In an ideal security world (an oxymoron, admittedly), vendors do not confirm or even acknowledge security holes until they have been fixed. Why encourage the bad guys any more than is necessary? Indeed, the hole that exists after a bug has been discovered and publicized and before it has been patched is the most dangerous possible timeframe for an intrusion, where cyberthieves globally are trying to use that hole before it’s been closed.
Therefore, PayPay must either see the now-widely-publicized two-factor authentication hole as especially dangerous or something that will take a very long time to fix—or both. Alternatively, it might see the bug as generating such intense fear that diluting that fear—and the resultant drop in transactions—is worth the security fix. This all comes from the fact that PayPal has now conceded the bug’s existence publicly.
“We are aware of a two-factor authentication (2FA) issue that is limited to a small amount of integrations with Adaptive Payments,” PayPal said in a statement.
The company’s argument is that two-factor authentication is an attractive additional security layer, but it’s not essential, as the core password system is still intact. The 2FA hole that was released is predicated on the attacker somehow already having the username and password. Although there are several ways that an attacker could possess such data, PayPal makes a legitimate point that the need for those credentials is a non-trivial break-in impediment.
“2FA is an extra layer of security some customers have chosen to add to their PayPal accounts. We are working to get the issue addressed as quickly as possible,” the statement said. “It is important to clarify that 2FA provides extra assurance to keep accounts secure, however usernames and passwords are still required to gain access to all PayPal accounts.”
PayPal then makes an interesting—albeit non-intuitive—argument that if you don’t use two-factor, you’re fine. Although that’s certainly true, it’s an odd security defense, akin to a deadbolt lock company addressing concerns that it’s pick-proof lock can in fact be easily picked by saying, “If you don’t lock your doors at night, this problem won’t impact you. So you’re fine.”
From the PayPal statement: “Customers who do not use the PayPal security key (physical card or SMS codes) as an additional step to log into their accounts are not impacted in any way. If you have chosen to add 2FA to your PayPal account, your account will continue to operate as usual on the vast majority of
PayPal product experiences. We have extensive fraud and risk detection models and dedicated security teams who work to help keep our customers’ accounts secure from fraudulent transactions, everyday. We apologize for any inconvenience caused to affected customers who use our 2FA process and we will continue to work hard to address this issue.”
PayPal does deserve brownie points for an impressively creative security breach response, but until they fully fix this issue, that will be of little comfort to shoppers who get burned.