The security feature, known as two-factor authentication (2FA), is an option on many online services such as Google and mandatory on many financial services websites for certain kinds of high-risk transactions. Since the code is sent offline or generated by a mobile application, it is much more difficult for hackers to intercept although by no means impossible.
The attack requires a hacker to know a persons eBay and PayPal login credentials, but malicious software programs have long been able to harvest those details from compromised computers.
The fault lies in a page on eBay that allows users to link their eBay account with PayPal, which eBay owns. Linking the accounts creates a cookie that makes the PayPal application think the person is logged in, even if a six-digit code has not been entered.
The payment processors two-factor authentication could potentially be defeated in other ways. For example, if a user does not have a way to receive the six-digit code, PayPal allows them to skip it and instead answer two security questions.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now
We welcome comments that add value to the discussion. We attempt to block comments that use offensive language or appear to be spam, and our editors frequently review the comments to ensure they are appropriate. If you see a comment that you believe is inappropriate to the discussion, you can bring it to our attention by using the report abuse links. As the comments are written and submitted by visitors of the The Paypers website, they in no way represent the opinion of The Paypers.