Teenage Researcher: Your PayPal Account Can Be Hacked


Can your PayPal account be hacked? You may think your PayPal account is secure, but think again.

Even if you’ve signed up for PayPal’s Security Key feature, you still need to ponder the safety of your account.

An Australian researcher — just 17 years old — says it’s easy, for a hacker at least, to get around PayPal’s two-step (or two-factor) authentication precautions. Security Key is PayPal’s add-on that sends a text message to your phone with a second security key needed to access your account.

In the security section of the official PayPal website, the company explains:

“The PayPal Security Key gives you a second authentication factor when you’re logging in to your account. In addition to your password, you enter a One Time Pin (OTP) that is unique for each login. These two factors give you stronger account security.”

But that’s not so, Joshua Rogers tells PC Magazine. The problem with PayPal’s Security Key feature is connected to eBay: a hacker needs only a user’s eBay and PayPal login credentials to access the account holding the money. If you authorize eBay to immediately withdraw its fees from your PayPal account when a sale is complete, your PayPal account could be vulnerable.

On his blog, Rogers describes:

“When setting this up, you’re (obviously) asked for your PayPal login. Once you’re actually logged in, a cookie is set with your details, and you’re redirected to a page to confirm the details of the process. And this is where the exploit lies. Now just load http://www.paypal.com/, and you are logged in, and don’t need to re-enter your login.”
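As the quote describes it, the cookie set after the password step of the eBay linking flow is accepted by the main site as a full login. The sketch below is an added example, not code from Rogers, PayPal or eBay; every name in it (`Session`, `scope`, `USERS_WITH_2FA`) and the sample users are constructed assumptions. It contrasts an access check that trusts any password-verified session with one that also requires full scope and a completed second factor.

```python
from dataclasses import dataclass

# Constructed sample data: users who enrolled in a second factor.
USERS_WITH_2FA = {"alice"}


@dataclass
class Session:
    """Hypothetical server-side session record behind the login cookie."""
    user: str
    password_ok: bool = False
    second_factor_ok: bool = False
    scope: str = "none"  # "link-confirm" (partner linking flow) or "full"


def password_login(user: str, via_partner_link: bool) -> Session:
    """Password step, reached from the normal login page or the linking flow."""
    scope = "link-confirm" if via_partner_link else "full"
    return Session(user=user, password_ok=True, scope=scope)


def submit_otp(session: Session, otp_valid: bool) -> Session:
    """Second step: record a successfully verified one-time PIN."""
    if otp_valid:
        session.second_factor_ok = True
    return session


def can_view_account_weak(session: Session) -> bool:
    # Flawed check: any session that passed the password step counts as
    # logged in, so the cookie from the linking flow opens the main site.
    return session.password_ok


def can_view_account_hardened(session: Session) -> bool:
    # A session minted for the linking flow only reaches the confirm page.
    if not session.password_ok or session.scope != "full":
        return False
    # Enrolled users must also have completed the second factor.
    if session.user in USERS_WITH_2FA and not session.second_factor_ok:
        return False
    return True
```
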

PC Magazine notes that another loophole in this feature occurs when a person who has enabled Security Key doesn’t have a phone. If they can’t receive a text message with that second code, they can opt to answer two security questions. The magazine suggests that sort of information is readily available to hackers, too.

By going public with the flaw in PayPal’s security system, Rogers will miss out on any compensation for his discovery. PayPal actually offers a Bounty Program for researchers who alert the company to security flaws. Rogers tells PC Magazine that he told PayPal of his work in early June but nothing became of his alerts.



Joshua Sophy - Assistant Editor

Joshua Sophy is the Assistant Editor for Small Business Trends and the Head of Content Partnerships. A journalist with 17 years of experience in traditional and online media, Joshua got his start in the newspaper business in Pennsylvania. His experience includes being a beat reporter covering daily news. He eventually founded his own local newspaper, the Pottsville Free Press, covering his hometown. Joshua supervises the day-to-day operations of Small Business Trends' busy editorial department including the editorial calendar and outgoing assignments.

4 Reactions

  1. Thanks for this information.

    Getting hacked is not fun - it happened to one of my websites 3 times in the past couple of weeks.

    And, if PayPal is vulnerable….

    Sounds to me PayPal needs to go one step further.

    They make enough money to do this right.

    The Franchise King®

  2. I’ve known for a while that PayPal accounts can get hacked into, because I’ve read about it unfortunately happening to some people. Whether PayPal plans to/will do anything about the above vulnerability remains to be seen. They’ve had two months already.

  3. Aww, I don’t believe it. I just saw a commercial from them stating that they have security that is like your money being stored in a titanium safe protected by ninjas 🙂

  4. My account was recently hacked. Someone bought a phone from Russia. They froze my account but not before the transaction was processed.

    PayPal quickly reversed the charges and gave me a 10$ credit. They are currently investigating the theft.
