funsec mailing list archives
Re: PayPal Plans Payments Via Text Message?
From: "Fergie" <fergdawg () netzero net>
Date: Thu, 23 Mar 2006 14:05:07 GMT
Come on, now -- you obviously know that 99% of people choose familiar numbers for their PINs (e.g. last 4 digits of SSN, street address, etc.). What makes you think this will be any different? Methinks it will be only a _very_ short time before problems surface in this regard.

This is not to necessarily poo-poo PayPal for doing it, at least any more than the blame is to be made with stupid users for picking easily guessable PINs. ;-)

- ferg

ps. w.r.t. keyloggers and/or malware on cellphones, that is certainly possible -- never underestimate the ingenuity of tech-crooks when there is money involved. And I'll bet you nickels-to-donuts that bluetooth will somehow exacerbate the problem. ;-)

-- "Mark P. Fister" <mark () fister org> wrote:

> On Thu, Mar 23, 2006 at 02:22:25AM +0000, Fergie wrote:
>
> > Despite the frustrating lack of details here, the article goes on to say that "Users will first have to register their mobile devices with PayPal's Web site and select a code to protect them against unauthorized users." Wow. Does this sound like a potential avenue for abuse, or what? ;-)
>
> The potential you're probably thinking of is this:
>
> 1. Cell phone is stolen.
> 2. Thief finds out you have sent payments with this phone before (payment initiation messages may be in your Outbox if not deleted).
> 3. Thief tries to send money to his/her own mobile device in order to drain the PayPal account of the owner of the stolen mobile phone.
>
> There are two problems with the above attack vector:
>
> 1. PIN-guess-attacks are the only type of abuse possible if the attacker does not know the PIN, because of the way PayPal implemented the callback technology for payment verification. In other words, I could initiate a payment, but I'd have to guess the PIN in order to confirm the payment when PayPal's automated system calls me back.
> 2. You have to know that PayPal's anti-theft algorithms would detect many wrong PIN guesses in a row, and would therefore automatically disable the cell phone's use for sending payments.
> 3. The owner may login to PayPal and disable the mobile device once it is stolen.
>
> Therefore, unless I'm missing something obvious, sending payments via phone should be secure.*
>
> -- Mark P. Fister
> http://www.fister.org
> Skype: callme://FisterDotOrg
>
> * Notwithstanding things like:
> a) Someone seeing you entering your PIN when confirming a payment.
> b) A hacker having technology that can record your audible key presses and then guess the PIN either by the tone emitted by the phone or the tactile sound of the buttons being pushed.
> c) A hacker having somehow installed a keylogger on your phone, where the keystrokes are messaged out to the hacker's phone (perhaps this was done after stealing your phone but before giving it back to you or by mobile worm/trojan/etc.).
>
> I'm not really sure how this is different than a hacker installing a keylogger on your PC and watching you access www.paypal.com, but this is the only "avenue for abuse" that I can think of. Does anyone know how fruitful this could be?

-- "Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg () netzero net or fergdawg () sbcglobal net
ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
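Mark's second point (many wrong PIN guesses in a row disable the phone for payments) and Fergie's point about familiar-number PINs, as an added illustration that is not code from either poster or from PayPal: a registration check that rejects obviously guessable PINs, plus the callback confirmation step that locks the device after a fixed number of consecutive failures. The lockout threshold, the weak-PIN rules, the PBKDF2 storage and the phone-number format are all assumptions, since the thread gives no details of PayPal's actual implementation.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed policy: the thread only says "many wrong guesses in a row"; the real threshold is unknown.
MAX_FAILED_ATTEMPTS = 3
DIGITS = "0123456789"


def is_weak_pin(pin: str, phone_number: str) -> bool:
    """Reject PINs a thief holding the phone would try first (assumed rules, not PayPal's)."""
    if not (pin.isdigit() and len(pin) == 4):
        return True                      # only 4-digit numeric PINs are accepted here
    if len(set(pin)) == 1:
        return True                      # 0000, 1111, ...
    if pin in DIGITS or pin in DIGITS[::-1]:
        return True                      # 1234, 6789, 9876, ...
    return pin == phone_number[-4:]      # last 4 digits of the registered phone number


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked device record does not expose the PIN directly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


@dataclass
class MobilePaymentDevice:
    phone_number: str
    pin_hash: bytes
    salt: bytes
    failed_attempts: int = 0
    enabled: bool = True


def register_device(phone_number: str, pin: str) -> MobilePaymentDevice:
    """Step 'select a code': refuse weak PINs at registration time."""
    if is_weak_pin(pin, phone_number):
        raise ValueError("PIN is too easy to guess")
    salt = os.urandom(16)
    return MobilePaymentDevice(phone_number, hash_pin(pin, salt), salt)


def confirm_payment(device: MobilePaymentDevice, pin_entered: str) -> bool:
    """Callback step: the payment goes through only if the device is enabled and the PIN matches.
    Each wrong guess counts; reaching the threshold disables the device for payments."""
    if not device.enabled:
        return False
    if hmac.compare_digest(hash_pin(pin_entered, device.salt), device.pin_hash):
        device.failed_attempts = 0       # a correct PIN resets the consecutive-failure counter
        return True
    device.failed_attempts += 1
    if device.failed_attempts >= MAX_FAILED_ATTEMPTS:
        device.enabled = False           # owner must re-enable via the web site (not modelled)
    return False
```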