Roman Dereka Head of Sales Department

Researcher reports weakness in PayPal's two-factor authentication


A security researcher from Australia has found that PayPal's two-factor authentication can be easily circumvented. The feature sends users a passcode via text message, which they must enter in addition to their password in order to access their accounts.

Two-factor authentication of this kind is used by online services such as Google and by many other financial services websites.

Joshua Rogers, a 17-year-old, found a way to get into a PayPal account that has two-factor authentication enabled.

He published details of the attack on his blog.

By going public with the information, Rogers forfeits the reward PayPal usually pays security researchers, which might have been around $3,000.

The fault lies in a page on eBay that lets users link their eBay account with PayPal, which eBay owns. Linking the accounts creates a cookie that makes the PayPal application treat the person as fully logged in, even though the six-digit code has never been entered, Rogers wrote on his blog. In other words, a secondary flow is able to mint a session with the same privileges as one that completed both factors.

Rogers wrote that the problem lies specifically in the “=_integrated-registration” function. He also posted a video of the attack on YouTube.
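To make the bug class concrete, here is a toy model of the pattern the article describes: an auxiliary flow (account linking) that sets "logged in" session state as a side effect, so an attacker holding only the victim's password reaches the account without the second factor. This is an added, constructed illustration and not PayPal's or eBay's code; the user record, the pending OTP value and all function names are hypothetical. The vulnerable and hardened variants sit side by side; the hardened one tracks which factors were actually verified and never lets the linking step change that state.

```python
"""Toy model of a 2FA bypass via a side flow that mints logged-in state.

Constructed example; not code from the article, PayPal or eBay.
"""
from dataclasses import dataclass, field
import hmac

# Constructed user store. A real system stores a password hash, not the
# password; this is simplified so the example runs offline.
USERS = {
    "alice": {"password": "correct horse"},
}

# Constructed stand-in for the six-digit code PayPal would send by SMS.
PENDING_OTP = {"alice": "123456"}


@dataclass
class Session:
    user: str
    # Which factors have actually been verified for this session.
    factors: set = field(default_factory=set)
    # Coarse flag that the vulnerable code path trusts.
    logged_in: bool = False


def login_with_password(user: str, password: str) -> Session:
    """First factor only. Returns a session that must still complete OTP."""
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(record["password"], password):
        raise PermissionError("bad credentials")
    return Session(user=user, factors={"password"})


def verify_otp(session: Session, code: str) -> bool:
    """Second factor. Only this step should be able to complete the login."""
    expected = PENDING_OTP.get(session.user, "")
    if not hmac.compare_digest(expected, code):
        return False
    session.factors.add("otp")
    session.logged_in = True
    return True


def link_external_account_vulnerable(session: Session) -> None:
    """Linking flow that sets the logged-in flag as a side effect.

    This is the shape of the bug the article describes: the second factor
    is never checked, yet the session now looks fully authenticated.
    """
    # ... linking work would happen here ...
    session.logged_in = True


def link_external_account_fixed(session: Session) -> None:
    """Hardened linking flow: requires a completed second factor and never
    touches authentication state itself."""
    if "otp" not in session.factors:
        raise PermissionError("step-up authentication required before linking")
    # ... linking work would happen here; session.factors is left untouched ...


def account_access_vulnerable(session: Session) -> bool:
    """Access check that trusts the coarse flag."""
    return session.logged_in


def account_access_fixed(session: Session) -> bool:
    """Access check that requires both factors to have been verified."""
    return {"password", "otp"} <= session.factors


def demo() -> dict:
    """Attacker scenario: password known, OTP device not available."""
    # Vulnerable path: linking grants access without the OTP.
    s = login_with_password("alice", "correct horse")
    link_external_account_vulnerable(s)
    vulnerable_bypass = account_access_vulnerable(s)

    # Hardened path: linking is refused and access stays denied until OTP.
    s2 = login_with_password("alice", "correct horse")
    try:
        link_external_account_fixed(s2)
        linking_refused = False
    except PermissionError:
        linking_refused = True
    fixed_without_otp = account_access_fixed(s2)
    verify_otp(s2, PENDING_OTP["alice"])
    fixed_with_otp = account_access_fixed(s2)

    return {
        "vulnerable_bypass": vulnerable_bypass,
        "linking_refused": linking_refused,
        "fixed_without_otp": fixed_without_otp,
        "fixed_with_otp": fixed_with_otp,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that "logged in" is not a single bit: every flow that can create or upgrade a session must record which factors it actually verified, and every sensitive action must check that set rather than a flag some unrelated feature may have set.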

PayPal's two-factor authentication can also be defeated in other ways. For example, if a user has no way to receive the six-digit code, PayPal allows them to skip it and answer two security questions instead.

Those questions, which include “What’s the name of your first school?” and “What’s the name of the hospital in which you were born?”, are not difficult to answer for an attacker who has been profiling the victim.

But as with many online defenses, companies are often forced to trade convenience against security, trying to strike a balance between safety and not alienating users who are locked out of their accounts.

Rogers received a caution from police rather than facing charges after discovering a vulnerability in the website of one of the country’s public transport authorities late last year.

A database flaw in the website of Public Transport Victoria (PTV), which runs the state’s transport system, allowed Rogers to access some 600,000 records, including partial credit card numbers, addresses, email addresses, passwords, birth dates, phone numbers and senior citizen card numbers. Rogers notified the agency of the problem and did not try to profit from the information, but the incident was still referred to police.

Source: PCWorld.
