If you think you are already safe online because all your Web-based accounts have two-factor authentication in place, think again. Especially if you are using PayPal.
A young security researcher from Australia has found a way to work around the much-touted two-factor authentication and log in to a PayPal account that has it enabled.
The feature, which has seen wide adoption in popular Internet services including Gmail and Facebook, adds a good measure of security to password-protected accounts. It works by requiring anyone attempting to log in, whether the account's owner or an impostor, to submit, in addition to the password, a second factor such as a code sent by text message.
Most financial institutions treat two-factor authentication as mandatory, given the sensitivity of the data they hold.
Users can receive the second-factor pass code in several ways, not just by SMS: most services send it to a registered mobile phone number, or users can have an authenticator app on the phone generate it. The code is entered into a separate field after the user name and password have been accepted.
But Joshua Rogers, from Melbourne, was able to get into a PayPal account with two-factor authentication enabled.
The attack has a prerequisite: the attacker must already know the victim's eBay and PayPal login credentials, obtained, for example, by malware running on the victim's compromised computer.
The vulnerability lies in the feature that links a user's eBay and PayPal accounts. Once the two are connected, a cookie is set and PayPal's system accepts the login coming from eBay even though the six-digit code was never entered.
According to Rogers, an attacker can then link and unlink the target's eBay and PayPal accounts at will. There are also other ways of circumventing PayPal's two-factor authentication. Even fallback measures such as the security questions offered at login when the pass code is unavailable can be defeated by an attacker who has gathered enough personal information about the victim.
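The security lesson in the mechanism above is that a second factor is only as strong as the weakest path that can mint an authenticated session. The following Python model is an added example written for this article, not PayPal or eBay code; the user record, the fixed six-digit code and the function names are all constructed. It puts the normal login form beside a linked-account login that never collects the code, and shows the hardened form in which the session carries the authentication strength it actually earned, so a sensitive action refuses it until the code is supplied:

```python
"""Model of the flaw class described above: a second login path that issues a
session without the second factor. Constructed illustration for this article,
not PayPal or eBay code; the user, the fixed OTP and the names are assumptions."""
import hmac
import secrets
from dataclasses import dataclass

# Constructed user record. A real service stores a password hash and a TOTP
# seed; the fixed six-digit OTP here only stands in for "the second factor".
USERS = {
    "alice": {"password": "correct horse battery", "mfa_enabled": True, "otp": "493021"},
}


@dataclass
class Session:
    user: str
    mfa_verified: bool  # authentication strength travels with the session
    token: str


def _issue(user, mfa_verified):
    return Session(user, mfa_verified, secrets.token_hex(16))


def _password_ok(user, password):
    u = USERS.get(user)
    return u is not None and hmac.compare_digest(u["password"], password)


def login(user, password, otp=None):
    """Primary login form: password, then the six-digit code when MFA is on."""
    if not _password_ok(user, password):
        return None
    if USERS[user]["mfa_enabled"]:
        if otp is None or not hmac.compare_digest(USERS[user]["otp"], otp):
            return None
        return _issue(user, mfa_verified=True)
    return _issue(user, mfa_verified=False)


def login_from_linked_account(user, password, weak):
    """Partner-initiated login (the linked-account door). The partner only
    forwards a password; no second factor is collected on this path.

    weak=True reproduces the flaw class: the session is stamped as fully
    authenticated although the second factor was never checked.
    weak=False is the hardened form: the session records the strength it
    actually earned, and sensitive actions refuse it until step_up() runs.
    """
    if not _password_ok(user, password):
        return None
    return _issue(user, mfa_verified=weak)


def step_up(session, otp):
    """Upgrade a password-only session by verifying the second factor."""
    if hmac.compare_digest(USERS[session.user]["otp"], otp):
        session.mfa_verified = True
    return session.mfa_verified


def send_money(session, amount):
    """Sensitive action: authorize on session strength, not on which login
    door produced the session."""
    if USERS[session.user]["mfa_enabled"] and not session.mfa_verified:
        return "denied: second factor required"
    return f"sent {amount} from {session.user}"


if __name__ == "__main__":
    pw = "correct horse battery"  # assumed stolen, e.g. by malware on the victim's PC
    # Front door: password alone is refused.
    assert login("alice", pw) is None
    # Weak linked-account door: password alone yields a fully trusted session.
    print(send_money(login_from_linked_account("alice", pw, weak=True), 10))
    # Hardened door: the session is accepted but cannot move money until step-up.
    s = login_from_linked_account("alice", pw, weak=False)
    print(send_money(s, 10))
    step_up(s, "493021")
    print(send_money(s, 10))
```

The design choice in the hardened variant is that the second-factor check is not tied to one login form: the session records whether the factor was verified, and every sensitive operation consults that flag. Adding a new way to log in (a partner link, a mobile app, a password-reset flow) then cannot silently weaken the policy, because an unverified session is simply unable to do anything that matters until the code is presented.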
Rogers first reported the vulnerability to PayPal, but said the company did not fix the flaw promptly, so he decided to disclose his findings publicly.
The bottom line: Internet companies must keep upgrading the security infrastructure that protects both their enterprise and their customers, especially as the threat landscape evolves rapidly.