Confusing UI design = Recipe for Disaster – Setting up 2FA on our PayPal business account was exactly that. Usually most payment providers make 2FA a mandate in the setup process, or, at least asks its users to set it up during sign up itself, but PayPal doesn't. I have no complaints about PayPal's Infosec standards as they have been running a successful bug bounty program on Hackerone and seem to have a very responsive and active security team.
Update
We did some more research and found out this problem has been there for more than 2 years now yet no action from PayPal's end – https://www.reddit.com/r/paypal/comments/7teop7/twofactor_auth
We haven't received any response from PayPal yet but have gotten in touch with them regarding the same.
2FA and Account Compromise
Setting up 2FA is really critical for account security, and PayPal accounts are no different – naturally, they are a more interesting target for hackers due to the price tag attached to them. Thus, enabling 2FA in the first place would be the most logical step to prevent unauthorized account intrusions and account hacks, as every log in would require a TOTP code from an authenticator app like Google Authenticator or, Authy as part of the 2FA process. However, I found this process really hard due to the confusing documentation on PayPal website.
The process to setup 2FA on PayPal for account security was by far the most difficult, time consuming and confusing process ever but when we get to it... you can realize how simple it could have actually been. Its the most important step to take to prevent getting your PayPal account hacked or, breached or, compromised. In this post, I have explained the full process and why it was so confusing.
PayPal's confusing UI design can become a threat to user account security as it makes it harder for users to setup 2FA for their accounts.
Sh/Could Hardening your PayPal account security be so hard?
But it was, really... I mean REALLY difficult for me to locate their 2FA option. I couldn't spot it anywhere in their UI even after several Google searches about this, nothing showed up – whatever did was either too outdated or, totally useless or, deprecated.
Confused, I got in touch with their Customer Support who pointed me to their the Settings page, and told a Security page was located there. But... what? I couldn't find one. Weird, that's how difficult PayPal makes it to simply add an additional layer of security to your account. This made me wonder, why is it so difficult to enable a simple security feature like 2FA on PayPal? I tried everything, every button and navigation links on their Android and iOS apps too but failed to locate the 2FA setup page.
Utterly disappointed, when I came across this Help Center Article which was disguised in the form of a general FAQ about 2FA but, finally I found that magic link! –
Well, there's a catch.
The Catch
When you are logged out, PayPal would show the following 2FA Setup process instructions in their Documentation/Help Guide –
However, when you are logged in, the instructions asked you to go to profile page and setup 2FA from there – this is the final link that leads to the 2FA setup process. This is how simple it could have been, but confusing documentation on the help pages and equally misleading instructions given by customer support made the process incredibly hard and confusing!
Steps to setup or, add 2FA to your PayPal account (Business account users)
- Click on Update after navigating to Login and Security page from PayPal Profile page navigation
- After clicking on Update, choose your 2FA option. Choose Authenticator which is more secure than mobile phone based 2FA. I prefer Authy. PayPal 2FA should work with most TOTP authenticator apps.
- Scan the code with your Authenticator app or, manually enter the code
- Enter the TOTP code on PayPal website after adding PayPal in the Authenticator app,
- You have succesffully added 2FA to your PayPal account. To make it more secure, you can go ahead and add SMS 2FA layer as extra defence too.
Turns out PayPal might have done some UI revamping which effectively resulted in concealing the Security page's navigation from Account Settings page. The whole thing was pretty troublesome for me. But now that I was able to setup 2FA back again, I have got back my peace of mind back!
How the PayPal CS reacted
However, for me it was even more disappointing was when even their customer support staff too failed to guide me in this regard –
No 2FA Setup available in PayPal Mobile Apps
When I last checked, there was no 2FA setup option in the mobile app UI which is an eye sore. Every major payment provider allows merchants and business users to setup 2FA right from the mobile – but I couldn't find the option in either of the apps – neither Android nor iOS which is bad from a security and accessibility standpoint.
My Opinion
PayPal itself isn't insecure but these are what I call – classic business logic errors. The UI is the first step towards making a better application and give an overall good experience to the average consumer. Secondly, I had to face a not-so knowledgeable customer support staff who explained how to navigate to 2FA setup, but turns out that's not the actual way. I have spent probably tens of thousands of dollars overpaying PayPal fees and this is what I get in terms of value for money or, my ROI, a bad user experience (UX). I'm not blaming anyone – but despite charging so much in fees, PayPal still hasn't been able to provide a proper UI/UX to its clients. There are several pain points in their UI, and nothing much has changed in most critical parts of their web app since the past 10-12 years, only some parts of the UI/UX has been revamped but some areas like 2FA setup are harder because of PayPal's extremely clunky and confusing UI.
If app developers don't design the UI properly, they can unintentionally cause losses on the part of their users – as in this case, a legitimate user couldn't setup 2FA on their account due to a buggy UI. I strongly feel UI and UX form a core part of an Application's security and not just the backend and frontend parts involving code. The UI features should encourage the user to enable more security features in the app, but in this case – it was misleading and confusing.
Harder UI = More Security Issues, effectively
With harder UI in fine grained applications with varying levels of access controls, it becomes increasingly harder for users to manage account restrictions and security policies. As in this example, the Security page was hidden from the view which potentially makes a user account more susceptible to compromise. A better and smooth UI ensures a user is able to setup every security setting to optimal level.
Harder the UI = More the confusion on the part of the user. This can leave organization accounts open to breaches and evidently a lot of hackers are exploiting misconfigurations in application due to user ignorance.
Closing Thoughts
The entire process was far more painstaking and confusing, than how simple it should have been on the contrary. Thus, making a more intuitive and proper UI is very important from user security point of view than a confusing feature-loaded loosely designed product. Also, security features like 2FA should be mandated in applications dealing with payments and high value transactions in general. Due to a UI revamp or, refactor, that missed putting into place the Security link in Navigation, users can miss the 2FA setup and for those using weak credentials can end up getting hand – which is how hundreds of thousands of PayPal accounts and Credit Card data aka Fullz end up getting hacked and sold on darknet marketplaces.
How we can help?
SaveBreach conducts in-depth security research, bug hunting, and security consultancy. Through our years of experience and keen eyes, we noticed the pain points of users and technical security vulnerabilities in applications that neither developers, nor automated software nor security engineers could spot. It would be no different in your case if you give us a chance to analyze the flaws in your product. Say us "Hi" at hi [at] savebreach.com.