Published June 25, 2014
A computer-security firm has found a flaw in the system that payment-processing giant PayPal uses to add extra security to customer accounts.
The eBay (EBAY) unit offers a feature called “PayPal Security Key” that lets users generate one-time security keys with either a credit-card-sized device or a mobile phone. The user then enters the temporary key together with his password to log in to his PayPal account.
The two-step authentication method means a would-be hacker would need not only the user’s password but also physical possession of the device or phone. Computer security experts strongly recommend this type of technology, which is offered by an increasingly wide range of companies, from Google (GOOGL) to JPMorgan Chase (JPM).
A team at Duo Security, a firm that sells a two-step authentication product, found a hole in PayPal’s Security Key. Duo senior security researcher Zach Lanier told FOX Business it is possible to trick the company’s mobile app into ignoring a flag that is supposed to force two-step authentication.
PayPal initially set up the API that lets apps communicate with the service so that if a user had two-step verification enabled, the server flagged it and told the app, Lanier explained. It was then up to the app to stop that user from logging in, since PayPal had not built a way for users with two-factor authentication to log in on mobile.
However, Duo realized the two-factor check was performed only on the client. With that knowledge, it developed a workaround that let it transfer money from a two-step account with only a password.
"Because [two-step authentication] wasn’t enforced server side, we could trick the app to ignore the two-factor flag that came from the server," Lanier said.
That means customers who thought they were getting this extra layer of security were not fully protected.
While the technique does not work against the desktop browser, Duo said the distinction is “purely academic” since hackers can build their own apps that talk to PayPal’s API.
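To make the distinction Lanier draws concrete, the following is an added illustration, not code from PayPal or Duo, of the two server designs: one that merely reports a two-factor flag and trusts the client to act on it, beside one that records whether the second factor was actually presented and checks that on every money-moving call. The endpoint names, session-token format, demo account and its one-time-code secret (the RFC 6238 test key) are constructed assumptions; PayPal’s real API is not reproduced here.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed demo account; password and secret are made-up test values,
# not anything from PayPal's service.
USERS = {
    "alice": {
        "password": "correct horse battery staple",
        "totp_secret": b"12345678901234567890",  # RFC 6238 test key
        "two_factor": True,
    }
}


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, standing in for the code a key fob or phone shows."""
    now = time.time() if for_time is None else for_time
    mac = hmac.new(secret, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


class FlaggingServer:
    """Weak design (hypothetical): a password alone yields a fully privileged
    session; the server only *reports* that 2FA is on and trusts the client to stop."""

    def __init__(self):
        self.sessions = {}

    def login(self, user, password):
        account = USERS.get(user)
        if account is None or not hmac.compare_digest(account["password"], password):
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return {"token": token, "two_factor_required": account["two_factor"]}

    def transfer(self, token, amount):
        user = self.sessions.get(token)
        if user is None:
            raise PermissionError("no session")
        return f"transferred {amount} from {user}"


class EnforcingServer(FlaggingServer):
    """Fixed design: the session records whether the second factor was presented,
    and every privileged call checks that server-side, whatever the client does."""

    def login(self, user, password):
        result = super().login(user, password)
        # A 2FA account gets a session that is not yet allowed to transact.
        self.sessions[result["token"]] = {"user": user, "verified": not USERS[user]["two_factor"]}
        return result

    def verify_2fa(self, token, code):
        session = self.sessions.get(token)
        if session is None:
            raise PermissionError("no session")
        secret = USERS[session["user"]]["totp_secret"]
        # Accept the current and the previous 30-second window to absorb clock skew.
        candidates = [totp(secret), totp(secret, for_time=time.time() - 30)]
        if not any(hmac.compare_digest(c, code) for c in candidates):
            raise PermissionError("bad one-time code")
        session["verified"] = True

    def transfer(self, token, amount):
        session = self.sessions.get(token)
        if session is None or not session["verified"]:
            raise PermissionError("two-factor authentication not completed")
        return f"transferred {amount} from {session['user']}"


def official_app(server, user, password):
    """The vendor's own app honours the flag: with FlaggingServer this is the only check."""
    resp = server.login(user, password)
    if resp["two_factor_required"]:
        return "app refused: two-factor accounts cannot use mobile"
    return server.transfer(resp["token"], 100)


def rogue_client(server, user, password):
    """An attacker's client that speaks the same API but ignores the flag entirely."""
    resp = server.login(user, password)
    try:
        return server.transfer(resp["token"], 100)
    except PermissionError as exc:
        return f"rejected: {exc}"


def legitimate_2fa_flow(server, user, password):
    """Full login against the fixed server: password, then the current one-time code."""
    resp = server.login(user, password)
    server.verify_2fa(resp["token"], totp(USERS[user]["totp_secret"]))
    return server.transfer(resp["token"], 100)


if __name__ == "__main__":
    pw = USERS["alice"]["password"]
    print("flag-only server, rogue client :", rogue_client(FlaggingServer(), "alice", pw))
    print("enforcing server, rogue client :", rogue_client(EnforcingServer(), "alice", pw))
    print("enforcing server, real 2FA     :", legitimate_2fa_flow(EnforcingServer(), "alice", pw))
```

Against the flag-only server the rogue client moves money with just the password, exactly the failure Duo described; against the enforcing server the same client is refused because the session never completed the second factor, and only a client that presents a valid code gets through. The general rule the example demonstrates is that a flag returned to a client is a courtesy, not a control: any authorization decision has to be taken where the attacker cannot rewrite the code.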
PayPal Crafts Temporary Patch
PayPal representatives pointed to a blog post published Wednesday, which said users are not at risk from the issue.
“Even though [two-factor authentication] is an additional layer of authentication, PayPal does not depend on 2FA to keep accounts secure,” the post said. “We have extensive fraud and risk detection models and dedicated security teams that work to help keep our customers’ accounts secure from fraudulent transactions, every day.”
PayPal said it has temporarily disabled the ability for customers who use this type of verification to log in on mobile.
Duo’s Lanier confirmed a patch is in place. He said the workaround essentially solves the problem by blocking those users’ access to the mobile service, although the underlying issue is not technically fixed.
The issue is the second high-profile security problem this year at a firm generally known for its tight security. EBay said in May that hackers had breached its corporate network and stolen customer information, including encrypted passwords. The company said at the time that PayPal was not affected by the attack.
EBay shares climbed 19 cents, or 0.39%, to $49.04 in recent trading. They have fallen 10.6% since the beginning of 2014.