Confusing UI design = Recipe for Disaster. Setting up 2FA on our PayPal business account was exactly that. Most payment providers make 2FA mandatory during setup, or at least ask their users to enable it during sign-up itself, but PayPal doesn't. I have no complaints about PayPal's infosec standards: they run a successful bug bounty program on HackerOne and seem to have a very responsive and active security team.

Update

We did some more research and found out that this problem has existed for more than 2 years, yet PayPal has taken no action: https://www.reddit.com/r/paypal/comments/7teop7/twofactor_auth

We have contacted PayPal about this but have not yet received a response.

Users complaining about the issue on PayPal

2FA and Account Compromise

Setting up 2FA is critical for account security, and PayPal accounts are no different; if anything, they are a more interesting target for attackers because of the money attached to them. Enabling 2FA is therefore the most logical first step to prevent unauthorized account access, as every login then requires a TOTP code from an authenticator app such as Google Authenticator or Authy in addition to the password. However, I found this process really hard because of the confusing documentation on PayPal's website.

The process to set up 2FA on PayPal was by far the most difficult, time-consuming and confusing I have encountered, yet once you get to it, you realize how simple it could actually have been. It's the most important step you can take to prevent your PayPal account from being hacked, breached or compromised. In this post, I explain the full process and why it was so confusing.

PayPal's confusing UI design can become a threat to user account security, as it makes it harder for users to set up 2FA for their accounts.

Sh/Could Hardening your PayPal account security be so hard?

But it was, really... I mean REALLY difficult for me to locate their 2FA option. I couldn't spot it anywhere in their UI, and even after several Google searches nothing useful showed up; whatever did was either outdated, totally useless or deprecated.

Confused, I got in touch with their Customer Support, who pointed me to the Settings page and told me a Security page was located there. But... what? I couldn't find one. That's how difficult PayPal makes it to simply add an additional layer of security to your account. This made me wonder: why is it so difficult to enable a simple security feature like 2FA on PayPal? I tried everything, every button and navigation link on their Android and iOS apps too, but failed to locate the 2FA setup page.

Utterly disappointed, I then came across this Help Center article, disguised as a general FAQ about 2FA, and finally found that magic link:

what-is-2-step-verification

Well, there's a catch.

The Catch

When you are logged out, PayPal shows the following 2FA setup instructions in its documentation/help guide:

Logged-out 2FA Setup Guide

However, when you are logged in, the instructions ask you to go to the Profile page and set up 2FA from there; this is the final link that leads to the 2FA setup process. This is how simple it could have been, but confusing documentation on the help pages and equally misleading instructions from customer support made the process incredibly hard and confusing!

Logged-in Profile Page for 2FA Setup

Steps to set up or add 2FA to your PayPal account (Business account users)

  • From the PayPal Profile page navigation, go to the Login and Security page and click Update.
  • After clicking Update, choose your 2FA option. Choose Authenticator, which is more secure than mobile phone (SMS) based 2FA. I prefer Authy; PayPal 2FA should work with most TOTP authenticator apps.
  • Scan the QR code with your authenticator app, or enter the secret key manually.
  • After adding PayPal in the authenticator app, enter the TOTP code it shows on the PayPal website.
  • You have successfully added 2FA to your PayPal account. To make it more secure, you can go ahead and add an SMS 2FA layer as an extra defence too.

Turns out PayPal might have done some UI revamping which effectively concealed the Security page's navigation from the Account Settings page. The whole thing was pretty troublesome for me. But now that I have been able to set up 2FA again, I have my peace of mind back!

How the PayPal CS reacted

Even more disappointing for me was that their customer support staff also failed to guide me on this:

PayPal Customer Support's response

No 2FA Setup available in PayPal Mobile Apps

When I last checked, there was no 2FA setup option in the mobile app UI, which is an eyesore. Every major payment provider allows merchants and business users to set up 2FA right from the mobile app, but I couldn't find the option in either the Android or the iOS app, which is bad from both a security and an accessibility standpoint.

My Opinion

PayPal itself isn't insecure, but these are what I call classic business logic errors. The UI is the first step towards making a better application and giving an overall good experience to the average consumer. Secondly, I had to deal with not-so-knowledgeable customer support staff who explained how to navigate to the 2FA setup, but it turned out that wasn't the actual way. I have probably spent tens of thousands of dollars overpaying PayPal fees, and this is what I get in terms of value for money or ROI: a bad user experience (UX). I'm not blaming anyone, but despite charging so much in fees, PayPal still hasn't been able to provide a proper UI/UX to its clients. There are several pain points in their UI, and not much has changed in the most critical parts of their web app over the past 10-12 years; only some parts of the UI/UX have been revamped, while areas like 2FA setup are harder because of PayPal's extremely clunky and confusing UI.

If app developers don't design the UI properly, they can unintentionally cause losses for their users; in this case, a legitimate user couldn't set up 2FA on their account due to a buggy UI. I strongly feel UI and UX form a core part of an application's security, not just the backend and frontend code. The UI should encourage the user to enable more security features in the app, but in this case it was misleading and confusing.

Harder UI = More Security Issues, effectively

With a harder UI in fine-grained applications with varying levels of access controls, it becomes increasingly harder for users to manage account restrictions and security policies. As in this example, the Security page was hidden from view, which potentially makes a user account more susceptible to compromise. A better and smoother UI ensures a user is able to configure every security setting to its optimal level.

The harder the UI, the more confusion on the part of the user. This can leave organization accounts open to breaches, and evidently a lot of attackers are exploiting misconfigurations in applications that stem from user ignorance.

Closing Thoughts

The entire process was far more painstaking and confusing than it should have been. Thus, building a more intuitive and proper UI matters more from a user security point of view than a confusing, feature-loaded, loosely designed product. Also, security features like 2FA should be mandated in applications dealing with payments and high-value transactions in general. Because a UI revamp or refactor missed putting the Security link in the navigation, users can miss the 2FA setup, and those using weak credentials can end up getting hacked, which is how hundreds of thousands of PayPal accounts and credit card data (aka "fullz") end up getting stolen and sold on darknet marketplaces.

How can we help?
SaveBreach conducts in-depth security research, bug hunting, and security consultancy. Through our years of experience and keen eyes, we have noticed the pain points of users and technical security vulnerabilities in applications that neither developers, automated software nor security engineers could spot. It would be no different in your case if you give us a chance to analyze the flaws in your product. Say "Hi" to us at hi [at] savebreach.com.