Saturday, June 28, 2014

PayPal's Two-Factor authentication bypass vulnerability

PayPal was one of the first large online service providers to offer two-factor authentication to its users, but until recently the company's implementation had a loophole that could have allowed attackers to bypass this additional protection. Two-factor authentication (2FA) systems prevent hackers from misusing stolen user names and passwords by requiring an additional randomly generated security code during the authentication process. Depending on the implementation, the secret codes can be generated by a special mobile application, received via text message, or generated by a physical hardware device. According to researchers from 2FA provider Duo Security, the PayPal "Security Key" feature -- which is what the payment service provider calls its two-factor authentication system -- could have easily been bypassed until Monday through the company's mobile apps and API (application programming interface).
