It has been a tough few weeks for online payments giant PayPal. First came the confirmation that an authentication hack would enable an attacker to access an account once credentials had been phished, bypassing the financial firm’s authentication tools. And now another security report claims the entire authentication process can be bypassed, enabling an attacker to gain access to an account with nothing but stolen credentials, available for purchase on the dark web “for as little as $1.50.”
The report comes from the research team at CyberNews, and includes a complaint that the findings were not taken seriously by PayPal or by the team at HackerOne who field such reports. “When our analysts discovered six vulnerabilities in PayPal,” CyberNews said, “ranging from dangerous exploits that can allow anyone to bypass their two-factor authentication, to being able to send malicious code through their SmartChat system—we were met with non-stop delays, unresponsive staff, and lack of appreciation.”
For its part, PayPal told me it always takes such submissions seriously, “and reviews each with an appropriate sense of priority.” I was assured the team had investigated this in detail, but, after review, “found that the submissions did not pose a threat, and that the assertions being advanced by CyberNews are inaccurate and misleading.”
HackerOne did not comment, and deferred instead to PayPal’s statement.
“We would like PayPal to take this vulnerability more seriously,” CyberNews told me. “At the moment, [PayPal is] writing it off as something ‘out-of-scope’ just because it involves stolen credentials.” The research team went to great lengths to show me the exploit working. While there is no way of knowing the state of the back-end algorithm checking the process, it did appear at face value to bypass the check.
To understand the debate between PayPal and CyberNews, it’s critical to understand some of the ways in which PayPal safeguards your account. First, PayPal is in the somewhat unique position of knowing everything about both sides of every transaction, including the behavioral track record, login environment, recent activity and the risk that a given transaction is fraudulent. The detail is closely held, but there are numerous data points captured by the company’s systems.
That becomes apparent when you log in from a new device or location, as identified by the IP address of your connection. A correct username and password get you past the first gate, but PayPal will then run a further system check to gain additional assurance that it’s really you. Once you are in, the company runs further checks on each transaction you attempt, again to decide whether to approve or challenge it.
CyberNews claims—and the company showed me a demonstration—that it can successfully log in to an account using basic credentials on a new computer. Essentially, they claim to have intercepted the backend data from the login process to prevent the backend system from challenging the login attempt. This is in itself serious. In essence, it would work with phished credentials just as well as with stolen ones, and it links back to that bypassing of the system checks at the login point of the process.
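As an added illustration of the kind of risk-based login check described above (this is not PayPal’s code; the internals of its “Authflow” check are not public, and the account, device identifiers, risk rule and one-time code handling here are all constructed for the example), the toy below contrasts two designs. In the weak one, the server hands out a session as soon as the password checks out and merely tells the client that a challenge is required, so a client that drops that step is already logged in. In the hardened one, the challenge state lives only on the server and no session exists until the server itself has verified the challenge, which is the property a back-end bypass of this sort would need to defeat.

```python
"""Toy risk-based login gate (added example, not PayPal's code).

Contrasts a weak pattern, where the step-up challenge is only a hint to the
client, with a hardened one, where the server issues no session until it
has verified the challenge itself. Account data and codes are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class Account:
    password: str                                   # constructed sample, plaintext only for brevity
    known_devices: set = field(default_factory=set)


@dataclass
class Reply:
    status: str                                     # 'ok' | 'challenge' | 'denied'
    session: Optional[str] = None
    challenge_id: Optional[str] = None


def needs_step_up(acct: Account, device_id: str) -> bool:
    """Server-side risk signal (constructed rule): unfamiliar device => challenge."""
    return device_id not in acct.known_devices


class WeakServer:
    """Session is granted at the password check; the challenge is a client-side hint."""
    def __init__(self, accounts):
        self.accounts, self.sessions = accounts, {}

    def login(self, user, pw, device_id):
        acct = self.accounts.get(user)
        if acct is None or not secrets.compare_digest(acct.password, pw):
            return Reply('denied')
        tok = secrets.token_hex(16)
        self.sessions[tok] = user                   # flaw: session exists before any step-up
        status = 'challenge' if needs_step_up(acct, device_id) else 'ok'
        return Reply(status, session=tok)           # a client can simply ignore 'challenge'

    def whoami(self, tok):
        return self.sessions.get(tok)


class HardenedServer:
    """Challenge state is server-side; a session is created only after completion."""
    def __init__(self, accounts):
        self.accounts, self.sessions, self.pending = accounts, {}, {}

    def login(self, user, pw, device_id):
        acct = self.accounts.get(user)
        if acct is None or not secrets.compare_digest(acct.password, pw):
            return Reply('denied')
        if not needs_step_up(acct, device_id):
            return self._grant(user)
        cid = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"    # would be sent out of band (SMS/email)
        self.pending[cid] = (user, code, device_id)
        return Reply('challenge', challenge_id=cid)  # note: no session token yet

    def complete(self, cid, code):
        entry = self.pending.pop(cid, None)         # single use: a replay or retry is denied
        if entry is None:
            return Reply('denied')
        user, expected, device_id = entry
        if not secrets.compare_digest(expected, code):
            return Reply('denied')
        self.accounts[user].known_devices.add(device_id)  # device is now trusted
        return self._grant(user)

    def _grant(self, user):
        tok = secrets.token_hex(16)
        self.sessions[tok] = user
        return Reply('ok', session=tok)

    def whoami(self, tok):
        return self.sessions.get(tok)

    def pending_code(self, cid):
        """Stand-in for the out-of-band channel, so a caller can read the code."""
        return self.pending[cid][1]


def demo():
    """Run both servers against a login from an unfamiliar device."""
    weak = WeakServer({'alice': Account('pw-sample', {'laptop'})})
    r = weak.login('alice', 'pw-sample', 'new-phone')
    weak_logged_in = weak.whoami(r.session) == 'alice'   # True despite 'challenge'
    hard = HardenedServer({'alice': Account('pw-sample', {'laptop'})})
    r = hard.login('alice', 'pw-sample', 'new-phone')
    hard_logged_in = r.session is not None                # False until challenge is done
    return weak_logged_in, hard_logged_in


if __name__ == '__main__':
    print(demo())
```

The design point is where the decision and its enforcement live: the hardened server never tells the client anything it can act on to skip the step, because there is nothing to skip until the server has recorded a verified challenge.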
Unfortunately for CyberNews, they described this as “two-factor authentication,” saying the team “was able to bypass PayPal’s phone or email verification, which for ease of terminology we can call two-factor authentication (2FA). Their 2FA, which is called ‘Authflow’ on PayPal, is normally triggered when a user logs into their account from a new device, location or IP address.”
Two-factor authentication means something very specific these days—it is a secondary identity check at the point of every login, or every login from a new device, that is intended to be a user-controlled identity confirmation over and above a username and password. This is normally an SMS one-time code, but it can be a PIN that is separate from your password, an authenticator app or even an external security key.
There have been plenty of stories of the defeat of 2FA—SIM jacking and the high-profile hacks of celebrity Twitter accounts, for example. And last year the FBI—somewhat controversially—warned that secondary authentication was being spoofed by attackers and only biometrics could be seen as attack-proof.
PayPal does have genuine two-factor authentication—you can see its set-up in the image below. This would prevent any attacker gaining access to an account without the user’s cellphone or authenticator app, rendering a back-end security check bypass useless. CyberNews does not claim to have hacked this 2FA process.
CyberNews accepts that the terminology in its report is confusing, telling me “by 2FA, we really meant the default security measure that PayPal’s algorithm triggers when there’s a suspicious login on an account. Since this security measure requires a separate device beyond the person’s username and password, we used the term 2FA as a reference or similarity. And we think that’s where the confusion stemmed from.”
This wasn’t helped by a quote given to a U.K. newspaper by one of the CyberNews team: “PayPal and other sites such as Amazon and banks use two-factor authentication, so if an important change is made to the account this is double-checked, for instance through a security code being texted to the user’s mobile phone. We alerted [PayPal] last month that this double-check can currently be bypassed, rendering it ineffective to any hacker who gains a person’s email and password.”
Again, CyberNews explained that this had been misunderstood, “this specific quote was a general one, in response to all the six vulnerabilities we discovered. Now that we can agree to your definition of 2FA, we’d phrase it differently.”
And that’s the crux here. Because the vulnerabilities found are clearly important in themselves, the confusion has obfuscated the debate. CyberNews seems to feel very strongly that the issues should be disclosed and patched, and the team seems very frustrated that they haven’t been. “We still want to emphasize,” one of the team told me, “that these ‘double checks’ from PayPal’s side, whether this main security bypass, name change, or phone verification, were easily bypassed.”
CyberNews also questions the extent to which the misunderstanding actually matters, suggesting that not many users have enabled the genuine 2FA, relying instead on the system checks to look after account security. I asked PayPal for the percentage of users with the genuine 2FA enabled, but that information is not available. “It really does put a huge risk on many people’s accounts that don’t have user-enabled 2FA,” CyberNews told me, “which is most PayPal users. We believe the patch for this issue should be pretty straightforward and we essentially want [PayPal] to take action.”
PayPal didn’t dismiss the issue when I spoke with them, but told me it was a risk they believed was managed by their system. And unless or until we have examples of accounts emptied through the hack, it’s difficult to argue the point. PayPal’s spokesperson also told me that users would be made financially whole for any loss through a bug on their system and security checks. As such, I was told, there’s not really a financial risk of “bank accounts being emptied,” as such.
For the time being, defeating 2FA requires either a hijack of a victim’s mobile device or other authentication medium, or else intercepting one-time codes as the victim inputs them into their system. There is clearly the risk that if an attacker can gain remote access to a target machine, they can steal credentials and then the 2FA code in real time. It is operationally involved and requires a real-time attack, but it’s not technically complicated.
“We are making these vulnerabilities public to warn [PayPal’s] 305 million account holders and compel PayPal to fix them before hackers exploit these security flaws,” CyberNews told the media on the release of their findings last week. Then, just ahead of publishing, CyberNews told me they thought PayPal might be patching the issue, although they said they could still bypass that backend system check.
The other vulnerabilities raised by CyberNews in its report included intercepting a check on the registering of a new phone to an account, as well as bypassing system checks when money is sent from a new device. I didn’t see either of those vulnerabilities demonstrated, albeit they have now been made public and disclosed to PayPal.
So, should you worry? Given the volume of stolen credentials available for purchase, one defense is to change your PayPal password and keep it unique to that app. Adhering to good password advice also helps. And then PayPal does provide security tools that will ensure this hack cannot impact you: you can set up 2FA using the web portal. To be frank, as inconvenient as that might be for the login process, in the current climate of credential theft and large-scale data breaches, 2FA is always a good move.