How to Keep Your Online Accounts Safe From SIM Swapping Attacks

Date: 2020-04-20 10:53:26 Posted by: Rachel Zhu

COVID-19 is causing many of us to order items online, and we're using online payment methods such as PayPal and Venmo to pay for the items.

In January 2020, researchers at the Center for Information Technology Policy at Princeton University released a study that showed that hackers could take control of users' accounts on those services and others as well.

A problem with multi-factor authentication

The researchers analyzed the multi-factor authentication (MFA) procedures used by 140 online sites that included social media networks, email providers, and enterprise solutions.

Multi-factor authentication is an online security measure: an authentication method that requires two or more pieces of evidence, or factors. Typical factors include:

Something only the user knows - includes passwords, PINs, combinations, and code words

Something only the user has - includes physical objects such as keys, smartphones, smart cards, USB drives, and token devices

Something the user is - includes fingerprints, palm scanning, facial recognition, retina scans, iris scans, and voice verification

The researchers found 17 companies where a phone that had been SIM swapped could then be used to reset an account's password. SIM swap fraud allows someone to take control of your phone number, and a hacker can then gain full access to your online profiles on various websites.

The companies that were affected included Adobe, Amazon, AOL, Blizzard, eBay, Finnair, Gaijin Entertainment, Mailchimp, Microsoft, Online, PayPal, Snapchat, TaxAct, Venmo, WordPress, Yahoo and Zoho Mail.

The researchers attempted to report the vulnerability to the affected companies via three methods: direct reporting to the company, posting on bug bounty platforms such as HackerOne, and through customer support channels.

Three of the four reports given to third-party bug bounty programs were disregarded. Even worse, HackerOne restricts those who have submitted what HackerOne considers to be too many bug reports from submitting new ones.

Five companies, AOL, Finnair, Mailchimp, Venmo, and WordPress, didn't respond to the researchers at all.


More information: https://interestingengineering.com/how-to-keep-your-online-accounts-safe-from-sim-swapping-attacks
