PayPal fixed a major problem with its multifactor authentication protection

Multifactor authentication has become much more commonplace in recent years, with many experts pointing to the technique as a good method of keeping personal information safe online. However, not all implementations of multifactor authentication are created equal, and it seems that PayPal’s usage didn’t cut the mustard until very recently.

Recently, mobile security consultant Henry Hoggard found himself in a hotel room, needing to make a payment via PayPal. However, there was no phone signal, so he wasn’t able to receive his two-factor authentication token via text message. Hoggard had to think outside of the box.

In the event that a user can’t receive their authentication token, PayPal offers up their security question as an alternative. Upon being given this option, Hoggard quickly discovered a major flaw in the service’s security efforts, according to a report from analyst Graham Cluley.

Hoggard discovered that he could use a proxy to remove certain elements from the post data associated with the security question. By doing so, he could trick PayPal into thinking that he’d answered the question, no matter what he entered into the field, thereby rendering the multifactor authentication protection useless.
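
One way a check can end up accepting a request whose answer fields were removed, next to a fail-closed version, as an added illustration. This is not PayPal's code: the report does not describe the server-side logic, and the field names and answers below are hypothetical, constructed samples.

```python
import hmac

# Constructed sample data: hypothetical field names and answers, not PayPal's.
EXPECTED = {"question_0": "rex", "question_1": "springfield"}


def _matches(supplied, expected):
    # Normalise the user's input, then compare in constant time.
    return hmac.compare_digest(supplied.strip().lower().encode(), expected.encode())


def verify_fail_open(form, expected=EXPECTED):
    """Flawed pattern: validates only the answer fields that are present."""
    for field, answer in form.items():
        if field in expected and not _matches(answer, expected[field]):
            return False
    # A form with no answer fields skips every comparison and lands here.
    return True


def verify_fail_closed(form, expected=EXPECTED):
    """Hardened pattern: iterate over what the server expects, not what the
    client sent. A missing or non-string field is a failure."""
    if not expected:
        return False  # no enrolled questions means no fallback, not a pass
    ok = True
    for field, answer in expected.items():
        supplied = form.get(field)
        if not isinstance(supplied, str) or not _matches(supplied, answer):
            ok = False  # keep looping so timing does not reveal which field failed
    return ok


# Constructed requests as the server would see them after form parsing.
CORRECT = {"question_0": "Rex", "question_1": " Springfield", "csrf": "t0k3n"}
WRONG = {"question_0": "guess", "question_1": "guess", "csrf": "t0k3n"}
STRIPPED = {"csrf": "t0k3n"}  # answer fields removed before reaching the server

if __name__ == "__main__":
    for name, form in (("correct", CORRECT), ("wrong", WRONG), ("stripped", STRIPPED)):
        print(f"{name:9} fail_open={verify_fail_open(form)} "
              f"fail_closed={verify_fail_closed(form)}")
```

The fix is structural: the server decides which fields must be present, so nothing the client omits can reduce the number of checks performed.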

Fortunately, Hoggard alerted PayPal to the problem, and the company has now fixed the gap in its security measures. The researcher received a bounty for his part in addressing the issue — and, more importantly, users can be safe in the knowledge that multifactor authentication is being used to its intended effect.

It’s worth noting that an attacker would have needed to know the user’s password in order to actually take advantage of this weakness. That being said, it’s still surprising that such a major online payments service would have this kind of gap in its defenses.

Brad Jones
Former Digital Trends Contributor
Brad is an English-born writer currently splitting his time between Edinburgh and Pennsylvania. You can find him on Twitter…