Create an Account
username: password:
 
  MemeStreams Logo

Oops! PayPal Security Key fails

search

Acidus
Picture of Acidus
My Blog
My Profile
My Audience
My Sources
Send Me a Message

sponsored links

Acidus's topics
Arts
Business
Games
Health and Wellness
Home and Garden
Miscellaneous
Current Events
Recreation
Local Information
Science
Society
Sports
Technology

support us

Get MemeStreams Stuff!


 
Oops! PayPal Security Key fails
Topic: Technology 11:04 am EST, Dec  4, 2007

When eBay rolled out the PayPal Security Key earlier this year, its executives hailed it as an important measure that would make users more secure. And it was. By generating a random, six-digit number every 30 seconds that users needed to authenticate themselves online, the small electronic token provided an additional layer of protection against phishers and other online criminals.

Yey Two Factor Auth!

But according to Chris Romero, an IT administrator who has used the Security Key for several months now, a bug could allow phishers and others with bad intent to work around the measure. When accessing his PayPal account from merchant sites and other third-party destinations, he says, his account is validated when he types in any six-digit number, as long as he provides a valid user id and password and answers an accompanying security question.

Oops! Not good. And now for the money shot!

Update
The aforementioned spokeswoman said on Thursday that over the past 24 hours PayPal security people are now able to reproduce the bug and are working on a fix. As we noted above, she said the flaw shouldn't be regarded as significant security risk because users are still required to enter a password and enter a security question

Are you kidding me? Your two factor auth isn't two factor anymore! The whole point is stealing someone's password doesn't grant access to the account because the attacker must also physically possess something. Only PayPal messed up and you don't need to possess anything. That is a radical backstep in security and some silly marketing chick is telling people its not an issue? Are you kidding me? Is that PayPal's official position?

WOW! Just... WOW.

Oops! PayPal Security Key fails



 
 
Powered By Industrial Memetics
RSS2.0