The Inquirer-Home

Paypal’s two factor authentication flaw is open to hackers

Presumably that makes it twice as bad
Thu Jun 26 2014, 12:57
Paypal logo

SECURITY COMPANY Duo Security Research has warned that it is possible to bypass two factor, or second factor authentication (2FA) protection on Paypal.

Paypal said that all users will need to access an account is a username and password, but the firm added that it has a workaround in place and a fix is on the way.

"An attacker only needs a victim's Paypal username and password in order to access a two-factor protected account and send money. The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified," Duo Security Research said.

"Paypal has put a workaround in place to limit the impact of the vulnerability, and is actively working on a permanent fix. In light of the vulnerability reporting timeline and the trivial discoverability of the vulnerability, we have elected to publicly disclose this issue, so that users can be informed to the risks to their Paypal account security."

The problem exists in the mobile Paypal apps that can be tricked into ignoring 2FA protection on user accounts.

The security firm, which developed a proof of concept exploit for the bug, said, "The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified."

It added, "While Paypal's mobile apps do not currently support 2FA-enabled accounts, it is possible to effectively trick the Paypal mobile applications into ignoring the 2FA flag on the account, subsequently allowing the an attacker to log in without requiring secondary authentication."

Paypal has penned a blog post saying that this is all in hand, and that the flaw has been disabled.

"The workaround identified by the researcher is related to an extra layer of security (2FA) some customers have chosen to add to their Paypal account. Customers who do not use the Paypal security key (physical card or SMS codes) as an additional step to log into their accounts are not impacted in any way," Paypal said.

"Even though 2FA is an additional layer of authentication, Paypal does not depend on 2FA to keep accounts secure. We have extensive fraud and risk detection models and dedicated security teams that work to help keep our customers' accounts secure from fraudulent transactions, everyday."

Paypal said that customer accounts were, and have remained secure. Duo Security said that it hopes that "full support of two-factor authentication in the [Paypal] official mobile applications and third-party merchant apps" follows.

Recently Paypal's parent company eBay was the scene of a security scandal that made people question whether it really understands security at all. µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Existing User
Please fill in the field below to receive your profile link.
Sign-up for the INQBot weekly newsletter
Click here
INQ Poll

Microsoft Windows 10 poll

Which feature of Windows 10 are you most excited about?