PayPal finally adds iOS/Android Authenticator App 2FA!!

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47


#1 Post by belham2 »

I guess maybe some of you already caught this, but in case you hadn't (if you're like me), PayPal has finally bent to the many requests it has had to add real authenticator apps---and not the flawed, crappy Symantec VIP Access app (which PayPal is discontinuing)---that can be used as the first line of defense in a 2FA setup on your PayPal account. You do not have to have SMS set up at all. SMS still exists, if you want it, but why one would still want to use insecure SMS I do not know.

On iOS, I frequently use Microsoft's excellent authenticator app for 2FA, plus on a few other older iOS phones I still use Google's and Authy's authentication apps. All apps worked seamlessly with PayPal (worldwide) when I set them up today.

Here's the article from Martin B where I caught up with this news from several weeks ago:


https://www.ghacks.net/2019/04/15/paypa ... on-option/

"PayPal adds authenticator app as 2-step verification option
by Martin Brinkmann on April 15, 2019 in Internet - 28 comments

PayPal; love it, or hate it........Here is how you use an authenticator application to protect PayPal better and switch from SMS:................."

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#2 Post by 8Geee »

If even one of those factors is captcha/recaptcha, it's a total farce.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#3 Post by belham2 »

8Geee wrote:If even one of those factors is captcha/recaptcha, it's a total farce.

I am totally lost at this comment.

These are 2FA authentication programs that have nothing to do with PayPal other than providing a time-sensitive, unique 6-digit number, generated every 20 seconds, based on your device ID and that particular authentication program, which runs on either an iOS and/or an Android device.

A joke?

By miles, authentication programs are above the joke that is SMS, which passes for 2FA on most U.S. companies' setups. They are also miles above any password & security question scheme you and/or any website could try to come up with.

8Geee, are you possibly misunderstanding something & referring to something else? For accounts (and it's not only PayPal) set up with an authenticator and a secure landline (not SMS) as the backup, one cannot even reset the account password without contacting PayPal and faxing in more than 3 documents, comprising things like driver's license, passport, bank statements, state residence proof, etc.


What does "captcha/recaptcha" have to do with this? In fact, for PayPal (update: I also just checked a few other sites that use authentication apps backed by a landline), captcha/recaptcha has no ability to replace either your regular account login & password and/or the authenticator app 2FA once it is set up. And it certainly cannot once both are set up on the account.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#4 Post by 8Geee »

I have been against captcha/recaptcha due to reliance upon SKIA and canvas fingerprinting. If one has a cairo 'back-end', these schemes do not function. Perhaps it's Firefox's implementation, but SKIA, IonMonkey, and 'canvassing' have been high on the list of recent security fixes. These three are also in Android and g-Chrome. That's substantial placement.
I have called out the former two (SKIA, IonMonkey) as crapware; it has already compromised many, many devices.

Perhaps today, in the latest browser releases, this is patched sufficiently. Taking the upgrade road has left one vulnerable for quite a period of time. And I do note that Google plays a large role in the development and coding of both SKIA and IonMonkey.

Regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#5 Post by belham2 »

8Geee wrote:I have been against captcha/recaptcha due to reliance upon SKIA and canvas fingerprinting. If one has a cairo 'back-end', these schemes do not function. Perhaps it's Firefox's implementation, but SKIA, IonMonkey, and 'canvassing' have been high on the list of recent security fixes. These three are also in Android and g-Chrome. That's substantial placement.
I have called out the former two (SKIA, IonMonkey) as crapware; it has already compromised many, many devices.

Perhaps today, in the latest browser releases, this is patched sufficiently. Taking the upgrade road has left one vulnerable for quite a period of time. And I do note that Google plays a large role in the development and coding of both SKIA and IonMonkey.

Regards
8Geee
Hi 8Geee,

Again, 'captcha/recaptcha' has nothing to do with this thread and the authentication programs on Android/iOS devices. That is why I was asking what in the heck you were posting about. :D

'Captcha/recaptcha' is a totally different beast, used for different things by most online companies. For the rare few that try to use it for anything security-related, I am in unison with you that it is a bunch of baloney (when you read about it).

