PayPal 2FA bug: what you need to know

A flaw in PayPal’s two-factor authentication could allow attackers to gain access to up to 143 million PayPal accounts, according to researchers at Duo Security, a two-factor security company in Michigan, as reported by The Register.

The online payments giant has rushed to reassure users that it is not at risk, issuing a statement via its official site.

Is PayPal 2FA really secure?

The vulnerability affected users logging into PayPal via an app on their Android or iOS device, according to the Financial Times’ report – and attackers would also need to know their target’s username and password. The victim would also need to have enabled the optional 2FA system, and attempted to log in via the apps, which do not support 2FA.

“It is a security feature designed to reduce the risk if the password did get compromised for any reason. It isn’t really living up to its promise as it is not particularly secure,” said Zach Lanier of Duo Security, who pointed out that PayPal users were increasingly targets of phishing attacks.

“Why do you rob a bank?”

“They kind of act like a bank at this point with funds sitting inside of PayPal and you can use it to send someone money directly from a bank account,” Lanier said. “Why do you rob a bank? Because that is where all the money is.”

The Register reports that the apps could be tricked into ignoring 2FA protection on user accounts. Normally, the apps would simply prevent users from logging in, but Lanier’s proof-of-concept Python script allowed a hypothetical attacker to bypass this. There is no evidence of this having occurred in the wild.
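The article does not describe how the apps were tricked, so the following is an added illustration, not Duo Security’s script or PayPal’s code. It models the general design mistake that lets a client which “does not support 2FA” skip the second factor: the server consults a client-supplied capability flag (the `client_supports_2fa` parameter, the `USERS` table and the one-time codes are all constructed for this example) instead of enforcing the factor itself. The hardened version issues no session until a valid code arrives, whatever the client claims, which is the property PayPal’s interim fix of blocking 2FA accounts from the apps restores.

```python
"""
Added example: server-side 2FA enforcement versus a client-trusted flag.
Everything here (users, codes, the capability flag) is constructed and is
not taken from PayPal's API or from the proof-of-concept mentioned above.
"""
import hmac
import secrets

# Constructed user store. A real service would store password hashes and
# verify a time-based code; fixed strings keep the example self-contained.
USERS = {
    "alice": {"password": "correct horse", "totp_enabled": True, "totp_code": "492817"},
    "bob": {"password": "hunter2", "totp_enabled": False, "totp_code": None},
}


def _password_ok(user, password):
    """Constant-time comparison so the check itself leaks nothing about the password."""
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(rec["password"], password)


def weak_login(user, password, client_supports_2fa, otp=None):
    """Flawed design (assumed, for illustration): the second factor is only
    demanded when the *client* says it can perform it. Any client that
    reports False, whether a legacy app or a modified one, nullifies 2FA."""
    if not _password_ok(user, password):
        return {"status": "denied"}
    rec = USERS[user]
    if rec["totp_enabled"] and client_supports_2fa:
        if otp is None or not hmac.compare_digest(rec["totp_code"], otp):
            return {"status": "2fa_required"}
    return {"status": "ok", "session": secrets.token_hex(8)}


def hardened_login(user, password, otp=None):
    """Server-side enforcement: if the account has 2FA enabled, no session
    token is issued until a valid one-time code is presented. The client's
    capabilities never enter the decision; a client that cannot collect a
    code simply cannot log in to a 2FA-protected account."""
    if not _password_ok(user, password):
        return {"status": "denied"}
    rec = USERS[user]
    if rec["totp_enabled"]:
        if otp is None or not hmac.compare_digest(rec["totp_code"], otp):
            return {"status": "2fa_required"}
    return {"status": "ok", "session": secrets.token_hex(8)}


if __name__ == "__main__":
    # Same credentials, no code: the weak server can be talked out of 2FA,
    # the hardened server cannot.
    print("weak, client claims no 2FA support:", weak_login("alice", "correct horse", False)["status"])
    print("hardened, no code:", hardened_login("alice", "correct horse")["status"])
    print("hardened, valid code:", hardened_login("alice", "correct horse", otp="492817")["status"])
```

The detection angle follows from the same split: a login endpoint that can return a session for a 2FA-enabled account without a verified code in the same flow is the condition to test for, and an audit log should record which factor path produced each session so that such logins stand out.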

“An attacker only needs a victim’s PayPal username and password in order to access a two-factor protected account and send money,” Lanier wrote.

“The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified.”

PayPal’s 2FA disabled

PayPal has since stepped in to reassure users that the bug only affected those who had chosen to use the (currently optional) 2FA system and attempted to log in via the iPhone or Android apps (neither of which supports 2FA). As an interim measure, PayPal has disabled login for 2FA users via the mobile apps, with a full patch to roll out later.

“If you have chosen to add 2FA to your PayPal account, your account also remains secure and 2FA will continue to operate as usual on the vast majority of PayPal product experiences,” the site said via its blog. “Even though 2FA is an additional layer of authentication, PayPal does not depend on 2FA to keep accounts secure. We have extensive fraud and risk detection models and dedicated security teams that work to help keep our customers’ accounts secure from fraudulent transactions, every day.”

Author, We Live Security

  • Vicki T

    Several years ago my PayPal account was compromised and someone tried to buy a $2,800 US computer through my checking account. PayPal notified me by email about the breach, but when I called them (I waited 45 minutes for someone there to answer the phone) they did nothing to stop the transactions from going through my bank. They just blew me off. So, needless to say, I closed my PayPal account and have never looked back. My bank would only honor the NSF refund on one of the three transactions. If I had just had my paycheck automatically deposited into my account the transaction would have gone through and I would have been left holding an empty bag. I have hated PayPal ever since and refuse to do business with them. I always hated their forcing users to put their banking info in their accounts. I wanted to just stick with a credit card, but PayPal wanted us to do our transactions via banking. It was such a nightmare I couldn’t believe how haughty PayPal customer service was. Thank you for the great article. Vicki T

Copyright © 2017 ESET, All Rights Reserved.