‘Shoddy' PayPal criticised for 2FA
Ecommerce giant eBay didn't win a lot of friends in the security world after its data breach last month and that's unlikely to change now that a research company has branded its payment subsidiary, PayPal, ‘shoddy' for easily by-passable two-factor authentication (2FA).
Duo Security researchers this week detailed how a vulnerability in PayPal's 2FA allows anyone with access to legitimate primary credentials to bypass the 2FA settings and transfer funds out of the account.
In a blog post published earlier this week, Zach Lanier described how it was possible to use PayPal's iOS and Android apps – as well as associated third-party apps – to log in, bypass the 2FA that was enabled, and transfer money out.
Lanier said that he logged into the app, which then told him that the app does not support a security key, but he still got a glimpse of the account. Logging back in with airplane mode on, he got a quick view of the account and was able to get unfettered access to PayPal accounts and funds when he deactivated airplane mode.
“Through reverse engineering and the proxying of traffic, we were able to write a proof-of-concept that, with just regular credentials, was enough to bypass two-factor authentication, access accounts, and send money,” Lanier told SC US. “Ultimately, that flaw weakened the two-factor authentication, and [made it] kind of moot.” Lanier demonstrated the exploit on an iPad using his own PayPal account, which is 2FA enabled.
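The design failure behind this story is that the second factor was effectively gated by the client: a mobile app that declared it did not support a security key was handed a fully privileged session on primary credentials alone. The following is an added illustration, not PayPal's or Duo Security's code, modelling that flawed pattern beside the server-gated alternative in which a password-only login yields a partial session that cannot move money until the server itself has verified a second factor. All class and function names, the user store, the password and the shared secret are constructed assumptions, and the counter-based code stands in for a real TOTP or security key.

```python
"""Client-gated versus server-gated 2FA enforcement (added illustration).

Hypothetical names throughout; the account, password and OTP secret are
constructed sample values, not real credentials.
"""
import copy
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample user store: one account with 2FA enabled.
USERS = {
    "alice": {
        "password_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "mfa_enabled": True,
        "otp_secret": b"constructed-shared-secret",
        "balance": 100,
    }
}


def expected_otp(secret: bytes, counter: int) -> str:
    """Toy counter-based one-time code (stand-in for TOTP / a security key)."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


@dataclass
class Session:
    user: str
    mfa_verified: bool
    token: str = field(default_factory=lambda: secrets.token_hex(8))


def _password_ok(rec, password: str) -> bool:
    return hmac.compare_digest(rec["password_hash"],
                               hashlib.sha256(password.encode()).hexdigest())


class ClientGatedAuth:
    """Flawed design: the client tells the server whether it can do 2FA.

    A client reporting no 2FA support gets a fully privileged session on
    primary credentials alone, the failure mode described in the article.
    """

    def __init__(self):
        self.users = copy.deepcopy(USERS)  # private copy so runs do not interfere

    def login(self, user, password, client_supports_2fa, otp=None, counter=0):
        rec = self.users.get(user)
        if rec is None or not _password_ok(rec, password):
            return None
        if rec["mfa_enabled"] and client_supports_2fa:
            if otp != expected_otp(rec["otp_secret"], counter):
                return None
            return Session(user, mfa_verified=True)
        # BUG: trusting the client's capability flag skips the second factor.
        return Session(user, mfa_verified=True)

    def transfer(self, session, amount) -> bool:
        """Money movement is only allowed on an MFA-verified session."""
        rec = self.users[session.user]
        if not session.mfa_verified or amount > rec["balance"]:
            return False
        rec["balance"] -= amount
        return True


class ServerGatedAuth(ClientGatedAuth):
    """Hardened design: 2FA state is tracked server-side and gates transfers.

    Primary credentials only ever yield a partial session; a client that
    cannot present a second factor is denied sensitive operations rather
    than quietly exempted from them.
    """

    def login(self, user, password, client_supports_2fa, otp=None, counter=0):
        rec = self.users.get(user)
        if rec is None or not _password_ok(rec, password):
            return None
        if not rec["mfa_enabled"]:
            return Session(user, mfa_verified=True)
        # Partial session until a valid second factor arrives, whatever the client claims.
        return Session(user, mfa_verified=False)

    def verify_second_factor(self, session, otp, counter=0) -> bool:
        rec = self.users[session.user]
        if hmac.compare_digest(otp, expected_otp(rec["otp_secret"], counter)):
            session.mfa_verified = True
        return session.mfa_verified


if __name__ == "__main__":
    flawed = ClientGatedAuth()
    s = flawed.login("alice", "correct horse", client_supports_2fa=False)
    print("client-gated: transfer without OTP ->", flawed.transfer(s, 40))
    hard = ServerGatedAuth()
    s = hard.login("alice", "correct horse", client_supports_2fa=False)
    print("server-gated: transfer without OTP ->", hard.transfer(s, 40))
```

The point to check in any real deployment is the second class's invariant: every endpoint that moves value consults server-held MFA state, and nothing the client sends (a capability flag, an "unsupported" notice, a network-state trick) can promote a partial session to a full one.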
Google Glass: Hacked, may contravene data protection laws
The UK launch of Google Glass made national news this week and it's little surprise; ‘wearables' is the new buzzword in the consumer electronics industry, and devices like Glass, LG G Watch – and perhaps Apple's widely-anticipated iWatch – have the capability to change how people interact over the internet.
But there are considerable security and privacy concerns, as also evidenced this week. A bunch of researchers from the Netherlands found that they could hack Glass – helped no doubt by the fact that it has no form of authentication (PIN, password or other), while UK watchdog ICO has warned that the device could be in breach of certain privacy regulations, including the 1998 Data Protection Act.
Computer experts from Dutch IT company Masc and accountancy group Deloitte showed local newspapers how they could use a USB stick to implant code on the glasses and take control of the device to take photos and videos without the user being aware.
This, of course, is unlikely to put the brakes on Glass but it could slow down any such adoption in enterprises, or may cause Google to look increasingly at how such products can be secured.