Teenage Researcher: Your PayPal Account Can Be Hacked

Can your PayPal account be hacked? You may think your PayPal account is secure, but think again.
Even if you’ve signed up for PayPal’s Security Key feature, you still need to ponder the safety of your account.
An Australian researcher — just 17 years old — says it’s easy, for a hacker at least, to get around PayPal’s two-step (or two-factor) authentication precautions. Security Key is PayPal’s add-on that sends you a text message to your phone with a second security key needed to access your account.
In the security section of the official PayPal website, the company explains:

“The PayPal Security Key gives you a second authentication factor when you’re logging in to your account. In addition to your password, you enter a One Time Pin (OTP) that is unique for each login. These two factors give you stronger account security.”

But that’s not so as Joshua Rogers tells PC Magazine. The problem with PayPal’s Security Key feature is connected to eBay. And a hacker only needs a user’s eBay and PayPal login credentials to access the account holding the money. If you authorize eBay to immediately withdraw its fees from your PayPal account when a sale is complete, your PayPal account could be vulnerable.
On his blog, Rogers describes:

“When setting this up, you’re (obviously) asked for your PayPal login. Once you’re actually logged in, a cookie is set with your details, and you’re redirected to a page to confirm the details of the process. And this is where the exploit lays. Now just load http://www.paypal.com/ , and you are logged in, and don’t need to re-enter your login.”

PC Magazine notes that another loophole in this feature occurs when a person who has enabled Security Key doesn’t have a phone. If they can’t receive a text message with that second code, they can opt to answer two security questions. The magazine suggests that sort of information is readily available to hackers, too.
By going public with the flaw in PayPal’s security system, Rogers will miss out on any compensation for his discovery. PayPal actually offers a Bounty Program for researchers who alert the company to security flaws. Rogers tells PC Magazine that he told PayPal of his work in early June but nothing became of his alerts.