18 June, 2011
PayPal has had a tough week in the news. Earlier this week, a user claimed to have found a way to reset an arbitrary account’s password through the Forgot Password workflow. From his description, it seemed like a low-sophistication attack (aka something he accidentally stumbled upon).
Much of the reaction on Hacker News was to quickly remove your bank account from your PayPal so an attacker wouldn’t be able to steal your money.
As I saw the news, I quickly logged in to PayPal to remove my bank account. I had about $25 sitting in my PayPal account, so I decided to transfer the remaining funds to my bank account before disassociating it. Except it turns out that when you do this, you lock the association of your bank account for up to 3 to 4 days.
In the meantime, I decided to update the primary email address on the account to one that I check more often. I typed in my newer email address, they sent me a confirmation to the new email address, and I was done. Wait… I was done? It was that easy?
They never gave my older email address an opportunity to cancel this new primary email address. I logged in to my older email account and saw an email from PayPal saying that my primary email address had been changed and if this was a problem to call them. Huh?
So not only can someone claim a way to get access to any PayPal account, they can also change the primary email address of the account without giving the owner any opportunity to stop it before it’s too late?
PayPal needs to make a lot of changes
There is no way that I can cover all of the things that PayPal should do to protect their customers, but I can suggest a few.
First, they need to give account owners an opportunity to guard themselves against people changing crucial account information. It shouldn’t be so easy to add/remove an email address from the account.
Second, they need to advertise their Security Key feature (aka two-step authentication) more prominently. I didn’t know that they had one until I started writing this blog post.
Third, they should set up a secret passphrase that is included in all emails from them. The bank that I use does this, and it is a very low-tech but successful way to know if an email is from a phishing scam.
Fourth, it turned out that the security vulnerability the original user claimed wasn’t the one that had actually been found. PayPal doesn’t require you to confirm your email address before you can continue with creating your account. Some user signed up with this guy’s email address, and that is how he got access. None of this would be news if they required you to confirm your email address.
Last, PayPal needs to do a better job responding to these allegations. At least let people know that you are looking into the issue.
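One way to build the first recommendation, as an added example that is not PayPal’s code: a primary-email change that only takes effect after the new address confirms it, while the old address holds a cancel link that can veto or roll back the change for a grace period. GRACE_HOURS, the outbox list and the hour-based clock are assumptions standing in for real mail delivery and real time.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

GRACE_HOURS = 72  # assumption: how long the old address can undo a change

@dataclass
class Account:
    email: str
    pending_email: Optional[str] = None
    confirm_token: Optional[str] = None  # mailed to the NEW address
    cancel_token: Optional[str] = None   # mailed to the OLD address
    cancel_deadline: float = -1.0        # clock hour after which cancel is refused
    previous_email: Optional[str] = None
    outbox: list = field(default_factory=list)  # stand-in for SMTP: (to, purpose, token)

    def mail(self, to, purpose):
        token = secrets.token_urlsafe(16)
        self.outbox.append((to, purpose, token))
        return token

def request_email_change(acct, new_email, now):
    """Refused while an earlier change is still revocable, so a second change cannot silence the original owner."""
    if now <= acct.cancel_deadline:
        return False
    acct.pending_email, acct.previous_email = new_email, None
    acct.confirm_token = acct.mail(new_email, "confirm-new-email")
    acct.cancel_token = acct.mail(acct.email, "cancel-email-change")
    acct.cancel_deadline = now + GRACE_HOURS
    return True

def confirm_new_email(acct, token, now):
    """The new address proves control; the old address keeps its veto until the deadline."""
    ok = (acct.pending_email is not None and now <= acct.cancel_deadline
          and secrets.compare_digest(token, acct.confirm_token or ""))
    if ok:
        acct.previous_email, acct.email = acct.email, acct.pending_email
        acct.pending_email = acct.confirm_token = None
    return ok

def cancel_email_change(acct, token, now):
    """From the OLD address: veto a pending change or roll back one already applied."""
    ok = (acct.cancel_token is not None and now <= acct.cancel_deadline
          and secrets.compare_digest(token, acct.cancel_token))
    if ok:
        if acct.previous_email:
            acct.email, acct.previous_email = acct.previous_email, None
        acct.pending_email = acct.confirm_token = acct.cancel_token = None
        acct.cancel_deadline = -1.0
    return ok
```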