PayPal's two-factor authentication is easily beaten, researcher says

Joshua Rogers decided to go public with the information after notifying PayPal of the problem on June 5

Joshua Rogers of Melbourne found that PayPal's two-factor authentication security feature could be easily circumvented.

Joshua Rogers of Melbourne found that PayPal's two-factor authentication security feature could be easily circumvented.

A security feature offered by PayPal to help prevent accounts from being taken over by hackers can be easily circumvented, an Australian security researcher has found.

PayPal users can elect to receive a six-digit passcode via text message in order to access their accounts. The number is entered after a username and password is submitted.

The security feature, known as two-factor authentication, is an option on many online services such as Google and mandatory on many financial services websites for certain kinds of high-risk transactions. Since the code is sent offline or generated by a mobile application, it is much more difficult for hackers to intercept although by no means impossible.

Joshua Rogers, a 17-year-old based in Melbourne, found a way to get access to a PayPal account that has enabled two-factor authentication. He published details of the attack on his blog on Monday after he said PayPal failed to fix the flaw despite being notified on June 5.

By going public with the information, Rogers will forfeit a reward usually paid by PayPal to security researchers that requires confidentiality until a software vulnerability is fixed. Rogers estimated the reward might be around US$3,000, although PayPal didn't give him a figure.

"I don't care about the money, no," he said via email. "Money isn't everything in this world."

The attack requires a hacker to know a person's eBay and PayPal login credentials, but malicious software programs have long been able to easily harvest those details from compromised computers.

The fault lies in a page on eBay that allows users to link their eBay account with PayPal, which eBay owns. Linking the accounts creates a cookie that makes the PayPal application think the person is logged in, even if a six-digit code has not been entered, Rogers wrote on his blog.

The problem lies specifically in the "=_integrated-registration" function, Rogers wrote, which does not check to see if the victim has two-factor authentication enabled. An attacker could repeatedly gets access to the PayPal account by linking and de-linking the eBay and PayPal accounts of a person, he wrote. He posted a video of the attack on YouTube.

PayPal officials could not be immediately reached for comment.

The payment processor's two-factor authentication could potentially be defeated in other ways. For example, if a user doesn't have a way to receive the six-digit code, PayPal allows them to skip it and instead answer two security questions.

Those questions, which include "What's the name of your first school?" and "What's the name of the hospital in which you were born?" arguably aren't difficult ones for a hacker who has been profiling a victim to answer.

But as with many online defenses, companies are often forced to make trade-offs between convenience and security, attempting to strike the right balance between safety and not alienating users locked out of their accounts.

Rogers has a record of finding problems in online services. Last month, he accepted a caution from police rather than face charges for discovering a vulnerability in the website of one of the country's public transport authorities late last year.

A database flaw within the website of Public Transport Victoria (PTV), which runs the state's transport system, allowed Rogers to gain access to some 600,000 records, including partial credit card numbers, addresses, emails, passwords, birth dates, phone numbers and senior citizen card numbers. Rogers notified the agency of the problem and did not try to profit from the information, but the incident was still referred to police.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags securityebaypaypal

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?