San Jose, Calif. – Researchers at computer security firm Duo Security have discovered a flaw in the two-step method PayPal uses to authenticate account holders. The flaw involves a temporary security key that PayPal users can generate with a personal device as an additional step, alongside their password, for account log-in.
When working properly, this second step requires a hacker or fraudster to have physical access to a user’s personal device as well as access to their password. However, Duo researchers discovered that experienced computer programmers could exploit a vulnerability in how the PayPal mobile app communicates with the PayPal server to bypass the security key and gain account access using only a password. The flaw does not apply to desktop logins.
PayPal has issued a temporary patch for the problem and says users should not be at risk since it uses many other fraud prevention and detection methods beyond two-step authentication.