In the wake of a disclosure, yesterday, that a secure log-in feature was vulnerable to hacking, PayPal has suspended mobile-application log-ins for customers who elect to use the feature.
In a blog post on Wednesday, PayPal Director of Global Initiatives Anuj Nayar said that the company took the step of disabling mobile application log-ins after the researcher, Zach Lanier of DUO Security, published his findings in a blog post yesterday.
As reported by The Security Ledger, researcher Zach Lanier of DUO Labs discovered that a PayPal mobile API (application programming interface) for its Security Key two-factor authentication technology contains a vulnerability that would allow even a non-technical hacker to bypass the second factor when accessing a PayPal customer’s account.
The problem comes up when a PayPal account protected by two-factor authentication is accessed through a PayPal mobile application – for example, on a tablet or smart phone. An attacker only needs a victim’s PayPal username and password in order to access a two-factor protected account and send money. “The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified,” the company wrote in a blog post.
Attackers would still need to have obtained a PayPal user’s account log-in and password to access the account – so the bar for attacks is no lower than any attack on a PayPal account. However, customers who took reassurance from the added layer of security that two-factor authentication offers may feel less secure.
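The flaw described above is a class of bug rather than a PayPal-specific quirk: one authentication channel (the mobile API) accepted the first factor alone while another (the web login) demanded the second. The following Python model is an added illustration, not PayPal's or Duo's code; the account data, the `AuthService`-style functions and the six-digit `otp_code` stand-in for a real Security Key verifier are all constructed for this example. It places the per-channel pattern beside a single server-side policy that every channel must pass, and includes the audit check a defender would run to spot enrolled accounts being granted sessions without a second factor.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    username: str
    password: str                    # plaintext only because this is a constructed sample
    two_factor_enabled: bool
    otp_code: Optional[str] = None   # stand-in for a real OTP / Security Key verifier


# Constructed sample accounts (hypothetical, not real data).
ACCOUNTS: Dict[str, Account] = {
    "alice": Account("alice", "correct-horse", True, otp_code="482913"),
    "bob": Account("bob", "hunter2", False),
}

# Audit trail of granted sessions: (channel, username, 2FA enrolled, 2FA verified).
AUDIT: List[Tuple[str, str, bool, bool]] = []


def _first_factor_ok(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.password, password)


def _second_factor_ok(acct: Account, otp: Optional[str]) -> bool:
    return (otp is not None and acct.otp_code is not None
            and hmac.compare_digest(acct.otp_code, otp))


# --- Weak pattern: each channel implements its own check --------------------
def weak_web_login(username: str, password: str,
                   otp: Optional[str] = None) -> Tuple[bool, str]:
    acct = ACCOUNTS.get(username)
    if acct is None or not _first_factor_ok(acct, password):
        return (False, "bad_credentials")
    if acct.two_factor_enabled and not _second_factor_ok(acct, otp):
        return (False, "second_factor_required")
    AUDIT.append(("web", username, acct.two_factor_enabled, acct.two_factor_enabled))
    return (True, "ok")


def weak_mobile_login(username: str, password: str) -> Tuple[bool, str]:
    # Mirrors the reported flaw: the mobile path checks only the first factor
    # and never consults two_factor_enabled, so enrolment is silently ignored.
    acct = ACCOUNTS.get(username)
    if acct is None or not _first_factor_ok(acct, password):
        return (False, "bad_credentials")
    AUDIT.append(("mobile", username, acct.two_factor_enabled, False))
    return (True, "ok")


# --- Hardened pattern: one policy that every channel passes through ---------
def authenticate(channel: str, username: str, password: str,
                 otp: Optional[str] = None) -> Tuple[bool, str]:
    acct = ACCOUNTS.get(username)
    if acct is None or not _first_factor_ok(acct, password):
        return (False, "bad_credentials")
    # The second-factor decision depends on the account's enrolment, never on
    # which client is talking to the server.
    if acct.two_factor_enabled and not _second_factor_ok(acct, otp):
        return (False, "second_factor_required")
    AUDIT.append((channel, username, acct.two_factor_enabled, acct.two_factor_enabled))
    return (True, "ok")


def web_login(username: str, password: str, otp: Optional[str] = None) -> Tuple[bool, str]:
    return authenticate("web", username, password, otp)


def mobile_login(username: str, password: str, otp: Optional[str] = None) -> Tuple[bool, str]:
    return authenticate("mobile", username, password, otp)


# --- Detection: enrolled accounts that received a session without a 2nd factor
def enrolled_sessions_missing_second_factor() -> Set[Tuple[str, str]]:
    """Return (channel, username) pairs that should never appear in a healthy system."""
    return {(ch, user) for ch, user, enrolled, verified in AUDIT if enrolled and not verified}


if __name__ == "__main__":
    print(weak_mobile_login("alice", "correct-horse"))     # granted: the bypass
    print(mobile_login("alice", "correct-horse"))          # refused until OTP supplied
    print(enrolled_sessions_missing_second_factor())       # {('mobile', 'alice')}
```

The audit query is the practical takeaway: if the server records, for every issued session, whether the account is enrolled in 2FA and whether the second factor was actually verified, a bypass on any channel shows up as enrolled-but-unverified rows even before the faulty endpoint is identified.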
PayPal sought to reassure customers that used two-factor authentication that their accounts were secure.
“If you have chosen to add 2FA (two-factor authentication) to your PayPal account, your account also remains secure and 2FA will continue to operate as usual on the vast majority of PayPal product experiences,” Nayar wrote.
Two-factor authentication is just one layer of account security, PayPal said. Customers are still protected by the company’s fraud detection features. “Even though 2FA is an additional layer of authentication, PayPal does not depend on 2FA to keep accounts secure. We have extensive fraud and risk detection models and dedicated security teams that work to help keep our customers’ accounts secure from fraudulent transactions, every day.”
While it works on a fix, PayPal is disabling the ability of customers who use the two-factor feature to log in via the company’s mobile application or other mobile applications that made use of the faulty API. Mobile customers can still access their accounts from PayPal’s mobile website, however.