PayPal error shows how NOT to use two-factor authentication

A PayPal error made it possible to bypass two-factor authentication on a user account, demonstrating what can go wrong in deploying a tricky security mechanism.

PayPal has deployed a temporary fix for the problem that was the result of what could have been a design flaw in the authentication flow between the payment service's mobile app and server.

[Raising awareness quickly: The eBay data breach]

"There's certainly a lesson to be learned for people doing two-factor authentication now or planning to in the future," said Zach Lanier, senior researcher for Duo Security, which assisted the outside researcher, Dan Saltman, who discovered the vulnerability.

PayPal's mobile app does not support two-factor authentication (2FA) while its website does. If an accountholder who opted in for the extra security used the mobile app, then the server would notify the app, which would halt the log in process and notify the user.

The researchers found a way to take advantage of this clunky set up by building an app that would trick the mobile app into thinking it was dealing with an account that did not have 2FA enabled.

The researchers' app talked to two separate application-programming interfaces (APIs) on PayPal's server. One handled the authentication while the other was for money transfers.

When the app tried to access a 2FA-enabled account, the app would change the "2fa_enabled" value in the server's response to "false." This was enough to have the mobile app ignore the 2FA feature and send the user right to the PayPal account.

Duo Security, which sells 2FA technology, has provided details of the bypass on its blog.

For cybercriminals to exploit the flaw, they would need to first obtain an accountholder's username and password through a phishing attack or other scheme.

PayPay has deployed a temporary fix that neutralizes the researchers' app. The mobile app no longer works with 2FA-enabed accounts, and those accountholders will have to continue using the PayPal mobile website.

PayPal declined comment, pointing instead to its Wednesday blog that played down the mobile app's lack of 2FA support.

"We have extensive fraud and risk detection models and dedicated security teams that work to help keep our customers' accounts secure from fraudulent transactions, everyday," the company said.

PayPal is expected to release at then of July a permanent fix that will add 2FA support to the mobile app, Lanier said.

[Financial firms and social media remain top phishing targets]

"When two-factor authentication is done right and consistently (across services) it provides really great value," Lanier said. "But if you have one weak link in the chain, like we've seen here perhaps a design oversight that makes this all for naught."

Join the CSO newsletter!

Error: Please check your email address.

Tags Vulnerabilitiesidentity managementtwo-step authenticationDuo Securityidentity fraudpaypalExploits / vulnerabilitiesIdentity fraud / theftmobile application securityPaypal attackIdentity & Accesssecuritylogin securityebayAccess control and authenticationlogin verificationmobile app security

More about eBayLanier AustraliaPayPal

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place