White Collar Handyman
Hey! We've moved to a new URL to better reflect who we are and what we do! Please visit Rob Falk Technology Concierge Services at http://robfalk.net and update your bookmarks.

Tuesday, August 5, 2014

The Argument for Phony Security Question Answers (Again)

A seventeen-year-old kid in Australia recently bypassed PayPal's two-factor authentication. This should be troubling news to anyone who engages in financial transactions on the Internet. I've written a thing or two about password management and security online and have been a strong advocate of two-factor authentication, hailing it as "state of the art" consumer-level security.

Two-factor authentication is supposed to mean that "even if someone succeeds in hacking your password, they won't be able to log in to your account from a device that you haven't already approved. The log in won't be allowed until after you receive a text message on your cellphone with a code, which must then be entered in addition to the password." But, not so at PayPal, according to our junior jackaroo.

What happened at PayPal?

As many are aware, PayPal is owned by eBay. As a convenience for their users (i.e., to encourage their users to use PayPal for everything) eBay provides their users with a direct link to their PayPal accounts. Here's the fly in that ointment: apparently eBay does not check to see whether two-factor authentication is enabled before allowing anyone who manages to log in to eBay to shoot right into the linked PayPal account with just a username/password combo.

That may not seem like such a big security hole, since it requires the crook to have your username/password combination at two sites, but that's really not that far-fetched if a hacker has already gained access to the victim's computer.

It gets worse. According to PCWorld, "The payment processor's two-factor authentication could potentially be defeated in other ways. For example, if a user doesn't have a way to receive the six-digit code, PayPal allows them to skip it and instead answer two security questions." Given that most security questions ask things like "Where were you born?" and "Where did you go to high school?", the illusion of two-factor authentication becomes more and more mirage-like.

I've shared the answer before, but it's time to share it again: How about using your random password generator to come up with a short but random string of characters, and saving it in your password management app?

Mother's maiden name? oL-eF-yeph
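A small generator in the spirit of that suggestion, added here as an example and not the author's own code: it produces a random, letters-only answer in the same shape as the one above, reports how many bits of guessing entropy it carries, and packages it as a record you could paste into a password manager's notes field. The site name and question are constructed sample values.

```python
import math
import secrets
import string

# Mixed-case letters only. Assumption: some sites reject digits or
# punctuation in security-question answers, so letters are the safe bet.
ALPHABET = string.ascii_letters


def random_answer(group_sizes=(2, 2, 4), rng=secrets):
    """Return a random security-question answer shaped like 'oL-eF-yeph'.

    group_sizes controls how the letters are grouped with hyphens; the
    default (2, 2, 4) mirrors the example in the post. The hyphens add no
    entropy, they only make the string easier to read back to a support
    agent over the phone. rng must provide choice(); secrets is used by
    default because random.choice is not suitable for secrets.
    """
    groups = ["".join(rng.choice(ALPHABET) for _ in range(n)) for n in group_sizes]
    return "-".join(groups)


def entropy_bits(answer):
    """Guessing entropy of an answer drawn uniformly from ALPHABET.

    Only the random letters count; the hyphens are fixed separators.
    Eight letters give about 45.6 bits, far beyond the handful of bits
    a birthplace or high school offers once someone has looked you up.
    """
    letters = answer.replace("-", "")
    return len(letters) * math.log2(len(ALPHABET))


def vault_entry(site, question, answer):
    """Record to store alongside the site's login in the password manager."""
    return {
        "site": site,
        "question": question,
        "answer": answer,
        "entropy_bits": round(entropy_bits(answer), 1),
    }


if __name__ == "__main__":
    # Constructed sample: one entry for a PayPal-style security question.
    print(vault_entry("paypal.com", "Mother's maiden name?", random_answer()))
```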