PayPal customers who want to make sure that their login credentials can’t be swiped by a piece of malware planted on their computers can enable two-factor authentication (2FA) by purchasing special one-time password tokens. However, researchers have found that there’s a way to bypass this security mechanism.
A Sophos researcher, who forgot his PayPal password and was forced to reset it, has noticed that the password reset process actually allows him to gain access to the account and make payments without needing to enter the one-time password provided by the token.
When a password is forgotten and reset, PayPal sends the customer an email with a one-time link and requests him/her to set two secondary passwords, but the security code provided by the token is not required.
“Now you could, if you were so inclined, argue that PayPal's password reset process maintains 2FA. Indeed, you could stretch the facts a little and say that there are three factors here: one private email and two special-purpose passwords,” Sophos’ Paul Ducklin explained.
“But no token code is needed - even though one of the token's main purposes is to shield you from keylogging, just the sort of attack that would enable a crook to harvest your email account credentials and your PayPal secondary passwords,” he added.
Experts say that cybercriminals can easily phish out the valuable information if they have a piece of malware planted on the victim’s computer.
They could force him to reset the password by adding extra characters as he types it on the login page. Then, they can use a keylogger to steal the passwords he types (both for the email account and PayPal).
With all this information at hand, an attacker could easily bypass the token by repeating the password reset process.
Token-based authentication is one of the most efficient security mechanisms these days. However, if the token can be taken out of the picture, the whole equation changes.