We are always told to tighten our security online by using two-factor authentication, and that makes sense unless the two-factor authentication can be easily bypassed. PC World ran a story on a 17-year-old Australian who found a way to get around it.
What is disturbing is that Joshua Rogers contacted PayPal on June 5 and PayPal did not fix the flaw. Rogers went public on his own blog, which means he will not get the reward PayPal usually pays security researchers, since that program requires confidentiality until a software vulnerability is fixed. Rogers estimated the reward might have been around $3000, although PayPal didn't give him a figure.
“I don’t care about the money, no,” he said via email. “Money isn’t everything in this world.”
From the article:
A security feature offered by PayPal to help prevent accounts from being taken over by hackers can be easily circumvented, an Australian security researcher has found.
PayPal users can elect to receive a six-digit passcode via text message in order to access their accounts. The number is entered after a username and password are submitted.
The security feature, known as two-factor authentication, is an option on many online services such as Google and mandatory on many financial services websites for certain kinds of high-risk transactions. Since the code is sent offline or generated by a mobile application, it is much more difficult for hackers to intercept, although by no means impossible.
Joshua Rogers, a 17-year-old based in Melbourne, found a way to get access to a PayPal account that has enabled two-factor authentication. He published details of the attack on his blog on Monday after he said PayPal failed to fix the flaw despite being notified on June 5.
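The article describes the SMS second factor only from the user's side: a six-digit code that must be entered after the password. What a login service has to do on its own side to make that code worth anything is shown below as an added example. It is not PayPal's code and says nothing about the flaw Rogers found (the article gives no details); the `TwoFactorGate` class, its server secret, the 5-minute lifetime and the 5-attempt limit are all assumptions chosen here. The point it illustrates is that the session is granted only by `verify`, never by the password check alone, and that the code is stored as a keyed hash, compared in constant time, single-use, time-limited and rate-limited.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values (not from the article): six digits, five minutes, five guesses.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


@dataclass
class PendingLogin:
    """A first factor that passed but is still waiting for its second factor."""
    username: str
    code_hash: bytes
    expires_at: float
    attempts: int = 0


def _hash_code(username: str, code: str, secret: bytes) -> bytes:
    # Keyed hash: a leaked pending-login store does not reveal live codes.
    return hmac.new(secret, f"{username}:{code}".encode(), hashlib.sha256).digest()


class TwoFactorGate:
    """Hypothetical server-side gate for an SMS-style one-time code."""

    def __init__(self, server_secret: bytes, now=time.time):
        self._secret = server_secret
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # username -> PendingLogin
        self.sent = []             # (username, code): stand-in for the SMS gateway

    def password_accepted(self, username: str) -> str:
        """Called after the password check passes. Issues a code; grants no session."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = PendingLogin(
            username,
            _hash_code(username, code, self._secret),
            self._now() + CODE_TTL_SECONDS,
        )
        self.sent.append((username, code))  # in a real system this is the SMS send
        return code

    def verify(self, username: str, submitted: str) -> tuple:
        """The only path that yields a session. Returns (granted, reason)."""
        entry = self._pending.get(username)
        if entry is None:
            return False, "no pending login"
        if self._now() > entry.expires_at:
            del self._pending[username]
            return False, "code expired"
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[username]      # burn the code instead of letting guesses continue
            return False, "too many attempts"
        expected = entry.code_hash
        if not hmac.compare_digest(_hash_code(username, submitted, self._secret), expected):
            return False, "wrong code"
        del self._pending[username]          # single use: a replayed code must fail
        return True, "session granted"


if __name__ == "__main__":
    gate = TwoFactorGate(secrets.token_bytes(32))
    code = gate.password_accepted("alice")   # constructed sample login
    print(gate.verify("alice", "000000"))    # almost certainly a wrong guess
    print(gate.verify("alice", code))        # (True, 'session granted')
    print(gate.verify("alice", code))        # replay: (False, 'no pending login')
```

The design choice worth noting is that `password_accepted` returns nothing a client could use as a session; the pending record lives only on the server, so a client cannot skip or pre-empt the second step by manipulating what it sends back.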
Read the full article here