PayPal error shows how NOT to use two-factor authentication

A PayPal error made it possible to bypass two-factor authentication on a user account, demonstrating what can go wrong in deploying a tricky security mechanism.

PayPal has deployed a temporary fix for the problem that was the result of what could have been a design flaw in the authentication flow between the payment service's mobile app and server.


"There's certainly a lesson to be learned for people doing two-factor authentication now or planning to in the future," said Zach Lanier, senior researcher for Duo Security, which assisted the outside researcher, Dan Saltman, who discovered the vulnerability.

PayPal's mobile app does not support two-factor authentication (2FA), while its website does. If an accountholder who had opted in to the extra security used the mobile app, the server would notify the app, which would halt the login process and notify the user.

The researchers found a way to take advantage of this clunky setup by building an app that would trick the mobile app into thinking it was dealing with an account that did not have 2FA enabled.

The researchers' app talked to two separate application-programming interfaces (APIs) on PayPal's server. One handled the authentication while the other was for money transfers.

When the app tried to access a 2FA-enabled account, the researchers' app would change the "2fa_enabled" value in the server's response to "false." That alone was enough for the mobile app to ignore the 2FA requirement and send the user straight into the PayPal account.
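The design problem described above is that the server told the client whether a second factor was required and then relied on the client to honour the answer. The following simulation, added here as an illustration and not taken from the article or from Duo Security's write-up, contrasts that design with one where the server issues no transfer-capable session until it has verified the second factor itself. The class names, user records, one-time codes and API shapes are all constructed for the example and are not PayPal's real API.

```python
"""Client-side versus server-side 2FA enforcement, modelled in a few lines.

Constructed example: user records, OTP values and method names are
assumptions for illustration only.
"""
import hmac
import secrets

# Constructed user store; plain strings stand in for real credential storage.
USERS = {
    "alice": {"password": "correct-horse", "2fa_enabled": True, "otp": "123456"},
    "bob": {"password": "battery-staple", "2fa_enabled": False, "otp": None},
}


class VulnerableServer:
    """Issues a fully privileged session at password login and merely *tells*
    the client whether a second factor is required. Enforcement is left to
    the client, which a tampered app controls."""

    def __init__(self):
        self.sessions = {}  # token -> username

    def login(self, user, password):
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return {"ok": False}
        token = secrets.token_hex(16)
        self.sessions[token] = user
        # The flag is advisory: the token already works for everything.
        return {"ok": True, "token": token, "2fa_enabled": rec["2fa_enabled"]}

    def transfer(self, token, amount):
        # Never checks whether the second factor was actually presented.
        return token in self.sessions


class HardenedServer:
    """Password login yields only a pre-auth handle for 2FA users; a
    transfer-capable session exists only after the server has verified the
    second factor. There is no client-side flag worth tampering with."""

    def __init__(self):
        self.pending = {}   # pre-auth handle -> username
        self.sessions = {}  # full session token -> username

    def login(self, user, password):
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return {"ok": False}
        if rec["2fa_enabled"]:
            handle = secrets.token_hex(16)
            self.pending[handle] = user
            return {"ok": True, "state": "otp_required", "handle": handle}
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return {"ok": True, "state": "authenticated", "token": token}

    def verify_otp(self, handle, otp):
        user = self.pending.get(handle)
        if user is None or not hmac.compare_digest(USERS[user]["otp"], otp):
            return {"ok": False}
        del self.pending[handle]
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return {"ok": True, "state": "authenticated", "token": token}

    def transfer(self, token, amount):
        # Only tokens minted after OTP verification (or for non-2FA users) exist here.
        return token in self.sessions


def tampered_client_transfer(server, user, password, amount):
    """Models the flaw from the article: a client that rewrites the server's
    2fa_enabled hint to False and goes straight to the transfer API without
    ever prompting for the second factor. Returns True if the transfer was
    accepted, which is the outcome a defender wants to be impossible."""
    resp = server.login(user, password)
    if not resp.get("ok"):
        return False
    resp["2fa_enabled"] = False        # the client ignores the advisory flag
    token = resp.get("token")          # hardened server gives none to 2FA users
    return token is not None and server.transfer(token, amount)


def legitimate_transfer(server, user, password, otp, amount):
    """The honest flow against the hardened server: password, then OTP, then
    the transfer. Returns True if the transfer was accepted."""
    resp = server.login(user, password)
    if resp.get("state") == "otp_required":
        resp = server.verify_otp(resp["handle"], otp)
    token = resp.get("token")
    return token is not None and server.transfer(token, amount)
```

Against `VulnerableServer`, flipping the flag lets a 2FA-enabled account transfer money; against `HardenedServer` the same client gets no usable token until `verify_otp` succeeds, so the flag it rewrites is irrelevant. The general lesson is the one Lanier draws: the decision to require a second factor must be made, and enforced, where the attacker cannot edit it.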

Duo Security, which sells 2FA technology, has provided details of the bypass on its blog.

For cybercriminals to exploit the flaw, they would need to first obtain an accountholder's username and password through a phishing attack or other scheme.

PayPal has deployed a temporary fix that neutralizes the researchers' app. The mobile app no longer works with 2FA-enabled accounts, and those accountholders will have to continue using PayPal's mobile website.

PayPal declined comment, pointing instead to its Wednesday blog that played down the mobile app's lack of 2FA support.

"We have extensive fraud and risk detection models and dedicated security teams that work to help keep our customers' accounts secure from fraudulent transactions, every day," the company said.

PayPal is expected to release a permanent fix at the end of July that will add 2FA support to the mobile app, Lanier said.


"When two-factor authentication is done right and consistently (across services), it provides really great value," Lanier said. "But if you have one weak link in the chain, like we've seen here, perhaps a design oversight, that makes this all for naught."


I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.