Thursday, 26 June 2014 06:41

PayPal Flaw Allows 2FA Security to be By-Passed


We talk a lot about security on DecryptedTech, and with good reason: there are a ton of threats out there and the list just keeps getting longer. This is why we tend to get annoyed with large corporations when they either skimp on security or botch the job. This is apparently the case with eBay-owned PayPal. For a while PayPal has been highlighting their 2FA (Two Factor Authentication) as a great way to protect your financial data, and it is… unless you screw up the implementation.

Now, before we dive into the meat of what happened here, we need to say that the 2FA for the web site does work as intended: when you attempt to log in, the site asks for a second authentication code. The problem lies in the implementation of PayPal’s mobile application (for both iOS and Android). When using this application there is no true 2FA enforcement.

According to Zack Lanier, Senior Security Researcher at Duo Labs, this flaw in the mobile app renders PayPal’s 2FA useless. He was able to create a script that could get around it: “interfacing with the PayPal API directly and effectively mimicking the PayPal mobile app as though it were accessing a non-2FA account.” Once in, a malicious user would have complete access to the account and could drain it of its funds and even authorize transfers that would draw funds from a user’s bank account.
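To make the design mistake concrete, here is an added illustration (not PayPal's code and not the researcher's script) of a login policy that asks for the second factor only on the web path, beside one that ties the requirement to the account so every entry point enforces it. The account data, password and TOTP secret are constructed for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    password: str            # constructed sample; a real store holds a hash
    twofa_enabled: bool
    totp_secret: bytes = b""  # shared secret for the second factor


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), used here to verify the second factor."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def _password_ok(acct, password):
    return acct is not None and hmac.compare_digest(acct.password, password)


def _otp_ok(acct, otp, now):
    return otp is not None and hmac.compare_digest(otp, totp(acct.totp_secret, now))


def login_vulnerable(accounts, username, password, client, otp=None, now=0):
    """Policy shaped like the flaw described: only the web path asks for the
    second factor, so any caller presenting itself as the mobile app gets a
    full session on a 2FA-enabled account with nothing but the password."""
    acct = accounts.get(username)
    if not _password_ok(acct, password):
        return None
    if client == "web" and acct.twofa_enabled and not _otp_ok(acct, otp, now):
        return None
    return {"user": username, "scope": "full"}


def login_hardened(accounts, username, password, client, otp=None, now=0):
    """Corrected policy: 2FA is a property of the account and is checked on
    every entry point; the client label (deliberately unused) never decides it."""
    acct = accounts.get(username)
    if not _password_ok(acct, password):
        return None
    if acct.twofa_enabled and not _otp_ok(acct, otp, now):
        return None  # step-up required before any session is issued
    return {"user": username, "scope": "full"}


# Constructed sample data; the secret is the RFC 6238 test-vector key.
ACCOUNTS = {"alice": Account("alice", "correct horse", True, b"12345678901234567890")}
```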

Sadly, this type of flaw undermines confidence in real security measures like 2FA. Although the technology is sound and a very simple way to help stop many threats, when someone screws up the implementation this badly it makes it seem like it is not effective. At the time of this writing PayPal has implemented a workaround that prevents direct access to funds, but the actual 2FA flaw is still present in their system. PayPal really needs to step up and fix this, especially with some of the recent username and password dumps that have shown up.
