It is very troubling to realize one could access someone’s financial account without answering the security questions.
The most commonly used online payment methods are not necessarily the safest option. PayPal, while globally used among consumers and retailers, is such an example. There is a newly discovered authentication bug which allows hackers to bypass PayPal’s 2FA security. Not the news most people were looking forward to, but third-party service providers are inherently insecure.
While it is good to see PayPal take these authentication bug submissions to heart, although they should not be possible in the first place. The company did close the security hole, but that does not mean the platform is fully safe from now on. Security experts are seriously concerned about what other skeletons may be in the PayPal closet.
PayPal Authentication is An Utter Joke
In fact, some people are wondering who is conducting PayPal’s security audits, to begin with. Bypassing 2FA turned out to be way too easy, as it did not even require specific coding skills. When logging into the service through 2Fa, there is an option to “try another way.” Clicking this option yielded some unexpected options.
As most users are well aware of, PayPal usually asks for two answers to as many security questions. However, the URL for this page has both the question and the answers embedded within. This would allow any assailant from entering the combination required to access the account in question. Moreover, it is also possible to remove the questions and answers from the URL, resulting in zero wrong answers.
It is very troubling to realize one could access someone’s financial account without answering the security questions. In fact, they need only to have a mouse and keyboard to do so. Such a method of authentication should have never been possible through PayPal, yet it was only discovered a few weeks ago.
This also highlights the way PayPal treats user authentication, to begin with. Security questions are far from a safe security measure, as the answers can be guessed quite easily in most cases. Real authentication measures are direly needed, and we can only hope the company steps up their game soon.
Header image courtesy of Shutterstock