PayPal Discovers And Patches Potential Security Threat

PayPal has discovered a flaw in its two-factor authentication (2FA) system that would allow a motivated hacker to bypass the system merely by switching the device’s internet connectivity off and on.

PayPal explained the flaw on its blog yesterday, as well as the measures it is taking to correct it.

“The workaround identified by the researcher is related to an extra layer of security (2FA) some customers have chosen to add to their PayPal account. Customers who do not use the PayPal security key (physical card or SMS codes) as an additional step to log into their accounts are not impacted in any way.”

The researcher is Zach Lanier, senior researcher at Duo, who discovered the full extent of the bug after tech entrepreneur Daniel Blake Saltman turned it over to him in late March, reports The Guardian.

Lanier discovered that accounts with 2FA enabled are briefly logged in to PayPal between the first step, entering the username and password, and the second step, entering the secondary code issued by PayPal. By switching off the internet connection (on a phone by putting it into airplane mode, on a desktop by essentially programming it to emulate airplane mode) and then switching it back on, someone could essentially bypass 2FA by tricking the computer into thinking 2FA isn’t installed.

Exploiting this flaw, however, would require a cybercriminal to already have the account holder’s username and password.

“What’s Hot” is aggregated content. PYMNTS.com claims no responsibility for the accuracy of the content published by the original source.