Request FIDO U2F as second factor.

vsrinu26f
New Community Member

I am not happy (I suppose the same goes for many PayPal customers out there) to purchase a key from each website I transact with.

1. Security questions are good.

2. A TOTP token which we can use with Google Authenticator or another app is OK.

3. FIDO U2F is good, actually an ingenious, awesome second factor.

By good I mean we desire them. If in doubt, please learn from Google regarding authentication options.

Hope PayPal listens to this positive feedback.

 

TimSmall
Contributor

I recently tested a YubiKey NEO, and abandoned it almost immediately. Too much pain for too little gain. And I'm a technologist. My clients would never use it.

I use U2F.  My clients use U2F.  My clients who have had money stolen from their paypal account definitely use the app based authenticator too (but would prefer Fido U2F).

Fintastic
Member

http://bit.ly/2rttol2

A technology that cell networks use to enable SMS is SS7, known as CCSS7 in the U.S. and C7 in the U.K. It is a telecommunications standard that enables a digital signaling network to provide cellular and wired call setup, routing, and control. Any dedicated hacker can gain access to SS7, spoof the target's phone number, and receive all texts and voice communication between the target and anyone else. This includes capturing one-time passwords (OTPs) sent to phones used in two-factor authentication.

In 2016, Karsten Nohl of German Security Research Labs demonstrated an SS7 attack on U.S. Congressman Ted Lieu’s phone number.  Also in 2016, Positive Technologies demonstrated how they could bypass use of SMS for authentication on WhatsApp, Telegram, and Facebook.  These are not attacks against the phones.  The phones were not hacked.  These are attacks on SS7 using the target’s spoofed phone number.


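To illustrate the distinction the posts above draw between an SMS/TOTP code and a U2F assertion, here is an added example that is not from any post in this thread: an RFC 6238 TOTP code is a bearer value that verifies for whoever captured it within its time step, whereas a U2F response signs the browser-supplied origin and a fresh challenge, so a response produced on a look-alike site, or replayed, fails the relying party's check. It assumes a hypothetical relying party https://rp.example and uses HMAC as a stand-in for the token's ECDSA P-256 signature.

```python
import hashlib, hmac, json, struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: a short bearer code, accepted from anyone who presents it within its time step."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def u2f_signature_base(app_id: str, counter: int, client_data: bytes) -> bytes:
    """U2F authentication signature input: SHA-256(appId) || userPresence || counter (4 bytes BE) || SHA-256(clientData)."""
    return (hashlib.sha256(app_id.encode()).digest() + b"\x01"
            + struct.pack(">I", counter) + hashlib.sha256(client_data).digest())

def device_sign(device_key: bytes, app_id: str, counter: int, client_data: bytes) -> bytes:
    """SIMPLIFICATION: a real token signs with an ECDSA P-256 key it never exports; HMAC stands in for it here."""
    return hmac.new(device_key, u2f_signature_base(app_id, counter, client_data), hashlib.sha256).digest()

def browser_client_data(origin: str, challenge: str) -> bytes:
    """The browser, not the web page, records the origin it is actually talking to."""
    return json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin}).encode()

def rp_verify(device_key: bytes, app_id: str, challenge: str, last_counter: int, resp: dict) -> bool:
    """Relying-party check: our origin, our fresh challenge, a counter that moved forward, a valid signature."""
    cd = json.loads(resp["client_data"])
    if cd.get("origin") != app_id or cd.get("challenge") != challenge:
        return False  # assertion was produced for another site or for a stale challenge
    if resp["counter"] <= last_counter:
        return False  # replayed response (or a cloned token)
    expected = device_sign(device_key, app_id, resp["counter"], resp["client_data"])
    return hmac.compare_digest(expected, resp["signature"])

def demo() -> dict:
    secret, device_key = b"constructed-totp-seed", b"constructed-device-key"  # constructed sample keys
    app_id, challenge, t = "https://rp.example", "constructed-challenge-1", 1_500_000_000  # hypothetical RP
    # 1) A captured OTP still verifies 10 s later: nothing ties it to who submits it or from where.
    otp_reusable = totp(secret, t) == totp(secret, t + 10)
    # 2) A genuine assertion made on the real origin verifies.
    genuine = {"counter": 8, "client_data": browser_client_data(app_id, challenge)}
    genuine["signature"] = device_sign(device_key, app_id, 8, genuine["client_data"])
    # 3) The same token pressed on a look-alike site signs that site's origin, so the RP rejects it.
    fake = "https://rp-login.example"
    phished = {"counter": 9, "client_data": browser_client_data(fake, challenge)}
    phished["signature"] = device_sign(device_key, fake, 9, phished["client_data"])
    return {"otp_reusable": otp_reusable,
            "genuine_ok": rp_verify(device_key, app_id, challenge, 7, genuine),
            "phished_ok": rp_verify(device_key, app_id, challenge, 7, phished),
            "replay_ok": rp_verify(device_key, app_id, challenge, 8, genuine)}
```

Calling demo() returns the four outcomes; only the genuine, fresh assertion on the real origin verifies.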
TimSmall
Contributor

Paypal engineers co-authored the FIDO U2F standard, so I assume they'll get around to supporting it at some point.  Some sort of public timeline would be nice.

PayPal already supports a (non-open-standard) TOTP password via the "Symantec VIP" app.  You can add these as "security keys" in your PayPal account.  I've found this buggy though (e.g. paying via third party sites just hangs when I have my key enabled in my PayPal profile - this has been broken for at least 6 months).

TimSmall
Contributor

Sorry, my mistake, they co-authored the Web API for accessing FIDO 2.0 credentials, and are part of the W3C working group which is producing a new web authentication API https://w3c.github.io/webauthn/

My guess is that they'll wait until this is finalised, and implemented in browsers before reworking their second factor auth.  Which probably means 2 years or more from now.

Which is a shame, since Facebook just added FIDO U2F, and in the meantime 2FA on PayPal is poor/annoying/buggy.

JNavas2
Contributor

@TimSmall wrote:

Paypal engineers co-authored the FIDO U2F standard, so I assume they'll get around to supporting it at some point.  Some sort of public timeline would be nice.

PayPal already supports a (non-open-standard) TOTP password via the "Symantec VIP" app.  You can add these as "security keys" in your PayPal account.  I've found this buggy though (e.g. paying via third party sites just hangs when I have my key enabled in my PayPal profile - this has been broken for at least 6 months).

Symantec VIP is not secure -- it uses the same serial number for all applications (much like using the same password for all websites).

It's also poorly implemented in PayPal -- it doesn't work when paying from eBay (you have to use poor SMS authentication instead).

As I wrote above, PayPal badly needs to do much more in security.

TimSmall
Contributor

BTW, if you want to try the existing TOTP auth, you need to:

1. Install the Symantec "VIP Access" app on your phone.

2. Go to https://www.paypal.com/myaccount/settings/security

3. Click "update security key"

4. Click "get security key"

5. Click "cancel" on the "Register your mobile phone" page (no, really!) which takes you to https://www.paypal.com/cgi-bin/webscr?cmd=_activate-security-key-any

6. Enter the serial number from the Symantec app.

7. Hope it doesn't break logins from third party sites for you (if it does, you can always deactivate the key again).

TimSmall
Contributor

Sorry for the continual posts on this topic, but I suppose it prompted me to take the time to look into the 2FA login-hanging bug.  I eventually fixed it by:

1. Clearing all trusted devices from Settings (this is just temporary if you use that feature).

2. Deleting all paypal domain cookies from my browser.

I then get prompted correctly for the VIP key when paying via third party sites.

makki1
New Community Member

Just my 5 cents: I've been using the HOTP token from PayPal for many years now, which is very, very secure, comfortable and works like a charm!

But U2F-support would be very nice, as I have two 🙂

Michael

TimSmall
Contributor

@makki1 wrote:

Just my 5 cents: I've been using the HOTP token from PayPal for many years now, which is very, very secure, comfortable and works like a charm!

eBay is discontinuing the use of those tokens (you can currently use them as second-factor auth on both sites); since you can no longer buy them from PayPal, I wonder when they'll drop them too.

lordandy
Contributor

AND: On the mobile app it seems you have to have SMS enabled to use the mobile app at all... neither SMS nor VIP Key makes sense on mobile, as it's probably running on the same device anyway if stolen 🙂
