How secure is PayPal? Secure until you start using your mobile device. According to Kelly Jackson Higgins's article, PayPal Two-Factor Authentication Broken, Dan Saltman, an independent researcher, “reported to PayPal that he had discovered a way to bypass two-factor authentication in Apple iOS, but after getting no response from PayPal, Saltman in April went to friends at mobile security firm Duo Security.” Duo Security confirmed Saltman's finding and helped him reach PayPal. Duo Security also detected the same problem in the Android app and reported it along with the flaw in the iOS application.
PayPal's web application does not contain this flaw; it is only found in PayPal's mobile apps. Higgins writes in her article that “api.paypal.com — a PayPal API that uses OAuth for authentication and authorization — is flawed and does not enforce two-factor authentication on the server while authorizing a user.” Because the second factor is never checked on the server side of the mobile API, the mobile application is left open to account takeover and compromised data even when the user has two-factor authentication turned on.
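The design point above, that the second factor must be enforced by the authorization server for every client rather than by one client path, as an added Python illustration (this is hypothetical code, not PayPal's or Duo Security's; the account, client names and one-time code are constructed):

```python
# Added illustration (hypothetical, not PayPal's code): a toy OAuth-style token
# issuer that enforces the second factor on the server for every client.
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    password: str                # plaintext only to keep the toy self-contained
    two_factor_enabled: bool
    totp_code: str = "123456"    # constructed: the currently valid one-time code


@dataclass
class AuthServer:
    accounts: dict = field(default_factory=dict)

    def _check_password(self, username, password):
        acct = self.accounts.get(username)
        return acct if acct and acct.password == password else None

    # Weak design: the second factor is only checked on the web login path,
    # so the API path used by mobile clients never sees it.
    def issue_token_weak(self, username, password, client, otp=None):
        acct = self._check_password(username, password)
        if acct is None:
            return None
        if client == "web" and acct.two_factor_enabled and otp != acct.totp_code:
            return None
        return f"token-for-{username}"

    # Hardened design: the server checks the second factor on every
    # authorization request, regardless of which client is asking.
    def issue_token_hardened(self, username, password, client, otp=None):
        acct = self._check_password(username, password)
        if acct is None:
            return None
        if acct.two_factor_enabled and otp != acct.totp_code:
            return None
        return f"token-for-{username}"


def demo():
    # Constructed account with two-factor authentication enabled.
    srv = AuthServer({"alice": Account("alice", "pw", True)})
    weak_mobile = srv.issue_token_weak("alice", "pw", "mobile")      # granted without OTP
    hard_mobile = srv.issue_token_hardened("alice", "pw", "mobile")  # refused
    hard_with_otp = srv.issue_token_hardened("alice", "pw", "mobile", otp="123456")
    return weak_mobile, hard_mobile, hard_with_otp
```

Running `demo()` shows the weak issuer handing a token to the mobile path on a password alone, while the hardened issuer refuses until the one-time code is supplied.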
PayPal is working on a fix, and according to Duo Security an update to the PayPal app is planned for July 28th. In the meantime, the second-factor feature has been disabled for PayPal. Duo Security has published a demonstration of the PayPal flaw.