Roman Dereka Head of Sales Department
Researcher describes a weakness in PayPal's two-factor authentication


A security researcher from Australia has found that one of PayPal's security features can be easily circumvented: the option for users to receive a passcode via text message in order to access their accounts.

This feature, two-factor authentication, is used by online services such as Google and by many financial services websites.

Joshua Rogers, a 17-year-old, found a way to get access to a PayPal account that has two-factor authentication enabled.

He published details of the attack on his blog.

By going public with the information, Rogers forfeits the reward that PayPal usually pays to security researchers. The reward might be around $3000.

The fault lies in a page on eBay that allows users to link their eBay account with PayPal, which eBay owns. Linking the accounts creates a cookie that makes the PayPal application think the person is logged in, even if a six-digit code has not been entered, Rogers wrote on his blog.

Rogers wrote that the problem lies specifically in the “=_integrated-registration” function. He also posted a video of the attack on YouTube.
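The flaw as described is a session-state problem: a second entry point (account linking) mints a session that the rest of the application treats as fully logged in, although the second factor was never presented. The following added example is not PayPal's or Rogers's code; it models that failure mode with a single "logged in" flag next to a hardened version that records which authentication steps actually completed and gates access on all factors the account has enabled. All function and field names are hypothetical.

```python
import hmac
from dataclasses import dataclass, field

PASSWORD, OTP = "password", "otp"


@dataclass
class Session:
    user: str
    logged_in: bool = False                    # single flag the flawed guard trusts
    factors: set = field(default_factory=set)  # authentication steps actually completed


def flawed_link_accounts(user: str) -> Session:
    # The linking flow sets the same "logged in" marker the normal login flow sets
    # after password + OTP, so downstream code cannot tell the two apart.
    return Session(user=user, logged_in=True)


def flawed_guard(s: Session) -> bool:
    # Any session carrying the flag passes, whichever path created it.
    return s.logged_in


def hardened_link_accounts(user: str) -> Session:
    # Assumption: the linking page verified the password. Linking therefore proves
    # password-level authentication only; it never mints a fully trusted session.
    return Session(user=user, factors={PASSWORD})


def complete_otp(s: Session, code: str, expected: str) -> Session:
    # Compare in constant time, then record the factor on the existing session
    # instead of issuing a new, differently shaped one.
    if hmac.compare_digest(code, expected):
        s.factors.add(OTP)
    return s


def hardened_guard(s: Session, mfa_enabled: bool) -> bool:
    # Full access requires every factor the account has enabled, regardless of
    # which entry point created the session.
    required = {PASSWORD, OTP} if mfa_enabled else {PASSWORD}
    return required <= s.factors
```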

The payment system's two-factor authentication could be defeated in other ways. For example, if a user has no way to receive the six-digit code, PayPal allows them to skip it and answer two security questions instead.

Those questions, which include “What’s the name of your first school?” and “What’s the name of the hospital in which you were born?”, are not difficult to answer for an attacker who has been profiling the victim.

But as with many online defenses, companies are often forced to make trade-offs between convenience and security, attempting to strike the right balance between safety and not alienating users locked out of their accounts.

Rogers received a caution from police, rather than facing charges, for discovering a vulnerability in the website of one of the country’s public transport authorities late last year.

A database flaw within the website of Public Transport Victoria (PTV), which runs the state’s transport system, allowed Rogers to gain access to some 600,000 records, including partial credit card numbers, addresses, emails, passwords, birth dates, phone numbers and senior citizen card numbers. Rogers notified the agency of the problem and did not try to profit from the information, but the incident was still referred to police.

Source: PCWorld.
