WebmasterWorld

How secure is Paypal?

5:32 pm on Apr 17, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 18, 2007
posts:133
votes: 0


I was trying to retrieve a password for my paypal account just for fun when I realized something really odd. Paypal offers you three options to retrieve your password:

Email
Address
Phone number

The 'email' part is perfectly fine. In this case the password reset link is sent to your registered email.

The issue starts with the address and phone number part. With the address part paypal asks you to input your street number or po box number. With the phone number part paypal asks you to enter your phone number after showing you the last three digits of the number!

Now how stupid is that? Anybody with some brains would know that a phone number and the street number can be retrieved from anywhere by anybody. People can check the site's whois (site used in the email); all my friends and office colleagues know my phone numbers.

Isn't this really insecure? I mean paypal does not warn you about these things even in their 'how to protect yourself from identity theft' article. What is the point of setting a strong password when paypal makes it so easy for the hackers?

In any case, if you have a paypal account, remove the PO box number or street number, if you have any, from your paypal address. Plus, also make use of a bogus phone number as your primary phone.

If there is a paypal employee reading this, please remove the 'Phone' and 'Address' options or at least make a mention of this in your documentation.

5:59 pm on Apr 17, 2009 (gmt 0)

Moderator from US 

WebmasterWorld Administrator lifeinasia is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 10, 2005
posts:5842
votes: 187


Are you saying they reveal your password if you enter the correct phone number? If so, that's really stupid! I would have thought that they would call that phone number and reveal the phone number that way.

Where are you seeing this? I went and the only option I saw was for e-mail. (If you forgot your e-mail, you can have them look it up by entering your address, phone number, etc.)

7:43 pm on Apr 17, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 18, 2007
posts:133
votes: 0


Yes, they allow you to reset the password then and there upon entering the phone number or PO Box number.. I am still not able to believe this is happening..

I clicked on 'forgot your password' link on their homepage, below the sign-in

9:32 pm on Apr 17, 2009 (gmt 0)

Moderator from US 

WebmasterWorld Administrator lifeinasia is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 10, 2005
posts:5842
votes: 187


That's what I clicked too - only got the option to enter e-mail address to reset.

Then it asked for e-mail/address/phone.

Then it asked for other security questions.

Only after jumping through all those hoops would it let me reset my password.

5:16 am on Apr 18, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 18, 2007
posts:133
votes: 0


Exactly.. the first option is to enter the email address, the 2nd one is the email/address/phone option. When I enter a PO Box number or Phone Number I get the password reset box.. I was never asked a security question even though I have set both questions in my account. Kind of strange..

6:50 am on Apr 18, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 18, 2007
posts:133
votes: 0


Anyone else experiencing this or is it just me? I tried this on different paypal Ids and I get the same result.

3:13 pm on Apr 18, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 17, 2002
posts:1189
votes: 6


I hear you. This is a big security issue. One which any rogue / disgruntled customer can exploit.

I just did exactly what you said and was able to change the password without any kind of security test, and using information which can be found quite easily.

A customer could easily find out your paypal address as you may have used that to receive payments!

A customer could easily find out your phone no. because that is the number you use for customer contact!

A customer could easily find out your address because it is stated on your website!

A customer could easily find out your bank account number if you also take online bank payments or issued them with a cheque!

Knowing some of that information allows a random person to reset the password of an account they should not have access to.

This is incredible.

3:29 pm on Apr 18, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 17, 2002
posts:1189
votes: 6


Here's another flaw.

One of the security questions asked for my home number ending in XX.

Note this was not a prompt for something like XX 55 if my number was 555-5555 etc. but the exact prompt: Enter the number ending in XX.

Now what do you think happens if I just enter XX.

It turns out on my account I had some blank entries for some department. The paypal security system was dumb enough to ask me to enter the last digits of a blank phone number.

This is even more incredible...

[edited by: Frank_Rizzo at 3:31 pm (utc) on April 18, 2009]

4:07 pm on Apr 18, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 18, 2007
posts:133
votes: 0


Wow.. number ending in xx? now that is insane...

It's good to know that I am not alone here.. any paypal employee here following this thread?

4:24 pm on Apr 18, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 17, 2002
posts:1189
votes: 6


I have mailed them with my concerns. I do hope the mail doesn't end up with an automated 'click here to reset your password', or a head in the sand reply.

This is clearly a very weak password reset system. Anyone with a little knowledge would be able to gather the verification info from a site. Even if that site is not displaying the info it will be very easy to fish.

This concerns me a lot as in the past I have allowed customers to pay by online bank transfer. Any one of those customers now has the information required to reset my password. This is totally unacceptable and NO fault of mine.

I emphasise the no there as I am sure there will be some people who say 'you shouldn't give out your bank account no.'.

Sometimes you have no choice but to give out your bank account no. Write a cheque and it is there in black and white.

---

And yes that phone number option was pretty dumb.

1. How can a programmer allow the inputting of XX as a valid reply to a phone number?

2. How can the security app allow you to continue if the phone number is blank?

3. How can the profile app allow you to create blank phone numbers in the first place!

[edited by: Frank_Rizzo at 4:27 pm (utc) on April 18, 2009]
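The three questions above describe one check done wrong: a "number ending in XX" challenge built from a blank profile field, which a blank (or hint-only) answer then satisfies. The following is an added example of how that challenge is written so it cannot fail that way; it is not PayPal's code and not from the thread, and the sample phone values and the `MIN_PHONE_DIGITS` threshold are constructed assumptions.

```python
import hmac
import re

# Assumption for this example: anything shorter than this is not a usable phone number.
MIN_PHONE_DIGITS = 7


def normalize_digits(raw):
    """Keep only the digits, so '555-1234' and '(555) 1234' compare equal.
    A None or blank profile field normalizes to the empty string."""
    return re.sub(r"\D", "", raw or "")


def phone_hint(stored_phone, hint_len=2):
    """Build the 'number ending in XX' prompt from the number on file.

    Returns None when the stored value cannot support a challenge: a blank
    or too-short number must never be turned into a verification step,
    which is exactly the failure the thread describes.
    """
    digits = normalize_digits(stored_phone)
    if len(digits) < MIN_PHONE_DIGITS:
        return None
    return digits[-hint_len:]


def verify_phone_answer(stored_phone, answer):
    """Check a caller's answer against the number on file.

    The hint digits are shown to the caller, so the answer must be the full
    number, not just the suffix; echoing the hint back fails the length
    check. The final comparison is constant-time.
    """
    if phone_hint(stored_phone) is None:
        return False  # no valid challenge was possible, so nothing can pass
    expected = normalize_digits(stored_phone)
    given = normalize_digits(answer)
    if len(given) != len(expected):
        return False
    return hmac.compare_digest(given.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample values: a blank profile field and a real-looking one.
    for stored in ("", "555-1234"):
        print(repr(stored), "hint:", phone_hint(stored),
              "blank answer accepted:", verify_phone_answer(stored, ""),
              "full number accepted:", verify_phone_answer(stored, "555 1234"))
```

The design point is that refusing to generate a challenge (`phone_hint` returning None) and refusing to accept an answer are the same decision; a verification step that cannot be built must count as failed, not as passed.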

4:54 pm on Apr 18, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 18, 2007
posts:133
votes: 0


It's good to know at least someone here is taking this seriously.. But I am surprised the response is so small!

I have mailed paypal myself; hope they get the message and change this dumb system immediately..

1:28 am on Apr 19, 2009 (gmt 0)

Preferred Member from US 

10+ Year Member

joined:May 6, 2004
posts: 650
votes: 0


This is amazing. I suppose for now it would pay to check your account once a day to make sure that your original password is still working.

This is how Sarah Palin's email account got compromised. Some kid did some googling and one of the security questions was 'where did you meet your sweetheart'. He took a guess that it was at one of the schools she attended and nailed the account. He got caught and is looking at spending significant time incarcerated in a federal prison.

I just went ballistic with one of my credit card companies. The security question was my mother's maiden name.. Come on folks... With genealogy on the web, this is a ridiculous 'password'. Heck, why don't they just make the password MY last name...?

It is frightening that a major company can screw up this much (although I think Palin's email was a Yahoo account - another main account)

Slightly OT - I took a family member in for an operation. While in the waiting room, I got the details of the health of about a half dozen people because the doctors were discussing the details of their cases in normal speaking voices in a room full of people.

I hope the folks at Paypal fix this YESTERDAY!

9:42 am on Apr 19, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 17, 2002
posts:1189
votes: 6


This is a big concern for online retailers for the reasons I gave above:

the building no. and phone no. are very likely to be displayed on the site; the bank account no. is easily obtainable.

Here are a couple more examples of how weak the paypal password reset function is:

Your friend / partner / relative makes a payment to you via paypal. They obviously know your house no and phone no and could also easily know your bank account no.

A few months later you argue with that person and they are not your friend / disown you. That person can now reset your paypal password and clean out your account, or do something like pay all your funds to a charity.

How about a rogue buyer?

You sell an item on an online auction site and have a buyer. The buyer:

asks for your paypal email so he can make the payment
asks for your home address so he can check you are genuine
asks for your phone no. so he can phone you / in case of problems

The buyer then says his paypal account is out of funds so can he make an online payment via your bank account.

If you agree to that the instant you give him your bank account number he's logging into paypal, resetting your password and cleaning out your account.

---

I have not had a reply from paypal yet. I think they need to address this immediately. I am also surprised this has gone on for so long.

10:35 am on Apr 19, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 17, 2002
posts:1189
votes: 6


There are a few sites / blogs which have already spotted this problem.

The recommendations are to not give out your paypal email, or nos. In that case you are not going to be able to use paypal to trade!

Interestingly there is a security review of paypal login / password reset from 2003.

Online password reset: Yes, via email; must answer secret question via email link; if unable to access original email account the new password is sent via snail mail

Back then the password had to be reset via an email link which is good. If you requested a reset only the recipient of the email used for the account can access the screen.

Now of course, anyone can do it online.

Clearly paypal need to restore the reset via email feature. Anyone wishing to reset their password should have to receive an email direct to the email of their account. That email should have a link back to the reset page along with a token.

I really can not believe that this has happened. Who the heck decided to downgrade the security features at paypal?

11:50 am on Apr 19, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 17, 2002
posts:1189
votes: 6


Guys. Something strange here.

I just demonstrated this to the wife and showed her how anyone with info could reset her password.

I got past the stage where you enter the building no. and got this screen:

Verify your email address
You should receive an email at ........ Click the link in the email to continue re-setting your password.

So how come the wife's personal account has this security feature but my business account does not?

3:46 pm on Apr 19, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 18, 2007
posts:133
votes: 0


That's really odd Frank..

I had this issue with my friend's personal account as well. So I don't think this has anything to do with the type of account.

Could this be a security glitch that has affected only a few paypal accounts?

3:54 pm on Apr 19, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 17, 2002
posts:1189
votes: 6


Date the account was created possibly?

Ones which have had higher trading, proper account verification due to going over value threshold?

5:55 pm on Apr 19, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 18, 2007
posts:133
votes: 0


I checked two accounts, one which was created a few months back and one a couple of years old.. same issue with both..

8:13 pm on Apr 19, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 17, 2002
posts:1189
votes: 6


paypal support got in touch with me. They confirm that there should be a 'verify your email address stage' where you can not continue until you receive and respond to an email.

Clearly in our case that option never happens. I hope they sort this asap.

[edited by: Frank_Rizzo at 8:14 pm (utc) on April 19, 2009]

8:26 pm on Apr 19, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 18, 2007
posts:133
votes: 0


That's great to know.. hope they sort this out for all accounts. I am still waiting for a reply from them.

I think the best way to do this would be to remove the 'address' and 'phone' options altogether. After all they both will still end up with an email verification, which is what the first option (the email option) is all about.

A better, more secure way of course will be to first confirm the phone number or address and then send password reset information to the email on file.
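Two posts in this thread sketch the same fix: the earlier one says a reset should go through a link emailed to the account's own address, carrying a token, and the one above says the phone or address answers may come first but the reset information must still go to the email on file. Below is an added example that puts both ideas into one flow. It is not PayPal's code and not from the thread; the account fields, the 15 minute token lifetime and the `outbox` stand-in for a mail sender are all assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60   # assumption: a reset link is valid for 15 minutes
GENERIC_REPLY = "If the details match an account, a reset link has been emailed."


@dataclass
class Account:
    """Constructed account record; the field names are assumptions for this example."""
    email: str
    phone: str
    street_number: str
    password_hash: str   # stand-in value; a real store would hold a slow password hash


@dataclass
class PendingReset:
    email: str
    expires_at: float
    used: bool = False


def _digits(raw):
    return re.sub(r"\D", "", raw or "")


def _same(stored, answer):
    """Constant-time comparison that is never true for a blank stored value,
    so an empty profile field cannot be 'matched' by an empty answer."""
    stored, answer = (stored or "").strip().upper(), (answer or "").strip().upper()
    return bool(stored) and hmac.compare_digest(stored.encode(), answer.encode())


def _token_hash(token):
    """Only a hash of the token is stored; a copy of the table yields no usable links."""
    return hashlib.sha256(token.encode()).hexdigest()


class ResetService:
    def __init__(self, accounts, now=time.time):
        self.accounts = {a.email: a for a in accounts}
        self.pending = {}    # token hash -> PendingReset
        self.outbox = []     # (email, token) pairs "sent"; stand-in for a mailer
        self.now = now       # injectable clock so expiry can be exercised

    def request_reset(self, email, phone_answer, street_answer):
        """Step 1: the phone/address answers decide whether a mail is sent, but
        they never let the caller set a password on their own. The reply is the
        same whether the account exists or the answers were right, so the form
        leaks nothing about either."""
        acct = self.accounts.get(email)
        if acct is not None and self._knowledge_ok(acct, phone_answer, street_answer):
            token = secrets.token_urlsafe(32)
            self.pending[_token_hash(token)] = PendingReset(email, self.now() + TOKEN_TTL_SECONDS)
            self.outbox.append((email, token))   # the link in the mail carries this token
        return GENERIC_REPLY

    def _knowledge_ok(self, acct, phone_answer, street_answer):
        # _same() refuses blank profile fields, so an account with no phone on
        # file cannot be reset by typing nothing (the thread's 'XX' case).
        return (_same(_digits(acct.phone), _digits(phone_answer))
                and _same(acct.street_number, street_answer))

    def complete_reset(self, token, new_password_hash):
        """Step 2: only the holder of the emailed token can set the password,
        once, and only while the token is unexpired."""
        rec = self.pending.get(_token_hash(token))
        if rec is None or rec.used or self.now() > rec.expires_at:
            return False
        rec.used = True
        self.accounts[rec.email].password_hash = new_password_hash
        return True


if __name__ == "__main__":
    # Constructed sample account; nothing here is real data.
    svc = ResetService([Account("seller@example.com", "555-1234", "12", "old-hash")])
    print(svc.request_reset("seller@example.com", "555 1234", "12"))
    print("mails sent:", len(svc.outbox))
    _, token = svc.outbox[0]
    print("reset with emailed token:", svc.complete_reset(token, "new-hash"))
    print("reuse of the same token:", svc.complete_reset(token, "again"))
```

With this shape, a rogue buyer who knows the phone number and street number can at most cause an email to be sent to the account owner, which is itself a useful alarm; the password only changes for whoever controls the mailbox on file.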

7:09 pm on Apr 20, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 17, 2002
posts:1189
votes: 6


I had a few email conversations with paypal and then they said I had to phone them up just to prove that I was who I was.

29 minutes at 40p a minute (mobile phone charge, not paypal's) equates to about 5 beers. I wouldn't mind if there was a resolution after that but there wasn't.

I walked through the problem with the call assistant. She agreed that there was a problem in that at no stage was there an email confirmation sent - there should be.

She checked with the next level and they said it was because there were no security questions on my account. There were - two of them. But we walked through changing them.

On the next try the problem was still there so another call to the next level stated that:

"It is to do with your IP address. Paypal remembers your IP and doesn't give you the email / verification screen if you try to reset your password on the same PC as the one you usually administrate your account from."

I was advised to login from another PC and I said I would do that later.

I tried a totally different PC on a different ISP. Guess what - there is still no verification.

Where the heck do I go now? My account is not secure. How do you escalate these things? Do I have to take this to one of the big IT news sites and embarrass paypal? I don't want to do that but if there is no resolution here...

(BTW, I have changed my email to a non guessable one. I am suspending receiving payments via email so that no one knows the email and thus can not reset the password).

4:41 am on Apr 21, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 18, 2007
posts:133
votes: 0


I tried this with a different ISP after setting the security question, and I agree that the issue remains..

The fact that these people take a huge share of everyone's profit and don't take such a major security flaw seriously is disgusting. Even more disgusting is the fact that they allowed this to happen in the first place. They make a profit out of every single transaction so what is holding them back from making their system more secure?

5:30 am on Apr 21, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:July 29, 2007
posts:1975
votes: 192


If Paypal has security issues this severe I'd be willing to bet that we see a massive attack against paypal on or around the 25th of a month. Why? Because Paypal is owned by eBay and eBay makes millions of dollars in payments via paypal to its EPN affiliates.

The bad guys know when to strike to ensure finding cash in those accounts.

Finding the affiliates isn't rocket science either since they congregate on an eBay forum and discuss their websites... many of which have paypal donate buttons.

This has the potential to be a very costly flaw, if it exists as described.

8:00 am on Apr 21, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 17, 2002
posts:1189
votes: 6


I am sure there are a lot more out there with this flaw.

I only discovered my account had the flaw after reading spritualseo's post here. There could be others who have never used the forgotten password feature and thus do not realise that there is a huge open door on their account.

I posted on another site and found someone with the problem.

Via google I also found a blogger from India who had the same problem in May 2008.

I get the impression this is a flaw which the higher levels of Paypal know about but they have no solution. Their response seems to be one of either head in sand or not to admit a problem exists.

I think I have no choice but to close down my paypal account.

12:00 pm on Apr 21, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 17, 2002
posts:1189
votes: 6


Just spent another half hour on the phone (this time found a non 08707 number).

Going round in circles here. Assistant not understanding the problem at first, then trying to say that 'it can't happen'. When I walk through the problem and they see the screen I see they realise the problem.

After being put on hold for a further 10 minutes I was advised on the lines that:

"our security team do not wish to discuss this. they are confident that my password can not be reset"

I have to step this up now.

7:50 pm on Apr 21, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 18, 2007
posts:133
votes: 0


Wow.. This is cool.. I can't believe they said that the password cannot be reset even after the demonstration!

8:21 pm on Apr 21, 2009 (gmt 0)

Preferred Member from US 

10+ Year Member

joined:May 6, 2004
posts:650
votes: 0


I just tried the reset for my account and it did do the 'send an email' thing. However, based on what Frank_Rizzo has said, I'm not sure that it wouldn't go through for someone else without doing the send an email routine.

The paypal account is one thing. I usually keep my paypal account near zero. However, it is linked to my corporate bank account which could potentially be a problem.

9:34 pm on Apr 21, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 17, 2002
posts:1189
votes: 6


After the call I made another test with a relative at the other end of the country. I got them to try and reset my password.

Surprisingly they got the 'send an email' verification stage.

Now it could be just a coincidence / strings pulled or indeed due to a different IP address. Paypal did say yesterday that they remember the IP used to administer the account and if you try resetting the password on that same IP you won't get the verification.

A couple of issues here. First I am not so sure it is IP based as I did run a test yesterday using my mobile ISP and the problem still existed.

Secondly why would any security app want to let the shields down if you used that PC 'legitimately' prior?

What if you rent an apartment with others. You login to your paypal account, administer, log out and go for a walk.

Your friend goes up to the PC, hits forgot password, enters your paypal email, building no (he lives there too), bank account number (you pay him rent by cheque) and there you go. He's now nicked your money.

Need more investigation on this. There could be an IP / cookie angle but even so, there should ALWAYS be an email verification stage.

spiritualseo, can you contact a trusting accomplice and ask them to try accessing the reset screen with your details?

10:18 pm on Apr 21, 2009 (gmt 0)

Junior Member

10+ Year Member

joined:Apr 18, 2007
posts:133
votes: 0


I already did that Frank.. The person was using an entirely different ISP and he was able to reset my pass. I also tried this on two different IPs, one at my home and one at my office and the issue persists.

Could it be that the paypal guys have resolved the issue with your account? Maybe you could check it with the mobile ISP again..

Fashiongal

11:08 pm on Apr 21, 2009 (gmt 0)

Inactive Member
Account Expired

Frank,

You are totally onto something! Now I'm afraid to use Paypal! I was going to start a thread asking if you only use Paypal for your internet business, then why do you need e-insurance? Now I guess you've answered that with this fiasco!
