Now it's PayPal's turn: two-factor authentication is hackable

Joshua Rogers, teenage hacker, finds PayPal vulnerability

An Australian researcher has found a way to get around a security feature that PayPal offers to keep hackers out of users' accounts.

PayPal offers a two-factor authentication system: users who opt in have a six-digit code texted to them, and that code must be entered after the username and password before they are given access to their accounts. The objective of two-factor authentication is to make it difficult for hackers who have intercepted a password to get in, because the second code is delivered out of band, i.e. by text message (yes, that is considered "offline" in this instance).

However, a 17-year-old in Melbourne, Australia, Joshua Rogers, has found a way around two-factor authentication on a PayPal account. Normally Rogers would have been eligible for the $3,000 reward that PayPal pays security researchers who identify a vulnerability and keep it secret until it is fixed. However, Rogers chose to go public with his findings, saying that PayPal was told about the flaw on June 5 and failed to fix it.

The hack Rogers discovered does require the attacker to have someone's eBay and PayPal logins, which are relatively easy to harvest from compromised computers.

According to Rogers, eBay provides a service that links your eBay account to your PayPal account so that when you sell something on eBay the fee can be deposited automatically into your PayPal account.

The problem is that this process leaves you logged in to both eBay and PayPal without requiring two-factor authentication for your PayPal account, even though you are logged into PayPal.

A cookie unique to this linked set-up on eBay's pages means you are logged into PayPal with no further security hindrance; all it takes is to jump from eBay to your PayPal page and you will see that confirmed.
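The design flaw described above is that the decision to skip the second factor depends on which door the user came through (a partner-linked session with its own cookie) rather than on the account's own requirements. The following is an added illustration, not code from PayPal, eBay or Rogers: it models a session with separate first-factor, second-factor and origin state, shows a gate that trusts the partner-link origin beside one that ignores origin and checks the account's MFA setting on every route, and records an audit event whenever a session reaches a protected resource without the factor the account demands. All names (`Account`, `Session`, `origin`, the policy functions) are assumptions for this example.

```python
"""
Session gating for an MFA-protected account (hypothetical example).

Models the failure described in the article: a session created through a
partner-linked flow carries a marker (the linked-account cookie) that lets
the user reach the protected account without the second factor. The
hardened policy gates every path on the same per-account requirement.
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str
    mfa_enabled: bool      # the user opted in to the texted six-digit code


@dataclass
class Session:
    """What the server knows about a session, regardless of how it began."""
    user_id: str
    password_verified: bool = False   # first factor completed
    mfa_verified: bool = False        # second factor (SMS code) completed
    # Origin marker standing in for the linked-account cookie; the name and
    # values are assumptions made for this example.
    origin: str = "direct"            # "direct" or "partner_link"


@dataclass
class AuditLog:
    events: list = field(default_factory=list)

    def record(self, kind: str, session: Session) -> None:
        self.events.append((kind, session.user_id, session.origin))


def weak_policy(account: Account, session: Session) -> bool:
    """Flawed gate: a partner-linked session is treated as fully
    authenticated, so whether MFA is enforced depends on session origin."""
    if session.origin == "partner_link":
        return True
    if not session.password_verified:
        return False
    return session.mfa_verified or not account.mfa_enabled


def hardened_policy(account: Account, session: Session, log: AuditLog) -> bool:
    """Origin-blind gate: every path to a protected resource must satisfy
    the account's own authentication requirements."""
    if session.user_id != account.user_id or not session.password_verified:
        log.record("denied_unauthenticated", session)
        return False
    if account.mfa_enabled and not session.mfa_verified:
        # Detection signal: first factor done, protected route reached
        # without the second factor. Deny and require step-up here.
        log.record("step_up_required", session)
        return False
    return True


def demo() -> dict:
    """Run the linked-session scenario through both policies (constructed data)."""
    alice = Account("alice", mfa_enabled=True)      # MFA-enabled account
    bob = Account("bob", mfa_enabled=False)         # account without MFA
    log = AuditLog()
    linked = Session("alice", password_verified=True, origin="partner_link")
    completed = Session("alice", password_verified=True, mfa_verified=True)
    bob_direct = Session("bob", password_verified=True)
    return {
        "weak_linked": weak_policy(alice, linked),            # flaw: True
        "hardened_linked": hardened_policy(alice, linked, log),
        "hardened_completed": hardened_policy(alice, completed, log),
        "hardened_no_mfa": hardened_policy(bob, bob_direct, log),
        "events": list(log.events),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hardened version is that the only inputs to the decision are the account's MFA setting and the session's verified factors; the origin marker is kept solely for logging, so a partner-linked session that has not completed the texted code is refused and leaves a `step_up_required` event that a monitoring team can alert on.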

Rogers is well known in Australia for his exploits. In the past he has been cautioned by police to avoid a hacking charge: he had discovered a vulnerability in the website of Public Transport Victoria (PTV), which runs the state's transport system, and had gained access to 600,000 accounts there.

Rogers did inform the agency and did nothing else. They reported him to the police, naturally. Kids! Stay off our damn website, I guess.

Joe Jejune

I am a gadget freak and love everything about technology. In my day job I work at a startup and help build applications for the healthcare industry. 


3 Critical Things To Do If You Are Letting (You Are) IoT Into Your Home

I had an email exchange with Timur Kovalev, CTO of Untangle , on IoT and the focus was what 3 things are critical to anyone building a Smarthome. Since I have a Smartphone, which doesn’t always work as it should, to me the subject was topical. So let’s get to it. Figure out what’s connected and what’s calling home : Timur wrote “If you don't know which devices are connecting to your network, you can't properly secure them. Consider putting a firewall with application-level visibility at the gateway to prevent malicious access attempts while giving you a deeper view into what requests your...

Xiaomi MiBand 2 Hands On and Price

Xiaomi has finally introduced the Mi Band 2 and I am impressed.

S Korea Issues Warrant Against Volkswagen Exec in Emissions Probe

4,400 Korean consumers have filed a lawsuit against Volkswagen demanding compensation over false emissions claims.