PayPal has revealed that its recently acquired company TIO Networks has suffered a data breach compromising the personal information of 1.6 million customers.

PayPal bought the Canadian payment processing company, which has over 60,000 utility and bills payment kiosks across North America, for $238m in cash in July. On Friday, 1 December, PayPal said a review of TIO's network showed evidence of a breach that may have compromised the details of about 1.6 million users, including locations that stored personal data of TIO customers and customers of TIO billers. 

The holidays are upon us, and so it is to remind ourselves once again of just how much cyber criminals enjoy playing on the very fears of consumer fraud they elicit.

If the last thing you want interrupting your time with friends and loved ones is a slew of fraudulent bank charges, you’ll need to keep your wits about you. As you read this, an illicit campaign is underway to deceive PayPal users into believing recent transactions they’ve made “could not be verified.” In emails bearing PayPal’s logo, consumers are warned that PayPal has detected suspicious activity on their accounts and that the company requires updated information to avoid fraudulent charges. 

Banking Trojan TrickBot is no longer hitting only banks and financial institutions, but also added payment processing and Customer Relationship Management (CRM) providers to its list of targets.

Supposedly developed by the same gang that previously operated the Dyre Trojan, TrickBot was first spotted in the summer of 2016, and initially detailed in October. By November, the malware was being used in widespread infection campaigns in the UK and Australia, and popped up in Asia the next month. Earlier this year, it started targeting the private banking sector. The 26 active TrickBot configurations observed in May 2017 were targeting banks.

UK security researcher Henry Hoggard has found a very simple method of bypassing PayPal's two-factor authentication (2FA) mechanism, allowing an attacker to take over PayPal accounts in less than a minute.

The researcher claims to have discovered this method while in a hotel with no telephone signal, and no way to receive the 2FA verification code to his device via SMS. The researcher says the problem was found in the "Try another way" link that appears under the 2FA section of the login screen. PayPal provides this option to PayPal account owners for situations when they can't reach their phone, or they have no signal, as was case for him.

Hackers are spreading the Chthonic banking trojan via legitimate-looking PayPal emails, security outfit Proofpoint has warned. The emails are 'authentic' and don't trigger antivirus warnings because they come via PayPal from accounts that appear to be legitimate.

"The sender does not appear to be faked. Instead the spam is generated by registering with PayPal and then using the portal to request money," said Proofpoint in a security advisory. The attackers take advantage of a feature that allows users to include notes when sending money request messages. One sample picked up by Proofpoint showed that Gmail failed to block the email since it appeared to be legitimate.

PayPal has addressed a vulnerability that could have been exploited by hackers to insert malicious images into payment pages. Security researcher discovered that the URL of payment pages set up by PayPal users included a parameter called “image_url.”

The value of this parameter could have been replaced with a URL pointing to an image hosted on a remote server. This could have allowed an attacker to use a third-party vendor’s PayPal payment page to deliver malicious images. An attacker could have exploited this vulnerability by getting an unauthenticated user to click on a specially crafted link.

PayPal has patched a security issue which could allow attackers to exploit the platform for the purpose of sending malicious emails. Researcher revealed the existence of an application-side mail encoding web vulnerability and filter bypass issue in the official PayPal online Web application.

Granted a Common Vulnerability Scoring System score of 3.9, the security problem is considered a "medium" threat to the online payment provider's services. If exploited, cyberattackers are able to inject malicious codes into the mail header of emails sent via PayPal's portal. Cyberattackers were able to compromise PayPal's systems.

PayPal has fixed a serious vulnerability in its back-end management system that could have allowed attackers to execute arbitrary commands on the server and potentially install a backdoor.

The vulnerability is part of a class of bugs that stem from Java object deserialization and which security researchers have warned about a year ago. In programming languages, serialization is the process of converting data to a binary format for storing it or for sending it over the network. Deserialization is not an issue in itself, but like most processes that involve processing potentially untrusted input, measures need to be taken to ensure that it is performed safely.

Under specific conditions, PayPal can ask users to confirm their identity to prevent frauds. When users are asked to verify their identity, their account is not accessible and in order to unblock it PayPal request them to make a call or send an email to its service and complete the procedure.

Mejri explained that a vulnerability affecting the PayPal mobile app that can be exploited by attackers to access blocked accounts through repeated login attempts that leverage valid session cookies. The same trick could be used to bypass two-factor authentication process, once the attacker successfully accesses the account is it able to change its settings.

Evaluating online cybersecurity awareness of 2,011 consumers from the USA and United Kingdom, a new survey by One Poll and Dimensional Research revealed that a lot of respondents believe using a third party payer such as PayPal or Google Wallet is the safest way to pay for goods online.

With so many retail breaches this year, it is not surprising that people are now more comfortable shopping online. However, consumers still need to be wary of where they are storing their data. Third party payment providers make the online shopping experience easier, but they can and will be targeted just the same as the retailers themselves.