PayPal flaw adds to jitters over hacking

Researcher who helped uncover glitch says the effect is likely to be purely psychological - but city is already on edge over cybersecurity

PUBLISHED: Friday, 27 June, 2014, 2:39am
UPDATED: Friday, 27 June, 2014, 8:39am

A security flaw in internet-payment firm PayPal's system may heighten fears about cybersecurity in jittery Hong Kong, but a researcher involved in the discovery of the glitch says it is more likely to cause "psychological" problems than practical ones.

Tests by US firm Duo Security revealed that an extra security measure known as two-step authentication, under which users are sent an additional one-off code to enter alongside their username and password when they log on to their account, could be bypassed on mobile devices.

The discovery came at a time of nervousness in the city over cybersecurity after massive hacking attacks on firms providing technical support to this week's public vote by pro-democracy group Occupy Central. The poll continued as planned, and has drawn about 750,000 voters.

Zach Lanier, Duo Security's senior security researcher, said the practical risk was limited as few users had signed up for two-step security, and breaking into accounts would still require a username and password. But users may believe their money is safer than it actually is, he said.

"What this flaw boils down to is a security feature designed and marketed to enhance your account security does not work. [That] has a social and psychological impact because it's really not living up to the promise it should provide," he said.

Among the organisations that could be affected is Scholarism, the student advocacy group that put forward one of three models for electoral reform that were shortlisted for Occupy's unofficial referendum.

The group says it receives donations remitted abroad via PayPal. But spokeswoman Agnes Chow Ting said the effects would be limited. "When Hong Kong people donate to us, they'll directly donate with cash or through their bank during protests or assemblies, and not through PayPal," she said.

Successful attempts to sidestep two-step authentication, a common additional security feature used for online banking, e-mail and social media accounts, are all but unheard of.

PayPal said customer accounts remained secure as the breach was contained. It said it had fixed the issue before the flaw was publicised.

"As a precaution we have disabled the ability for customers who have selected two-factor authentication to log into their PayPal account on the PayPal mobile app and on certain other mobile apps," the company said.
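The article describes a second factor that could be sidestepped on one login channel, and an interim mitigation that simply refuses mobile-app logins for accounts with two-factor enabled. The following is an added illustration written for this page, not PayPal's or Duo Security's code, and it does not reproduce the actual PayPal flaw, whose mechanism the article does not give. It assumes a server that tracks session state itself and models the general class of weakness: a server that trusts one channel (here a constructed `mobile` channel) to prompt for the one-time code on its own, alongside the hardened design where no channel gets a usable session until the code is verified server-side, plus the "block mobile for two-factor accounts" stopgap. The user store, salt, secrets and `enforce_on_mobile` / `block_mobile_for_2fa` switches are all constructed for the example.

```python
"""Server-side enforcement of a second factor on every login channel.

Added example: hypothetical code, not PayPal's or Duo Security's. It models
the class of weakness the article describes (a second factor that can be
sidestepped on one channel) and the interim mitigation PayPal quotes
(refusing mobile logins for accounts that enabled two-step authentication).
"""
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data: a fixed salt and two users, one with two-step
# authentication enabled (has a TOTP secret) and one without.
_SALT = b"constructed-demo-salt"


def hash_password(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)


USERS = {
    "alice": {"pw": hash_password("correct horse"), "totp_secret": b"alice-demo-secret"},
    "bob": {"pw": hash_password("battery staple"), "totp_secret": None},
}


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1 with dynamic truncation)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class Session:
    user: str
    channel: str
    fully_authenticated: bool


class AuthServer:
    """Session state lives on the server: a session is usable only once 'full'."""

    def __init__(self, enforce_on_mobile: bool = True, block_mobile_for_2fa: bool = False):
        # enforce_on_mobile=False reproduces the weak pattern: the mobile channel
        # is trusted to prompt for the code itself, so the server hands out a
        # fully authenticated session on password alone (assumed, for illustration).
        self.enforce_on_mobile = enforce_on_mobile
        # block_mobile_for_2fa models the stopgap quoted in the article: accounts
        # with two-step enabled cannot log in through the mobile channel at all.
        self.block_mobile_for_2fa = block_mobile_for_2fa
        self.sessions: Dict[str, Session] = {}

    def login_password(self, username: str, password: str, channel: str) -> Optional[str]:
        user = USERS.get(username)
        if user is None or not hmac.compare_digest(user["pw"], hash_password(password)):
            return None
        has_2fa = user["totp_secret"] is not None
        if has_2fa and channel == "mobile" and self.block_mobile_for_2fa:
            return None  # refused outright; the user must use another channel
        needs_otp = has_2fa and (channel != "mobile" or self.enforce_on_mobile)
        token = secrets.token_hex(16)
        self.sessions[token] = Session(username, channel, fully_authenticated=not needs_otp)
        return token

    def verify_otp(self, token: str, code: str, now: Optional[int] = None) -> bool:
        sess = self.sessions.get(token)
        if sess is None:
            return False
        secret = USERS[sess.user]["totp_secret"]
        if secret is None:  # nothing to verify for accounts without two-step
            return sess.fully_authenticated
        now = int(time.time()) if now is None else now
        for drift in (0, -30):  # accept current and previous step for clock drift
            if hmac.compare_digest(totp(secret, now + drift), code):
                sess.fully_authenticated = True
                return True
        return False

    def authorize(self, token: str) -> bool:
        """Every protected endpoint, on every channel, asks this one question."""
        sess = self.sessions.get(token)
        return sess is not None and sess.fully_authenticated


if __name__ == "__main__":
    weak, hardened = AuthServer(enforce_on_mobile=False), AuthServer()
    for name, srv in (("weak", weak), ("hardened", hardened)):
        tok = srv.login_password("alice", "correct horse", "mobile")
        print(name, "mobile session usable without code:", srv.authorize(tok))
```

The point the example makes is that the decision "does this account need a second factor" must be evaluated and remembered on the server for every channel; the moment one channel is allowed to issue a fully usable session on the password alone, the feature is nominally enabled but provides no protection, which is exactly the gap between marketed and actual security that Lanier describes. The `block_mobile_for_2fa` switch shows why the interim fix works but costs usability: it removes the affected channel rather than repairing it.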

PayPal's own research in 2012 suggested two-thirds of Hong Kong shoppers thought making purchases on mobile devices was not secure enough.

One in six e-commerce payments is funnelled through PayPal, according to research from Morgan Stanley.

PayPal has long been criticised for its high transaction fees and other hidden costs, with some critics opting to use the controversial digital currency bitcoin as a cheaper alternative for international transfers.

Lanier said he would probably be unable to replicate the breach after PayPal made its changes.

"I think it's a sufficient mitigation while PayPal comes up with a permanent fix," he said. "It's unfortunate that it actually does cause some collateral damage [by stopping some users from logging in from mobile devices], but it is sufficient to disrupt our particular [hacking] techniques."