Friday, August 26, 2022

What’s Going on with Security at PayPal?

I was minding my own business when I received an SMS from a random number: “PayPal: xxxxxx is your security code. Don’t share your code”. I receive plenty of scam/spam SMS on a daily basis, so at first glance I assumed this was just another phishing attempt.

However, on closer inspection, the attack vector isn’t clear – there’s no link to follow and no action to take. So I started to think the SMS might be legit. Microsoft, for example, will send a 2FA code before validating the password (whyyy?). Or perhaps my PayPal password is in fact compromised.

After a bit of searching, it turns out the SMS is legit, but for neither of the reasons above.

PayPal contains a lot of PII, is connected to my bank account, and contains detailed transaction history. So I have a complex password and TOTP to protect my account. Forget these, because PayPal’s default method of login is now a one-time code sent via SMS. Yes, the very same medium that is generally considered unsafe for two-factor authentication is used by PayPal as the only factor, bypassing both password and TOTP for what appears to be full access to your account. You cannot disable this method of login, and you cannot remove your phone number from your account.

Incredibly, it gets worse. A bad actor still needs to know your phone number, and PayPal helps them by revealing a significant portion of your phone number on the login screen.

Tested in Incognito – as soon as you enter an email address to log into PayPal, an SMS is immediately sent and the phone number is revealed. Remember Mat Honan, whose digital life was destroyed when his iCloud account was wiped in a targeted attack? In that attack, the hacker used social engineering to obtain a partial credit card number from an Amazon employee, which Apple then accepted as verification of identity. With PayPal no such social engineering is required; instead, half your phone number is revealed to anyone who merely enters your email address on the login screen.

Of course, PayPal also allows users to log in by entering their phone number. Now armed with a partial, a bad actor needs only to enumerate the remaining digits to reveal your full phone number. It’s literally as if PayPal wants their users to get hacked.

It blows my mind that any information about an account is revealed before authentication. My personal opinion is that a login form shouldn’t even reveal the existence of an account until the user is authenticated.
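As an added illustration of the point above (not code from the original post and not PayPal's implementation), this Python sketch puts a login step that behaves as the post describes next to one that answers identically for every email address and sends nothing before the password check. The account store, function names, response fields and phone-masking format are all assumptions constructed for the example.

```python
import hashlib
import hmac

_SALT = b"constructed-salt"  # constructed value; use a per-user random salt in practice

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)

# Constructed sample account store (hypothetical data, not from the post).
ACCOUNTS = {
    "alice@example.com": {"phone": "+15555550123", "pw": _hash("correct horse")},
}
_DUMMY = _hash("dummy")  # compared against when no account exists, to even out timing
SENT_SMS = []            # stands in for an SMS gateway

def leaky_identify(email: str) -> dict:
    """Behaviour the post describes: an email alone triggers an SMS and a phone hint."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return {"status": "unknown_account"}       # confirms the account does not exist
    SENT_SMS.append(acct["phone"])                  # message sent before any authentication
    masked = "*" * 6 + acct["phone"][-6:]           # hypothetical masking format
    return {"status": "code_sent", "hint": masked}  # leaks part of the number

def hardened_identify(email: str) -> dict:
    """Identifier step: same answer for every input, nothing sent, nothing revealed."""
    return {"status": "continue"}

def hardened_login(email: str, password: str) -> dict:
    """Password step: one failure response whether or not the account exists."""
    acct = ACCOUNTS.get(email)
    expected = acct["pw"] if acct else _DUMMY
    # Always hash and compare, so a missing account costs the same work as a wrong password.
    matches = hmac.compare_digest(_hash(password), expected)
    if acct is None or not matches:
        return {"status": "invalid_credentials"}
    # Account details and any second-factor prompt appear only after this point.
    return {"status": "second_factor_required"}

if __name__ == "__main__":
    print(leaky_identify("alice@example.com"), leaky_identify("nobody@example.com"))
    print(hardened_identify("alice@example.com"), hardened_identify("nobody@example.com"))
    print(hardened_login("alice@example.com", "wrong"))
    print(hardened_login("alice@example.com", "correct horse"))
```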

What can you do about all of this? Remove as much PII from PayPal as possible. Remove your credit cards & bank accounts. Create a custom email address just for PayPal. See if you can somehow use a different number for PayPal. However, the absolute best thing to do is close your PayPal account. SMS is a public medium and the recipient is not guaranteed to be the account owner. This is not sufficient to protect what is effectively a bank account.



from Hacker News https://ift.tt/Ne05QtW
