Sunday, January 30, 2011

An Open Letter to the PayPal folks responsible for API security and that kind of thing

Warning: This is a technically oriented rant. It has nothing to do with the money side of PayPal. It is simply about things that shouldn't happen the way they currently do.

Dear Geeks That Work for PayPal:

I don't know if you people are lazy, or stupid, or simply use cost-benefit analysis before you fix the stupidest dumbest fucking things that plague your platform. Somebody came up with an amazing idea: let's add two-factor authentication, and the sonofabitch works just right. I have used your two-factor mechanism with SMS on no fewer than two carriers, and the VIP token application on iPhone, Blackberry and Android, and they all do the job perfectly.

The problem is that you have external apps that rely on authenticating with PayPal, and these apps can't handle the two-factor authentication.

The first time this happened, it was with the older version of Blackberry App World. I assumed that this was the BBAW programmers not implementing the mechanism correctly. It is so fucking stupid that you are expected to open the login window from BBAW, type your password, then switch to the VIP app to get a token, then switch back, append that to the end of the password, and manage to send the login request before the token expires (tokens last 30 seconds).

Good luck with that. Eventually some kind soul at RIM decided to allow other payment methods, which meant I was able to purchase my first BBAW app many months after I had owned a Blackberry device. Dumbasses.
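To make the timing problem in the password-plus-token flow concrete, here is an added example that is not PayPal's or VeriSign VIP's code: it assumes a generic RFC 6238 time-based token (HMAC-SHA1, 30-second step, 6 digits), which the real VIP credential may not use. It shows how a verifier that accepts the appended token only for the current 30-second step rejects a code the user copied late, and how a one-step grace window fixes that without weakening the check.

```python
import hmac
import hashlib
import struct

STEP = 30    # token lifetime in seconds, as stated in the post
DIGITS = 6   # assumed token length (not confirmed for VIP)


def totp(secret: bytes, t: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then RFC 4226
    dynamic truncation to a fixed number of decimal digits."""
    counter = struct.pack(">Q", t // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_appended(credential: str, password: str, secret: bytes,
                    now: int, window: int = 0) -> bool:
    """Validate a 'password + token' string as the app flow requires.

    `window` is the number of 30-second steps tolerated on either side of
    the current one; 0 means the token must be from the current step only."""
    if len(credential) <= DIGITS:
        return False
    pw, token = credential[:-DIGITS], credential[-DIGITS:]
    # Constant-time comparison so a wrong password leaks no timing information.
    if not hmac.compare_digest(pw.encode(), password.encode()):
        return False
    # Accept the token for the current step and `window` steps on each side,
    # so a code copied from the authenticator app just before it rolled over
    # is still usable once the user switches back and submits the form.
    return any(hmac.compare_digest(totp(secret, now + k * STEP), token)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test secret, token generated at t=1000.
    demo_secret = b"12345678901234567890"
    tok = totp(demo_secret, 1000)
    cred = "hunter2" + tok
    print("submitted 10 s later, no window :", verify_appended(cred, "hunter2", demo_secret, 1010))
    print("submitted 25 s later, no window :", verify_appended(cred, "hunter2", demo_secret, 1025))
    print("submitted 25 s later, window=1  :", verify_appended(cred, "hunter2", demo_secret, 1025, 1))
```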

That was a long time ago. But tonight it happened to me again, the same exact fucking thing, and this time it happened with an app PROVIDED BY PAYPAL. How the fuck am I expected to believe that PayPal can't have proper two-factor authentication on their own Android app without resorting to appending the fucking token to the end of the fucking password? Are we expected to believe that the people that built this Android app were not given access to the people that write and maintain the API that handles these requests? What the fuck happened here?

Worse, can't the fucking PayPal app for Android detect that VIP is installed and read the fucking token from it? How hard can this be? I imagine there's no reason that this can't work on iPhone and Blackberry devices too.

I have been using an Android phone for a little over 24 hours, and I already noticed that apps can easily trigger dependency downloads if not present. When I installed Barcode Scanner it told me I needed Google Shopper. One click and I was presented with the install page for Google Shopper. Two clicks and I was done. I didn't even need to restart the application, it KNEW that the dependency had been met. If something as mundane as a barcode scanner can figure out this kind of thing, how come a huge company like PayPal can't do something similar?

Hell, PayPal allows automated messaging. If your phone is registered it will take commands. Can't this app trigger an SMS request to send a token if the phone is authorized?