The singular thing that 'captcha/recaptcha' used to help with (which has fallen by the wayside) is trying to stop autobots posting on website forums. That's it. For anything else, especially if someone tries to use it for security purposes, I'd be in front of you running in the other direction. :wink:


The real problem, and has been the real problem since the web formed, is the whole system of how websites set up their "forgot your password" system.

Now this "forgot/reset your password" makes me pull my hair out. No matter how securely you set up your account online at various places, sites still have the dumba## policy of letting people "reset" their passwords without requiring substantial documentation & interaction with the company. It's a farce, and the companies know it. Mainly, they don't want to spend the money on customer service for people who constantly forget or lose their passwords, tending to them like a herder tends his sheep.

Imho, companies ought to teach these people a hard lesson...if they lose it or keep forgetting/misplacing their password, make them go through hell and high water to set it up again. Make it so painful that these people will take more care (with backups) next time.

I recently watched a U.S.-based friend "reset" his password for one of the largest (and supposedly most secure online) banks in the world (his U.S.-based bank). When he initially tried online, the popup said "call us". We thought, wow, they are being secure about this compared to others, their systems noticing he was trying to do this from outside the USA. But when he called the bank, you know what they asked him?


"Sir, what is your account number?"

"What is the full name on the account?"

"Please verify the last four SS of this name"

"Please verify the address on this account"

"And the birthday associated with this name?"

...and that was it. That, above, "verified" him. My God, afterwards, we both looked at each other like "ARE THEY FOR REAL OR KIDDING??!!"

Given the Equifax, U.S. federal government, U.S. state government (and other) breaches in North America, all this sort of info is readily available across the dark web. This is true, basically, for every person in the U.S. (at the moment) who was born there.

It just makes your stomach curl realizing how easy it would be to do this for any person's online account(s).

At least some online companies are requiring heavy documentation like passports, driver's license, etc. Still, for Americans at least, most of those have already been compromised. Thus, the shock one should feel if encountering something like he did calling his U.S. bank to "reset" his password.

I always tell any U.S. citizen that if you want to shock yourself, go onto the dark web, into various "data for sale" forums and boards, and you will find substantial information about yourself for sale.

Malware actors have put together tremendous databases, have even started cross-collating them, and for as little as $5-$10, you can find every piece of information about yourself that has ever existed.

For most U.S. citizens, this ought to spook the hell out of them, and turn them into being paranoid as hell about utilizing as much online security as possible, and practicing safer online habits than they currently do.

A simple huge one they could practice would be for them to have at least one computer, or laptop, where it is isolated/segregated from their home network, it is used online for nothing except the bank/financial/medical stuff, is kept locked away when gone from home, is set up with encryption, etc, etc. Even if they insist on using Windows and/or Apple OS (better if it was any Linux OS, especially all the way to Pups, Fatdogs, DDogs and such) for this device, just this simple action would alleviate most things they can control on their end.

But this behaviour is the exception, the rare exception, and not the norm.


But...all this is a subject for another thread (or many threads). It's just that here, in this thread, 'captcha/recaptcha' doesn't have anything to do with what I was posting about concerning PayPal finally allowing Android/iOS authentication programs to provide 2FA for people using PayPal. And PayPal and several others allow these authentication apps to work with their own apps on Android/iOS devices, which is much welcomed. They aren't walling their apps off on the phones like some are trying to do, preventing people from utilizing the 2FA they had set up on their computers (desktop, laptop devices).

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#6 Post by 8Geee »

OK, but it is an "I am not a bot" test, which is a form of ID, as GooG uses the hidden data collection.

Regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

Packetteer
Posts: 73
Joined: Sat 12 May 2012, 19:33
Location: Long Island Ny

#7 Post by Packetteer »

When I setup security questions I answer with something that has nothing to do with the question.

