PayPal's two-factor authentication could be circumvented

Monday 6 October 2014 11:23 CET | News

A security feature offered by PayPal to help prevent accounts from being taken over by hackers could be circumvented, according to an Australian security researcher.

The security feature, known as two-factor authentication (2FA), is an option on many online services such as Google and is mandatory on many financial services websites for certain kinds of high-risk transactions. Since the code is sent offline or generated by a mobile application, it is much more difficult for hackers to intercept, although by no means impossible.

The attack requires a hacker to know a person's eBay and PayPal login credentials, but malicious software programs have long been able to harvest those details from compromised computers.

The fault lies in a page on eBay that allows users to link their eBay account with PayPal, which eBay owns. Linking the accounts creates a cookie that makes the PayPal application think the person is logged in, even if a six-digit code has not been entered.

The payment processor's two-factor authentication could potentially be defeated in other ways. For example, if a user does not have a way to receive the six-digit code, PayPal allows them to skip it and instead answer two security questions.
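The two weaknesses described above share a root cause: the payment side treats the presence of a session cookie as proof that login finished, instead of recording which factors were actually completed. The following is an added illustration, constructed for this article and not PayPal's or eBay's code, of a session model that tracks completed factors and gates payments on a finished second factor. The `link_partner_account` flow, the `Factor` names and the sample users are assumptions made for the example; it also goes slightly beyond the article by showing that a security-question fallback does not satisfy the step-up for a payment either.

```python
"""Session model contrasting the flawed 'cookie == logged in' check with an
auth-level check that refuses payments until a strong second factor is done.
Constructed example for illustration; not PayPal's or eBay's code."""
import hmac
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    PASSWORD = "password"
    OTP = "otp"                     # six-digit code from SMS or an authenticator app
    SECURITY_QUESTIONS = "kba"      # knowledge-based fallback
    PARTNER_LINK = "partner_link"   # session minted by an account-linking flow


@dataclass
class Session:
    user: str
    mfa_enrolled: bool
    factors: set = field(default_factory=set)


def login_with_password(user: str, mfa_enrolled: bool) -> Session:
    """Normal first step: only the password factor is recorded."""
    return Session(user, mfa_enrolled, {Factor.PASSWORD})


def link_partner_account(user: str, mfa_enrolled: bool) -> Session:
    """Hypothetical linking flow (assumption): the partner site vouches for the
    user and the payment side mints a session without showing the OTP prompt."""
    return Session(user, mfa_enrolled, {Factor.PASSWORD, Factor.PARTNER_LINK})


def complete_otp(session: Session, submitted: str, expected: str) -> bool:
    """Record the OTP factor only after a constant-time comparison succeeds."""
    if hmac.compare_digest(submitted.encode(), expected.encode()):
        session.factors.add(Factor.OTP)
        return True
    return False


def answer_security_questions(session: Session, answers_ok: bool) -> None:
    """Knowledge-based fallback: recorded as its own, weaker factor."""
    if answers_ok:
        session.factors.add(Factor.SECURITY_QUESTIONS)


def flawed_can_pay(session) -> bool:
    """The weak gate: the mere existence of a session cookie is treated as
    full authentication, so a linking-flow session sails straight through."""
    return session is not None


def hardened_can_pay(session) -> bool:
    """Payments require the password plus, for MFA-enrolled users, an OTP
    completed in *this* session. Partner-link and security-question factors
    do not satisfy the step-up, however the cookie was minted."""
    if session is None or Factor.PASSWORD not in session.factors:
        return False
    if not session.mfa_enrolled:
        return True
    return Factor.OTP in session.factors


if __name__ == "__main__":
    s = link_partner_account("alice", mfa_enrolled=True)
    print("flawed gate:", flawed_can_pay(s))      # True: 2FA never happened
    print("hardened gate:", hardened_can_pay(s))  # False: step-up required
    complete_otp(s, "123456", "123456")
    print("after OTP:", hardened_can_pay(s))      # True
```

The point of the design is that the session stores an explicit set of completed factors, and the payment check asks for the specific factor it needs rather than for "is there a session". A cookie minted by a linking flow, or a session that reached the payment page via the security-question fallback, then fails the same check that a normal password-only session fails.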


Keywords: PayPal, two-factor authentication, malicious software, credentials, online security, digital identity
Categories: Fraud & Financial Crime
Countries: World