
PayPal bypasses security key!

The event that made me wish to post this occurred at approximately 06:25 CEST on 5 April 2010.

I ordered three security keys from PayPal. They are all activated, and I've used all of them in the past to verify they work. Here I am, abroad, and I go to log in, feeling secure that I have one of my keys with me. Guess what? PayPal wishes to verify some of my information first, without my security key being entered. Well, I play their game and enter my vital information. You know what else? PayPal gets me straight into my account without my entering any of the keys that I thought were helping me be safer, and THE KEYS I PAID FOR!!

 

I feel I'm well within reason to ask for an explanation, an apology, a fix, and a FULL refund of my three security keys.

 

OK, PayPal, give us your best explanation!

surplusdealdude (Volunteer Advisor)

Re: PayPal bypasses security key!

Perhaps you have missed the fact that there is a way to bypass the security key when you answer several security questions, but I see it every time I log in.

 

I would say the security key function may have been down for occasional repairs at that time and Paypal switched you to the alternative to allow you to access your account.

 

Since the chances of a scammer being able to know the answers to your security questions are about zero, your security was not compromised.


Re: PayPal bypasses security key!

@surplusdealdude Did you not read my post? I logged in with my username and password. After that, I got the warning and request for further information. It stated that it could not verify my security key, yet I didn't put in any security key at that point. I purged my cache, reloaded the browser, tried another browser -- NOTHING! Yes, I too did see the security key login every time I logged in, but this time I did not.

Brilliant! What a great time for hackers and phishers to get into my account. Ping any account with a security key password requirement until it doesn't show the security key screen, then use the social-engineered data.

Here's a great idea. When the security key login is down, the respective accounts should NOT be able to log in whatsoever. Those accounts should receive a screen with an estimated time of when the account will be available. This is normal network maintenance etiquette.

The reason I have two-factor one-time password (AKA, generally, "security key") authentication is because it is indeed safer without compromise. I found your argument that security questions are secure humorous at best. Personal/security questions are NOT as secure, as they are static. Also, I guess you didn't see that I'm now abroad, which means that someone could be playing a man-in-the-middle attack. The only safe thing there is two-factor OTP authentication, since it rolls, so it's much more secure, ever-changing. Do you wish to speak with VeriSign about this? Perhaps they can enlighten you if you don't believe me, or perhaps you can read this elsewhere.

PayPal has been riddled with security problems in the past. Their initial implementation of OTP failed, yet several other companies I've worked for and consulted have had better than five nines of uptime, and I have notified respective clients and customers of downtime prior to any maintenance.

By the way, these systems are so embedded and simple that the only maintenance is nearly always with the front-end pluggable authentication modules. That would be PayPal proprietary and broken. If indeed PayPal was working on the system, I should have known about it in advance, and, like I said before, not been allowed entry during the planned outage. Hey, PayPal, let's talk after you refund my $15 Presto!

NB: I will post my success at receiving a refund after I get it. If I haven't posted in a while, either PayPal has deleted my account because they feel I'm a threat or I haven't received it yet. Anyone that posts here will generate an email to myself, so I'll reply back.
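The design point argued over in the post above is whether a login should fail open (fall back to static security questions) or fail closed (refuse entry) when the one-time-code verifier is unreachable. The following is an added illustration written for this page; it is not PayPal's code and was not posted by anyone in the thread. It models a password plus RFC 4226 HOTP login, with a look-ahead window and replay protection on the server side, and runs the same attacker (password and social-engineered answers in hand, no token) through both policies. Every class, function and user name is hypothetical; the sample account is constructed, and its OTP secret is the RFC 4226 test-vector key so the expected codes can be checked against the RFC.

```python
"""Fail-open vs fail-closed handling of an unavailable second factor.

Added example, not PayPal's code and not posted by anyone in this thread.
It models a login that needs a password plus a rolling one-time code
(RFC 4226 HOTP) and shows what an attacker holding only the password and
social-engineered security answers gets under two policies when the OTP
verifier is unreachable. All names, users and answers are constructed.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def _h(value: str) -> str:
    # Demo only: a real service stores passwords with a slow, salted hash.
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class User:
    name: str
    password_hash: str
    otp_secret: bytes
    otp_counter: int = 0                      # next counter the server expects
    answers_hash: Dict[str, str] = field(default_factory=dict)  # question -> hash


class OtpUnavailable(Exception):
    """The OTP verification back end cannot be reached."""


class OtpService:
    """Server-side HOTP check with a small look-ahead window; a code that
    verifies is consumed, so it cannot be replayed."""

    def __init__(self, look_ahead: int = 5) -> None:
        self.available = True
        self.look_ahead = look_ahead

    def verify(self, user: User, code: str) -> bool:
        if not self.available:
            raise OtpUnavailable("OTP verifier is down")
        for c in range(user.otp_counter, user.otp_counter + self.look_ahead):
            if hmac.compare_digest(hotp(user.otp_secret, c).encode(), code.encode()):
                user.otp_counter = c + 1      # rolls forward: same code never valid again
                return True
        return False


class Policy(Enum):
    FAIL_OPEN = "fall back to static security questions"
    FAIL_CLOSED = "refuse the login until the OTP verifier is back"


def login(user: User, password: str, otp_code: Optional[str],
          answers: Optional[Dict[str, str]], policy: Policy,
          otp: OtpService) -> Tuple[bool, str]:
    """Return (granted, how). Password first, then the second factor."""
    if not hmac.compare_digest(_h(password), user.password_hash):
        return False, "bad_password"
    try:
        if otp.verify(user, otp_code or ""):
            return True, "password+otp"
        return False, "otp_missing_or_wrong"
    except OtpUnavailable:
        if policy is Policy.FAIL_CLOSED:
            return False, "otp_unavailable_retry_later"
        # FAIL_OPEN: static, phishable answers stand in for the rolling code.
        answers = answers or {}
        if user.answers_hash and all(
            hmac.compare_digest(_h(answers.get(q, "")), h)
            for q, h in user.answers_hash.items()
        ):
            return True, "password+security_questions"
        return False, "security_questions_failed"


def make_demo_user() -> User:
    """Constructed sample account. The OTP secret is the RFC 4226 test-vector
    key, so the expected codes (755224, 287082, ...) match the RFC's table."""
    return User(
        name="traveller",
        password_hash=_h("correct horse"),
        otp_secret=b"12345678901234567890",
        answers_hash={"first pet": _h("rex")},
    )


if __name__ == "__main__":
    user, svc = make_demo_user(), OtpService()
    stolen = {"first pet": "rex"}             # what a phisher could collect
    print("attacker, verifier up: ", login(user, "correct horse", None, stolen, Policy.FAIL_OPEN, svc))
    svc.available = False
    print("attacker, fail-open:   ", login(user, "correct horse", None, stolen, Policy.FAIL_OPEN, svc))
    print("attacker, fail-closed: ", login(user, "correct horse", None, stolen, Policy.FAIL_CLOSED, svc))
```

With the verifier up, the attacker is stopped at the OTP step whatever the policy. With it down, FAIL_OPEN admits the attacker on password plus answers alone, which is exactly the window the post describes (probe until the key screen disappears, then use the collected answers); FAIL_CLOSED turns the outage into a deferred login rather than a weaker one. The consumed-counter check in `OtpService.verify` is what makes the code "roll": a captured code is worthless once used.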
unicorn77 (Member)

Re: PayPal bypasses security key!

I came to this forum as a new user today specifically because of the extra info required before logon. I am very concerned about its authenticity. When I access PayPal via Safari I do not get the extra info screen, but I do via Firefox. I do not like the look of the wording. It has the feel of being written by someone who is unfamiliar with English. I feel it is a scam.

 

Can anyone confirm that PayPal does ask for extra info, and in what circumstances? Or not?

 

My suspicion is that my Firefox installation is infected somehow, but various anti-virus and malware tools I have used have revealed nothing.

surplusdealdude (Volunteer Advisor)

Re: PayPal bypasses security key!

unicorn,

 

As long as the questions appear AFTER you've logged in with your password, you're okay.

 

Paypal does spring these extra levels of security on people from time to time.

 

Safari is one of those browsers that doesn't work well with eBay or Paypal - Firefox works better, and your use of Safari may be why you got the extra screen.

unicorn77 (Member)

Re: PayPal bypasses security key!

SD,

 

Thanks for the reassurance. Although it was Safari that let me through without the extra security, not Firefox! I do think I've got a problem with Firefox, though.

surplusdealdude (Volunteer Advisor)

Re: PayPal bypasses security key!

It stated that it could not verify my security key, yet I didn't put in any security key at that point

 

Yes - I think the Paypal computer would know that you have a key and re-direct you automatically if the key apparatus was disabled for some reason.


tried another browser -- NOTHING!

 

Not all browsers work well with PayPal.

 

When the security key login is down, the respective accounts should NOT be able to log in whatsoever.

 

And if it's down for days? That's a terrible idea. It's not like there's no security at all - you still have to enter your password.


If I haven't posted in a while, either PayPal has deleted my account because they feel I'm a threat or I haven't received it yet

 

:-D

 

I doubt if Paypal would ever consider you a threat - a nuisance maybe, but only if you worked VERY hard.
