In yet another case of a security flaw at what was thought to be a safe site, researchers have found that it’s possible for mobile users to bypass PayPal’s two-step authentication process, which sends a code to a user’s cellphone to ensure that the person logging in is who he or she claims to be.
PayPal's apps for iOS and Android devices don't support two-factor authentication, so they are designed to lock out users who have enabled the security codes. Researchers at Duo Labs, a company that sells two-factor authentication products, found that a user can trick the app into ignoring the flags that call for a second mode of verifying the user's identity.
“An attacker only needs a victim’s PayPal username and password in order to access a two-factor protected account and send money. The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified,” the researchers wrote in a blog post.
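The weakness the researchers describe is a design pattern rather than a single bug: the server finishes authenticating on the password alone and only signals to the client that a second factor should be collected, so a client that ignores that signal gets a working session. The following is an added illustration written for this article, not PayPal's or Duo Labs' code, and it does not reproduce the mobile-app specifics. It contrasts a toy "client-enforced" login API with one where the server tracks the session's assurance level itself and refuses money movement until the second factor has actually been verified. All accounts, codes and function names are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo accounts (hypothetical, not real credentials). The stored
# "expected_code" is a fixed stand-in for whatever code the user's phone would show.
USERS = {
    "alice": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
              "two_factor": True, "expected_code": "482913"},
    "bob":   {"pw_hash": hashlib.sha256(b"hunter2").hexdigest(),
              "two_factor": False, "expected_code": None},
}


def _password_ok(user, password):
    """Constant-time check of a (demo) password hash; returns False for unknown users."""
    record = USERS.get(user)
    if record is None:
        return False
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, record["pw_hash"])


# ---- Weak design: the second factor is only a hint to the client ------------
WEAK_SESSIONS = {}


def weak_login(user, password):
    """Password alone yields a fully usable session; the response merely carries
    a flag asking the client to prompt for a code. Nothing server-side depends on it."""
    if not _password_ok(user, password):
        return None
    token = secrets.token_hex(16)
    WEAK_SESSIONS[token] = {"user": user, "authenticated": True}
    return {"token": token, "ask_for_code": USERS[user]["two_factor"]}


def weak_send_money(token, amount):
    """Trusts the session as soon as it exists. A client that never shows the
    code prompt still gets through, which is the class of flaw described above."""
    session = WEAK_SESSIONS.get(token)
    return bool(session and session["authenticated"] and amount > 0)


# ---- Strong design: the server records the assurance level itself -----------
STRONG_SESSIONS = {}


def strong_login(user, password):
    """Returns a session token whose level is 'password_only' for enrolled users;
    such a session cannot move money until strong_verify_second_factor succeeds."""
    if not _password_ok(user, password):
        return None
    token = secrets.token_hex(16)
    level = "password_only" if USERS[user]["two_factor"] else "full"
    STRONG_SESSIONS[token] = {"user": user, "level": level}
    return token


def strong_verify_second_factor(token, code):
    """Upgrades a partial session to 'full' only when the code matches server-side."""
    session = STRONG_SESSIONS.get(token)
    if session is None or session["level"] != "password_only":
        return False
    expected = USERS[session["user"]]["expected_code"]
    if expected is None or not hmac.compare_digest(code, expected):
        return False
    session["level"] = "full"
    return True


def strong_send_money(token, amount):
    """Sensitive action gated on the server's own record, not on client behaviour."""
    session = STRONG_SESSIONS.get(token)
    if session is None or session["level"] != "full":
        return False
    return amount > 0
```

The point of the contrast is where the decision lives: in the weak design the only thing standing between a password and a transfer is the client's willingness to honour `ask_for_code`, whereas in the strong design the server never issues a transfer-capable session to an enrolled user until it has itself checked the second factor, so no client can skip the step.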
PayPal has more than 148 million active users and processed about $27 billion in mobile payments in 2013, up 99% from 2012, according to figures on the company’s website. It wrote in a response blog that “all PayPal accounts remain secure” because the bug researchers found is related to the extra security layer customers can opt into – not the initial layer. The message: If the door is deadbolted, the police lock is just an extra precaution.
“We have extensive fraud and risk detection models and dedicated security teams that work to help keep our customers’ accounts secure from fraudulent transactions, every day,” the blog says.
PayPal has disabled the ability for people who use two-factor authentication to use the PayPal mobile apps and “certain other mobile apps,” according to the blog.
Duo Labs senior security researcher Zach Lanier says Duo began investigating the PayPal issue after a friend of the Michigan-based security firm’s CEO realized he could bypass the two-factor system on his own account in March. Duo sent more information on the flaw to PayPal, and Lanier says the company dragged its feet.