The 'email' part is perfectly fine. In this case the password reset link is sent to your registered email.
The issue starts with the address and phone number part. With the address part paypal asks you to input your street number or po box number. With the phone number part paypal asks you to enter your phone number after showing you the last three digits of the number!
Now how stupid is that? Anybody with some brains would know that a phone number and the street number can be retrieved from anywhere by anybody. People can check the site's whois (site used in the email), and all my friends and office colleagues know my phone nos.
Isn't this really insecure? I mean paypal does not warn you about these things even in their 'how to protect yourself from identity theft' article. What is the point of setting a strong password when paypal makes it so easy for the hackers?
In any case, if you have a paypal account, remove the PO box number or street number, if you have any, from your paypal address. Also make use of a bogus phone number as your primary phone.
If there is a paypal employee reading this, please remove the 'Phone' and 'Address' options or at least make a mention of this in your documentation.
Where are you seeing this? I went and the only option I saw was for e-mail. (If you forgot your e-mail, you can have them look it up by entering your address, phone number, etc.)
Then it asked for e-mail/address/phone.
Then it asked for other security questions.
Only after jumping through all those hoops would it let me reset my password.
I just did exactly what you said and was able to change the password without any kind of security test, and using information which can be found quite easily.
A customer could easily find out your paypal address as you may have used that to receive payments!
A customer could easily find out your phone no. because that is the number you use for customer contact!
A customer could easily find out your address because it is stated on your website!
A customer could easily find out your bank account number if you also take online bank payments or issued them with a cheque!
Knowing some of that information allows a random person to reset the password of an account they should not have access to.
This is incredible.
One of the security questions asked for my home number ending in XX.
Note this was not a prompt for something like XX 55 if my number was 555-5555 etc. but the exact prompt: Enter the number ending in XX.
Now what do you think happens if I just enter XX.
It turns out on my account I had some blank entries for some department. The paypal security system was dumb enough to ask me to enter the last digits of a blank phone number.
This is even more incredible...
[edited by: Frank_Rizzo at 3:31 pm (utc) on April 18, 2009]
This is clearly a very weak password reset system. Anyone with a little knowledge would be able to gather the verification info from a site. Even if that site is not displaying the info it will be very easy to phish.
This concerns me a lot as in the past I have allowed customers to pay by online bank transfer. Any one of those customers now has the information required to reset my password. This is totally unacceptable and NO fault of mine.
I emphasise the no there as I am sure there will be some people who say 'you shouldn't give out your bank account no.'.
Sometimes you have no choice but to give out your bank account no. Write a cheque and it is there in black and white.
And yes that phone number option was pretty dumb.
1. How can a programmer allow the inputting of XX as a valid reply to a phone number.
2. How can the security app allow you to continue if the phone number is blank
3. How can the profile app allow you to create blank phone numbers in the first place!
[edited by: Frank_Rizzo at 4:27 pm (utc) on April 18, 2009]
This is how Sarah Palin's email account got compromised. Some kid did some googling and one of the security questions was 'where did you meet your sweetheart'. He took a guess that it was at one of the schools she attended and nailed the account. He got caught and is looking at spending significant time incarcerated in a federal prison.
I just went ballistic with one of my credit card companies. The security question was my mother's maiden name. Come on folks... With genealogy on the web, this is a ridiculous 'password'. Heck, why don't they just make the password MY last name...?
It is frightening that a major company can screw up this much (although I think Palin's email was a Yahoo account, another main account).
Slightly OT - I took a family member in for an operation. While in the waiting room, I got the details of the health of about a half dozen people because the doctors were discussing the details of their cases in normal speaking voices in a room full of people.
I hope the folks at Paypal fix this YESTERDAY!
The building no. and phone no. are very likely to be displayed on the site; the bank account no. is easily obtainable.
Here are a couple more examples of how weak the paypal password reset function is:
Your friend / partner / relative makes a payment to you via paypal. They obviously know your house no and phone no and could also easily know your bank account no.
A few months later you argue with that person and they are not your friend / disown you. That person can now reset your paypal password and clean out your account, or do something like pay all your funds to a charity.
How about a rogue buyer?
You sell an item on an online auction site and have a buyer. The buyer:
asks for your paypal email so he can make the payment
asks for your home address so he can check you are genuine
asks for your phone no. so he can phone you / in case of problems
The buyer then says his paypal account is out of funds so can he make an online payment via your bank account.
If you agree to that, the instant you give him your bank account number he's logging into paypal, resetting your password and cleaning out your account.
I have not had a reply from paypal yet. I think they need to address this immediately. I am also surprised this has gone on for so long.
The recommendations are to not give out your paypal email, or nos. In that case you are not going to be able to use paypal to trade!
Interestingly there is a security review of paypal login / password reset from 2003.
Online password reset: Yes, via email; must answer secret question via email link; if unable to access original email account the new password is sent via snail mail
Back then the password had to be reset via an email link which is good. If you requested a reset only the recipient of the email used for the account can access the screen.
Now of course, anyone can do it online.
Clearly paypal need to restore the reset via email feature. Anyone wishing to reset their password should have to receive an email direct to the email of their account. That email should have a link back to the reset page along with a token.
I really can not believe that this has happened. Who the heck decided to downgrade the security features at paypal?
I just demonstrated this to the wife and showed her how anyone with info could reset her password.
I got past the stage where you enter the building no. and got this screen:
Verify your email address
You should receive an email at ........ Click the link in the email to continue re-setting your password.
So how come the wife's personal account has this security feature but my business account does not?
Clearly in our case that option never happens. I hope they sort this asap.
[edited by: Frank_Rizzo at 8:14 pm (utc) on April 19, 2009]
I think the best way to do this would be to remove the 'address' and 'phone' options altogether. After all, they both will still end up with an email verification, which is what the first option (the email option) is all about.
A better, more secure way of course will be to first confirm the phone number or address and then send password reset information to the email on file.
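The flow proposed in this post (confirm the detail on file, then send a time-limited, single-use token only to the registered email) and the blank-phone-number hole described earlier in the thread, as an added example that is not paypal's code or anyone's posted code; `ResetService`, `SAMPLE_ACCOUNTS` and the addresses in it are constructed for illustration:

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # emailed reset links expire after 15 minutes
SAMPLE_ACCOUNTS = {  # constructed sample data, not real accounts
    "seller@example.com": {"phone": "555-123-4567", "password_hash": b""},
    "blank@example.com": {"phone": "", "password_hash": b""},
}

def _digits(value):
    """Keep only digits so '555-123-4567' and '5551234567' compare equal."""
    return "".join(ch for ch in (value or "") if ch.isdigit())

class ResetService:
    def __init__(self, accounts, now=time.time):
        self.accounts = accounts  # email -> {"phone": str, "password_hash": bytes}
        self.now = now            # injectable clock so expiry is testable
        self.pending = {}         # sha256(token) -> (email, expiry)

    def knowledge_check_ok(self, email, phone_guess):
        """Gate only; passing it never resets anything by itself."""
        acct = self.accounts.get(email)
        if acct is None:
            return False
        stored = _digits(acct.get("phone"))
        if len(stored) < 7:  # blank/short stored value never matches ('ending in XX' hole)
            return False
        return hmac.compare_digest(stored, _digits(phone_guess))

    def request_reset(self, email, phone_guess):
        """Return the token for the emailed link (or None); it is never shown on screen."""
        if not self.knowledge_check_ok(email, phone_guess):
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()  # store a hash, not the token
        self.pending[key] = (email, self.now() + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token, new_password):
        """Runs when the emailed link is followed: single use and time-limited."""
        entry = self.pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None or self.now() > entry[1]:
            return False
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        self.accounts[entry[0]]["password_hash"] = salt + digest
        return True
```

Whoever holds only the building number or phone number gets nothing from `request_reset` but a token that lands in the account holder's inbox, which is the check the thread says was missing.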
29 minutes at 40p a minute (mobile phone charge, not paypal's) equates to about 5 beers. I wouldn't mind if there was a resolution after that but there wasn't.
I walked through the problem with the call assistant. She agreed that there was a problem in that at no stage was there an email confirmation sent - there should be.
She checked with the next level and they said it was because there were no security questions on my account. There were - two of them. But we walked through changing them.
On the next try the problem was still there so another call to the next level stated that:
"It is to do with your IP address. Paypal remembers your IP and doesn't give you the email / verification screen if you try to reset your password on the same PC as the one you usually administrate your account from."
I was advised to login from another PC and I said I would do that later.
I try a totally different PC on a different ISP. Guess what - there is still no verification.
Where the heck do I go now? My account is not secure. How do you escalate these things? Do I have to take this to one of the big IT news sites and embarrass paypal? I don't want to do that but if there is no resolution here...
(BTW, I have changed my email to a non guessable one. I am suspending receiving payments via email so that no one knows the email and thus can not reset the password).
The fact that these people take a huge share of everyone's profit and don't take such a major security flaw seriously is disgusting. Even more disgusting is the fact that they allowed this to happen in the first place. They make a profit out of every single transaction so what is holding them back from making their system more secure?
The bad guys know when to strike to ensure finding cash in those accounts.
Finding the affiliates isn't rocket science either since they congregate on an eBay forum and discuss their websites... many of which have paypal donate buttons.
This has the potential to be a very costly flaw, if it exists as described.
I only discovered my account had the flaw after reading spiritualseo's post here. There could be others who have never used the forgotten password feature and thus do not realise that there is a huge open door on their account.
I posted on another site and found someone with the problem.
Via google I also found a blogger from India who had the same problem in May 2008.
I get the impression this is a flaw which the higher levels of Paypal know about but they have no solution. Their response seems to be one of either head in sand or not to admit a problem exists.
I think I have no choice but to close down my paypal account.
Going round in circles here. Assistant not understanding the problem at first, then trying to say that 'it can't happen'. When I walk through the problem and they see the screen I see they realise the problem.
After being put on hold for a further 10 minutes I was advised on the lines that:
"Our security team do not wish to discuss this. They are confident that my password can not be reset."
I have to step this up now.
The paypal account is one thing. I usually keep my paypal account near zero. However, it is linked to my corporate bank account which could potentially be a problem.
Surprisingly they got the 'send an email' verification stage.
Now it could be just a coincidence / strings pulled or indeed due to a different IP address. Paypal did say yesterday that they remember the IP used to administer the account and if you try resetting the password on that same IP you won't get the verification.
A couple of issues here. First I am not so sure it is IP based as I did run a test yesterday using my mobile ISP and the problem still existed.
Secondly why would any security app want to let the shields down if you used that PC 'legitimately' prior?
What if you rent an apartment with others. You login to your paypal account, administer, log out and go for a walk.
Your friend goes up to the PC, hits forgot password, enters your paypal email, building no. (he lives there too), bank account number (you pay him rent by cheque) and there you go. He's now nicked your money.
Need more investigation on this. There could be an IP / cookie / angle but even so, there should ALWAYS be an email verification stage.
spiritualseo, can you contact a trusting accomplice and ask them to try accessing the reset screen with your details?
Could it be that the paypal guys have resolved the issue with your account? Maybe you could check it up with the mobile ISP again.
You are totally onto something! Now I'm afraid to use Paypal! I was going to start a thread asking if you only use Paypal for your internet business, then why do you need e-insurance? Now I guess you've answered that with this fiasco!