Flaw found in PayPal two-step security 

Researchers have discovered a hole in an extra security measure used by PayPal, the eBay-owned payments company, to protect customers’ online accounts.

Duo Security, a Michigan-based cyber security company, says its researchers have found a way to bypass so-called two-step authentication – where a code is sent to a user’s mobile phone to confirm they are logging in – on the PayPal app. Known breaches of two-factor authentication, which is also used to protect online banking, email and social media accounts, are rare.

PayPal has prided itself on its top-notch security but its parent company eBay suffered a cyber attack in May, when encrypted passwords to the e-commerce site were stolen. The company said PayPal was not affected in the breach.

Zach Lanier, Duo Security’s senior security researcher, said it was hard to tell if malicious attackers had been able to exploit this vulnerability.

“It is a security feature designed to reduce the risk if the password did get compromised for any reason. It isn’t really living up to its promise as it is not particularly secure,” he said.
Mr Lanier said cyber criminals were increasingly targeting PayPal by sending phishing emails, which are designed to lure people into giving up their account credentials.

“They kind of act like a bank at this point with funds sitting inside of PayPal and you can use it to send someone money directly from a bank account,” he said. “Why do you rob a bank? Because that is where all the money is.”

PayPal said all accounts remained secure, since two-factor authentication is an extra layer of protection on top of the password. It said it had received a warning from the researchers before the flaw was publicised, as part of its “bug bounty” programme, which rewards people for reporting security vulnerabilities.

“As a precaution we have disabled the ability for customers who have selected two-factor authentication to log in to their PayPal account on the PayPal mobile app and on certain other mobile apps until an identified fix can be implemented in the next few weeks,” it said in a statement. “While we regret any inconvenience this may cause our customers, their security is our top concern.”

The payment company’s security is considered among the industry’s strongest, according to payments industry executives and security researchers. The network, which has 148m active registered accounts, has never been known to have suffered a substantial data breach.

Cyber attacks are on the rise, up 14 per cent last year according to data from Cisco, as people live more of their lives online, including increasingly using the internet for banking and shopping. Underground markets in the tools needed for cyber crime, and in the data that criminals have taken from computer networks, make it easier for people without advanced computer skills to mount attacks or profit from stolen information.

Source: ft