Zach Lanier, senior security researcher at Duo Security, talks to Ryan Naraine about a gaping hole in the way two-factor authentication is implemented in the PayPal mobile app (iOS and Android). Because of this bypass, an attacker with a PayPal user’s username and password, even if it is a two-factor-enabled account, can access the account and transfer money — all without two-factor being enforced.