The online payments company seemed a bulwark against cybercrime untouched by this year’s major security breaches, including one at its parent company, eBay. But researchers at Michigan-based Duo Labs have identified a vulnerability in PayPal’s two-step security mechanism for mobile users — a mechanism similar to those used to protect some bank and e-mail accounts. Breaches of two-factor authentication – after users enter a username and password, a code is sent to the user’s cellphone to confirm their identity – are rare.
“The whole two factor thing was supposed to make you feel all warm and fuzzy if your password is compromised,” Duo Labs senior security researcher Zach Lanier told Threat Post.
Two factor authentication is meant to provide extra layer of security to protect a user in case her username and password are compromised. This commonly happens in phishing attacks when hackers send e-mails to users that can lure them into disclosing their login credentials.
Duo Labs found they could bypass the two-step system on PayPal’s mobile app by entering just the username and password and tricking the app into ignoring the second step of the authentication process. (For a more detailed explanation, check out this video in which Lanier exploits the flaw and shows how hackers can send money from your account.)
Increasingly, people use mobile apps to buy things and transfer money. PayPal’s security vulnerability is kind of like a disabled alarm system at a bank – an invitation for bank robbers to bust open the front door.
Though disconcerting, this isn’t a Heartbleed-sized disaster – not even close. The flaw only affects PayPal users who’ve signed up for two-factor authentication – if you need to enter a code sent via your mobile phone to access your account, then yes, it affects you.
“We want to emphasize that all PayPal accounts remain secure,” PayPal said in a statement. “PayPal does not depend on [two-factor authentication] to keep accounts secure. We have extensive fraud and risk detection models and dedicated security teams that work to help keep our customers’ accounts secure from fraudulent transactions, everyday.”
So far, there’s no evidence hackers have exploited the vulnerability. As of Wednesday, PayPal had a workaround in place to minimize potential fallout.
But a permanent fix could take weeks. In the meantime, they’ve blocked customers who signed up for two-factor authentication from logging in to their PayPal account through the PayPal mobile app and certain other mobile apps until the flaw is fixed.
With 148 million active users, PayPal has never suffered a major data breach.