According to ThreatPost, researchers have found a way to bypass PayPal's two-factor authentication an enhanced security feature recommended by many security experts. This proves – much like in the Harry Potter universe – that we must exercise CONSTANT VIGILANCE if we want to deter hackers.
While Harry and his buddies are able to fight off Lord Voldemort and his villainous cadre, security consultants have a harder task. You don't even know whom you're fighting. Hackers are always innovating and coming up with new ways to hack your security. And now, they've found a way past PayPal's two-factor authentication.
What is two-factor authentication? 2FA is an extra layer of security in addition to the password / login. After logging in, users are prompted to enter additional information, such as passcodes, PINs, or even codes they receive via text message.
The way security experts bypassed PayPal's 2FA reveals some of the problems with multi-platform security and how mobile apps can expose you (and your clients) to greater security risks.
How Researchers Exposed PayPal's Mobile App Security
If your account is set to 2FA, PayPal won't let you login via mobile app. While this security feature isn't supported in the app, researchers were able to trick the app to bypass this requirement.
Researchers built their own app that would send the PayPal servers slightly different data. By doing so, they tricked PayPal's servers to let them enter user names and passwords to access a 2FA account without entering the second layer of security. They were even able to transfer money without any 2FA.
You might be thinking: is this such a big deal? Hackers would still need to have a valid user name / password combo. That would be a fair point, if hackers didn't have regular access to scores of passwords and logins.
Many hacker sites have "password dumps" where cyber criminals upload login / password spreadsheets they've stolen from other websites.
In fact, eBay (a partner with PayPal) was hacked just this summer, losing 100 to 200 million user records (see "eBay Data Breach Shows Dangers of Phishing Attacks on Small Businesses"). Given how commonly Internet users recycle passwords and logins, hackers probably have all the information they need to pull off this attack.
PayPal has issued a temporary fix, with a full patch expected to come at the end of July.
What Another PayPal Hack Means for Mobile Security
One of the most interesting things about this hack is that it shows how difficult cross-platform security can be. The exploit is only able to work because of the way security functions differently on PayPal's mobile apps than on its website. Implementing different security requirements across different platforms can lead to these kinds of problems.
It goes to show just how hard it can be to make software truly hack-proof. With mobile technology, users have more ways to access their accounts and small vulnerabilities can lead to big breaches.
The Cyber Security Takeaway: How Much Paranoia Is Enough?
While PayPal and eBay have had a hard few months, their struggles only provide a public example of the difficulties many IT consultants and security professionals have to face every day.
It's impossible to prevent all security flaws. Instead, you have to be adaptive and ready to respond to new vulnerabilities as they become known. Programmers and security consultants must constantly update their software and reevaluate their security if they want to keep up with hackers.
We're not saying you should be paranoid about data security. But maybe you should be a little paranoid. Hacks like this show how even industry-standard payment and ecommerce platforms like PayPal can be exposed to major security vulnerabilities.
The third-party services you recommend to clients (whether it's for a point-of-sale system or data management) can expose you to risk. If any of these services has a security flaw, your clients' data could be exposed and they could sue you for damages.
So how do you watch over your clients' data when it's on someone else's servers? Truth be told, you can't. That's why you need IT insurance.
Errors and Omissions Insurance covers lawsuits over security vulnerabilities, whether the flaws are in code you wrote or in third-party services and software you recommend to clients.
For a free quote on E&O coverage for IT professionals, submit an online insurance application.
