
In mid-January, cybersecurity analysts from CyberNews say they alerted PayPal to six vulnerabilities through its bug-reporting system. Three were fixed, but the remaining three, which according to CyberNews are the most serious, are still live. PayPal reportedly denies that two of them are its responsibility to handle.

The correspondence between CyberNews and PayPal appears to have taken a sour turn, as Bernard Meyer, the Senior Researcher at CyberNews who undertook the research, exclusively revealed to express.co.uk: “We are making these vulnerabilities public to warn its 305 million account holders and compel PayPal to fix them before hackers exploit these security flaws. There is no reason why this cannot be done almost immediately given the size of their resources.

“If you read its blurb, you will think that PayPal gives a lot of money to ethical hackers that find bugs. For instance, in 2018 PayPal announced a maximum bug bounty of $30,000 – a pretty nice sum.

“But the reality is somewhat different. For instance, when our analysts discovered six vulnerabilities in PayPal that put its millions of users’ money at risk, we were met with unresponsive staff, vague responses and often denial.

“When we pushed, its team then removed points from our Reputation score, relegating our profiles on its system to a suspicious, spammy level.


“This happened even though issues we raised were subsequently patched: although we received no bounty, credit, nor even a thanks. Instead, we were worse off than if we hadn’t said anything! Nor are we the only ethical hackers to experience this.”

CyberNews provided details of what the vulnerabilities are and how hackers could take advantage of all of them after obtaining a user's email address and password from the dark web:

Bypassing PayPal’s two-factor authentication (2FA) – This would allow a hacker to get into an account and steal money from it. The hacker could keep spending the victim’s money until the account is empty or until the victim notices the problem.

Phone verification without One-Touch Password – Hackers don’t need to verify their phones, which makes it easier to create fraudulent accounts. This will be especially problematic for hacked accounts as it is very hard for victims to get their accounts back. This is due to the hacker changing the phone number, meaning the victim can’t confirm that it’s theirs.

Overcoming PayPal’s automatic security measures – These measures are triggered when suspicious activities occur. However, hackers can easily bypass these security features designed to prevent suspicious transactions.


Mr Meyer detailed that the situation is currently dire with PayPal but there are actions users can take to protect themselves: “It is well known that PayPal users’ access details – their email address and passwords – are widely available on the internet’s Dark Web.

“Often it is because people ignore advice and use the same password for various websites, and sometimes because their computer is infected with keystroke malware that detects valuable passwords.

“Because of this PayPal and other sites such as Amazon and banks use two-factor authentication so if an important change is made to the account this is double-checked, for instance through a security code being texted to the user’s mobile phone.

“We alerted it last month that this double-check can currently be bypassed in PayPal, rendering it ineffective to any hacker who gains a person’s email and PayPal password – which are sadly available right now on the Dark Web for as little as $1.50 (£1.16) each.

“Sadly, its response to us was to say it wasn’t an issue for them to rectify.”

“Also there are multiple services, such as privacy.com, that protect your card details and also allow you to set caps on how much can be purchased from different vendors.

“Keeping a one-time use VCC for payments, or turning it off after your shopping spree is completed, prevents hackers from accessing your funds even if they get into your PayPal account.

“Besides that, we recommend people should never hold any balance in PayPal or any other payment system, except for your bank. This is because scammers target users even with very small amounts on their PayPal account.

“If you don’t have money in your PayPal account, hackers won’t have any motivation to target you and will move onto someone else.

“Finally, make sure you don’t link your cards as, if your PayPal account is accessed, then a scammer can top it up and get their hands on the money from your bank or credit card.”

In response to CyberNews’s findings, a spokesperson from PayPal detailed: “PayPal takes all Bug Bounty programme submissions seriously and reviews each with an appropriate sense of priority.

“We appreciate the submissions from Bernard Meyer at CyberNews. However, after review, we found that the issues raised did not pose a threat. Accordingly, the tickets were correctly closed in PayPal’s online bug bounty platform provider, HackerOne. Any changes to CyberNews’ HackerOne reputation score are a result of reports submitted to HackerOne that are deemed to be invalid vulnerabilities.”
