11
pxeger
53d

So PayPal are going to require Strong Customer Authentication (SCA) now. That's all well and good, but apparently TOTP 2FA doesn't count!? I have to use fucking SMS!!!!!!????!!1

They sent me an email telling me to confirm my phone number because 2FA would be rolled out immediately, but they're also deprecating TOTP which is and always has been INDUSTRY STANDARD AND HIGHLY AUDITED, unlike hmmm I dunno, SMS FAMOUSLY ISN'T

SMS? I'VE NEVER HEARD OF A MORE RETARDED IDEA FOR A FUCKING FINANCIAL APP! WHY! WHAT IS WRONG WITH THESE REGULATORS WHO INTRODUCED THIS? AND WHY DID PAYPAL USE THAT AS AN EXCUSE TO DEPRECATE PROPER 2FA?

Comments
  • 6
    The devs I've known from PayPal, I'm surprised it's not a pager.
  • 3
    I'm still using a non-smart phone and am happy that SMS is an option.

    Also, the Paypal mail looked like a phishing attack because the link was to some Paypal communications domain and not Paypal directly, so I logged in via actually typing paypal.com in the browser URL field.
  • 3
    @Fast-Nop I was confused by that too, uBlock didn't like paypal-communications.com
  • 3
    PayPal have TOTP?
    I've only ever been able to use sms with them.
  • 0
    @C0D4 same. I've been wanting to see if there was another option but I guess they're removing it anyway.
  • 2
    My guess: SMS will be extended to contain transaction details.
    TOTP is transaction-independent, it can be used for everything (e.g. entering the OTP on a phishing site or a malware-infected computer will open your account for anything).
    SMS will likely send the transaction details in the future, thus you know what you are confirming (and I really want to know, as PayPal usually has unlimited access to one's bank account). I'd rather see a new standard, but SMS (or a proprietary implementation) seems to be the only solution until then.

    If PayPal does not have transaction details in their SMS, it will have no benefit and will lessen security.

    Banks have done that for decades (at least in Germany), but usually have dedicated hardware devices or custom mobile apps for that as an alternative to SMS.
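As an added example that is not part of the thread: the distinction sbiewald draws above, between a TOTP code that is valid for any action and a code bound to the transaction details, worked through in Python. The HOTP/TOTP part follows RFC 4226 and RFC 6238 and is checked against their published test vectors; the transaction-bound variant (HMAC-SHA256 over the time step plus amount, currency and payee) is an illustration of the idea only, not PayPal's or any bank's actual scheme, and the two transactions are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Shared test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: a 31-bit value taken at a MAC-selected offset."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours for clock skew.
    Note what is NOT an input here: the transaction being approved."""
    return any(
        hmac.compare_digest(totp(secret, at + k * step, step, digits), code)
        for k in range(-window, window + 1)
    )


def transaction_otp(secret: bytes, txn: dict, at: int, step: int = 30,
                    digits: int = 6) -> str:
    """Illustrative transaction-bound code (an assumption, not a deployed scheme):
    HMAC-SHA256 over the time step and a canonical encoding of the transaction,
    so the code only verifies against *these* details."""
    canonical = f"{txn['amount_cents']}|{txn['currency']}|{txn['payee']}".encode()
    msg = struct.pack(">Q", at // step) + canonical
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


def verify_transaction_otp(secret: bytes, code: str, txn: dict, at: int,
                           step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Same skew window as verify_totp, but the server recomputes over the
    transaction it is actually about to execute."""
    return any(
        hmac.compare_digest(transaction_otp(secret, txn, at + k * step, step, digits), code)
        for k in range(-window, window + 1)
    )


def relay_attack_succeeds(secret: bytes, victim_txn: dict, attacker_txn: dict,
                          at: int, bound: bool) -> bool:
    """Phishing relay: the victim types a fresh code into a fake page believing
    they approve victim_txn; the attacker submits that code for attacker_txn
    within the validity window. Returns True if the server accepts it."""
    if bound:
        stolen = transaction_otp(secret, victim_txn, at)
        return verify_transaction_otp(secret, stolen, attacker_txn, at)
    stolen = totp(secret, at)
    return verify_totp(secret, stolen, at)  # transaction never enters the check


if __name__ == "__main__":
    # Constructed transactions for the demonstration.
    victim = {"amount_cents": 1999, "currency": "EUR", "payee": "shop.example"}
    attacker = {"amount_cents": 250000, "currency": "EUR", "payee": "mule.example"}
    now = 1600000000
    print("RFC 6238 vector T=59:", totp(TEST_SECRET, 59, digits=8))  # 94287082
    print("TOTP relayed to another transaction accepted:",
          relay_attack_succeeds(TEST_SECRET, victim, attacker, now, bound=False))
    print("Bound code relayed to another transaction accepted:",
          relay_attack_succeeds(TEST_SECRET, victim, attacker, now, bound=True))
```

The point of the last two lines is the one made in the comment: a TOTP code captured by a phishing page or infected machine approves whatever the attacker submits next, while a code derived from the transaction details fails the moment the details change. Binding only helps if the channel that delivers the code (SMS, app, hardware token) also shows those details to the user, so they can see what they are confirming.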
  • 3
    @sbiewald
    Yes, that's accurate.

    TL;DR: it has been exhaustively shown that SMS in most localities has next to no security.

    Link dump for those coming into the thread with no prior exposure:

    https://hackaday.com/tag/...
    https://hackaday.com/2013/10/...
    https://auth0.com/blog/amp/...
  • 0
    @SortOfTested That's exaggerated. Yes, if you're a high profile target AND in a known locality, SMS isn't the best bet. However, most people don't have that attack surface.
  • 1
    @Fast-Nop
    It's so trivial, and so much cheaper to put together rolling TOTP, it's inexcusable to leave the hole at all.
  • 0
    @SortOfTested It is no hole compared to doing nothing at all. Quite the contrary, it raises the effort to the attacker, which means that it will prevent most attacks and slow down the rest.

    Security isn't an absolute, that's security circle jerking. It's a function of the threat model, and if it raises the effort over the threshold where it pays off for the attacker, then it's effective.

    The critical thing is that you can't just remote exploit millions of data sets in a few seconds. You have to physically drive around and put up the GSM fake stations, and coordinate that with the attacks.

    And I'm happy that SMS is there because I hate smartphones and apps. They're pieces of garbage to use.
  • 0
    @Fast-Nop SIM swapping is a much more common method for hijacking SMS, it's thought to be how Twitter got hacked recently
  • 0
    @pxeger Same line of argument - though no driving is required, it's a lot of manual work in each case.
  • 1
    @Fast-Nop
    I did not say do nothing at all. I said implement standard app-based totp.
  • 0
    Also, my credit card company has gone full retard with security shit - the result is that I don't pay via CC anymore. Cash upon delivery costs some EUR, but it works.

    That's another factor that security geeks routinely fail to understand: security is also a trade-off vs. availability. Securing the system so that no attacker can compromise it is harmful if it also means your users quit.

    Even in wartime, military will rather communicate without any encryption than not communicate at all, as history has shown. That shocked the security advisors who were visibly out of touch with reality already decades ago.
  • 0
    @SortOfTested You said SMS doesn't offer any security, and that's just nonsense. Obviously it does because it forces the attacker to manual work.
  • 1
    @Fast-Nop
    "Next to no security." The phrase means "better than nothing, but only just." You spend more time implementing SMS-based TOTP than app-based. It's just poor engineering.
  • 0
    @SortOfTested Not all people even want to use apps. SMS, on the other hand, also works with landlines. I welcome that PayPal doesn't enforce some app shit.
  • 0
    @Fast-Nop how the fuck do you send an SMS to a landline?
  • 1
    @Fast-Nop
    I do all my TOTP through the CLI. Single point exchange, my own encryption, I have all the control. Not sure what's better about delegating to something my government has constant monitoring permissions on.
  • -1
    @pxeger Telephone is digital anyway these days. Behind the scenes, there's VoIP, and of course you can transmit any sort of data.
  • 0
    @SortOfTested I certainly don't want to do some CLI crap just because I buy something online, and I guess 99% of the people wouldn't do that either, so that's not a solution.
  • 2
    @Fast-Nop
    You having a bad day buddy? 😋
    Let's get some beers.
  • 1
    @SortOfTested Well no, actually a rather good day, but it's a bit more involved than just "hahaha but there is a way to get in". That was my point.

    If you want to have a good read by an actual pro that deals more in-depth with these intricacies, I can recommend "Engineering Security" by Peter Gutmann. It's available online and for free.

    And no alcohol for me, that could spoil my gainz. ^^
  • 2
    @Fast-Nop
    Nah, I've implemented those challenge mechanisms at numerous places where I've had to pwn systems regularly to do my job. I'm pretty well versed in their ins and outs, as well as GSM and HSPA+. I live in a country where our cell phone and landline systems are illicitly monitored by the government and the work is entirely outsourced to foreign nationals pulling down < fast food wages. There's no security in those systems.

    Trust is low Bob, trust is low. I'll demand registration-time public/private keyshare or no business for my part. 😋

    We can agree to disagree though. I'll move to Germany and enjoy better beers. 🍻