Finally! Some press on PayPal's non-functioning mobile app.



The flaw lay in PayPal’s two-factor authentication (2FA) mechanism which sends users a one-time code to enter after typing in their username and password. “...On a mobile client, such as PayPal for iPad or for Android, that feature has never worked, but oddly can be exploited on a smartphone or tablet.

When a user with 2FA enabled signed in via the mobile app, they were briefly logged in before a message told them they could not continue as the feature was not compatible with mobile.

But by simply turning off connectivity in that brief gap when the user was logged in, and then switching it back on again, the user remained logged in, thereby bypassing the second factor of authentication.
DAMN, if only I had known this trick for the past 2 years.

Lanier told the Guardian he hopes PayPal’s planned fix rectifies the vulnerability and leads to full support of two-factor authentication in their official mobile applications and third-party merchant apps.
Don't count on it, Mr. Lanier. The incompetent fools at PayPal haven't been able to make their mobile app work for the last two years... Aren't going to care now.

http://www.theguardian.com/technology/2014/jun/25/paypal-security-protection-hack-researchers
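
Added example, not part of the original post and not PayPal's code: a minimal server-side model of the failure the quoted article describes, next to a hardened flow. It assumes the second factor was enforced only by the client after a usable session already existed (the post does not describe PayPal's server behaviour); all names, tokens and account data are constructed.

```python
import secrets

# Constructed demo data; the fixed "otp" stands in for a real one-time code.
USERS = {"alice": {"password": "correct horse", "otp": "492817", "twofa": True}}
SESSIONS = {}  # token -> {"user": str, "state": "pending_2fa" | "full"}


def login_weak(user, password):
    """Weak flow: a full session exists before the second factor is checked.
    The client is only *told* to stop, so a client that never processes
    that message keeps a working session."""
    acct = USERS.get(user)
    if not acct or not secrets.compare_digest(acct["password"], password):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = {"user": user, "state": "full"}
    return {"token": token, "client_hint": "2fa_unsupported_please_logout"}


def login_hardened(user, password):
    """Hardened flow: the password alone yields only a pending session."""
    acct = USERS.get(user)
    if not acct or not secrets.compare_digest(acct["password"], password):
        return None
    token = secrets.token_hex(16)
    state = "pending_2fa" if acct["twofa"] else "full"
    SESSIONS[token] = {"user": user, "state": state}
    return {"token": token, "state": state}


def verify_otp(token, code):
    """Upgrade a pending session only after the server checks the code."""
    sess = SESSIONS.get(token)
    if not sess or sess["state"] != "pending_2fa":
        return False
    if not secrets.compare_digest(USERS[sess["user"]]["otp"], code):
        return False
    sess["state"] = "full"
    return True


def api_balance(token):
    """Every protected endpoint re-checks session state on the server."""
    sess = SESSIONS.get(token)
    if not sess or sess["state"] != "full":
        return "denied"
    return "balance for " + sess["user"]
```

In the hardened flow nothing the client does or fails to do changes the outcome, because the session cannot reach protected endpoints until the server itself has verified the code.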
 