Researchers Sidestep Paypal Two-Factor Authentication

Researchers at DUO Security claim to have found a way of bypassing a two factor authentication feature that secures logins to Paypal.com, eBay’s online payment service. The vulnerability could allow an attacker who has stolen a Paypal customer’s user name and password to gain access to the account, even though the customer had enabled the more secure two-factor authentication option. DUO described the problem in a blog post early Wednesday. According to researcher Zach Lanier, Paypal has published an API (application program interface) for its Security Key two-factor authentication technology that contains a vulnerability that would allow even a non-technical hacker to bypass the second factor when accessing a Paypal customer’s account. An attacker only needs a victim’s PayPal username and password in order to access a two-factor protected account and send money. “The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified,” the company wrote in […]

This Week In Security: Ebay’s School of Hard Knocks

It’s the end of another busy week in the security world. As we’re wont to do at The Security Ledger, we had DUO Security Evangelist Mark Stanislav in to the deluxe Security Ledger Studios to talk about the events of the week. On the agenda this week: the continued fallout from the hack of online auction giant eBay. The company ran into a thicket of criticism this week for the breach and its botched response. Despite knowing about the security breach for weeks, eBay seemed unprepared for the fallout once the news became public. Beyond its statements to the press, the company hadn’t taken steps to streamline the (inevitable) flood of customers who wanted to update their password. In fact, more than a day after the news broke, eBay still hadn’t made mention of it on their home page. What lessons can we learn from the breach at online auction […]

eBay Hacked, Urges Millions To Change Password

The online auction giant eBay said on Wednesday that a compromise of an employee’s account led to the compromise of a database storing passwords and sensitive account data for 145 million customers, worldwide. The company issued a statement on Wednesday saying that it was asking all its users to update their password, following the discovery two weeks ago that an employee’s account had been compromised and used to gain unauthorized access to the database. The hack occurred in late February or March, according to a forensic examination by eBay. eBay conducted what it described as “extensive tests on its networks” and said it did not find evidence of unauthorized activity on eBay user accounts linked to the incident. The online auction firm said it also has no evidence of unauthorized access to financial or credit card information, which is stored separately and in encrypted formats. In the incident, unidentified cyber […]