• Re: PayPal do not understand security

    From Richard Kettlewell@21:1/5 to Sylvia Else on Thu May 12 13:02:48 2022
    Sylvia Else <sylvia@email.invalid> writes:
    I asked that all methods of resetting my password be disabled, since I
    am not going to forget it, and I view the various reset methods as
    being highly insecure.

    They are not going to change their authentication system for your niche
    use case.

    I'm not aware of any computationally feasible way to get a matching
    password for a salted SHA-256 representation of a reasonably long
    random sequence of characters.

    Depends how many rounds of SHA256 are used.

    But there is plenty of residual risk even after adequately securing the
    backend password storage. An attacker may install a keylogger on the
    victim’s computer (or some other form of compromise). They may fool the
    user into typing into an attacker-controlled web page (i.e. by phishing).

    --
    https://www.greenend.org.uk/rjk/

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Sylvia Else@21:1/5 to All on Thu May 12 21:54:53 2022
    I asked that all methods of resetting my password be disabled, since I
    am not going to forget it, and I view the various reset methods as being
    highly insecure.

    Here's their reply:

    ------------------------------------------------

    Hi Miss Sylvia. This is XXXXX. Thank you for contacting us.

    Due to security reasons and for the safety of all our PayPal customers,
    the option to disable all methods of password recovery cannot be granted.

    There are occasions in which hackers were able to get the passwords of
    the customers. So our customers need to change their passwords to stop
    hackers from accessing their accounts; to prevent their accounts from
    being compromised.

    I know that this may be annoying. But the safety and the security of our
    PayPal customers are our top priority, which is why disabling the
    password recovery method can never be removed (sic).

    It's not a matter of memorising the password indefinitely but the high
    probability of any stranger accessing their passwords. No matter how
    complicated the password is, there are some hackers who use advanced
    methods that enable them to still figure out the customer's passwords.

    That's why a number of institutions and individuals change their
    passwords from time to time and that kept their PayPal accounts safe and
    secured for a very long time.

    Hoping for your understanding. Thank you for contacting PayPal.
    -----------------------------------------------

    So sending an SMS code via a third party they don't control is secure?
    Ditto an email?

    I'm not aware of any computationally feasible way to get a matching
    password for a salted SHA-256 representation of a reasonably long
    random sequence of characters.

    In any case, if a hacker manages to obtain a password by whatever means,
    they are going to make use of it immediately, so changing passwords is
    unhelpful.

    Sylvia.

  • From Dan Espen@21:1/5 to Richard Kettlewell on Thu May 12 12:05:02 2022
    Richard Kettlewell <invalid@invalid.invalid> writes:

    Sylvia Else <sylvia@email.invalid> writes:
    I asked that all methods of resetting my password be disabled, since I
    am not going to forget it, and I view the various reset methods as
    being highly insecure.

    They are not going to change their authentication system for your niche
    use case.

    Agree.

    I doubt their software has the ability to create passwords that can't
    change. The whole idea sounds like a mis-feature.


    --
    Dan Espen

  • From Adrian Caspersz@21:1/5 to Sylvia Else on Thu May 12 17:21:46 2022
    On 12/05/2022 12:54, Sylvia Else wrote:
    I asked that all methods of resetting my password be disabled, since I
    am not going to forget it, and I view the various reset methods as
    being highly insecure.

    Here's their reply:

    ------------------------------------------------

    Hi Miss Sylvia. This is XXXXX. Thank you for contacting us.

    Due to security reasons and for the safety of all our PayPal customers,
    the option to disable all methods of password recovery cannot be granted.

    There are occasions in which hackers were able to get the passwords of
    the customers. So our customers need to change their passwords to stop
    hackers from accessing their accounts; to prevent their accounts from
    being compromised.

    I know that this may be annoying. But the safety and the security of our
    PayPal customers are our top priority, which is why disabling the
    password recovery method can never be removed (sic).

    Do you need to use PayPal then?

    When setting up some accounts, for password recovery purposes other
    entities allow you to download a set of codes that can be printed to be
    securely kept sellotaped under the dog's feeding bowl.

    These _only_ can be used to get back into the account.

    However, print it out. Give it to the dog to eat, and then you'll have
    your secure account.


    --
    Adrian C

  • From Rich@21:1/5 to Adrian Caspersz on Thu May 12 19:06:08 2022
    Adrian Caspersz <email@here.invalid> wrote:
    On 12/05/2022 17:21, Adrian Caspersz wrote:


    These _only_ can be used to get back into the account.

    However, print it out. Give it to the dog to eat, and then you'll have
    your secure account.


    Ah, I see Paypal are asking for answers for two previously chosen questions.

    Be creative, don't have to be so truthful.

    This is the part that trips many up with the "recovery questions".
    They take the questions too literally.

    Give them the name ya first pet as 'Donald Trump' and ya first school
    as 'School of Life'.

    Or use a long string of random characters in ya answers and give the
    poor sod on the phone a hard time rekeying them.

    I've seen reports (sorry, I no longer remember what blog/site for
    citations) that when calling and talking to customer service reps,
    attackers can get the service rep to "bypass" the "long string of random
    characters" by telling the rep something like "I just banged out a bunch
    of random keys", and the service rep accepts that as an answer. So it is
    better to use a random assemblage of words; then at least you might be
    protected from someone sweet-talking their way past a customer service
    rep.

    What I do for those questions, for sites that demand them, is this:

    $ sort --random-sort --random-source=/dev/urandom /usr/dict/words | head -5 | tr $'\n' " " ; echo
    cottonseed suction architect supplants highways

    And then "cottonseed suction architect supplants highways" goes in the
    field, and in the notes box in my password manager for the site's
    entry, so later, if needed, I have a record of what was used. Adjust
    size given to "head" for number of words desired.

    Hopefully someone sweet-talking with "just mashed random keys" won't be
    allowed past by the service rep. And hopefully by being real words,
    the rep. will insist on the attacker repeating the actual words.

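A function form of the one-liner Rich describes, added here as an example (not code from the thread): it falls back to a constructed word list when no dictionary file exists, keeps only plain lowercase words a rep can read back, and estimates the entropy of the answer. It assumes GNU sort and the usual /usr/share/dict/words or /usr/dict/words locations.

```shell
#!/bin/sh
# Added example: random-word answers for "security questions", as a
# function rather than a one-liner. Same idea as Rich's sort | head | tr
# pipeline, plus a fallback list, a word filter and an entropy estimate.

# Constructed fallback word list, used only when no dictionary is found.
FALLBACK_WORDS="cottonseed suction architect supplants highways lantern
granite velvet compass orchard saddle timber meadow copper falcon harbour"

# Print the candidate words: the system dictionary if readable, otherwise
# the fallback. Keep only lowercase alphabetic words of 4 to 10 letters so
# the answer is unambiguous when read aloud to a service rep.
wordlist() {
    if [ -r /usr/share/dict/words ]; then
        cat /usr/share/dict/words
    elif [ -r /usr/dict/words ]; then
        cat /usr/dict/words
    else
        printf '%s\n' $FALLBACK_WORDS
    fi | grep -E '^[a-z]{4,10}$'
}

# answer [N]: print N words (default 5) chosen at random from /dev/urandom,
# space-separated on one line, e.g. "cottonseed suction architect ...".
answer() {
    n=${1:-5}
    wordlist | sort --random-sort --random-source=/dev/urandom \
        | head -n "$n" | tr '\n' ' ' | sed 's/ $//'
    echo
}

# bits [N]: approximate entropy of an N-word answer, N * log2(list size),
# rounded down. awk does the floating point that sh lacks; the tiny epsilon
# guards against 3.999... for exact powers of two.
bits() {
    n=${1:-5}
    wordlist | wc -l \
        | awk -v n="$n" '{ printf "%d\n", int(n * log($1) / log(2) + 1e-9) }'
}

# Stand-alone use: print one five-word answer and its strength.
if [ "${ANSWER_DEMO:-}" = 1 ]; then
    a=$(answer 5)
    printf '%s  (~%s bits)\n' "$a" "$(bits 5)"
fi
```

Store the generated words in the password manager notes for the site, as Rich does, since there is no other way to recover them.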
  • From Adrian Caspersz@21:1/5 to Adrian Caspersz on Thu May 12 19:55:23 2022
    On 12/05/2022 17:21, Adrian Caspersz wrote:


    These _only_ can be used to get back into the account.

    However, print it out. Give it to the dog to eat, and then you'll have
    your secure account.


    Ah, I see Paypal are asking for answers for two previously chosen questions.

    Be creative, don't have to be so truthful. Give them the name ya first
    pet as 'Donald Trump' and ya first school as 'School of Life'.

    Or use a long string of random characters in ya answers and give the
    poor sod on the phone a hard time rekeying them.

    --
    Adrian C

  • From Bob Eager@21:1/5 to Rich on Thu May 12 23:14:12 2022
    On Thu, 12 May 2022 19:06:08 +0000, Rich wrote:

    $ sort --random-sort --random-source=/dev/urandom /usr/dict/words | head -5 | tr $'\n' " " ; echo
    cottonseed suction architect supplants highways

    I use dicewords (the improved list) and a set of casino dice.

    --
    Using UNIX since v6 (1975)...

    Use the BIG mirror service in the UK:
    http://www.mirrorservice.org
