Bypass PayPal's Two-Factor Authentication (duosecurity.com)
112 points by seanponeil on June 25, 2014 | hide | past | favorite | 28 comments



I'm glad this was found independently and reported. While I was at PayPal I had started email threads about it but nothing was done. I am sure I was not the only one there who "discovered" this. For instance, even if you have 2FA you can add PayPal to Uber as if you never had 2FA.

The other big issue with their 2FA authentication is that it really isn't two factor. You can say you don't have the token and instead can answer security questions. Two factor is supposed to be something you know plus something you have. "Falling back" to security questions is basically just relying on things you know.


I would think that, if you have a big fraud-detection engine like Paypal's in place, 2FA isn't so much an enforced requirement for login, as it is a big fraud-signal when the user chooses to circumnavigate it.

Like any other fraud-signal, though, it can be countered with enough evidence that you are who you say you are--with security questions at a weak level (maybe enough to counter a 2FA token that was only set up a few days ago), or with demands for scanned photo ID at a higher level (if you use 2FA all the time.)


If there is no legitimate reason to circumnavigate 2FA, i.e. the S/N of detecting fraud by detecting circumnavigation is 1.0, why not just automate the anti-fraud enforcement and make the circumnavigation impossible?


Yes, I've contacted PayPal before and asked them for a user setting to be able to disable the 2FA fallbacks, but they don't really seem to care that much for security. I hope someone from PayPal Security team reads this and considers implementing this change.


I was also thinking that the community should start calling this type of implementation 2FAil, to give the companies a little extra 'shame peer pressure'... Anyone up for making a logo, heartbleed-style? :)


It is not real two-factor authentication if you can bypass it with questions.

It is more security theatre, giving PayPal's users a feeling of security.


Based on this timeline, I don't understand why Duo didn't go public on 2014-04-28 when PayPal began being weaselly about their bug bounty program. This probably would be better for users for two reasons: one, in the past 2 months, this bug may have been exploited in the wild, and two, it would make it easier for users to make informed decisions about which payment providers to use in the future (as well as which 2FA providers are technically competent).


The disclosure process is always fraught with peril (and pain), and it's a safe bet that no matter what a discloser does, there will be some person or group who thinks they should have handled it differently. In a case like this, when reasonable time is given, and the world gets to benefit from a great deal of work (effectively done for free), I tend to simply say thanks, and make notes.


I was wondering the same. I think PayPal was very unresponsive and they could for sure have done a better job. That said, when they asked for 3 days more I think Duo could have complied, and it would have made everyone happier.


> That said when they asked for 3 days

They asked for a month and 3 days. Duo wanted to disclose on June 25th, PayPal has a fix on July 28th.


Hey guys - it's Anuj from PayPal. I just published a blog post that explains what we are doing to address this. https://www.paypal-community.com/t5/PayPal-Forward/Working-w...


A bigger problem for me is that two-factor authentication for PayPal is available only in a few countries (US, UK and Germany I think). I tried to get a token but no chance; not even a software one with a mobile app. When contacting support I was probably considered a freak - they completely didn't understand what the problem was without 2FA. I really don't get why, being global, they limit 2FA to a few countries.


Actually I use PayPal more often since they provide 2FA. They are stupid because this could be a win-win for them and tech-aware consumers like us. I also wish they used Google Authenticator instead of this SMS... they (SMS) sometimes take ages before being delivered.


They also support VeriSign VIP (https://idprotect.verisign.com/mainmenu.v), which you could use as a mobile app - should be better than waiting for SMS. At least in theory, as I cannot validate it, because 2FA is not available in Poland.


Unfortunately, there is no open source implementation of the VIP number generator. On the other hand, Google Authenticator is based on TOTP, and has several open source implementations. I don't want to run a separate, proprietary 2FA app for every single service, when they can all just use the standard set out in IETF RFC 6238.


Thanks a lot @prohor! But it was quite complicated and hidden to activate it in German PayPal. But now it works. wohoo...


Glad it worked. And this is what I don't get. I understand they may not want to distribute hardware tokens in some countries, support SMS, as it is a burden. But why don't they just allow me to activate an existing token?!


You never trust the client; this is amateur hour shit TBH. How could a company like PayPal let something like this through? SURELY there were employees raising hell before it ever hit the app stores?


This. When the employee wrote that popup and manually logged out of the app they must have been high.


It's shit like this that makes me trust bitcoin. Down with fiat.


Right, because poorly designed software only gets written when fiat currency is involved?

I hope you were being sarcastic...


It's interesting to watch corporations expose one another's vulnerabilities in a public way. It seems like this was done pretty fairly, giving PayPal ample time to address the bug, so I guess that's neat.


Who else to keep companies honest but their competitors?


I also do not like the two-factor authentication from PayPal. Sometimes the SMS takes ages before it arrives (I waited more than 10 minutes here in Germany). And it is absolutely not possible to pay on eBay with PayPal and 2FA when using a mobile browser or the eBay Android app. I wish they used solutions like Google Authenticator for their 2FA.


I don't know if this is common knowledge but PayPal lets you log in with your CC number instead of the auth token sent via text message. I know because the text messages often do not arrive at all for me, even after repeated requests.

It "only" works one time though; the second time you're asked the dreaded "security question".


Three months??? It took a major global payment processor three months to fix an issue as big as this?

And people wonder why I'm constantly telling them to stop using PayPal.


It's not surprising that Duo Security is interested in exposing this flaw in their 2FA flow, since their product is a somewhat better 2FA solution. I've evaluated their solution for my project, but ultimately settled on MePIN which offered similar security at a lower price.


You can end up with the same problem even if you use Duo.



