A flaw in PayPal’s two-factor authentication could allow attackers to gain access to up to 143 million PayPal accounts, according to researchers at Duo Security, a two-factor security company in Michigan, according to The Register's report.

The online payments giant has rushed to reassure users that it is not at risk, issuing a statement via its official site.

Is PayPal 2FA really secure?

The vulnerability affected users logging into PayPal via an app on their Android or iOS device, according to the Financial Times’ report - and attackers would also need to know their target’s username and password. The victim would also need to have enabled the optional 2FA system, and attempted to log in via the apps, which do not support 2FA.

“It is a security feature designed to reduce the risk if the password did get compromised for any reason. It isn’t really living up to its promise as it is not particularly secure,” said Zach Lanier of Duo Security, who pointed out that PayPal users were increasingly targets of phishing attacks.

"Why do you rob a bank?"

“They kind of act like a bank at this point with funds sitting inside of PayPal and you can use it to send someone money directly from a bank account,” Lanier said. “Why do you rob a bank? Because that is where all the money is.”

The Register reports that the apps could be tricked into ignoring 2FA protection on user accounts. Normally, the apps would simply prevent users from logging in, but Lanier's proof-of-concept Python script allowed a hypothetical attacker to bypass this. There is no evidence of this having occurred in the wild.

“An attacker only needs a victim’s PayPal username and password in order to access a two-factor protected account and send money,” Lanier wrote.

“The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified.”

PayPal's 2FA disabled

PayPal has since stepped in to reassure users that the bug only affected those who had chosen to use the (currently optional) 2FA system, and attempted to log in via iPhone or Android apps (neither of which support 2FA). PayPal has since disabled login for 2FA users via the mobile apps, with a full patch to roll out later.
“If you have chosen to add 2FA to your PayPal account, your account also remains secure and 2FA will continue to operate as usual on the vast majority of PayPal product experiences ,” the site said via its blog. “Even though 2FA is an additional layer of authentication, PayPal does not depend on 2FA to keep accounts secure. We have extensive fraud and risk detection models and dedicated security teams that work to help keep our customers’ accounts secure from fraudulent transactions, everyday.”