How PayPal Account Hacking Works, and How 2FA Fails To Stop It

Motivation

You wake up at 4am to buzzing on your nightstand. Still in a haze, you roll over and find a text message: "PayPal: Your security code is: 720358. Your code expires in 5 minutes." Confused, you then realize this message was preceded by another one just seconds before that says "VZW Free Msg: Your Verizon Messages account was recently accessed from a new browser or device...".

You're wide awake now, 'cause you're pretty sure you know what's going on. A quick attempt to check your PayPal account confirms it - your PayPal password no longer works. You quickly go through the reset process and regain control but find that a hacker has already initiated a $3000 transfer from your bank into your PayPal account and claimed that you bought a $3000 purse from them. You have a strong password that is not repeated anywhere else and have 2 factor authentication turned on. How is this possible?

This is a scenario that I saw play out recently, and although the theft was unsuccessful, I decided to research how it was done. The results bothered me, and showed that under a fairly common scenario, this type of account takeover is rather simple. I also came to another disturbing conclusion: because of the online SMS reading features offered by some of the biggest cellphone providers, your PayPal account security is intrinsically linked to the security of your cellphone provider account, and your PayPal account can only be made as secure as your mobile account login. The following are the results of my research on how someone can break into a PayPal account, and if you read no further, the one takeaway is this - text messages should NOT be considered a "something you have" for 2 factor authentication. They're just one more account password away from being accessed, and this is something that can't easily be fixed.

The Problem

In the scenario given above, here's what happened. Please note that although I specifically mention Verizon, because that's the attack I encountered and investigated, I believe this technique applies equally to any cell provider that allows you to view your text messages online (Verizon, AT&T). From what I can tell, the attacker can come into the attack knowing only a few pieces of information:

  • Victim's email address
  • Victim's Verizon username or cellphone number
  • Victim's Verizon account password or password reset info (for Verizon, this is phone #, billing zip and the secret question answer)

In this case, I believe the victim's email address was part of a breach somewhere, and the associated stolen password was accidentally reused to protect the Verizon account. The Verizon username was guessed because it was the same as the username in their email address, and I would bet that this applies to a huge number of people. In my case, this was the single biggest factor that allowed this attack to work.

Since the victim's Verizon account details were available, the attacker started this attack by gaining access to the victim's text messages. On Verizon, this is as simple as logging in and navigating to the Verizon Messages page, or, if it's not already on, turning it on for the account. I called Verizon about blocking this and they told me there's no way to disable it; the only small consolation is that you will receive a text when it is turned on and when someone logs into it. The text message is supposed to include some identifying details, but the attackers clearly took steps to mask their OS and browser, because where these are normally displayed, the text from the attack just said "unknown" and a known malicious IP.

[Image: Verizon Messages Login]

The only option Verizon offers to stop this is fully disabling online account access - something most people aren't willing to deal with. In addition, Verizon does not offer 2 factor authentication, so your account is only as secure as your password OR the details mentioned in the 3rd bullet point above that are required to reset it. Disappointing. This leads to the conclusion that if you use Verizon or AT&T, text messages cannot be trusted as a "something you have" factor in 2 factor authentication.

At this point, the attacker can now read the text messages of the victim. The next move is to attempt to log in to their PayPal account. In this scenario, the password was unknown and their attempts would've been rejected, but here's the critical issue: PayPal lets you reset your password with ONLY the knowledge of the account email, and the ability to receive a text to the phone number on the account. No other information is needed, no secret questions, no billing info challenge, nothing. In my opinion, this is way too low of a bar given that text messages to phones cannot be trusted as a "something you have". The attacker proceeds to use the reset password functionality, makes a new password for the victim's account using the code sent as a text message to prove their identity, and then logs in with the new password to steal the money.

The Solution

The crux of the problem here is that anyone who can get into your mobile account (on some providers) can bypass 2 factor authentication for any site, and your PayPal account specifically, if you have that number as your verified PayPal account phone number. This leads to an odd semi-fix that I discovered when trying to remove the text message password reset option. It appears that the number you register with PayPal as your "security key" phone number can be different from your account phone number. To fix this for myself, I left my security key number registered to my cell phone, but changed my account phone number to a Google Voice number (a landline could also be used), and never went through the verification process. Now, if I try to reset my password, the only options available are a phone call or an email - both of which are protected behind proper 2 factor authentication on my Google account with Google Authenticator as the token. This fix at least protects from a password reset via SMS attack, but does nothing to address the problem that an attacker who stole my PayPal password could still get my 2 factor codes from breaking into my mobile account, negating the "something you have" requirement. As a result, it's still very important that you harden both accounts as much as possible. The following are the steps I recommend for making your PayPal and mobile account as break-in proof as possible.

Step 1 - Securing Your Mobile Account

You need to make sure no one can guess or password reset their way into your mobile account. This means doing two things:

  • Ensuring that your account has a unique strong password that is not easily guessed.
  • Ensuring an attacker can't easily reset your password.

On Verizon, the information needed to reset a password is the phone number, the billing zip code, and one of the following 3 items:

  1. The ability to receive a text to the phone.
  2. The ability to receive an email to the address registered on the account.
  3. The answer to the account secret question.

Secret question options are shown below. Compared to PayPal's (we'll get to those in a minute), some of these are potentially hard to find/guess the answer to and therefore could potentially be used "safely", but I would still suggest making a false answer and recording it elsewhere.

[Image: Verizon Secret Question List]

In addition, it would help if your mobile account username (which is not your email) does not match the beginning of your email address, however this is hard to change once it's already made.

Step 2 - Securing your PayPal Account

As we've gone over, if someone can take over your text messages, this part is impossible without the use of a 2nd phone number. However, you can make some improvements to stop people if they fail at this part. Here are my recommendations:

  • Ensure that your account has a unique strong password that is not easily guessed. This also applies to your mobile app PIN, if it is set.
  • Ensure your security questions are not Google searchable or not answered with real answers. This can be a pain (or easy if you use a password manager you can take notes in), but is an absolutely necessary precaution because PayPal ALSO lets you bypass 2 factor authentication if you can answer the 2 account security questions! If you enter the right password and don't have your SMS device/online access, you can click "try another way", and use the security questions instead of a code!

Security questions are often pretty terrible and consist of options that could be Google searched for many people, and PayPal is no exception. This makes it even worse since you can bypass the 2nd factor with these. Here's PayPal's list of questions. Think about these: how many of them can you honestly say can't be figured out by someone with solid Google-fu? My guess is maybe your pet, the nickname of a child, and your cuddly toy; the rest should be fairly easy given the name and some basic info about a person (also found via Google).

[Image: PayPal Security Question List]

Things That Don't Work, But Should

Here are some things I tried to secure myself from this attack that I thought would work, but didn't:

  • PayPal Hard Tokens - Although PayPal used to offer hard tokens to its customers to stop attacks like this, for some unexplained reason, they no longer offer them. I called customer service about this, and that is what they told me.
  • Using an alternative 2FA "something you have" - Offering Google Authenticator compatibility would solve this issue. Unfortunately, PayPal does not; it's SMS or nothing.
  • Deleting your cellphone number from your PayPal account - There is no "remove this number" button anywhere that I could find, the only thing I could do is change the number to a different one.

Conclusions

The takeaways here can be distilled down to this:

  • If you use Verizon or AT&T (or others that allow SMS reading online), recognize the inescapable security dependency between your mobile phone account security and any account you have that relies on SMS for 2 factor authentication. You should use Google Authenticator or hard tokens where available instead.
  • For PayPal, you need to either use a 2nd phone number, or a phone provider that does not offer online text reading to escape this problem. Click through to test if you can reset your password via SMS to verify.
  • Setting too low of a bar for password resets is a continuing problem, and to ensure your safety on critical accounts, you should investigate the "I forgot my password" options. Make fake security question answers where possible and block other methods that are too easy where possible.

Not mentioned in this write-up is the phone based reset attack vector. Brian Krebs recently experienced this one and notes that you can additionally reset a PayPal password with the last 4 digits of a SSN and an old credit card number. This is also extremely unfortunate, but if this info about you has leaked, there are really no actions you can take to lock down the information; you may just need to close your account.

Overall my recommendation is this: PayPal is obviously difficult and unintuitive to secure. However it is very convenient for passing money to friends, and important to the use of sites like eBay. If you don't absolutely need PayPal, just close your account, but if you do, connect as few bank accounts (zero) and credit cards as possible, and take the steps outlined above. Although it's no guarantee, this will make it as hard as possible for attackers, and if they still succeed, limit the damage that can be done.

Bonus Material

I made a Bruce Schneier-style attack tree when researching this post; it's included below if you're interested in how this looks visually. Blue text is for "OR" nodes and red text is for "AND" nodes. Highlighted items point out where the big problems are.

[Image: Attack Tree]
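
For readers who want to check their own exposure, here is an AND/OR tree evaluator as an added example. It is not the diagram from this post: the node names are assumptions reconstructed from the prose above. It shows which single hardening step blocks the takeover, and why the "second phone number" fix stops the SMS reset but not a stolen-password login.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str = "LEAF"  # "LEAF", "AND" or "OR"
    children: list = field(default_factory=list)

    def holds(self, facts):
        """True if this goal is reachable given the set of true leaf facts."""
        if self.kind == "LEAF":
            return self.name in facts
        results = [c.holds(facts) for c in self.children]
        return all(results) if self.kind == "AND" else any(results)

def AND(name, *kids): return Node(name, "AND", list(kids))
def OR(name, *kids): return Node(name, "OR", list(kids))
def leaf(name): return Node(name)

def build_tree():
    # Node names are hypothetical labels reconstructed from the post's text.
    mobile_reset = AND("reset mobile password",
        leaf("phone number"), leaf("billing zip"),
        OR("reset proof", leaf("account email access"),
           leaf("secret question answer")))
    read_sms = AND("read victim SMS online",
        leaf("provider offers online SMS"), leaf("mobile username or number"),
        OR("mobile login", leaf("mobile password"), mobile_reset))
    sms_reset = AND("PayPal reset via SMS", leaf("victim email"),
        leaf("SMS number is verified account phone"), read_sms)
    password_login = AND("login with stolen password", leaf("paypal password"),
        OR("second factor", read_sms, leaf("both security question answers")))
    phone_reset = AND("phone-based reset",
        leaf("last 4 of SSN"), leaf("old credit card number"))
    return OR("PayPal account takeover", sms_reset, password_login, phone_reset)

def single_fixes(tree, facts):
    """Leaf facts whose removal alone makes the root goal unreachable."""
    facts = frozenset(facts)
    return sorted(f for f in facts
                  if tree.holds(facts) and not tree.holds(facts - {f}))

# Constructed scenario matching the incident described in this post.
POST_SCENARIO = frozenset({"victim email", "mobile username or number",
    "mobile password", "provider offers online SMS",
    "SMS number is verified account phone"})

if __name__ == "__main__":
    print(single_fixes(build_tree(), POST_SCENARIO))
```
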