Two factor authentication (2FA) is an amazing invention. It can significantly increase the security of your online accounts without significantly increasing the hassle of logging in. Popular 2FA algorithms are available in both free software and proprietary
This weekend, I reverse engineered Symantec's proprietary 2FA token solution with the goal of creating a free software

Why did I do this? Well, like many people in the world, I use PayPal to send and receive money. To protect the security of my account, I use 2FA. When you use 2FA, the service provider presents a barcode to you that you can scan with any one of a number of applications (Authy, Duo Mobile, FreeOTP, Google Authenticator, etc.).
Symantec Validation and ID Protection Service (formerly Verisign Identity
of managing a database of user tokens, so they went with Symantec's managed

My problem with this is that, while I can use Authy for all of my other accounts, I need to use the VIP Access app for PayPal only. Having multiple apps that do essentially the same thing seemed inefficient. The VIP Access app for iOS is pretty ugly (in my opinion). I would prefer to have all of my tokens generated with one.

Since it appeared as though no one else had done so, I decided to reverse engineer Symantec's VIP client myself.

I originally started working on this project around this time last year.
worked on it on and off for a few months, but I never made much progress.
was partially due to the fact I was attempting to de-obfuscate a heavily
I eventually got tired of that project and set
That "rainy day" came earlier this year when I saw this post, in which someone reversed their bank's obfuscated Android 2FA application in order to create a hardware token for it. Interestingly enough, the obfuscation used in that application was strikingly similar to the kind I found the VIP Access Android app using. Despite this newfound knowledge, I was still unable to deobfuscate many of the important portions of the application.
I still thought that VIP Access used a proprietary algorithm to generate one
Earlier this month, I found this script, in which I learned that VIP Access didn't use a proprietary algorithm to generate the tokens.
learned that Symantec had released VIP Access applications for OS X and
While this token extractor would have almost fit my needs, I really didn't want to have to rely on Symantec's proprietary client in order to
Plus, this script only works on OS X, so Linux and Windows users would be unable to extract their keys.

I’ve been using 2FA on PayPal since 2007, when they introduced the feature with a modestly priced physical token. I later switched to a free soft token, specifically the Symantec VIP app, which I wrote about back in 2013. But it’s March December 2020 and it’s time to take another look at the state of 2FA on PayPal.

Unsurprisingly, the instructions I wrote in 2013 to set up the Symantec VIP app on PayPal no longer work… or do they? On the current PayPal website, someone who navigates to Settings, Security, 2-step verification, and clicks Add a device, will only have the choice to set up a TOTP app such as Google Authenticator or Authy. This is a feature PayPal apparently added in 2019. However, with some quick Googling I found a link to the Activate your PayPal security key page from my previous article, and it still works (and looks) like it did in the past!

This raises the question, why bother with this? In the past several years, many websites have implemented 2FA using TOTP apps, so I think most people are probably better off using it instead of Symantec VIP. One interesting option is if someone wanted to use a physical token, they could buy a Symantec Authenticator, which is still available on Amazon, and apparently still works on PayPal. For most people, though, TOTP is the right in 2020.

Update (2021 May 10): I received an email recently from PayPal explaining that they are dropping support for Symantec VIP on June 25. It recommends switching to a TOTP app or SMS, and includes instructions to do so.