June 26, 2014 3:49 pm

Vulnerability found in PayPal’s two-factor authentication


TORONTO – Security researchers say they have discovered a vulnerability in PayPal’s two-factor authentication (2FA) that would allow an attacker to bypass the user-enabled security feature altogether.


According to Duo Security researchers, an attacker with access to a PayPal user’s username and password would be able to bypass the second authentication step and access the account, leaving them with the ability to transfer money.

Two-factor or “two-step” authentication requires a second proof of identity beyond the password: once the user enables it on their account, a text message containing a secondary login code is sent to their phone each time they log in, and the login cannot complete without that code.


“While PayPal’s mobile apps do not currently support 2FA-enabled accounts, it is possible to effectively trick the PayPal mobile applications into ignoring the 2FA flag on the account, subsequently allowing an attacker to log in without requiring secondary authentication,” read Duo Security’s report.
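The design point behind that quote is where the 2FA decision is enforced. The following is an added illustration, not PayPal’s or Duo Security’s code, and the account store, the `two_factor_enabled` flag, the token formats and the sample credentials are all assumptions made for the example. It contrasts a server that hands out a fully privileged session on password alone and merely tells the client to ask for the second factor (so a client that ignores the flag gets in) with a server that issues only a non-privileged pre-authentication handle until it has verified the code itself.

```python
"""Client-enforced vs server-enforced second factor (added example, hypothetical API)."""
import hashlib
import hmac
import secrets

# Constructed sample account store (assumption): one user with 2FA turned on.
_SALT = b"constructed-salt"
ACCOUNTS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "two_factor_enabled": True,
        "otp_code": "123456",  # stand-in for the code delivered by text message
    }
}


def _password_ok(user, password):
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(candidate, acct["pw_hash"])


# --- Weak design: the server mints a full session after the password check and only
#     *advises* the client to prompt for the second factor. Enforcement lives client-side.
WEAK_SESSIONS = {}


def weak_login(user, password):
    if not _password_ok(user, password):
        return None
    token = secrets.token_hex(16)
    WEAK_SESSIONS[token] = {"user": user}
    return {"token": token, "two_factor_required": ACCOUNTS[user]["two_factor_enabled"]}


def weak_client_flow(user, password, otp=None, tamper_response=False):
    """Models a mobile client. tamper_response=True models an attacker who controls the
    client or the channel and flips the advisory flag; the token is already fully valid."""
    resp = weak_login(user, password)
    if resp is None:
        return None
    if tamper_response:
        resp["two_factor_required"] = False
    if resp["two_factor_required"] and otp != ACCOUNTS[user]["otp_code"]:
        return None  # an honest client stops here, but the server never required it to
    return resp["token"]


def weak_can_transfer(token):
    return token in WEAK_SESSIONS


# --- Hardened design: password alone yields a short-lived pre-auth handle with no
#     privileges. A session exists only after the server itself verifies the code.
PENDING = {}
HARD_SESSIONS = {}


def hard_login(user, password):
    if not _password_ok(user, password):
        return None
    if not ACCOUNTS[user]["two_factor_enabled"]:
        token = secrets.token_hex(16)
        HARD_SESSIONS[token] = {"user": user}
        return {"token": token, "state": "authenticated"}
    pre = secrets.token_hex(16)
    PENDING[pre] = user
    return {"pre_auth": pre, "state": "second_factor_required"}


def hard_verify_otp(pre_auth, otp):
    user = PENDING.pop(pre_auth, None)  # single use: a handle cannot be replayed
    if user is None or not hmac.compare_digest(otp, ACCOUNTS[user]["otp_code"]):
        return None
    token = secrets.token_hex(16)
    HARD_SESSIONS[token] = {"user": user}
    return token


def hard_can_transfer(token):
    return token in HARD_SESSIONS


def hard_client_flow(user, password, otp=None, tamper_response=False):
    """Same attacker model as above: a tampering client presents whatever identifier the
    server returned as if it were a session token. The server still refuses it."""
    resp = hard_login(user, password)
    if resp is None:
        return None
    if "token" in resp:
        return resp["token"]
    if tamper_response:
        return resp["pre_auth"]  # attacker skips the code and tries the handle directly
    if otp is None:
        return None
    return hard_verify_otp(resp["pre_auth"], otp)
```

The check that matters is `*_can_transfer`: in the weak design a flipped flag yields a token the server honours, while in the hardened design nothing the client says changes the fact that no session exists until the server has seen the code.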

According to the report, the vulnerability puts 143 million active users at risk.

PayPal, which was made aware of the issue by researchers through its bug reporting program, said in a statement Thursday that all PayPal accounts remain secure, despite the vulnerability.

While customers who do not have two-step authentication enabled on their accounts are not affected by the vulnerability, the company said those that do are protected by additional security measures.

“Even though 2FA is an additional layer of authentication, PayPal does not depend on 2FA to keep accounts secure,” read the statement from PayPal.

“We have extensive fraud and risk detection models and dedicated security teams that work to help keep our customers’ accounts secure from fraudulent transactions, every day.”

As a precaution, customers with two-step authentication enabled will not be able to log in to their accounts from the PayPal mobile app and other mobile apps until a fix is deployed.

Affected customers will still be able to log in to their account on a mobile device through the PayPal website.

“We know that our customers enjoy paying with PayPal on their mobile device and we regret any inconvenience this may cause. Your security is our top concern and we will work as quickly as possible to resolve this issue for you,” said the company.

Last month eBay – which owns PayPal – suffered a cyberattack which compromised a database containing users’ encrypted passwords.


Though PayPal information was not affected by the breach, eBay encouraged its users to enable two-step authentication for added protection.

Duo Security said the PayPal vulnerability highlights the need for well-designed security systems.

“While two-factor authentication, when done right, provides great value for protecting users and businesses, design and implementation flaws such as this bypass can negate that value,” said the security firm.

© 2014 Shaw Media
