The (lack of) security at PayPal

18 June, 2011 § 2 Comments

PayPal has had a tough week in the news. Earlier this week, a user claimed to find a way to reset an arbitrary account’s password through the Forgot Password workflow. From his description, it seemed like a low-sophistication attack (aka something he accidentally stumbled upon).

Much of the reaction on Hacker News was to quickly remove your bank account from your PayPal so an attacker wouldn’t be able to steal your money.

As I saw the news, I quickly logged in to PayPal to remove my bank account. I had about $25 sitting in my PayPal account, so I decided to transfer the remaining funds to my bank account before disassociating it. Except it turns out when you do this you lock the association of your bank account for up to 3 to 4 days.

In the meantime, I decided to update the primary email address on the account to one that I check more often. I typed in my newer email address, they sent me a confirmation to the new email address, and I was done. Wait… I was done? It was that easy?

They never gave my older email address an opportunity to cancel this new primary email address. I logged in to my older email account and saw an email from PayPal saying that my primary email address had been changed and if this was a problem to call them. Huh?

So not only can someone claim a way to get access to any PayPal account, they can also change the primary email address of the account without giving the owner any opportunity to stop it before it’s too late?

PayPal needs to make a lot of changes

There is no way that I can cover all of the things that PayPal should do to protect their customers, but I can try a few.

First, they need to give account owners an opportunity to guard themselves against people changing crucial account information. It shouldn’t be so easy to add/remove an email address from the account.

Second, they need to advertise their Security Key feature (aka two-step authentication) more prominently. I didn’t know that they had one until I started writing this blog post.

Third, they should set up a secret passphrase that is included in all emails from them. The bank that I use does this, and it is a very low-tech but successful way to know if an email is from a phishing scam.

Fourth, it turned out that the security vulnerability the original user claimed wasn’t the security vulnerability that had been found. PayPal doesn’t require you to confirm your email address before you can continue with creating your account. Some user signed up with this guy’s email address and that is how he got access. None of this would be news if they required you to confirm your email address.

Last, PayPal needs to do a better job responding to these allegations. At least let people know that you are looking into the issue.
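
The first recommendation above, and the missing cancel step described earlier in the post, sketched as an added example (not part of the original post and not PayPal's code): a primary-email change stays pending until the new address confirms it and a hold period passes in which the old address can cancel. The 72-hour hold, the class names and the token handling are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

HOLD_SECONDS = 72 * 3600  # assumed cancel window; the post does not specify one

def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()  # store hashes, never raw tokens

@dataclass
class PendingChange:
    new_email: str
    confirm_hash: bytes
    cancel_hash: bytes
    requested_at: float
    confirmed: bool = False

class Account:
    def __init__(self, email: str):
        self.email, self.pending = email, None

    def request_change(self, new_email: str, now: float):
        # confirm token is mailed to the NEW address, cancel token to the CURRENT one
        confirm, cancel = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.pending = PendingChange(new_email, _digest(confirm), _digest(cancel), now)
        return confirm, cancel

    def confirm(self, token: str) -> bool:
        p = self.pending
        if p and hmac.compare_digest(p.confirm_hash, _digest(token)):
            p.confirmed = True  # proves control of the new mailbox, nothing more
            return True
        return False

    def cancel(self, token: str) -> bool:
        p = self.pending
        if p and hmac.compare_digest(p.cancel_hash, _digest(token)):
            self.pending = None  # the current owner vetoed the change
            return True
        return False

    def finalize(self, now: float) -> bool:
        # apply only if the new address confirmed AND the hold elapsed uncancelled
        p = self.pending
        if p and p.confirmed and now - p.requested_at >= HOLD_SECONDS:
            self.email, self.pending = p.new_email, None
            return True
        return False
```

Until `finalize` succeeds, notifications and password resets keep going to the current address, so someone who briefly controls a session cannot lock the owner out just by confirming a mailbox of their own.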


§ 2 Responses to The (lack of) security at PayPal

  • A.J. says:

    I’m not sure how I feel about PayPal as a company. There were several instances I heard of how they froze people’s accounts! This security stuff is even more to feel uncomfortable about using them!

    • Totally agree.
      I had my account fraudulently used last week, 28th June 2012. I live in the UK, transaction was for Taiwan, no one thought to query this. PayPal’s response… Oh it’s your password that caused it, bearing in mind I hardly use PayPal and the said password is very unusual, I think it very slack. Yes they have all the answers. But I will never use them again.


You are currently reading The (lack of) security at PayPal at JAWS.

