The Washington Post

A rare security breach at PayPal

A PayPal sign at an office building in San Jose, Calif. (REUTERS/Beck Diefenbach)

It has been a good year for cybercriminals. The year isn’t even half over, and already we’ve had 368 major data breaches exposing more than 10 million records, not to mention Heartbleed, a bug in OpenSSL, the encryption library used by much of the Web, that has been dubbed the biggest flaw in Internet history. It potentially exposed millions of people’s passwords and personal information.

And now PayPal.

The online payments company had seemed a bulwark against cybercrime, untouched by this year’s major security breaches, including one at its parent company, eBay. But researchers at Michigan-based Duo Labs have identified a vulnerability in PayPal’s two-step security mechanism for mobile users, a mechanism similar to those used to protect some bank and e-mail accounts. Bypasses of two-factor authentication (after users enter a username and password, a code is sent to the user’s cellphone to confirm their identity) are rare.

“The whole two factor thing was supposed to make you feel all warm and fuzzy if your password is compromised,” Duo Labs senior security researcher Zach Lanier told Threat Post.

Two-factor authentication is meant to provide an extra layer of security that protects a user in case her username and password are compromised. That commonly happens in phishing attacks, in which hackers send e-mails that lure users into disclosing their login credentials.

Duo Labs found it could bypass the two-step system on PayPal’s mobile app by entering just the username and password and tricking the app into ignoring the second step of the authentication process: the prompt for the code was the app’s responsibility, and a login that skipped it still produced a session good enough to move money. (For a more detailed explanation, check out this video in which Lanier exploits the flaw and shows how hackers can send money from your account.)
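The failure mode described above, a second factor that the client is trusted to enforce, is illustrated below with an added example. It is not PayPal’s code, Duo Labs’ proof of concept, or anything from the article: the account, the `login`/`verify_otp`/`transfer` endpoints and the TOTP-style code are all constructed for the example. The weak server hands out a full session token as soon as the password checks out and merely asks the client to prompt for a code; the fixed server hands out a pending token that becomes a session only after the server itself verifies the code. A client that ignores the prompt (a patched app, or a script talking straight to the API) then tries to transfer money with whatever token it received.

```python
# Added illustration, not PayPal's or Duo Labs' code. All data is constructed.
import hashlib
import hmac
import secrets
import time

# Constructed account with 2FA enabled and a secret shared with the phone.
ACCOUNTS = {
    "alice": {
        "password_hash": hashlib.sha256(b"correct horse battery staple").hexdigest(),
        "two_factor": True,
        "otp_secret": b"constructed-shared-secret",
    }
}


def current_otp(secret, step=30, digits=6, now=None):
    """TOTP-style code: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _password_ok(user, password):
    acct = ACCOUNTS.get(user)
    if acct is None:
        return False
    given = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(given, acct["password_hash"])


class WeakServer:
    """Full session after the password; the 2FA flag is only advice to the app."""
    def __init__(self):
        self.sessions = {}  # token -> user, valid for every endpoint

    def login(self, user, password):
        if not _password_ok(user, password):
            return {"ok": False}
        token = secrets.token_hex(16)
        self.sessions[token] = user  # usable before any code is entered
        return {"ok": True, "token": token,
                "two_factor_required": ACCOUNTS[user]["two_factor"]}

    def verify_otp(self, token, code):
        return token in self.sessions  # nothing downstream depends on this

    def transfer(self, token, to, amount):
        return token in self.sessions


class FixedServer:
    """Pending token after the password; only a server-side OTP check upgrades it."""
    def __init__(self):
        self.pending = {}   # token -> user, password checked, code outstanding
        self.sessions = {}  # token -> user, fully authenticated

    def login(self, user, password):
        if not _password_ok(user, password):
            return {"ok": False}
        token = secrets.token_hex(16)
        if ACCOUNTS[user]["two_factor"]:
            self.pending[token] = user  # not a session yet
            return {"ok": True, "token": token, "two_factor_required": True}
        self.sessions[token] = user
        return {"ok": True, "token": token, "two_factor_required": False}

    def verify_otp(self, token, code):
        user = self.pending.get(token)
        if user is None:
            return False
        expected = current_otp(ACCOUNTS[user]["otp_secret"])
        if not hmac.compare_digest(code, expected):
            return False
        self.sessions[token] = self.pending.pop(token)  # upgrade happens here
        return True

    def transfer(self, token, to, amount):
        return token in self.sessions  # pending tokens are refused


def bypassing_client(server, user, password):
    """Ignores two_factor_required and goes straight to the money endpoint."""
    resp = server.login(user, password)
    return bool(resp["ok"]) and server.transfer(resp["token"], "mallory", 500)


def honest_client(server, user, password, code):
    """Follows the prompt: verifies the code before calling transfer."""
    resp = server.login(user, password)
    if not resp["ok"]:
        return False
    if resp["two_factor_required"] and not server.verify_otp(resp["token"], code):
        return False
    return server.transfer(resp["token"], "bob", 10)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    code = current_otp(ACCOUNTS["alice"]["otp_secret"])
    print("weak server, code skipped :", bypassing_client(WeakServer(), "alice", pw))
    print("fixed server, code skipped:", bypassing_client(FixedServer(), "alice", pw))
    print("fixed server, code entered:", honest_client(FixedServer(), "alice", pw, code))
```

The point of the comparison is where the state lives. Against `WeakServer` the bypassing client succeeds because the token it holds is already a full session; the app’s prompt is cosmetic. Against `FixedServer` the same client is refused, because the only way a pending token becomes a session is `verify_otp` succeeding on the server, which no amount of client modification can skip.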

Increasingly, people use mobile apps to buy things and transfer money. PayPal’s security vulnerability is kind of like a disabled alarm system at a bank – an invitation for bank robbers to bust open the front door.

Though disconcerting, this isn’t a Heartbleed-sized disaster – not even close. The flaw only affects PayPal users who’ve signed up for two-factor authentication – if you need to enter a code sent via your mobile phone to access your account, then yes, it affects you.

“We want to emphasize that all PayPal accounts remain secure,” PayPal said in a statement. “PayPal does not depend on [two-factor authentication] to keep accounts secure. We have extensive fraud and risk detection models and dedicated security teams that work to help keep our customers’ accounts secure from fraudulent transactions, everyday.”

So far, there’s no evidence hackers have exploited the vulnerability. As of Wednesday, PayPal had a workaround in place to minimize potential fallout, but a permanent fix could take weeks.

In the meantime, PayPal has blocked customers who signed up for two-factor authentication from logging in to their accounts through the PayPal mobile app and certain other mobile apps until the flaw is fixed.

With 148 million active users, PayPal has never suffered a major data breach.

Gail Sullivan covers business for the Morning Mix blog.
