By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy

It has been a tough few weeks for online payments giant PayPal. First came the confirmation that an authentication hack would enable an attacker to access an account once credentials had been phished, bypassing the financial firm’s authentication tools. And now another security report claims the entire authentication process can be bypassed, enabling an attacker to gain access to an account with nothing but stolen credentials, available for purchase on the dark web “for as little as $1.50.” The report comes from the research team at CyberNews and includes a complaint that the findings were not taken seriously by PayPal or by the team at HackerOne who field such reports. “When our analysts discovered six vulnerabilities in PayPal,” CyberNews said, “ranging from dangerous exploits that can allow anyone to bypass their two-factor authentication, to being able to send malicious code through their SmartChat system—we were met with non-stop delays, unresponsive staff, and lack of appreciation.” For its part, PayPal told me it always takes such submissions seriously, “and reviews each with an appropriate sense of priority.” I was assured the team had investigated this in detail, but, after review, “found that the submissions did not pose a threat and that the assertions being advanced by CyberNews are inaccurate and misleading.” “We would like PayPal to take this vulnerability more seriously,” CyberNews told me. “At the moment, [PayPal is] writing it off as something ‘out-of-scope’ just because it involves stolen credentials.” The research team went to great lengths to show me the exploit working. While there is no way of knowing the state of the back-end algorithm checking the process, it did appear at face value to bypass the check. To understand the debate between PayPal and CyberNews, it’s critical to understand some of the ways in which PayPal safeguards your account. First, PayPal is in the somewhat unique position of knowing everything about both sides of every transaction, including the behavioral track record, login environment, recent activity, and risk potential that a transaction may be fraudulent. The detail is closely held, but there are numerous data points captured by the company’s systems. That becomes apparent when you log in from a new device or location as identified by the IP address of your connection. PayPal will then seek to ensure it’s you—they have a successful username and password login, but they will run a system check to look for further assurance that it’s you. Once in, the company will then run further checks on each transaction that you attempt, again to determine whether to approve or challenge. Read the full report on OUR FORUM.

 

Translate