The security feature, known as two-factor authentication (2FA), is an option on many online services such as Google and mandatory on many financial services websites for certain kinds of high-risk transactions. Since the code is sent offline or generated by a mobile application, it is much more difficult for hackers to intercept, although by no means impossible.
The attack requires a hacker to know a person's eBay and PayPal login credentials, but malicious software programs have long been able to harvest those details from compromised computers.
The fault lies in a page on eBay that allows users to link their eBay account with PayPal, which eBay owns. Linking the accounts creates a cookie that makes the PayPal application think the person is logged in, even if a six-digit code has not been entered.
The payment processor's two-factor authentication could potentially be defeated in other ways. For example, if a user does not have a way to receive the six-digit code, PayPal allows them to skip it and instead answer two security questions.
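Both weaknesses described above (a cookie minted by the account-linking page that the PayPal application accepts as a full login, and the security-question fallback that stands in for the six-digit code) come down to the same design problem: the server trusts a session without recording how strongly the user was authenticated when it was created. The following added example, which is not PayPal's or eBay's code and uses made-up action names and assurance levels, shows the weak "any valid cookie is a login" check beside a hardened version that stores an assurance level in the session and compares it against what each action requires.

```python
"""Session assurance-level check (added example; not code from PayPal or eBay).

Assumptions (not from the article): the action names in REQUIRED, the four
assurance levels, and the 'origin' tag recording which flow minted a cookie.
"""
from dataclasses import dataclass
from enum import IntEnum
import secrets


class Assurance(IntEnum):
    """How strongly the user was authenticated when the session was created."""
    NONE = 0       # nothing proven yet
    PASSWORD = 1   # password only
    KBA = 2        # password + security questions (weak fallback)
    OTP = 3        # password + one-time six-digit code (true second factor)


@dataclass
class Session:
    user: str
    assurance: Assurance
    origin: str    # flow that minted the cookie, e.g. "login" or "account_link"


class SessionStore:
    """In-memory stand-in for a server-side session table keyed by cookie value."""

    def __init__(self):
        self._sessions = {}

    def mint(self, user: str, assurance: Assurance, origin: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, assurance, origin)
        return token

    def get(self, token: str):
        return self._sessions.get(token)


# Minimum assurance each action requires (assumed policy, not PayPal's).
REQUIRED = {
    "view_balance": Assurance.PASSWORD,
    "link_account": Assurance.PASSWORD,
    "send_payment": Assurance.OTP,
}


class AuthorizationError(Exception):
    pass


def authorize_weak(store: SessionStore, token: str, action: str) -> str:
    """The flawed pattern the article describes: any valid session cookie is
    treated as a fully logged-in user, no matter which flow created it or
    whether the one-time code was ever entered."""
    s = store.get(token)
    if s is None:
        raise AuthorizationError("no session")
    return s.user


def authorize(store: SessionStore, token: str, action: str) -> str:
    """Hardened check: the session's recorded assurance must meet the action's
    requirement. A cookie minted by the linking flow (PASSWORD) or by the
    security-question fallback (KBA) cannot satisfy an OTP-gated action."""
    s = store.get(token)
    if s is None:
        raise AuthorizationError("no session")
    need = REQUIRED[action]
    if s.assurance < need:
        raise AuthorizationError(
            f"{action} requires {need.name}; session has "
            f"{s.assurance.name} (origin={s.origin})"
        )
    return s.user


def demo() -> dict:
    """Exercise both checks with constructed sessions; returns the outcomes."""
    store = SessionStore()
    link_cookie = store.mint("alice", Assurance.PASSWORD, "account_link")
    kba_cookie = store.mint("alice", Assurance.KBA, "login")
    otp_cookie = store.mint("alice", Assurance.OTP, "login")

    def outcome(fn, token, action):
        try:
            return fn(store, token, action)
        except AuthorizationError as e:
            return f"denied: {e}"

    return {
        "weak_link_cookie_send_payment": outcome(authorize_weak, link_cookie, "send_payment"),
        "hard_link_cookie_send_payment": outcome(authorize, link_cookie, "send_payment"),
        "hard_kba_cookie_send_payment": outcome(authorize, kba_cookie, "send_payment"),
        "hard_otp_cookie_send_payment": outcome(authorize, otp_cookie, "send_payment"),
        "hard_link_cookie_view_balance": outcome(authorize, link_cookie, "view_balance"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the `origin` field is auditability rather than enforcement: when a high-risk action is denied, the log line says which flow produced the cookie, which is exactly the signal a defender would want when hunting for sessions that reached a payment endpoint without ever passing through the one-time-code step.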