Now it’s PayPal’s turn: two-factor authentication is hackable

An Australian researcher has found a way around a security feature that PayPal offers precisely to stop hackers from doing that.

PayPal offers a two-factor authentication system: users can choose to have a six-digit code texted to them before they are given access to their accounts. The code is entered after the username and password. The point of two-factor authentication is to make it much harder for a hacker who has intercepted a password to get in, because the second code is delivered outside the online channel, i.e. by text message (yes, SMS counts as offline in this instance).

However, a 17-year-old in Melbourne, Australia, Joshua Rogers, has found a way around two-factor authentication on a PayPal account. Normally, Rogers would have been eligible for the $3,000 reward that PayPal pays security researchers who identify vulnerabilities and keep them secret until they are fixed. Rogers chose to go public instead, saying that PayPal was told about the flaw on June 5 and failed to fix it.

The hack that Rogers discovered does require the attacker to already have the victim’s eBay and PayPal logins, which are relatively easy to harvest from compromised computers.

According to Rogers, eBay provides a service that links your eBay account to your PayPal account, so that when you sell something on eBay the fee can be deposited automatically in your PayPal account.

The problem is that this process leaves you logged in to both eBay and PayPal, yet never asks for the second factor on your PayPal account, even though you end up with an authenticated PayPal session.

A cookie unique to this linked set-up, issued on eBay’s pages, means you are logged into PayPal with no further security hindrance; all it takes is to jump from eBay to your PayPal page, and you will see that confirmed.
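The design flaw described above is a general one: a service with two entry points, where only the direct login enforces the second factor. The following is an added illustrative model written for this page, not eBay’s or PayPal’s code; the user record, one-time code, partner link and the "primary"/"otp" factor names are constructed for the example. It shows the flawed partner path minting a full session without the second factor, the fix of routing every login path through one policy check, and a simple audit that flags sessions whose recorded factors do not satisfy policy.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data (not real accounts): user -> (password, current SMS code)
USERS = {
    "alice": ("correct horse battery staple", "492817"),
}
# Constructed partner links: partner-site account -> wallet user it is linked to
PARTNER_LINKS = {"alice_shop": "alice"}

# Policy: a wallet session needs a primary credential AND the texted code.
REQUIRED_FACTORS = frozenset({"primary", "otp"})


@dataclass
class Session:
    user: str
    factors: frozenset  # factors actually verified on the path that minted this session
    token: str = field(default_factory=lambda: secrets.token_hex(16))

    @property
    def two_factor_complete(self) -> bool:
        return REQUIRED_FACTORS <= self.factors


class StepUpRequired(Exception):
    """A login path has not yet satisfied the account's two-factor policy."""

    def __init__(self, missing):
        super().__init__(f"missing factors: {sorted(missing)}")
        self.missing = frozenset(missing)


def check_password(user, password):
    rec = USERS.get(user)
    return rec is not None and secrets.compare_digest(rec[0], password)


def check_otp(user, code):
    rec = USERS.get(user)
    return rec is not None and secrets.compare_digest(rec[1], code)


def login_direct(user, password, otp):
    """The normal path: password, then the texted code, then a session."""
    if not (check_password(user, password) and check_otp(user, otp)):
        return None
    return Session(user, frozenset({"primary", "otp"}))


def login_via_partner_flawed(partner_account, partner_authenticated):
    """The bug pattern from the article: the partner site vouches for the user
    and a full wallet session is minted without the wallet's own second factor
    ever being checked."""
    user = PARTNER_LINKS.get(partner_account)
    if user is None or not partner_authenticated:
        return None
    return Session(user, frozenset({"primary"}))


def issue_session(user, verified):
    """Single choke point every login path must go through: refuse to mint a
    session until all of the account's required factors have been verified."""
    missing = REQUIRED_FACTORS - frozenset(verified)
    if missing:
        raise StepUpRequired(missing)
    return Session(user, frozenset(verified))


def login_via_partner_fixed(partner_account, partner_authenticated, otp=None):
    """Same entry point, routed through the choke point. The partner login is
    accepted as the primary factor only; the wallet's OTP is still demanded."""
    user = PARTNER_LINKS.get(partner_account)
    if user is None or not partner_authenticated:
        return None
    verified = {"primary"}
    if otp is not None and check_otp(user, otp):
        verified.add("otp")
    return issue_session(user, verified)  # raises StepUpRequired if OTP is missing/wrong


def find_policy_violations(sessions):
    """Detection side: any live session whose recorded factors fall short of
    policy points at a login path that bypassed the second factor."""
    return [s.token for s in sessions if not s.two_factor_complete]
```

In a real deployment the factor set would be recorded in the session store at issuance time, so the audit can run against live sessions rather than against a list built in memory; the important property is that no code path can construct a full-privilege session except through `issue_session`.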

Rogers is well known in Australia for his exploits. In the past he has been cautioned by the police to avoid a hacking charge: he had discovered a vulnerability in the website of Public Transport Victoria (PTV), which runs the state’s transport system, and had gained access to 600,000 accounts there.

Rogers did inform the agency and did nothing else. They reported him to the police, naturally. Kids! Stay off our damn website, I guess.