Researcher Bypassed 2SV for PayPal in Four Easy Steps

A researcher developed a method to bypass the two-step verification (2SV) account security measure for PayPal in four easy steps.

Like most other web services, PayPal gives users the option to enable two-step verification (2SV) on their accounts. 2SV is a feature through which a web service sends users a one-time SMS code to a verified mobile phone whenever they attempt to log in to their account with their username and password. Users need cell service to receive that code. Without a signal, they can’t receive a code sent to their mobile phone, which means they can’t log into their account through the standard 2SV method.

That’s exactly what happened to security consultant Henry Hoggard, who developed the proof-of-concept bypass when he was at a hotel and discovered he had no cell service.

First, he logged into his PayPal account and clicked on “Try another way” when he was asked if PayPal should send him a one-time 2SV code.


Hoggard elected to log in by answering some security questions, though he didn’t do so with any of his own unique answers. Instead, he entered an arbitrary answer (in this case “test”) into the provided text fields.

From there, the security consultant used a proxy to remove both security questions from the POST data.


Lo and behold, it worked!


This work-around is no laughing matter. If an attacker acquired a victim’s PayPal username and password, they could circumvent 2SV and still gain access to the account.

Recognizing that threat, Hoggard reported the issue to PayPal on 3 October 2016. The online payment company began investigating the bug the next day and fixed it on 21 October 2016.

As a general rule of thumb, users should always enable two-step verification on any web service (including PayPal) that offers the additional layer of security. They should also save any back-up codes so that they can still access their accounts in the event they lose their mobile device.

News of this fix follows a few weeks after researchers spotted an angler phishing campaign targeting PayPal users on Twitter.
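The root cause the write-up points to is a server-side check that only validated the answer fields the client chose to send. The following is an added illustration, not PayPal’s code and not Hoggard’s proof of concept: a hypothetical fail-open verifier beside a fail-closed one, exercised with constructed requests, including one with the answer fields removed.

```python
import hashlib
import hmac
from typing import Mapping

# Constructed demo account (hypothetical, not PayPal data). Real systems store
# salted hashes; a plain SHA-256 of the normalised answer keeps this short.
def _digest(answer: str) -> bytes:
    return hashlib.sha256(answer.strip().lower().encode()).digest()

STORED_ANSWERS = {
    "q1": _digest("rover"),
    "q2": _digest("lincoln"),
}

def verify_vulnerable(post_data: Mapping[str, str]) -> bool:
    """Fails open: iterates over what the client submitted, so a request with
    the answer fields stripped out never hits a failing comparison."""
    for field, value in post_data.items():
        if field in STORED_ANSWERS:
            if not hmac.compare_digest(_digest(value), STORED_ANSWERS[field]):
                return False
    return True

def verify_hardened(post_data: Mapping[str, str]) -> bool:
    """Fails closed: iterates over what the server expects, so a missing or
    empty answer counts as a wrong answer."""
    for field, expected in STORED_ANSWERS.items():
        submitted = post_data.get(field, "")
        if not submitted or not hmac.compare_digest(_digest(submitted), expected):
            return False
    return True

# Constructed sample requests
WRONG_ANSWERS = {"csrf": "abc", "q1": "test", "q2": "test"}   # both answers wrong
STRIPPED      = {"csrf": "abc"}                                # answer fields removed
CORRECT       = {"csrf": "abc", "q1": "Rover", "q2": "lincoln"}

if __name__ == "__main__":
    for name, req in [("wrong answers", WRONG_ANSWERS),
                      ("fields stripped", STRIPPED),
                      ("correct", CORRECT)]:
        print(f"{name:16} vulnerable={verify_vulnerable(req)!s:5} "
              f"hardened={verify_hardened(req)}")
```

A log entry for every step-up verification that succeeded with fewer answer fields than the account has questions is an easy detection for this class of bug.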
