When I noticed an unauthorized payment done with my PayPal account in 2008, I immediately ordered a VeriSign Identity Protection device to add a second layer of protection to the login process on the site. Basically, instead of signing in to PayPal with the email address and password, I'm now asked to enter a security code generated by the device on top of that. The code that is generated by the device is valid for 30 seconds at most, after which it is automatically invalidated.
That's in theory enough to protect the account from keyloggers, trojans and even someone looking over your shoulder while you are logging in to PayPal. There are two issues here that need to be addressed. First, what happens when you lose access the protection device? How can you log in to PayPal then? Second, what happens if you forget your password?
A new article on Naked Security - great blog by the way - highlights a potential flaw in the system. When you forget your PayPal password, you can recover the account by entering two secondary passwords that you have selected during sign up. With the help of this two passwords, you can log in to your PayPal account and do everything that you can normally do, without having to supply a security token first.
You could say now that this is not really an issue, since you have to enter two passwords to log in. The problem here however is that entering the two password to log in to PayPal provides attackers, through the use of a keylogger for instance, with all the information needed to access the full account.
PayPal asks for the account email address first, with options to recover that as well by typing in potential candidates if you have forgotten which email you use on PayPal. You get a link in that email that takes you to a recovery page. Depending on your account settings, you may have multiple options here. I for instance got the option to enter a credit card number associated with the account, or to answer the security questions.
Those security questions are made up of the usual "your mother's birth name, childhood friend or hospital you were born in" questions. Please note that it is highly recommended not to answer the questions correctly during setup, as it is otherwise possible to guess or social engineer those answers to gain account access.
The process bypasses the protection device completely, which is not really clear why that is happening. If you only have forgotten your password, you should still have access to the device, so that you can still generate a code as part of the login process.
The option to recover the password without having to go through a lengthy verification process over phone or by sending in documents to PayPal to verify your identity is certainly convenient, but security should be more important than that.
What's your take on the findings?
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.