September 30, 2014

Teenage Researcher: Your PayPal Account Can Be Hacked


Can your PayPal account be hacked? You may think your PayPal account is secure, but think again.

Even if you’ve signed up for PayPal’s Security Key feature, you still need to ponder the safety of your account.

A 17-year-old Australian researcher says it’s easy, for a hacker at least, to get around PayPal’s two-step (or two-factor) authentication precautions. Security Key is PayPal’s add-on that sends a text message to your phone with a second security key needed to access your account.

In the security section of the official PayPal website, the company explains:

“The PayPal Security Key gives you a second authentication factor when you’re logging in to your account. In addition to your password, you enter a One Time Pin (OTP) that is unique for each login. These two factors give you stronger account security.”

But that’s not so, as Joshua Rogers tells PC Magazine. The problem with PayPal’s Security Key feature is connected to eBay: a hacker only needs a user’s eBay and PayPal login credentials to access the account holding the money. If you authorize eBay to immediately withdraw its fees from your PayPal account when a sale is complete, your PayPal account could be vulnerable.

On his blog, Rogers describes:

“When setting this up, you’re (obviously) asked for your PayPal login. Once you’re actually logged in, a cookie is set with your details, and you’re redirected to a page to confirm the details of the process. And this is where the exploit lays. Now just load http://www.paypal.com/ , and you are logged in, and don’t need to re-enter your login.”
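The flaw Rogers describes comes down to a cookie issued by a password-only flow being accepted as a full login elsewhere. The following is an added example, not code from Rogers, PayPal or eBay: a constructed Python model, with hypothetical class and method names, that shows the flawed acceptance check next to one that records which factors were verified and which flow issued the cookie.

```python
# Added example: a constructed model, not PayPal's or eBay's code.
# Every class, method and field name here is hypothetical.
import secrets
from dataclasses import dataclass

@dataclass
class Session:
    user: str
    factors: frozenset   # authentication factors actually verified
    scope: str           # flow that issued the cookie

class Site:
    def __init__(self, two_factor_users, hardened):
        self.two_factor_users = set(two_factor_users)
        self.hardened = hardened
        self.sessions = {}

    def _issue(self, user, factors, scope):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, frozenset(factors), scope)
        return token

    def login_main(self, user, otp_ok):
        """Normal login: a Security Key user must pass the OTP step."""
        if user in self.two_factor_users and not otp_ok:
            return None
        factors = {"password", "otp"} if otp_ok else {"password"}
        return self._issue(user, factors, "full")

    def login_partner_link(self, user):
        """Password-only login inside the partner-linking flow."""
        scope = "partner-link" if self.hardened else "full"
        return self._issue(user, {"password"}, scope)

    def can_open_account(self, token):
        """Check made when the cookie is presented to the main site."""
        s = self.sessions.get(token)
        if s is None:
            return False
        if not self.hardened:
            return True   # flaw: cookie existence alone counts as logged in
        if s.scope != "full":
            return False  # cookie is only valid for the flow that issued it
        needs_otp = s.user in self.two_factor_users
        return not needs_otp or "otp" in s.factors
```

With `hardened=False` the cookie from the linking flow opens the account of a Security Key user; with `hardened=True` the same cookie is refused until the user completes the OTP step through the normal login.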

PC Magazine notes that another loophole in this feature occurs when a person who has enabled Security Key doesn’t have a phone. If they can’t receive a text message with that second code, they can opt to answer two security questions. The magazine suggests that sort of information is readily available to hackers, too.

By going public with the flaw in PayPal’s security system, Rogers will miss out on any compensation for his discovery. PayPal actually offers a Bounty Program for researchers who alert the company to security flaws. Rogers tells PC Magazine that he told PayPal of his work in early June but nothing came of his alerts.


Joshua Sophy - Staff Writer


Joshua Sophy is a staff writer for Small Business Trends, covering technology and business news. He is a journalist and editor with 15 years experience in media. A former newspaper reporter and editor, Joshua also serves as President of the Board of Directors of a curling club and is editor of a regional newsletter focused on the sport of curling in the Eastern U.S.

2 Reactions

  1. Thanks for this information.

    Getting hacked is not fun-it happened to one of my websites 3 times in the past couple of weeks.

    And, if PayPal is vulnerable….

    Sounds to me Paypal needs to go one step further.

    They make enough money to do this right.

    The Franchise King®

  2. I’ve known for a while that PayPal accounts can get hacked into, because I’ve read about it unfortunately happening to some people. Whether PayPal plans to/will do anything about the above vulnerability remains to be seen. They’ve had two months already.
