What’s going on with security at PayPal?

216 points by levymetal over 2 years ago

29 comments

oefrha over 2 years ago
> So I have a complex password and TOPT to protect my account. Forget these, because PayPal’s default method of login is now a one-time code sent via SMS. Yes, the very same medium that is generally considered unsafe for two-factor authentication is used by PayPal as the only factor; bypassing both password and TOPT for what appears to be full access to your account. You cannot disable this method of login, and you cannot remove your phone number from your account.

> Tested in Incognito – as soon as you enter an email address to log into PayPal, an SMS is immediately sent and the phone number is revealed.

Just tested, can't reproduce. I get the standard email => password => TOTP flow. Also happened to have logged in yesterday on a new device, so pretty sure nothing changed between the blog post and now, at least not for me.

Maybe it's something being rolled out to more customers at the moment.
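The flow quoted above (a text message dispatched and part of the phone number shown as soon as an email address is typed, before any password) is the reverse of how a login should be ordered, and it also explains the unsolicited codes other commenters in this thread report receiving. As an added example, not code from the thread, the article or PayPal, the Python below sketches the defender-side design: no account-specific detail and no SMS before the password has been verified, TOTP preferred over SMS wherever the user enrolled it, SMS dispatch rate limited per account, and one uniform answer for unknown emails and wrong passwords. The account data, secrets, phone numbers, TTLs and limits are constructed placeholders; the TOTP routine is plain RFC 6238 over HMAC-SHA1.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field

SMS_LIMIT, SMS_WINDOW, SMS_TTL = 3, 600, 300   # assumed policy: 3 texts per 10 min, code valid 5 min

@dataclass
class Account:
    email: str
    pw_salt: bytes
    pw_hash: bytes
    phone: str                                      # SMS fallback target
    totp_secret: bytes | None = None                # set => TOTP is the second factor
    sms_sent_at: list[float] = field(default_factory=list)
    pending_sms: tuple[str, float] | None = None    # (code, expiry)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps): the code an authenticator app shows."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"

class LoginService:
    def __init__(self, accounts: list[Account]):
        self.accounts = {a.email: a for a in accounts}
        self.sms_outbox: list[tuple[str, str]] = []   # (phone, code) handed to the SMS gateway

    def begin(self, email: str, password: str, now: float) -> dict:
        """Step 1, password: same answer for unknown email and wrong password; nothing is sent or revealed before it."""
        acct = self.accounts.get(email)
        if acct is None:
            hash_password(password, b"\x00" * 16)   # spend the same time as a real check
            return {"status": "denied"}
        if not hmac.compare_digest(hash_password(password, acct.pw_salt), acct.pw_hash):
            return {"status": "denied"}
        if acct.totp_secret is not None:
            return {"status": "second_factor_required", "method": "totp"}
        # SMS only for accounts without TOTP, and rate limited per account.
        acct.sms_sent_at = [t for t in acct.sms_sent_at if now - t < SMS_WINDOW]
        if len(acct.sms_sent_at) < SMS_LIMIT:
            code = f"{secrets.randbelow(10 ** 6):06d}"
            acct.pending_sms = (code, now + SMS_TTL)
            acct.sms_sent_at.append(now)
            self.sms_outbox.append((acct.phone, code))
        # Same reply whether a text went out or was throttled; the number itself is never echoed.
        return {"status": "second_factor_required", "method": "sms"}

    def complete(self, email: str, code: str, now: float) -> bool:
        """Step 2: TOTP within +/-1 time step, or the single-use, time-limited SMS code."""
        acct = self.accounts.get(email)
        if acct is None:
            return False
        if acct.totp_secret is not None:
            return any(hmac.compare_digest(code, totp(acct.totp_secret, now + d)) for d in (-30, 0, 30))
        if acct.pending_sms is None:
            return False
        pending, expiry = acct.pending_sms
        acct.pending_sms = None   # one attempt per code, whether it succeeds or not
        return now <= expiry and hmac.compare_digest(code, pending)

TOTP_SECRET = b"constructed-totp-secret-20b"   # constructed, like every account below

def make_accounts() -> list[Account]:
    """Constructed sample users; no real accounts or phone numbers."""
    salt_a, salt_b = b"salt-a-16-bytes!", b"salt-b-16-bytes!"
    return [
        Account("totp-user@example.com", salt_a, hash_password("correct horse", salt_a),
                "+15555550123", totp_secret=TOTP_SECRET),
        Account("sms-user@example.com", salt_b, hash_password("battery staple", salt_b), "+15555550199"),
    ]

def demo() -> dict:
    svc, t0, out = LoginService(make_accounts()), 1_700_000_000.0, {}
    out["unknown"] = svc.begin("nobody@example.com", "x", t0)        # no hint that the email is unknown
    out["wrongpw"] = svc.begin("totp-user@example.com", "x", t0)     # identical to the unknown case
    out["texts_after_failures"] = len(svc.sms_outbox)                # 0: failed attempts send nothing
    out["totp_step"] = svc.begin("totp-user@example.com", "correct horse", t0)   # never falls back to SMS
    out["totp_ok"] = svc.complete("totp-user@example.com", totp(TOTP_SECRET, t0), t0)
    out["totp_stale"] = svc.complete("totp-user@example.com", totp(TOTP_SECRET, t0 - 90), t0)
    for i in range(4):                                                # 4th request in the window is throttled
        svc.begin("sms-user@example.com", "battery staple", t0 + i)
    out["texts_sent"] = len(svc.sms_outbox)
    code = svc.sms_outbox[-1][1]
    out["sms_then_replay"] = (svc.complete("sms-user@example.com", code, t0 + 5),
                              svc.complete("sms-user@example.com", code, t0 + 6))
    return out
```

Running `demo()` shows the properties the thread is asking for: two failed first steps produce zero texts and indistinguishable responses, the TOTP user is never downgraded to SMS, a code from three time steps ago is rejected, the fourth SMS request within the window is dropped without telling the requester, and an SMS code works once and cannot be replayed.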
paultopia over 2 years ago
I have never once given one of these valley payments companies my bank account information, and this sort of garbage is why. If I need to pay something via PayPal, Venmo, or whoever the hell else, I'll use a credit card and happily eat a 3% fee for doing so, and that's the price I pay to be able to tell Chase or Amex to handle it when some fraudster gets at my info rather than watch my bank account get drained.
m-ee over 2 years ago
The past week I've received two invoices for "bitcoin" in my rarely used paypal account. More deviously, the notes for the invoice contain the phone number to a fake paypal support center run by the scammers. So if you were savvy enough not to pay the invoice they might still steal your info when you call to dispute.

There's no way to report it through their website, because it's not a completed transaction. I didn't feel like waiting on hold so I sent a chat message and forwarded the email to phishing@paypal. One invoice still remains in my activity but says "no longer available" when I click on actions.

Already had me more paranoid about their security and now this comes out. My account still seems to be password + SMS thankfully.

EDIT - I didn't know you could even set up TOTP. Last time I used paypal SMS was the only option for 2FA.
rocqua over 2 years ago
I recall PayPal had a maximum password length when I first made my account.

Moreover, PayPal is the only financial institution I know that regularly sends emails with a juicy "click here to login" button. All other institutions are trying to teach "don't click links in emails that claim to be from us, only phishing mails will contain links".

I think imma close my PayPal.
hedora over 2 years ago
If true, this is borderline criminal incompetence.

However, I can't reproduce the issue described in the article.
mimimi31 over 2 years ago
I recently created a new PayPal account. Got locked out almost immediately after adding 2FA via TOTP. First login worked, on the second login I just got a message that they were unable to verify it's really me. When contacting customer service, I was told that this is a known problem and I should just write them an email so they can remove 2FA from my account and then readd it a few days later myself.

When signing up it also told me my provided contact details weren't correct because I had a forbidden special character in the password that I typed in the previous form. Took a while to figure that one out.
lokedhs over 2 years ago
After reading the discussion here I decided to delete my paypal account. So I attempted to log in, and it required me to provide a 2FA authentication using SMS. Problem is that I don't have access to the registered number anymore.

So now I can't log in, which prevents me from deleting the account.
WA over 2 years ago
I had the exact same flow: received an SMS instead of being asked for my TOTP, despite having enabled it.

I think I removed and re-added my Authenticator from PayPal’s settings and now it works again, never sending the SMS.

(This was about a year ago.)
throwawybllion over 2 years ago
No strong disagreements with the article, however... It's TOTP, not TOPT (a mistake made throughout the article). I am skeptical of the qualifications and much of the basis for complaint.

Using anything based on a phone for sole verification is inexcusable in any situation, but is that really the case with PayPal? I have an account with MFA and... I don't think that's true
httpz over 2 years ago
This exact thing happened to me a few months ago. There just wasn't a way to disable this One Time Code login either.

It doesn't seem to be happening right now though.
radicalriddler over 2 years ago
Wow, I had the same SMS yesterday and I actually just ended up completely closing my PayPal account because it seemed so ridiculous
bombcar over 2 years ago
2factor but with the convenience! We’ll invent zero factor!
JohnFen over 2 years ago
I've been getting spammed with these SMS codes. They've been baffling me because I use MFA, and didn't understand what mechanism could be sending me random codes. I'm glad I know now.

I hope PayPal fixes this shit soon. Not only is this a serious security problem, but the texts are incredibly annoying.

Oddly, I can't make it happen myself -- I don't get the screen being discussed -- but clearly some criminal somewhere does. Must be limited to certain geographic areas?
JonathanBeuys over 2 years ago
This confuses me about discussions like these on HN:

On the one hand, there are so many stories on HN complaining about incompetent and dystopian security practices in the financial industry.

And many tips on how to cope with it. Like not giving PayPal your bank account, rather pay 3% to put a credit card between PayPal and your bank account. And to keep your phone number secret to avoid sim swapping and PayPal exposing it.

It seems to be a fight between customers who are supposed to try and hide as much data as possible from the companies, because that data causes a threat to you, and the companies that try to get as much data as possible.

On the other hand, cryptographic solutions which put the user in control and do not expose any data to the outside world are frowned upon. To me, it seems the logical solution. I want a private key that only I know, and to be able to sign transactions with it without exposing any data.

If such a solution based on cryptography were widely used, I would hold a smallish amount of buying power on my "crypto wallet" and use that for day to day transactions, and regularly refill it directly from my bank account.

The best of both worlds: for my smallish day-to-day transactions, I am in full control of the security and privacy, and my savings stay on my bank, completely shielded from my day-to-day transactions.

Why does everyone on HN hate this approach?
muppetman over 2 years ago
My wife has been getting a bunch of these today. I still don't see what the potential problem is if an attacker has my wife's email (which I can imagine has been made public by 100 data breaches etc) and phone number. A bad actor can't use those to log into Paypal? You still need to GET the text message code. Is the risk a SIM Swapping attack?
stjohnswarts over 2 years ago
Anything that involves money or things of value I use my yubikey for. If they don't provide 2FA via that method I just look elsewhere. If it's a magazine or comments section? Who cares, use a mozmail temp address.
baby over 2 years ago
Haven’t used paypal in like 10 years. It was such a bad experience back then that I’ve done everything to avoid using it. Wondering how people are using paypal nowadays
laundermaf over 2 years ago
“Guessing the 5 missing digits” isn’t exactly trivial, there are thousands of combinations. In the US you might figure out the area code, but good luck if the person isn’t a local (or if you just entered a random email).

Also I don’t see the rest being true. If I only enter my phone number, it still asks for the password. And I can’t reset my password unless I also enter my email address.

I do agree though that probably they should just email me instead if I forgot the password.
richbell over 2 years ago
I wonder if PayPal uses Twilio to send these codes.
dreadlordbone over 2 years ago
I just did a test in an incognito window and I don't get an SMS message, but just a regular password prompt.
lambdasquirrel over 2 years ago
Believe it or not, PayPal has finally set up security keys and authenticator apps as a 2FA. This must have been recent. I remember trying to do this a year or two ago, after someone cracked my LinkedIn password (but not the 2FA), and 2FA was not available on PayPal at the time.
quickthrower2 over 2 years ago
This happened to me. They somehow got my password changed (maybe reset?). But no money taken. Had to call to get it resolved. Now added 2FA.
presto8 over 2 years ago
I just tried it on my account (private browsing window) and confirmed that 5 digits of my phone number were revealed.
fmajid over 2 years ago
PayPal’s stubborn refusal to implement U2F tells me all I need to know about their security: it’s pure theater.
kaeruct over 2 years ago
I cannot reproduce this on my account. Could it be specific to the US?
tylergetsay over 2 years ago
I received the same text this morning
devoutsalsa over 2 years ago
My recent PayPal experience:

- try to pay for rental car in Mexico
- transaction declined
- get email saying account permanently locked
- get 2nd email w/ link to unblock (says click on unblock notification)
- no notification
- chatbot asks if I want help, redirects me to help page
- help page contains none of the following: unblock, unlock, locked
- chatbot asks if I still need help, says I have to call
- call link redirects to account home page
yjftsjthsd-h over 2 years ago
> PayPal’s default method of login is now a one-time code sent via SMS

> You cannot disable this method of login, and you cannot remove your phone number from your account.

Well. I'm used to thinking poorly of PayPal, but that's remarkable. Wonder if someone lost money if they could take PayPal to court on account of what could be argued as negligence? (Or maybe not; IANAL for a reason.)
prvit over 2 years ago
This is silly. Nobody is going to sim swap you to steal your paypal funds, getting the money out is way too difficult.