Friday, 27 June 2014

Paypal's 2-Factor-Authentication (2FA): The Good, The Bad, And The Ugly. (Incl. full 2FA bypass without security questions)

Introduction

Paypal, like many other services, offers 2-Factor-Authentication in an attempt to strengthen the security of users' accounts. As noted on Paypal's website, "The security key gives you an extra layer of security when you log in to your PayPal account. It creates random security codes to use along with your regular username and password."

Paypal provides two ways of using this service: through a one-time code sent as an SMS to your mobile phone, or through a physical, credit-card-sized code generator. (Or optionally, a VeriSign ID Protection key, which you can set up on your phone for free here.)

An example of Paypal's security-card

Paypal's implementation of 2FA has been heavily scrutinized[1] again[2] and again[3] due to the apparent lack of security surrounding it. They allow security questions to be used to bypass the blockade of not having access to your 2FA device, and sometimes, even when you do have access to your device, the code just doesn't work.


In this article, I'll be detailing "the good, the bad, and the ugly" of Paypal's 2FA programme: what works, how it works, how it doesn't work, and the security implications (full disclosure: there is/was a complete bypass of the 2FA without security questions).


Personally, I use the SMS version of Paypal's 2FA, thus I can only directly comment on that. Nonetheless, I'll reference a few articles in regard to their credit-card-sized number generator and the VeriSign key generator.