Before we dive into the meat of what happened here, we need to say that 2FA on the PayPal web site does work as intended: when you attempt to log in, the site asks for a second authentication code. The problem lies in the implementation of PayPal’s mobile application, for both iOS and Android. When using the mobile app there is no true 2FA enforcement.
According to Zack Lanier, Senior Security Researcher at Duo Labs, this flaw in the mobile app renders PayPal’s 2FA useless. He was able to create a script that could get around it by “interfacing with the PayPal API directly and effectively mimicking the PayPal mobile app as though it were accessing a non-2FA account.” Once in, a malicious user would have complete access to the account and could drain it of its funds, and even authorize transfers that would draw funds from the user’s bank account.
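To make the design point concrete, here is an added illustration (a constructed model, not PayPal’s code or API) of the two ways a backend can treat the second factor: one that issues a session on the password alone and leaves each client to enforce 2FA, which is the kind of gap a script posing as the mobile app walks through, beside one that withholds the session until the server itself has verified the code, so every client and API path meets the same gate. Account names, passwords and codes are made-up sample values.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample account store: password, 2FA enrollment and the code the
# user's authenticator currently shows. Real systems store hashes and seeds.
ACCOUNTS = {
    "alice": {"password": "hunter2", "two_factor": True, "otp": "492817"},
    "bob": {"password": "letmein", "two_factor": False, "otp": None},
}

@dataclass
class LoginResult:
    session_token: Optional[str]          # None: not logged in (yet)
    two_factor_pending: bool = False      # client should ask for a code
    challenge: Optional[str] = None       # opaque id for the pending step

def _password_ok(user, password):
    acct = ACCOUNTS.get(user)
    return acct is not None and secrets.compare_digest(acct["password"], password)

def login_client_enforced(user, password):
    """Flawed design: a usable session is issued on the password alone; a flag
    merely asks a well-behaved client to prompt for the code. A client that
    ignores the flag is fully logged in."""
    if not _password_ok(user, password):
        return LoginResult(None)
    return LoginResult(secrets.token_hex(16),
                       two_factor_pending=ACCOUNTS[user]["two_factor"])

PENDING = {}  # challenge id -> user; server-side state for the hardened flow

def login_server_enforced(user, password):
    """Hardened design: for an enrolled account the server hands back only a
    challenge id, never a session, so skipping the second step gains nothing
    regardless of which client or API path is used."""
    if not _password_ok(user, password):
        return LoginResult(None)
    if not ACCOUNTS[user]["two_factor"]:
        return LoginResult(secrets.token_hex(16))
    challenge = secrets.token_hex(8)
    PENDING[challenge] = user
    return LoginResult(None, two_factor_pending=True, challenge=challenge)

def complete_second_factor(challenge, otp):
    """Single-use: the challenge is consumed even on a wrong code, forcing a
    fresh password login rather than unlimited guesses."""
    user = PENDING.pop(challenge, None)
    if user is None or not secrets.compare_digest(ACCOUNTS[user]["otp"], otp):
        return LoginResult(None)
    return LoginResult(secrets.token_hex(16))
```

The check that matters is the one on the server: in the hardened flow, `login_server_enforced` never returns a token for an enrolled account, so there is nothing for a non-compliant client to skip.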
Sadly, this type of flaw undermines confidence in real security measures like 2FA. Although the technology is sound and a very simple way to help stop many threats, an implementation botched this badly makes it seem ineffective. At the time of this writing PayPal has implemented a workaround that prevents direct access to funds, but the actual 2FA flaw is still present in their system. PayPal really needs to step up and fix this, especially with some of the recent username and password dumps that have shown up.