A security researcher from Australia has found that PayPal's security features can be easily circumvented. Users can receive a passcode via text message in order to access their accounts.
The feature, known as two-factor authentication, is used by online services like Google and by many other financial services websites.
Joshua Rogers, a 17-year-old, found a way to get access to a PayPal account that has two-factor authentication enabled.
He published details of the attack on his blog.
By going public with the information, Rogers will forfeit a reward usually paid by PayPal to security researchers. The reward might be around $3000.
The fault lies in a page on eBay that allows users to link their eBay account with PayPal, which eBay owns. Linking the accounts creates a cookie that makes the PayPal application think the person is logged in, even if a six-digit code has not been entered, Rogers wrote on his blog.
Rogers wrote that the problem lies specifically in the “=_integrated-registration” function. He also posted a video of the attack on YouTube.
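The class of flaw described above, where a side flow such as account linking marks a session as logged in before the six-digit code has been checked, can be sketched as follows. This is an added example, not code from Rogers's post or from PayPal or eBay; the session model and every function name are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical session model; every name here is an assumption for illustration.
@dataclass
class Session:
    user: str
    enrolled_2fa: bool
    steps_done: set = field(default_factory=set)  # completed steps: "password", "otp"
    logged_in: bool = False  # standalone flag that the weak handlers trust

def required_steps(s: Session) -> set:
    return {"password", "otp"} if s.enrolled_2fa else {"password"}

def fully_authenticated(s: Session) -> bool:
    # Derive auth state from completed steps instead of a flag any flow can set.
    return required_steps(s) <= s.steps_done

def password_login(s: Session, password_ok: bool) -> None:
    if password_ok:
        s.steps_done.add("password")
        s.logged_in = not s.enrolled_2fa  # 2FA users still owe the code

def submit_code(s: Session, code_ok: bool) -> None:
    if "password" in s.steps_done and code_ok:
        s.steps_done.add("otp")
        s.logged_in = True

def link_accounts_weak(s: Session) -> bool:
    # Flawed pattern: a side flow sets the logged-in flag after the password alone.
    if "password" in s.steps_done:
        s.logged_in = True
    return s.logged_in

def link_accounts_hardened(s: Session) -> bool:
    # Linking never alters auth state and is refused until every step is done.
    return fully_authenticated(s)

def view_account_weak(s: Session) -> bool:
    return s.logged_in

def view_account_hardened(s: Session) -> bool:
    return fully_authenticated(s)

def demo() -> dict:
    s = Session(user="constructed-user", enrolled_2fa=True)
    password_login(s, password_ok=True)
    link_accounts_weak(s)  # six-digit code never entered
    result = {"weak": view_account_weak(s), "hardened": view_account_hardened(s)}
    submit_code(s, code_ok=True)
    result["after_code"] = view_account_hardened(s)
    return result
```

The hardened handlers compute authentication from the set of completed steps on every request, so no individual flow can promote a session by setting a flag.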
The payment system's two-factor authentication could be defeated in other ways. For example, if a user doesn’t have a way to receive the six-digit code, PayPal allows them to skip it and answer two security questions instead.
Those questions, which include “What’s the name of your first school?” and “What’s the name of the hospital in which you were born?” aren’t difficult ones for a hacker who has been profiling a victim to answer.
But as with many online defenses, companies are often forced to make trade-offs between convenience and security, attempting to strike the right balance between safety and not alienating users locked out of their accounts.
Rogers received a caution from police rather than facing charges for discovering a vulnerability in the website of one of the country’s public transport authorities late last year.
A database flaw within the website of Public Transport Victoria (PTV), which runs the state’s transport system, allowed Rogers to gain access to some 600,000 records, including partial credit card numbers, addresses, emails, passwords, birth dates, phone numbers and senior citizen card numbers. Rogers notified the agency of the problem and did not try to profit from the information, but the incident was still referred to police.