Forum Moderators: phranque
Email
Address
Phone number
The 'email' part is perfectly fine. In this case the password reset link is sent to your registered email.
The issue starts with the address and phone number part. With the address part PayPal asks you to input your street number or PO box number. With the phone number part PayPal asks you to enter your phone number after showing you the last three digits of the number!
Now how stupid is that? Anybody with some brains would know that a phone number and the street number can be retrieved from anywhere by anybody. People can check the site's whois (site used in the email). All my friends and office colleagues know my phone numbers.
Isn't this really insecure? I mean paypal does not warn you about these things even in their 'how to protect yourself from identity theft' article. What is the point of setting a strong password when paypal makes it so easy for the hackers?
In any case, if you have a PayPal account, remove the PO box number or street number if you have any from your PayPal address. Plus also make use of a bogus phone number as your primary phone.
If there is a PayPal employee reading this, please remove the 'Phone' and 'Address' options or at least make a mention of this in your documentation.
Spiritualseo. I did wonder if they had pulled some strings in the background.
The conversation I had with them did get a bit warm (spending a total of 1 hr on a cellphone talking to people with their heads in the sand is not my idea of a friendly chat). I did state to them that if I don't get a satisfactory answer within 24 hrs I would get one of my customers to record a video of him resetting my password and post it up. Their reply was on the lines of "Yeah, you do that. See what we care".
I can understand the advantage of having e-insurance for true fraud. But this is not fraud. It is a bug in someone's software app. A fault which rather than requiring insurance requires court proceedings / compensation if money ever does go missing.
Maybe it is paypal which requires the e-insurance.
[edited by: Frank_Rizzo at 8:32 am (utc) on April 22, 2009]
First off, this exploit ONLY affects personal accounts. Premier and Business accounts are not affected, but it is still an issue.
I checked my ISP email for the first time since summer of 2008 (I never use the account). I got the common Mother's Day email on the PayPal account linked to my ISP email. You know, the one that says "Use your positive PayPal balance for a Mother's Day present".
That stated, and also stating the PayPal account hasn't been used in at least a year, and likely not from this IP, I logged into it (or attempted to anyway) to see what my positive balance was. It was one cent. I had to do the whole reset password thing, and since it was a personal account, it accepted just my address number, and then prompted me to change the password.
So whoever gave you the answer that "It will track based on IP" is giving you a load of crap. End of.
Now here's an example. If any of you have ever registered domains (seeing what type of forums these are I would safely bet most of you are at least familiar with the process), you are required to enter in your real name, address, and phone number per ICANN rules. My normal PayPal account is Premier, but, if it was Personal (the lowest), it would have been compromised, like that, because any moron or script kiddie wanting access to my $$ would have it.
Now to dig up a bit of dirt, I have attempted to try this procedure on 2 other accounts. My Personal account, and an account of another person I knew which I could easily obtain info needed to crack open a personal account. Did not work on my premier account, and did not work on a business/premier account (it sent a password reset email, the way it should be done in the first place).
Since y'all have seemed to send over concern to PayPal, and since they don't seem to want to actually DO anything about this, I'm tempted to go post this article on Digg. While I don't want to see innocent people get their accounts compromised, I do want to send a Wake-Up-Call to the moron in charge of PayPal Security.
A test I ran on a different PC at the other end of the country did not have the problem. Only PCs I had used previously would show the lack of security.
PayPal have done something now as there is a change in the password reset procedure. If you select a verification method (such as address) and get it wrong 3 times that option is removed and you then have to select one of the other options.
I still think there is a problem here though. If they are using IP, or cookie to detect that 'the PC you have logged on successfully does not require the extra security level' (my interpretation of PayPal security team explanation) then this is really insecure.
Imagine what would happen if you logged in to check your paypal account on a public PC.
What if you share an apartment with others. You login to PayPal and logout. Your colleague waits until you have gone out and could reset your password and do what he wants with the account.
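As an added illustration, not code from this thread or from PayPal, here is a small Python model of the reset flow the posters describe: the 3-strike rule that withdraws a failed method, the Personal-account behaviour where a correct street number on a previously used PC is enough, and a hardened policy where the email link is always required so a cookie left on a shared or public PC cannot downgrade the check. Method names, answer values and the `trusted_device` flag are constructed assumptions.

```python
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3                              # the 3-strike rule described in the thread
PUBLIC_INFO_METHODS = {"address", "phone"}    # answers obtainable from WHOIS, colleagues etc.


@dataclass
class ResetSession:
    """State of one password-reset attempt for one account (constructed model, not PayPal's)."""
    answers: dict                      # constructed secrets, e.g. {"address": "221", "phone": "4567"}
    require_email_link: bool = True    # hardened policy: a knowledge check never stands alone
    failures: dict = field(default_factory=dict)
    removed: set = field(default_factory=set)
    email_link_confirmed: bool = False

    def available_methods(self):
        """'email' is always offered; a knowledge method disappears after MAX_ATTEMPTS failures."""
        return ["email"] + sorted(m for m in self.answers if m not in self.removed)

    def confirm_email_link(self):
        """The user clicked the link sent to the registered mailbox (out-of-band proof)."""
        self.email_link_confirmed = True

    def attempt(self, method, answer, trusted_device=False):
        """Try one verification method. trusted_device models the cookie/IP check the
        poster suspects; it must not matter under the hardened policy (shared or public PC)."""
        if method not in self.available_methods():
            return "method_removed"
        if method == "email":
            return "link_sent"                 # the reset link goes to the registered email
        if answer != self.answers[method]:
            self.failures[method] = self.failures.get(method, 0) + 1
            if self.failures[method] >= MAX_ATTEMPTS:
                self.removed.add(method)       # option withdrawn, user must pick another
                return "method_removed"
            return "wrong"
        if method in PUBLIC_INFO_METHODS:
            # Weak policy from the thread: a PC seen before plus a correct street number
            # is enough. Hardened policy: the email link is required regardless of device.
            downgraded = trusted_device and not self.require_email_link
            if not downgraded and not self.email_link_confirmed:
                return "link_required"
        return "reset_allowed"
```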