PayPal Limits Some Login Options to Combat Security Issue

PayPal has at least temporarily shut off two-factor authentication for the PayPal mobile app after a security researcher found a way to bypass that second factor.

"These [two factor authentication] customers will still be able to log in to their PayPal account on a mobile device by visiting the PayPal mobile website," says Anuj Nayar, senior director of global initiatives for PayPal, in a statement on the company's website. PayPal was made aware of the vulnerability by the PayPal Bug Bounty Program, a venue for people to bring security issues to PayPal's attention. PayPal did not answer questions beyond the statement it posted online.

Two-factor authentication is optional for PayPal users. Two-factor authentication users who log into the mobile app are typically directed to enter their security code as a second factor before accessing the account. Duo Security's research team reports the soft spot is in the authentication flow for PayPal's application programming interface Web service.

This vulnerability makes it possible to avoid the Secure Key mechanism that powers PayPal's two-factor authentication. Consumers use Secure Key by entering a randomly generated security code that's sent to a separate device, or as a text message to a cell phone.

The Duo researchers built a separate app that fools PayPal's mobile app into thinking the user does not have a two-factor enabled account, in effect returning a "false negative" when determining if the user requires a second factor for authentication. This app communicates with two separate application programming interfaces on PayPal's server—one that's used for authentication and one that's used for money transfers—as part of the ruse.

The result is an attacker could use only a consumer's PayPal username and password to access a two-factor protected account because PayPal would not prompt for the security code as a second factor. The attacker would still need access to the target's username and password.

"We want to emphasize that all PayPal accounts remain secure. The workaround identified by the researcher is related to an extra layer of security some customers have chosen to add to their PayPal account," Nayar says on PayPal's site. "Customers who do not use the PayPal security key as an additional step to log into their accounts are not impacted in any way."

Two-factor authentication will continue to operate normally on the majority of PayPal products, Nayar says. "Even though two-factor is an additional layer of authentication, PayPal does not depend on two-factor to keep accounts secure."

PayPal also uses a form of device fingerprinting to protect mobile users, and has long used transaction monitoring as part of its measures to mitigate fraud.

PayPal is developing a fix for the problem that should be ready by the end of July, CSO Online reported, attributing this information to Duo Security. PayPal did not comment on repairs or timetables, and Duo Security did not return a request for comment by deadline.

Security glitches have also hit other mobile payment apps. Starbucks, for example, had to update its password storage system after a security flaw was discovered; and Apple recently paid a fine over its earlier authorization practices for iTunes sales.