For example
What year were you born in? Harry

Also I never use the same answer twice.

Best Regards
John

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#8 Post by 8Geee »

Yup, even short random strings. Great tip.
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

perdido
Posts: 1528
Joined: Mon 09 Dec 2013, 16:29
Location: ¿Altair IV , Just north of Eeyore Junction.?

#9 Post by perdido »

Just because hackers don't always compromise code
https://www.anglerphish.com/single-post ... et-Science


.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#10 Post by belham2 »

perdido wrote:Just because hackers don't always compromise code
https://www.anglerphish.com/single-post ... et-Science


.

Hey, Perdido, you do know the new 2FA is not SMS-based, right?

That article you linked doesn't apply here. Period.

Doesn't anyone read a thread anymore before they are so quick to post??

:roll:

The authentication option finally offered to PayPal users worldwide wasn't rolled out until March of this year (2019), even though it has been available from others.

The only way it can be cracked is if the hacker personally has your phone, and also personally has your thumbprint (which is now used to additionally lock the Microsoft Authenticator app, in addition to your having to get into your phone via a #-digit code and/or your thumbprint).


You do know the article you linked from anglerphish, quoting from the mythical (and quite fictional, btw, since they have used this character over the past few years to try and make a point), only applies to when PayPal (and others) offered the only authentication available: insecure SMS.

PayPal still offers SMS for the sheeple (read: stupid) of its user base, but the majority of knowledgeable & hardcore PayPal users have already flipped to the authentication programs---again, only introduced for PayPal users a few months ago.


Again, it's hard to understand the replies in this thread when they don't address what the thread is first talking about.

perdido
Posts: 1528
Joined: Mon 09 Dec 2013, 16:29
Location: ¿Altair IV , Just north of Eeyore Junction.?

#11 Post by perdido »

belham2 wrote:
perdido wrote:Just because hackers don't always compromise code
https://www.anglerphish.com/single-post ... et-Science


.

Hey, Perdido, you do know the new 2FA is not SMS-based, right?

That article you linked doesn't apply here. Period.

Doesn't anyone read a thread anymore before they are so quick to post??

:roll:

The authentication option finally offered to PayPal users worldwide wasn't rolled out until March of this year (2019), even though it has been available from others.

The only way it can be cracked is if the hacker personally has your phone, and also personally has your thumbprint (which is now used to additionally lock the Microsoft Authenticator app, in addition to your having to get into your phone via a #-digit code and/or your thumbprint).


You do know the article you linked from anglerphish, quoting from the mythical (and quite fictional, btw, since they have used this character over the past few years to try and make a point), only applies to when PayPal (and others) offered the only authentication available: insecure SMS.

PayPal still offers SMS for the sheeple (read: stupid) of its user base, but the majority of knowledgeable & hardcore PayPal users have already flipped to the authentication programs---again, only introduced for PayPal users a few months ago.


Again, it's hard to understand the replies in this thread when they don't address what the thread is first talking about.

Did you understand that I was making an argument in favor of what your thread is about?
Nope, guess not, LOL

.

8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#12 Post by 8Geee »

I do read the posts, and I do check background. Any time a website is not satisfied with user/pass, it is requiring a second factor to authenticate. I think you got caught up in the newspeak these large companies are promoting. Basically, all ANY 2nd factor does is (attempt to) prove that the end-user is the end-user en vivo. Since the dark web can compromise anyone if needed, a robotic means of falsifying ID is clearly the way to advance those bad intentions.

I do claim Captcha/Recaptcha to be a 2nd form of authentication. And some large (and somewhat nefarious) sites use it to prove you are you, and I am me, and not some bot with phished/stolen ID.

In those regards (only) Captcha/Recaptcha actually does work, but the implementation, and resulting data-share is not worthy of trust by any means.

To me its getting rather obvious that each OS/browser needs its own 2nd factor of authentication. Lava lamps by Amazon and Recaptcha by Google illustrate this.

Regards
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."
