PayPal error shows how NOT to use two-factor authentication

A PayPal error made it possible to bypass two-factor authentication on a user account, demonstrating what can go wrong in deploying a tricky security mechanism.

PayPal has deployed a temporary fix for the problem that was the result of what could have been a design flaw in the authentication flow between the payment service’s mobile app and server.

[Raising awareness quickly: The eBay data breach]

“There’s certainly a lesson to be learned for people doing two-factor authentication now or planning to in the future,” said Zach Lanier, senior researcher for Duo Security, which assisted the outside researcher, Dan Saltman, who discovered the vulnerability.

PayPal’s mobile app does not support two-factor authentication (2FA) while its website does. If an accountholder who opted in for the extra security used the mobile app, then the server would notify the app, which would halt the log in process and notify the user.

The researchers found a way to take advantage of this clunky set up by building an app that would trick the mobile app into thinking it was dealing with an account that did not have 2FA enabled.

The researchers’ app talked to two separate application-programming interfaces (APIs) on PayPal’s server. One handled the authentication while the other was for money transfers.

When the app tried to access a 2FA-enabled account, the app would change the “2fa_enabled” value in the server’s response to “false.” This was enough to have the mobile app ignore the 2FA feature and send the user right to the PayPal account.

Duo Security, which sells 2FA technology, has provided details of the bypass on its blog.

For cybercriminals to exploit the flaw, they would need to first obtain an accountholder’s username and password through a phishing attack or other scheme.

PayPay has deployed a temporary fix that neutralizes the researchers’ app. The mobile app no longer works with 2FA-enabed accounts, and those accountholders will have to continue using the PayPal mobile website.

PayPal declined comment, pointing instead to its Wednesday blog that played down the mobile app’s lack of 2FA support.

“We have extensive fraud and risk detection models and dedicated security teams that work to help keep our customers’ accounts secure from fraudulent transactions, everyday,” the company said.

PayPal is expected to release at then of July a permanent fix that will add 2FA support to the mobile app, Lanier said.

[Financial firms and social media remain top phishing targets]

“When two-factor authentication is done right and consistently (across services) it provides really great value,” Lanier said. “But if you have one weak link in the chain, like we’ve seen here – perhaps a design oversight – that makes this all for naught.”