funsec mailing list archives

Re: PayPal Plans Payments Via Text Message?


From: "Fergie" <fergdawg () netzero net>
Date: Thu, 23 Mar 2006 14:05:07 GMT

Come on, now -- you obviously know that 99% of people choose
familiar numbers for their PINs (e.g. last 4 digits of SSN, street
address, etc.).

What makes you think this will be any different? Methinks it
will be only a _very_ short time before problems surface in this
regard.

This is not to necessarily poo-poo PayPal for doing it, at least
any more than the blame is to be made with stupid users for picking
easily guessable PINs. ;-)

- ferg

ps. w.r.t. keyloggers and/or malware on cellphones, that is certainly
possible -- never underestimate the ingenuity of tech-crooks when there
is money involved. And I'll bet you nickels-to-donuts that bluetooth
will somehow exacerbate the problem. ;-)


-- "Mark P. Fister" <mark () fister org> wrote:

On Thu, Mar 23, 2006 at 02:22:25AM +0000, Fergie wrote:
Despite the frustrating lack of details here, the article goes on
to say that "Users will first have to register their mobile devices
with PayPal's Web site and select a code to protect them against
unauthorized users."

Wow. Does this sound like a potential avenue for abuse, or what? ;-)

The potential you're probably thinking of is this:

1. Cell phone is stolen.
2. Thief finds out you have sent payments with this phone before (payment
   initiation messages may be in your Outbox if not deleted).
3. Thief tries to send money to his/her own mobile device in order to drain
   the PayPal account of the owner of the stolen mobile phone.

There are two problems with the above attack vector:

1. PIN-guess-attacks are the only type of abuse possible if the attacker does
   not know the PIN, because of the way PayPal implemented the callback
   technology for payment verification.  In other words, I could initiate
   a payment, but I'd have to guess the PIN in order to confirm the payment when
   PayPal's automated system calls me back.

2. You have to know that PayPal's anti-theft algorithms would detect
   many wrong PIN guesses in a row, and would therefore automatically
   disable the cell phone's use for sending payments.

3. The owner may log in to PayPal and disable the mobile device once it is
   stolen.

Therefore, unless I'm missing something obvious, sending payments via phone
should be secure.*

-- 
Mark P. Fister
http://www.fister.org
Skype: callme://FisterDotOrg

* Notwithstanding things like:

  a) Someone seeing you entering your PIN when confirming a payment.
  b) A hacker having technology that can record your audible key presses and
     then guess the PIN either by the tone emitted by the phone or the tactile
     sound of the buttons being pushed.
  c) A hacker having somehow installed a keylogger on your phone, where the
     keystrokes are messaged out to the hacker's phone (perhaps this was done
     after stealing your phone but before giving it back to you or by mobile
     worm/trojan/etc.).  I'm not really sure how this is different than
     a hacker installing a keylogger on your PC and watching you access
     www.paypal.com, but this is the only "avenue for abuse" that I can think
     of.  Does anyone know how fruitful this could be?

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/
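The thread argues that a stolen phone only buys the thief a PIN-guessing game, and that the game is short because repeated wrong guesses disable the device, while weak PIN choice is the user's side of the problem. The following is an added example of how such a confirmation service can be modelled on the defender's side; it is not PayPal's code and is not from either poster. The lockout threshold, the PBKDF2 parameters, the phone numbers and the small weak-PIN blocklist are all constructed for the example.

```python
"""Added example (not PayPal's implementation): PIN-confirmed payment with
weak-PIN rejection at registration, hashed PIN storage, and a lockout that
disables the device after repeated wrong guesses, plus the owner's manual
disable. All thresholds and sample values below are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3      # assumption: lock the device on the third wrong PIN
PBKDF2_ROUNDS = 50_000       # assumption: slows offline guessing if the store leaks
# Constructed blocklist of 'familiar' PINs; a real deployment would use a
# list derived from actual leaked-PIN frequency data.
BLOCKLISTED_PINS = {"2580", "1212", "2000", "1990"}


def is_weak_pin(pin: str) -> bool:
    """Reject the PINs the thread calls 'familiar numbers': non-4-digit input,
    repeated digits, straight ascending/descending runs, and the blocklist."""
    if not (pin.isdigit() and len(pin) == 4):
        return True
    if len(set(pin)) == 1:                       # 0000, 1111, ...
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):                     # 1234, 9876, ...
        return True
    return pin in BLOCKLISTED_PINS


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked device table does not expose PINs directly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class MobileDevice:
    phone_number: str
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    enabled: bool = True


class PaymentPinService:
    """Tracks registered devices and the PIN callback state for each one."""

    def __init__(self) -> None:
        self.devices: dict[str, MobileDevice] = {}

    def register(self, phone_number: str, pin: str) -> None:
        """Step one in the article: register the device and choose a code."""
        if is_weak_pin(pin):
            raise ValueError("PIN rejected: too easy to guess")
        salt = os.urandom(16)
        self.devices[phone_number] = MobileDevice(phone_number, salt, hash_pin(pin, salt))

    def confirm_payment(self, phone_number: str, pin_entered: str) -> str:
        """The callback step: the PIN typed into the phone confirms a payment.
        Returns 'confirmed', 'rejected' or 'device_disabled'."""
        dev = self.devices[phone_number]
        if not dev.enabled:
            return "device_disabled"
        if hmac.compare_digest(hash_pin(pin_entered, dev.salt), dev.pin_hash):
            dev.failed_attempts = 0               # a good PIN resets the counter
            return "confirmed"
        dev.failed_attempts += 1
        if dev.failed_attempts >= MAX_FAILED_ATTEMPTS:
            dev.enabled = False                   # lockout: no further guesses
            return "device_disabled"
        return "rejected"

    def disable_device(self, phone_number: str) -> None:
        """The owner's own kill switch after the phone is stolen."""
        self.devices[phone_number].enabled = False


if __name__ == "__main__":
    svc = PaymentPinService()
    svc.register("+1-555-0100", "7391")         # constructed sample device
    for guess in ("0000", "1111", "9999", "7391"):
        print(guess, "->", svc.confirm_payment("+1-555-0100", guess))
```

Note that the counter is per device and is reset only by a correct PIN, so the thief's budget is the lockout threshold regardless of how many payments they try to initiate; the owner's `disable_device` covers the case where the guesses have not yet hit the limit.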


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

