Incidents

PayPal Not As Secure As You Had Expected?

Security Key bug discovered

By Bogdan Popa, Security and Search Engines Editor

29th of November 2007, 08:40 GMT

Adjust text size:

PayPal's Security Key was regarded as an extremely efficient solution to stop potential phishing or other web attacks over the PayPal members, as it generates a

six-character code to be entered for authentification. Along with a username, a password and an answer to a secret question, it's probably impossible to break and get access to the account. At least this is what we know. But here's Chris Romero, an IT administrator, as the Channel Register reports, who informed that the PayPal Security Key is not as safe as we are led to believe. It appears that he managed to complete some transactions using any six-digit verification code and not the one that should have protect the account.

But according to the same source mentioned above, the eBay representatives said that they couldn't find such a bug, as the Security Key technology works perfectly for them. Here's how it works: after the buyer chooses a product and loads the page to enter his PayPal information, he's asked to enter the six-digit code. Channel Register reported that Chris Romero entered a random code (test conducted on two different computers) and he was allowed to complete the transactions. "Sure, the need of a valid username and password still exists, but Security Key doesn't work as it should", Chris Romero said.

"For someone who's paid money for a Security Key and is thinking their wife or brother can't get into their account because they don't have the key fob, they're thinking that my account is secure because it doesn't matter what anyone else has. They're not getting the security that they assume they have," Chris Romero told Channel Register.

Certainly, the Security Key was implemented in order to represent a security measure for all the PayPal members, so in case it's not working, eBay will try anything it can to correct this issue. So, keep an eye on the news to find out if the glitch is confirmed.

TAGS:

paypal | security key | security | bug

SEARCH THE NEWS ARCHIVE :

Today's News | Yesterday's News | News Archive

User opinions:

Comment #1 by: 1234567890123456789 on 27 Aug 2008, 15:48 GMT

reply to this comment

Hello,
I would like to offer this information to counter some of eBay and Paypal's claims that they systems are totally secure.� I know for a fact Paypal is not secure, the other day I called paypal as requested entered my phone number.� I was then asked for a 6 digit Temporary web PIN which I did NOT know.� So to get through to an operator I just dialled 000000.� To my alarm the answer phone then preceded to me my account balance, which was correct.
When I did get through to an operator I immediately explained to her, she said she would forward the information on to the relevant people.� Today a week later I did the same again and to my despair, the system again told me my account balance whilst only requiring my phone number.� I have called and emailed paypal and they just respond as if I must be mad.
I am no expert on internet security but I fear what else you can do with just a correct telephone number using paypal's contact centre.
Can somebody please tell me who to report this to as paypal are not acting on my reports.� I also recommend checking for yourself and if you have the same problem please report to paypal.

Share your opinion:

SUBMIT PROGRAM \| ADVERTISE \| GET HELP \| SEND US FEEDBACK \| RSS FEEDS \| ENTER NEWS SITE \| ENGLISH BOARD \| ROMANIAN FORUM
© 2001 - 2008 Softpedia. All rights reserved. Softpedia™ and the Softpedia™ logo are registered trademarks of SoftNews NET SRL.	Copyright Information \| Privacy Policy \| Terms of Use \| Update your software \| Archive

NEWS CATEGORIES: