The Corliss Group Latest Tech Review – Concerned about protecting the personal and financial details of its users, PayPal, the online payments company, has introduced a system called “two-factor authentication”.
To log in, users must first enter their user name and password. They then receive a security code by mobile phone that they have to type in to gain entry. The idea is to create an extra barrier that makes it harder for criminals to break into a customer’s account.
The only problem was that this additional line of defence had a significant flaw. Last year, a group of computer hackers from Duo Security, a Michigan-based cyber security company, discovered a problem with PayPal’s mobile app that meant it was possible to bypass this second barrier because of a previously unknown bug in PayPal’s systems.
Zach Lanier, senior security researcher at Duo, says users could have been “lulled into a false sense of security, unaware that a security feature isn’t living up to its promise”.
It was lucky for PayPal that it was Mr Lanier’s team that discovered the problem. He was able to warn the company through its “bug bounty” programme, which pays people who discover security vulnerabilities. Duo Security pocketed the bounty while PayPal fixed the bug before revealing publicly how it been discovered.
Google, Mozilla and Hewlett-Packard are among other technology groups that have bug bounty programmes. Bounties range from $500 for spotting tiny bugs to $60,000 for uncovering serious flaws. Millions of dollars have been paid to individual hackers and security companies through these schemes. Unveiling Facebook’s bug bounty programme in 2011, Joe Sullivan, the social network’s chief security officer, wrote on the company’s website: “We realise . . . that there are many talented and well intentioned security experts around the world who don’t work for Facebook. We established this bug bounty programme in an effort to recognise and reward these individuals for their good work and encourage others to join.”
There is no way for companies to create perfect online defences. Underlying every website or app are lines of code. As these have been written by humans, defences can range from the well constructed to the sloppy and flawed.
In theory, thanks to bug bounties, some hackers can make a decent living just looking for security flaws. However, most who participate in the programmes are computer professionals who uncover bugs in their spare time to make some extra cash, or they stumble across problems by chance.