was outside exercising in the unseasonably warm weather when I stopped briefly to check email again: Sure enough, the very same rogue email address had been added back to my account. But by the time I got back home to a computer, my email address had been removed and my password had been changed. So much for PayPal’s supposed “monitoring”; the company couldn’t even spot the same fraudulent email address when it was added a second time.
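The failure described above, where the same rogue address came back twenty minutes after the owner removed it and the recovery phone was stripped during a support-desk reset, is the kind of thing a plain account-change monitor catches. The following is an added example, not PayPal's code and not anything the post describes as existing; the event schema, the channel names, the time windows and the sample events are constructed assumptions modelled on the sequence in the post.

```python
"""Account-change monitor for the pattern in the post: a contact address the
owner just removed is added back, the recovery phone is removed through a
support-desk reset, and several sensitive changes land within minutes.

Added example, not PayPal's code. The event schema, channel names, windows and
thresholds are assumptions; the events below are constructed to mirror the
sequence described in the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed sample data, not real PayPal logs
    {"ts": "2015-12-24T08:02:00", "account": "bk", "action": "email_added",
     "value": "rogue@example.net", "channel": "cs_reset"},
    {"ts": "2015-12-24T08:10:00", "account": "bk", "action": "password_changed",
     "value": None, "channel": "web"},
    {"ts": "2015-12-24T08:11:00", "account": "bk", "action": "email_removed",
     "value": "rogue@example.net", "channel": "web"},
    {"ts": "2015-12-24T08:35:00", "account": "bk", "action": "email_added",
     "value": "rogue@example.net", "channel": "cs_reset"},
    {"ts": "2015-12-24T08:36:00", "account": "bk", "action": "phone_removed",
     "value": "+15555550100", "channel": "cs_reset"},
    {"ts": "2015-12-24T08:37:00", "account": "bk", "action": "password_changed",
     "value": None, "channel": "cs_reset"},
    {"ts": "2015-12-24T09:00:00", "account": "other", "action": "email_added",
     "value": "me@example.org", "channel": "web"},
]

READD_WINDOW = timedelta(hours=24)   # owner removed it, someone put it back
BURST_WINDOW = timedelta(minutes=5)  # several sensitive changes this close together
BURST_THRESHOLD = 3
SENSITIVE = {"email_added", "email_removed", "phone_added", "phone_removed",
             "password_changed", "twofa_disabled"}
RECOVERY_CONTACT = {"phone_removed", "email_removed"}


def analyze(events):
    """Return a list of (account, rule, ts, detail) alerts, in event order."""
    removed_at = {}              # (account, value) -> when it was removed
    recent = defaultdict(list)   # account -> timestamps of sensitive actions
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        acct, action = ev["account"], ev["action"]
        value, channel = ev["value"], ev["channel"]

        # Rule 1: a value the owner removed comes back within the window.
        if action in ("email_removed", "phone_removed"):
            removed_at[(acct, value)] = ts
        elif action in ("email_added", "phone_added"):
            prior = removed_at.get((acct, value))
            if prior is not None and ts - prior <= READD_WINDOW:
                alerts.append((acct, "readded_after_owner_removal", ev["ts"], value))

        # Rule 2: a support-desk reset strips the out-of-band recovery contact,
        # which is the first thing an impostor does.
        if action in RECOVERY_CONTACT and channel == "cs_reset":
            alerts.append((acct, "recovery_contact_removed_via_support", ev["ts"], value))

        # Rule 3: burst of sensitive changes, sliding window per account.
        if action in SENSITIVE:
            window = [t for t in recent[acct] if ts - t <= BURST_WINDOW]
            window.append(ts)
            recent[acct] = window
            if len(window) == BURST_THRESHOLD:
                alerts.append((acct, "sensitive_change_burst", ev["ts"], len(window)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(*alert)
```

Run against the constructed events, the monitor raises three alerts on the Christmas Eve account: the rogue address re-added at 08:35, the recovery phone removed through the support channel at 08:36, and a burst of three sensitive changes ending at 08:37. The owner's own clean-up at 08:10 and 08:11 does not trip the burst rule because it falls outside the five-minute window that starts with the second attack.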

PayPal locked the account shortly after the assailant allegedly tried to send my money to the email account of the late Junaid Hussain, a 17-year-old member of the hacktivist group Team Poison. Hussain — who used the nickname “TriCk” and is believed to have been a prominent ISIS propagandist online — was reportedly killed in a U.S.-led drone strike earlier this year in Raqqa, Syria. No doubt, the attempted transfer was a bid to further complicate matters for me by associating my account with known terrorists.

In my second call to PayPal, I insisted on speaking with a supervisor. That person was able to tell me that, as I suspected, my (very long and complex) password was never really compromised. The attacker had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.

Let’s leave aside for a moment the reality that all of this static information about Brian Krebs has been posted online by various miscreants over the years (and probably remains online): Any company that authenticates customers with nothing more than static identifiers — address, SSN, DOB, phone number, credit card number, etc. — is vulnerable to these takeover attempts.

This almost certainly includes all of the companies that supply utilities to your residence, your bank or credit union, and a host of other companies. They’re vulnerable because those static identifiers about you are no longer secret and are available for sale in the underground.

I asked the PayPal supervisor why the company couldn’t simply verify my identity by sending a text message to my phone, or a special signal to a PayPal mobile app? After all, PayPal has had the same mobile number of mine on file for years (the attacker had also deleted that number from my profile). The supervisor explained that the company didn’t have any mobile authentication technologies, and that in order to regain access to the funds in my account I had to send the company a photocopied or scanned copy of my driver’s license.

Never mind that it was PayPal’s lack of any modern authentication methods that led to this mess. Also, let’s forget for the moment that there are a half-dozen services online that let customers create fake but realistic looking scans of all types of documents, including utility bills, passports, driver’s licenses, bank statements, etc. This is the ultimate and most sophisticated customer authentication system that PayPal has: Send us a copy of your driver’s license.

When I pressed the PayPal representative about whether he had any other ways to validate my identity short of sending a copy of my license, he offered to do so “using public records.” Now, I understand that what he actually meant was that PayPal would work with a major credit bureau to ask me a series of so-called “out of wallet” or “knowledge-based authentication” (KBA) questions — essentially yet more requests for static information that can be gleaned from a variety of sources online. But that didn’t stop me from playfully asking the representative why a security challenge should rely on answers from public records. He responded that someone probably would have to go down to a courthouse somewhere to do that, which made me laugh out loud and wish him a Merry Christmas.

For better or worse, this isn’t the first time I’ve had to deal with weaknesses in PayPal’s anti-fraud systems. Last year, my account was the recipient of a large number of fraudulent donations made through hacked PayPal accounts that all were funded by credit cards instead of bank balances. The problem with fraudulent credit card donations via PayPal is that PayPal assesses the inevitable $20 Visa or MasterCard chargeback fee against the unwitting recipient of the fraudulent donation, effectively taking $20 out of the recipient’s account for each phony donation!

I called my contact at PayPal who’d helped work out a stopgap solution to the phony credit card payments, and that person said PayPal would lock my account so that no further account changes would be allowed. I’m grateful that they were able to do this (so far) but it probably goes without saying that most PayPal users will not have that line of contact or influence at the company.

PayPal’s security token isn’t much use if the company lets thieves reset your password over the phone using your Social Security number.

PayPal does offer additional security protections — including a PayPal Security Key fob that periodically generates a new one-time password which needs to be entered at login in addition to a username and password. I’ve used this solution since shortly after the company began offering it almost a decade ago, but a fat lot of good it does if PayPal is going to continue letting users reset their passwords by regurgitating static data that is trivial to purchase from the cybercrime underground.

Many companies will offer customers more account security options, but only if asked. Most often, when companies are asked for non-standard security precautions it is because the account holder has stated that he or she was previously the target of cyber stalking or concerted harassment or threats online. I can recall doing this with most of the utilities we use — including our ISP — after having ne’er-do-wells try to shut off our power, phone and water service by calling in with those static identifiers. None of those companies offered more advanced authentication options — such as mobile device authentication — but most would let me place a flag on my account that no changes were to be made unless I showed up at the utility’s offices in person and presented a photo ID and my username and password.

Although this is effectively the same solution that PayPal offered after it froze my account and available funds, having to visit an office and present my ID to close or make changes to my account is significantly less onerous and aggravating than trying to work that out after the fact while having no electricity, water or Internet.

Longer term, PayPal should review which of its users have already provided mobile phone information, and then seek to validate those contact numbers. Once that process is done, PayPal can start upgrading its authentication systems — and hopefully become less reliant on static (read: already-compromised) identifiers to validate customers. This would help cut down on account takeovers and reduce the threat of costly, fraudulent credit card donations via hacked accounts.
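One way to encode the point made above, that static identifiers are not evidence and that a recovery path must never downgrade to them, is a policy that scores each verification method and refuses privileged actions below a required level. The following is an added example, not PayPal's code; the method names, strength classes, action table, support-PIN handling and sample account are assumptions. The TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second steps) so it interoperates with ordinary authenticator apps.

```python
"""Recovery/step-up policy that gives static identifiers zero weight.

Added example, not PayPal's code. Method names, the strength classes, the
action table and the sample account are assumptions. The TOTP routine follows
RFC 6238 (HMAC-SHA1, 30-second steps); comparisons are constant-time.
"""
import base64
import hashlib
import hmac
import os
import struct
import time

# Evidence classes. Anything available from a breach dump or a people-search
# site is worth nothing, however "personal" it sounds.
STATIC = {"ssn_last4", "card_last4", "dob", "address", "phone", "kba"}
WEAK = {"cs_pin"}        # user-chosen support PIN: a real secret, but phishable
POSSESSION = {"totp"}    # proves control of an enrolled device
LEVEL = {"none": 0, "weak": 1, "possession": 2}

# Minimum level per action. "I forgot my token" must not downgrade a
# password reset or 2FA removal to static checks; it needs a different path.
REQUIRED = {
    "view_balance": "weak",
    "change_email": "possession",
    "remove_phone": "possession",
    "disable_2fa": "possession",
    "reset_password": "possession",
}

PBKDF2_ROUNDS = 100_000


def make_account(cs_pin, totp_secret_b32):
    """Store the support PIN salted and hashed; keep the TOTP secret for HMAC."""
    salt = os.urandom(16)
    return {
        "cs_pin_salt": salt,
        "cs_pin_hash": hashlib.pbkdf2_hmac("sha256", cs_pin.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret_b32,
    }


def check_pin(account, pin):
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), account["cs_pin_salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, account["cs_pin_hash"])


def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 code for the given Unix time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(for_time // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret_b32, code, now, skew=1):
    """Accept the current step plus `skew` steps either side for clock drift."""
    ok = False
    for i in range(-skew, skew + 1):
        ok |= hmac.compare_digest(totp(secret_b32, now + i * 30), code)
    return ok


def evidence_level(presented, account, now):
    """presented maps method name -> value the caller supplied."""
    best = LEVEL["none"]
    for method, value in presented.items():
        if method in STATIC:
            continue                       # public data: no credit at all
        if method in WEAK and check_pin(account, value):
            best = max(best, LEVEL["weak"])
        if method in POSSESSION and account.get("totp_secret") \
                and verify_totp(account["totp_secret"], value, now):
            best = max(best, LEVEL["possession"])
    return best


def authorize(action, presented, account, now=None):
    """True only if the evidence presented meets the action's required level."""
    now = time.time() if now is None else now
    return evidence_level(presented, account, now) >= LEVEL[REQUIRED[action]]


if __name__ == "__main__":
    acct = make_account("493817", "JBSWY3DPEHPK3PXP")   # constructed sample
    print("static only:", authorize("reset_password", {"ssn_last4": "1234", "card_last4": "5678"}, acct))
    print("support PIN:", authorize("reset_password", {"cs_pin": "493817"}, acct))
    print("TOTP       :", authorize("reset_password", {"totp": totp("JBSWY3DPEHPK3PXP", time.time())}, acct))
```

The shape of the table is the point: static answers are skipped rather than scored low, so piling up more of them can never add up to a reset, and the support PIN buys access to read-only actions only. A caller who has lost the enrolled device needs a separate, slower re-enrollment process rather than a downgrade inside this policy.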

Until then, PayPal will continue to expose its users unnecessarily to security and privacy threats (bear in mind that a crook who gains access to your PayPal account can see all of your transactions and financial data from associated bank accounts).

Many KrebsOnSecurity readers have been quite generous in supporting my efforts this year, and to those folks (and to anyone else who’s read this far) I offer a hearty and heartfelt THANK YOU!


236 comments

  1. I imagine the call from the intruder to Paypal went thus:

    Customer Support (CS): Thank you for calling Paypal, how may I help you today?

    Caller: Greetings my good friend. I am the Brian Krebs of much Internet fame and after unfortunate series of forgetfulness, I cannot access my password. Please to reset my username thank you.

    CS: I understand you’ve misplaced the password to your account. For verification and security purposes could you please provide your full last name, Mr. Krebs?

    Caller: I already told you that I am Brian, of much Internet fame!

    CS: Thank you for verifying that important security information. Here at Paypal, we take security very seriously, and do everything possible to make sure your account is safe at all times from hackers.

    Caller: I am not hacker.

    CS: Certainly sir. There we go, Mr. Krebs, I’ve reset your password to “password” also for your security, you will be required to change your password the next time you log in. Is there anything else you need? Do you remember your account username?

  2. PayPal seems to have switched off 2FA for mobile, or at least they have stopped prompting me when I tried to complete a cellphone transaction – possibly because I complained that their 2FA was retarded and broken (it was).

    I really find it ugly how little they care for financial security

  3. Fraud vs insult rate.

    Always has been, always will be. Tradeoffs everywhere.

  4. Why do you even have a PP account ? If you must have one, surely setting one up ‘clean’ with a newly bought domain is easier than that faff ?

  5. Reading this makes me concerned about the underlying security for PayPal’s other payment services. I’ve worked with merchant clients that use PayPal’s Payment Gateway and PayFlow Pro because it reduces the scope of their PCI DSS compliance. Credit card data for card not present transactions with these services doesn’t reach the clients’ web portals but goes straight via PayPal to the client’s acquiring bank. But could the manager account for this be as easily compromised as was Brian Krebs’ own PayPal account?

    • I should have mentioned that with this PayPal service a unique transaction identifier no. for each credit card transaction is generated and that even after hijacking the PayPal Manager an attacker would only see these numbers and never the actual card data. Still I wonder if anyone has done any threat modeling with these PayPal services to see if there is a way to do a man in the middle attack to intercept the card transactions.

      • As a PayFlow Pro admin I can tell you that yes, it is insecure in a variety of ways, but I won’t reveal them here. And those unique identifiers can be used to create what are called reference transactions; essentially, piggybacking a second charge off the first, without the need to supply the cc info a second time. This is used when say, a customer decides to upgrade shipping or adds something to their order.

    • I don’t know anything about that service, but in general, most services in the world are susceptible to account reset attacks. The problem is that they’re used to the “irate customer” who is yelling because they can’t access their account (for which they lost the password). And the service provider doesn’t want to lose the customer long term, and thus will literally bend over backwards to make them happy.

      Unfortunately, it thus becomes pretty easy for an attacker to pretend to be said irate customer.

      For the service you’re describing, assuming the money eventually ends up in a PayPal account, and not directly deposited into a non PayPal bank account, I’d assume someone could attack that account using the same reset system as they used to attack Brian’s account.

      Note: Assuming you could have PayPal directly deposit into a non PayPal bank account, you would still be at risk because the pairing you do w/ PayPal and a bank account would allow someone who took over the PayPal account to request the money be sent back into the PayPal account, and once done they could transfer it elsewhere.

      For normal people, I don’t encourage actively (i.e. daily) checking accounts, since I believe the act of checking is a risk. For businesses, unfortunately, I think you should be reviewing your last 48-72 hours of transactions daily to ensure there’s nothing amiss. — This means you’re at risk in case something compromises the computer / network you’re using, but, …

      Also, you should find out if there’s a way to freeze account resets.

  6. Did they not require the security token number when resetting the password?

    • Apparently not.

      The problem is that account resets (anywhere) are really unrelated to the normal workflow. They’re an old process that mostly involves a customer support representative listening to an irate customer, and resetting the password.

      Training customer support to review all the security precautions a customer has in place before allowing a reset requires a lot of work and consideration. And I doubt even a handful of companies have done that correctly (or even at all).

  7. I think this really boils down to the (near universal lack of) awareness by website and application designers/developers of the fundamental concept of “elevated privilege”. We are all aware of the distinction between a user account and Administrator or root privilege. And yet almost universally, the credential one uses to access a website is the very same credential used to authorize everything from color schemes to disabling multi-factor authentication.

    There doesn’t seem to be any clue among developers (and from what I’ve seen the recent crops of “DevOps” cloud developers are also similarly clueless by and large) that a user’s actions within an application advertising itself as “secure” MUST be classified into a default normal, non-elevated category, and a separate elevated privilege category, and most importantly, separate credentials for each classification, with an absolute rule that the credential used to authorize a non-privileged action cannot be used to authorize a privileged action.

    If only site/application/cloud developers understood this fundamental security privilege, it would go a long, long way towards protecting everyone’s crown jewels.

    Why Amazon Prime Video access uses the exact same credential that I *must* enter (and store) into my “smart TV” (or worse, a hotel’s “smart TV”) as the one I use to authorize security changes and payment information changes to my account is simply inexcusable.

    And yeah, I’m also looking at you, LastPass. Why my “master password” to all of my credentials stored within this security application is the *exact same one* I *must* use to access my account on the lastpass.com webserver is also inexcusable from a product whose purpose is to remember website passwords.

    • @Michael K

      Are you sure that the LastPass “web” logon isn’t just accessing the hashed/salted/encrypted password stored in the “Local Vault” via the browser interface? Otherwise you’re right, that would be an issue if the browser plugin/extension is bypassed and one is communicating the password directly to the website.

      Also the option exists to logon using previously generated One Time Passwords. https://lastpass.com/otp.php so the master password wouldn’t be involved if the above was true.
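The separation the commenter describes, a low-privilege credential for everyday use and a distinct elevated one for security changes, can be implemented as two token tiers inside one session. This is an added illustration of that idea, not code from the commenter, Amazon, LastPass or PayPal; the HMAC token format, scope names, endpoint table and lifetimes are assumptions.

```python
"""Two privilege tiers in one session: a password login yields a long-lived
'basic' token good for streaming or viewing; security changes need a
short-lived 'elevated' grant that is issued only after a second factor and is
bound to the session it elevates.

Added example illustrating the commenter's point; not Amazon's, LastPass's or
PayPal's code. Token format, scope names, endpoint table and lifetimes are
assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # in production: from a KMS/HSM, rotated
BASIC_TTL = 30 * 24 * 3600             # a TV can stay signed in for a month
ELEVATED_TTL = 5 * 60                  # re-prove possession before each batch of changes

ENDPOINT_SCOPE = {
    "GET /video/play": "basic",
    "GET /account/summary": "basic",
    "POST /account/email": "elevated",
    "POST /account/phone": "elevated",
    "POST /account/2fa/disable": "elevated",
    "POST /account/password": "elevated",
}


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


def _sign(claims: dict) -> str:
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return (body + b"." + _b64(tag)).decode()


def _verify(token: str):
    """Return the claims dict if the HMAC tag checks out, else None."""
    try:
        body, tag = token.encode().split(b".")
        expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        claims = json.loads(_unb64(body))
        return claims if isinstance(claims, dict) else None
    except ValueError:          # bad split, bad base64, bad JSON
        return None


def login(user: str, password_ok: bool, now=None):
    """Password only: enough for a 'basic' session, nothing more."""
    now = time.time() if now is None else now
    if not password_ok:
        return None
    return _sign({"sub": user, "sid": secrets.token_hex(8),
                  "scope": "basic", "exp": now + BASIC_TTL})


def step_up(basic_token: str, second_factor_ok: bool, now=None):
    """Exchange a live basic session plus a second factor for a short elevated grant."""
    now = time.time() if now is None else now
    claims = _verify(basic_token)
    if not claims or claims["scope"] != "basic" or claims["exp"] < now or not second_factor_ok:
        return None
    return _sign({"sub": claims["sub"], "sid": claims["sid"],
                  "scope": "elevated", "exp": now + ELEVATED_TTL})


def authorize(endpoint: str, basic_token: str, elevated_token=None, now=None) -> bool:
    now = time.time() if now is None else now
    base = _verify(basic_token)
    if not base or base["scope"] != "basic" or base["exp"] < now:
        return False
    if ENDPOINT_SCOPE[endpoint] == "basic":
        return True
    elev = _verify(elevated_token) if elevated_token else None
    # The elevation must be unexpired and tied to this very session and user,
    # so a grant captured elsewhere cannot be replayed against another login.
    return bool(elev and elev["scope"] == "elevated" and elev["exp"] >= now
                and elev["sid"] == base["sid"] and elev["sub"] == base["sub"])
```

A token stored in a smart TV under this scheme can play video for a month but can never change the e-mail address, because that endpoint checks for an elevated grant that the TV never receives; the grant also dies after five minutes and is useless against any other session of the same user.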

  8. Wow – bad, bad! There is a reason I avoid linked bank accounts at Paypal.

  9. We should all tweet this article to PayPal. So hopefully they’ll see how archaic their approach to security is.

    I totally agree with Brian’s assessment. PayPal offers two-factor authentication login via a cell phone, but at the same time also offers a bypass via answers to “secret questions” which clearly defeats the purpose of two-factor authentication.

    The problem w/PayPal is that there’s really no customer support to tell it to.

  10. Wrong.
    Two factor authentication exists for #PayPal accounts either using a standalone key or mobile SMS
    https://www.paypal.com/uk/cgi-bin/webscr?cmd=_register-security-key-mobile

    • if you can turn it off with a phone call, what’s the point?

      • Was 2fa shut off on the reset? Did I miss that in the article because I don’t recall that being mentioned. If it wasn’t but was available in the user’s area, I don’t see how this attack works exactly if 2fa is active.

    • It exists in a very limited number of countries. For everyone else, it’s “what’s your dog’s maiden name?”.

  11. I’ve heard from work associates their amazon accounts were hacked the same way and it recurred there as well. After notification they changed the password and phone back and the hacker called the help desk and got it changed back and locked them out. I wish you had titled the article “Paypal lazy authentication still the norm”. That way, when people google “paypal” it would come up…..you need to spread the word. I hope you sent a copy of your article to their CFO. If you don’t, I will. This is a huge financial risk as well as a security risk.

  12. For now, I’ll still need to use PayPal since a number of websites, including those of my professional organizations, have it as the only epay option. Didn’t know about 2FA for Paypal, so I just activated it, and got the following autoresponse from Paypal:

    Dear So-and-so,

    We’ve received your order for a PayPal Security Key. You’ll now need your mobile phone to log in to your account for additional security.

    If you didn’t activate your mobile phone to use as a PayPal Security Key, please contact PayPal Customer Service.

    Thanks,
    PayPal

    So, it looks like I, or anyone else, could just call them up to have the 2FA removed from my account!

    • Yep!

      That’s Customer Service for you!

      *sigh*

      It does sort of make sense.
      Imagine an attacker takes over your account and adds 2FA.

      You need to be able to recover your account.

      Although, ideally that process doesn’t involve you giving answers to questions that anyone w/ Internet access (or account access…) can give…

  13. Someone got access to my PayPal account even though I had a strong password and used it to launder money or some such. Someone would deposit $3000 and someone else would withdraw it. I never found out how they got in, but I had a devil of a time getting PayPal to straighten it out. It took a couple weeks and half a dozen or more calls.

  14. Brian:

    1) with your résumé and renown, surely you, of all people, can get the attention of Paypal’s management to have these problems addressed, and

    2) it looks like we need the capability to “freeze” our accounts at various financial and other Web sites, not just the credit reporting agencies, and to not allow changes or access other than login without the “unfreeze PIN”. Of course, there will be a nominal charge per account…

  15. Discovercard offered to put a verbal password on my account after someone called in and tried to change my account email address. This would seem to very easy to implement as it takes no new technology just a note in your file. I since found retirement account companies also do this, which is useful for securing accounts of elderly parents so even if they give someone their account info it does no harm.

    • 🙂

      Always good to hear DiscoverCard doing something smart.

      I’ve found the major credit cards (Discover, AmEx) to be pretty good in areas like these. * Visa and MasterCard are networks, the cards you get are really issued by individual banks, and individual banks tend to be fairly incompetent (I need to post a link for an RBC account takeover elsewhere in the comments section).

      But partially, it’s size and attack surface, they’ve been around for a really long time, and people have been attacking them for as long. So, I’m sure they’re used to people pretending to be the card holder and having to figure out if they are. And by “used to”, I mean, having actually thought out and written a very careful set of rules that everyone uses, instead of leaving it purely ad-hoc.

  16. Due to an earlier problem, Etrade is supposed to ask me for a password whenever I call customer service. So far, I’ve had to ask each doofi if they are supposed to ask me a question.

  17. Is it really necessary to use PayPal? I have only encountered one instance when I had to use PayPal– to pay the membership fee for a professional organization. I paid via a check mailed to them. The following year that organization had direct payment via credit card.

    I have never used PayPal because I don’t like having a third-party payment processor.

    • As someone who imports collectibles from overseas, I’ve found that credit card companies aren’t very good at checking their “customer says to allow transactions to this company” database. Paypal is useful there. Also useful for reselling event tickets to someone directly so you don’t have to meet up to get cash.

      No way I’m giving Paypal my bank account numbers though, despite all of their nagging.

    • You’re thinking about PayPal as a consumer.

      Brian is essentially a Merchant.

      He needs a way for people to be able to donate money to him from anywhere in the world, using almost any currency and payment method.

      He can’t limit himself to receiving BTC, since many of his readers wouldn’t know how to get one, or wouldn’t want one.

      Donations need to be easy.

  18. Yesterday I made an online, Paypal purchase and had to enter the “2FA” SMS code sent to my phone. Have not tested on other areas (info change) but would seem to me that if they can make me use an SMS code for purchases, they should be able to make it work if I/someone wants to change any account info.

  19. This explains my experience. In early December my PayPal account was breached, the first warning came when my bank unilaterally blocked all accounts associated with the PayPal account. Then I receive warning from PayPal. At the same time I was receiving multiple phishing emails purportedly from PayPal. I didn’t find PayPal much help. I’m considering ditching the service altogether.

  20. The Paypal security fob is also unavailable outside the US (and possibly a few other countries). I applied for one as soon as it came out and after going through the entire lengthy signup process for it was told right at the end that it wasn’t available in my country and there were no plans to make it available.

    (Banks here use phone-based auth for transactions, so whenever there’s a transaction over a set floor limit you get a text telling you about it and including a one-time password to authorise it via your web browser. You can’t actually make a payment/transfer/whatever without 2FA here, while it seems with Paypal you can’t make one with 2FA).

  21. In the last few days I’ve read at least 3 articles complaining about cyber security somewhere and this one is just the latest. So okay. There are hackers out there and dumb ass companies that do online security all wrong. Kvetch, bitch, whine.

    I don’t care. I don’t want to be dragged through the pain of others getting screwed.

    What I want is to learn what companies do things well.

    If PayPal are schmucks, who can we patronize in their stead?

    List the banks across the country that actually have good cyber security protection for their customers who desire online banking.

    Do ANY credit card companies do security right? ANY? If so, who are they?

    I like convenience but to me, convenient is being able to safely conduct financial transactions and know that my money can’t be accessed by someone else.

  22. PayPal allows you to create a Customer Service PIN containing 6 digits of your own choosing. Of course, if a crook simply says “I forgot” and PayPal downgrades to static information, then …

  23. You can change the ‘Customer Service ID’ to confirm your identity when you call customer service, to be a user-selected (6 digit) PIN rather than static information. However, one needs to access this using the classic Paypal site. It is located under “More Settings” on the left-hand side, and it is not easily accessible under the settings page of the default Paypal site.

  24. In addition to two-factor authentication and email notifications of any changes to my PayPal (Business Account), I was able to set a PIN for customer service call in:

    “Customer Service ID

    Customer Service PIN
    When you call Customer Service, we’ll ask you to confirm your identity using this account info.”

    Not sure if this option is available for non-business accounts.

    • I didn’t refresh and missed the other two replies above. Apparently non-business accounts can access the PIN option as well.

      • Yes, I am using a personal (non-business) account. I am not sure if the manner in which you access the Customer Service PIN differs between personal and business accounts, but I go to “more settings” under the classic settings site, and the PIN choice is the fifth one from the top.

      • I see “Classic Site”, at the bottom left of the page; but no “more settings” or “Customer Service PIN”.

        “Profile”/”Settings” has a security tab; but nothing related to a Customer Service PIN.

        The Help search at PayPal yields no articles.

        Googling for the term shows historical PayPal articles, that now display “Article is currently unavailable”.

  25. FWIW, Uber pulled the same nonsense by asking me to send a photocopy of my scanned driver’s license before they would reset my account password and/or delete my account. I refused, of course, and moved my business to Lyft. But that’s hardly the point.

    I was unsuccessful in making the point that unless Uber already had my drivers license in their system as a benchmark, providing them a scanned image after the account was already locked or compromised was pointless. (And frankly, the only way that Uber would ever get a benchmark image of my drivers license on file is (a) because I walked into their offices and handed it to an authorized (whatever that means) employee tasked for such purpose, or (b) after they pried it from my cold dead hand.)

    Pretentious security policies that emphasize optics over effectiveness may appeal to the ill informed but are no better than the arcane security authentication methodologies that are rife in the finance industry today.

    Epic failures abound. . .

  26. So 2fa was shut off with that call also?

  27. Good writeup, Brian..

    Glad to know I’m not the only one who feels that Paypal’s means of authentication are rather like that sequence out of The Simpsons where Burns and Smithers head through all the security gates kinda like “Get Smart” meets “Batman” to go to the reactor control room, to find an old, beaten up and quite ajar screen door with direct access to the outside has allowed a dog in.

    https://www.youtube.com/watch?v=eU2Or5rCN_Y

    I had their credit card shaped 2FA OTP token in my wallet for awhile, until I thought I’d lost my wallet, and cancelled it (only to find it again, but couldn’t reactivate it, and they wanted $30 [!?] for a new token), so I enabled SMS “security”.

    Problem is, even with SMS enabled, one can say “I forgot my token” and then they’ll offer options to answer questions like “complete this account number”…

    Thing is, in Australia, it’s not uncommon to share your banking details (consisting of a six digit Bank State Branch code, and the account number) with folks, so they can do a direct funds transfer (EFT)… and I do some of my banking with a smaller institution (yay for consumer owned banking) so the account numbers ain’t that long. That and one’s BSB and account number is printed on cheques (where people still use them, EFT is much more common here now than cheques).

    … so the details that Paypal are asking for, are out there as you say, and quite trivial to override…

    More widely, I’ve noticed that the smaller of the two banks I use, only offers SMS OTP 2FA or the ability to set up a special, separate “transfer password” for accounts/payees that haven’t already been configured.

    Recently the Australian Government was encouraging people to disable SMS 2FA OTP when they travel:
    http://arstechnica.com/tech-policy/2015/12/australian-government-tells-citizens-to-turn-off-two-factor-authentication/

    SMS does have a problem with needing network connectivity and when one travels, without $$$ global roaming, that just ain’t gonna happen.. I wonder, what’s the problem with allowing folks to use 2FA OTP apps like Google Authenticator?

    Why is it easier for someone to get into my Paypal account than into my Facebook account?

  28. Martin Rubenstein

    It was easy to set up 2FA with Dropbox, Hotmail and Gmail, but with PayPal I’ve tried 3 times and given up. I don’t want an SMS token, I wanted to use a one-time code from an Apple app. Thankfully, for me, having turned 2FA on, I was able to turn it off using only my username and password each time I came to a dead end.

    It seems that even following all the best advice cannot make you secure with PayPal. What’s the alternative? (It’s not a rhetorical question: I’m seeking advice from those far smarter than I.)

  29. What’s with all that PayProxies? We discovered a hack in PayU not more than two weeks ago. http://codel10n.com/how-to-hack-payu-buy-10x-more-same-price/

  30. PAYPAL has two-factor authentication, but only when using their website. 2fa is not supported in their mobile application.
    A lot of these hacked accounts usually can be traced back to a compromised FREE email account. Yahoo is a perfect example of another company that does NOTHING to authenticate users. Get control of a Yahoo account then look to see if it’s linked to a Paypal Account. Easier than trying to find the Space Needle in Seattle.

    Has anyone realized yet that when you SUPPOSEDLY contact paypal customer service you’re in fact talking to a third party contractor that has been hired to provide that service?

    Has it also occurred to anyone else that corporations are not concerned with your security, only theirs? They do not want to implement actual security measures that work because it will increase labor costs to deal with people that inadvertently lock themselves out of their own accounts. (In other words there will be less profit for greedy, over demanding share holders.) So the lowest labor cost and lowest common denominator is used to determine what level of security will be afforded to ALL customers. Take for example global Chip-n-Pin card standards call for pin numbers to be at least six digits, but U.S. financial institutions refuse to do that because it will cost too much in customer service labor to deal with people that cannot remember a six digit pin.

    Shareholder profit is far more important than the trivial concern being demonstrated for the security of customer’s identity, money, or data.