PayPal's two-factor authentication is easily beaten, researcher says

Joshua Rogers decided to go public with the information after notifying PayPal of the problem on June 5

Joshua Rogers of Melbourne found that PayPal's two-factor authentication security feature could be easily circumvented.

A security feature offered by PayPal to help prevent accounts from being taken over by hackers can be easily circumvented, an Australian security researcher has found.

PayPal users can elect to receive a six-digit passcode via text message in order to access their accounts. The number is entered after a username and password are submitted.

The security feature, known as two-factor authentication, is an option on many online services such as Google and mandatory on many financial services websites for certain kinds of high-risk transactions. Since the code is sent offline or generated by a mobile application, it is much more difficult for hackers to intercept, although by no means impossible.

Joshua Rogers, a 17-year-old based in Melbourne, found a way to get access to a PayPal account that has enabled two-factor authentication. He published details of the attack on his blog on Monday after he said PayPal failed to fix the flaw despite being notified on June 5.

By going public with the information, Rogers will forfeit a reward usually paid by PayPal to security researchers that requires confidentiality until a software vulnerability is fixed. Rogers estimated the reward might be around US$3,000, although PayPal didn't give him a figure.

"I don't care about the money, no," he said via email. "Money isn't everything in this world."

The attack requires a hacker to know a person's eBay and PayPal login credentials, but malicious software programs have long been able to easily harvest those details from compromised computers.

The fault lies in a page on eBay that allows users to link their eBay account with PayPal, which eBay owns. Linking the accounts creates a cookie that makes the PayPal application think the person is logged in, even if a six-digit code has not been entered, Rogers wrote on his blog.

The problem lies specifically in the "=_integrated-registration" function, Rogers wrote, which does not check to see if the victim has two-factor authentication enabled. An attacker could repeatedly get access to the PayPal account by linking and de-linking the eBay and PayPal accounts of a person, he wrote. He posted a video of the attack on YouTube.
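The class of flaw described above, a secondary login path that issues a fully authenticated session without consulting the account's two-factor setting, is sketched below next to a hardened design in which every entry path shares one session-issuing function. This is an added example, not code from PayPal, eBay or Rogers; all class and function names are hypothetical.

```python
# Added illustration: every name here is hypothetical, not PayPal's or eBay's code.
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    name: str
    two_factor_enabled: bool

@dataclass
class Session:
    user: str
    password_verified: bool = False
    second_factor_verified: bool = False
    via: str = ""

def link_login_vulnerable(user: User, password_ok: bool) -> Optional[Session]:
    """Account-linking entry point that trusts the password alone."""
    if not password_ok:
        return None
    # Flaw class from the article: the session is marked fully authenticated
    # without asking whether the account has two-factor enabled.
    return Session(user.name, True, True, via="link")

def issue_session(user: User, password_ok: bool, via: str) -> Optional[Session]:
    """Single issuance point shared by every entry path (direct, link, ...)."""
    if not password_ok:
        return None
    # The second factor counts as satisfied only if the account never enrolled.
    return Session(user.name, True, not user.two_factor_enabled, via=via)

def confirm_second_factor(session: Session, code_ok: bool) -> Session:
    """Upgrade a pending session once the six-digit code has been checked."""
    if code_ok:
        session.second_factor_verified = True
    return session

def may_access_account(session: Optional[Session]) -> bool:
    """Authorization gate evaluated on every request, whatever the entry path."""
    return bool(session and session.password_verified
                and session.second_factor_verified)
```

Because the gate reads state recorded on the session rather than trusting the path that created it, a new integration cannot skip the second factor by accident.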

PayPal officials could not be immediately reached for comment.

The payment processor's two-factor authentication could potentially be defeated in other ways. For example, if a user doesn't have a way to receive the six-digit code, PayPal allows them to skip it and instead answer two security questions.

Those questions, which include "What's the name of your first school?" and "What's the name of the hospital in which you were born?" arguably aren't difficult ones for a hacker who has been profiling a victim to answer.

But as with many online defenses, companies are often forced to make trade-offs between convenience and security, attempting to strike the right balance between safety and not alienating users locked out of their accounts.

Rogers has a record of finding problems in online services. Last month, he accepted a caution from police rather than face charges for discovering a vulnerability in the website of one of the country's public transport authorities late last year.

A database flaw within the website of Public Transport Victoria (PTV), which runs the state's transport system, allowed Rogers to gain access to some 600,000 records, including partial credit card numbers, addresses, emails, passwords, birth dates, phone numbers and senior citizen card numbers. Rogers notified the agency of the problem and did not try to profit from the information, but the incident was still referred to police.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk
