PayPal 2FA flow partially mitigated, accounts are safe
Posted on 26 June 2014.
In the wake of the revelation of a flaw that allows attackers to bypass PayPal's two-factor authentication feature, the e-payment giant has made it temporarily impossible for users who enabled it to log into their PayPal account via the PayPal mobile app and on certain other mobile apps.

"These customers will still be able to log in to their PayPal account on a mobile device by visiting the PayPal mobile web site," noted PayPal Senior Director of Global Initiatives Anuj Nayar, who also reassured all users that their accounts have not been impacted in any way.

"Even though 2FA is an additional layer of authentication, PayPal does not depend on 2FA to keep accounts secure," he explained. "We have extensive fraud and risk detection models and dedicated security teams that work to help keep our customers' accounts secure from fraudulent transactions, every day."

The company is still working on a permanent fix for the vulnerability.

"The vulnerability lies primarily in the authentication flow for the PayPal API web service (api.paypal.com), an API used by PayPal's official mobile applications, as well as numerous third-party merchants and apps, but also partially in the official mobile apps themselves," says Duo Security's Zach Lanier, who is part of the team that analyzed the flaw, which was first discovered by Dan Saltman of EverydayCarry.com.

"We developed a proof-of-concept exploit to leverage this lack of 2FA enforcement, interfacing with the PayPal API directly and effectively mimicking the PayPal mobile app as though it were accessing a non-2FA account. The exploit communicates with two separate PayPal API services: one to authenticate (only with primary credentials), and another to transfer money to a destination account."

For extensive technical details about the flaw and PayPal's mitigation efforts implemented in the last few days, check out Lanier's blog post.
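The root cause Lanier describes is a second factor enforced in one client flow but not in the API that every client ultimately talks to. The following added illustration, which is not PayPal's or Duo's code and uses a constructed account store and assumed function names, contrasts an API login that checks only primary credentials with one that enforces the account's 2FA setting server-side, so that the money-moving endpoint cannot be reached without the second factor regardless of which client calls it:

```python
import hmac
from dataclasses import dataclass

# Constructed sample account store (assumption): plain comparison stands in for
# a real credential check; real systems store password hashes and TOTP secrets.
ACCOUNTS = {
    "alice": {"password": "correct-horse", "twofa_enabled": True, "otp": "246810"},
    "bob": {"password": "battery-staple", "twofa_enabled": False, "otp": None},
}


@dataclass
class Session:
    user: str
    fully_authenticated: bool  # False while a second factor is still owed


def check_password(user, password):
    acct = ACCOUNTS.get(user)
    return acct is not None and hmac.compare_digest(acct["password"], password)


def api_login_vulnerable(user, password):
    """Mirrors the flaw described above: the API path checks only primary
    credentials and never consults the account's 2FA setting, so a client that
    skips the web UI's 2FA prompt still receives a full session."""
    if not check_password(user, password):
        return None
    return Session(user, fully_authenticated=True)


def api_login_fixed(user, password, otp=None):
    """Hardened flow: 2FA is enforced on every authentication path. An account
    with 2FA enabled gets only a partial session until a valid OTP is presented."""
    if not check_password(user, password):
        return None
    acct = ACCOUNTS[user]
    if not acct["twofa_enabled"]:
        return Session(user, fully_authenticated=True)
    if otp is not None and hmac.compare_digest(acct["otp"], otp):
        return Session(user, fully_authenticated=True)
    return Session(user, fully_authenticated=False)


def transfer(session, amount, destination):
    """Money-moving endpoint: refuses anything but a fully authenticated session,
    so a partial session from a 2FA-enabled account cannot move funds."""
    if session is None or not session.fully_authenticated:
        return {"ok": False, "reason": "second factor required"}
    return {"ok": True, "from": session.user, "to": destination, "amount": amount}
```

The defensive point is that the transfer endpoint trusts the session's authentication level, not the client, so the enforcement decision is made once on the server and cannot be bypassed by a different app talking to the same API.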
