科技回声 (Tech Echo)

A tech-news platform built on Next.js, mirroring global tech news and discussion (source: the Hacker News API).
PayPal Allows Bypassing Two-Factor Authentication with a Button Click

198 points by archb, over 2 years ago

26 comments

insanitybit, over 2 years ago

Unfortunately, it seems that PayPal requires a phone number regardless of 2FA method, and there is indeed no way to disable this insane feature.

Seems like maybe a good idea for a class action lawsuit? I'm not sure what to do about that. A company shouldn't be able to do this and still meet compliance obligations.

I'll have to delete my account, unfortunately.

edit:

1. I didn't give PayPal my phone number so that they could use it for this. I gave it to them for banking purposes only. I wonder if this constitutes a GDPR violation?

2. I wonder if contacting their auditors would do anything.

3. Maybe email some of the politicians who care about this stuff - Ron Wyden, Elizabeth Warren?
supernova87a, over 2 years ago

I am similarly annoyed by Bank of America. They allow you to enroll a Yubikey for login, making it seem like they have a high level of security.

But then on the login screen they moronically offer a one-click bypass of it, asking if you want to log in by SMS instead. What's the fucking point of a Yubikey then!?
akdor1154, over 2 years ago

What's harder, finding the phone number of a PayPal board member, or cloning it? Either way, that's probably the quickest way to get this addressed; unfortunate you'll need to commit a felony to do it.
tcmb, over 2 years ago

I'm not seeing the 'login with an OTP' option that TFA complains about, also not in a private tab. I was using the fake elonmusk address from the article and also tried over a VPN pretending to come from the US (I'm actually located in the EU).

Also, I don't like the condescending tone of the article, implying that everyone at PayPal is a moron who has no idea what they're doing.
oktoberpaard, over 2 years ago

> most new iPhones and Android phones by default will display the actual contents of your messages on the lock screen

On iPhones by default the contents are only shown after your face is recognized by FaceID.

That being said, I don't like to have one-factor authentication tied to my phone number, especially not when I've enabled two-factor authentication in the settings. I guess the logic behind this decision is that they see your password as the weakest link, so for them 2FA is not so much about having a second factor, but about not being able to use the password as the only factor.
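The comment above frames the problem as which single thing an attacker needs to hold, rather than how many factors the user enrolled. Below is an added example, not code from the thread or from PayPal, that audits a login policy from that angle. The credential-to-asset mapping and both policy tables are assumptions modelling the behaviour discussed (a password plus 2FA account that can also be opened with a one-time code delivered to the phone number); it goes slightly beyond the comment by also computing the smallest set of assets that opens the account under each policy.

```python
"""Audit an account's accepted login paths by which assets an attacker would
need to hold to walk down each one.

Added example, not code from the thread or from PayPal. The policies and the
credential-to-asset mapping below are assumptions that model the behaviour
discussed: a password plus 2FA account that can also be opened with a
one-time code delivered to the phone number.
"""
from itertools import combinations

# Assumption: which compromised asset lets an attacker produce each credential.
# An SMS code can be read from a stolen or unlocked phone or, after a SIM swap
# or number port, from the phone number itself.
CREDENTIAL_SOURCES = {
    "password": {"memory"},                   # phished, reused or guessed
    "totp": {"phone"},                        # authenticator app on the handset
    "sms_otp": {"phone", "phone_number"},
    "fido_key": {"security_key"},
}

# A policy is a list of credential sets; presenting any one set logs you in.
PAYPAL_STYLE = [
    {"password", "totp"},
    {"password", "fido_key"},
    {"sms_otp"},             # the "log in with a one-time code" button
]

STRICT = [                   # same policy with the SMS-only path removed
    {"password", "totp"},
    {"password", "fido_key"},
]


def all_assets():
    return sorted(set().union(*CREDENTIAL_SOURCES.values()))


def unlocks(path, held):
    """True if every credential on `path` can be produced from the `held` assets."""
    return all(CREDENTIAL_SOURCES[cred] & held for cred in path)


def single_asset_breaches(policy):
    """Assets whose compromise alone satisfies some accepted path.
    An empty set means every accepted path really needs two separate things."""
    return {a for a in all_assets() if any(unlocks(p, {a}) for p in policy)}


def minimum_assets(policy):
    """Smallest number of distinct assets that opens the account, plus the
    asset sets of that size that do it. This is what an attacker optimises,
    not the factor count of the path the legitimate user happens to use."""
    assets = all_assets()
    for k in range(1, len(assets) + 1):
        hits = [set(combo) for combo in combinations(assets, k)
                if any(unlocks(p, set(combo)) for p in policy)]
        if hits:
            return k, hits
    return 0, []


if __name__ == "__main__":
    for name, policy in (("PayPal-style", PAYPAL_STYLE), ("strict", STRICT)):
        k, hits = minimum_assets(policy)
        print(f"{name}: single-asset breaches = {sorted(single_asset_breaches(policy))}, "
              f"minimum assets = {k} via {hits}")
```

Under the PayPal-style table the phone number alone (or the handset alone) is enough, so the account is one-factor for anyone who can receive its SMS, whatever the user enrolled; the strict table needs two unrelated assets on every path.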
andyjohnson0, over 2 years ago

On my phone (Android, Moto Edge) the contents of text messages are hidden on the lock screen. I'm pretty certain that this is the default behaviour in recent versions of Android that I've seen.

So, at least for me, anyone who stole my phone for the purpose of hacking my PayPal account would still need my fingerprint or unlock pattern. Someone with a non-smart phone will have a different experience though.

And yeah, SMS is a poor choice from a technical POV, but I can see why they did it for a mass-market service.
amluto, over 2 years ago

Sadly there's another system that *really* should know better with terrible 2FA policies: Amazon AWS. The mechanism for protecting an AWS root account is not quite as bad as PayPal, but it's not much better.

AWS should offer the ability to enroll multiple second-factor devices and to configure a policy for what subsets of them can log in. But they don't even come close, and their actual capabilities are far worse than, say, Gmail or GitHub.
bbarnett, over 2 years ago

I find it absurd that after I log in, or buy something, they send me an email saying:

--

Since we recognize this device, you'll continue to stay logged in, so you can skip typing your password during certain activities such as check out.

--

What?!

And there is no opt out, except for you to set a cookie saying you don't want that.

Hello?! How will I have a cookie for that at $random.place?

They literally care nothing about security.
mackrevinack, over 2 years ago

PayPal's security has always perplexed me a bit. Last time I checked, a few years ago, they still limited you to a 20-character password, which is annoying because I would rather use a passphrase so it's quicker to type in, but I wouldn't be comfortable using only 20 characters for something like a bank.

For comparison, Instagram at the time allowed 250 characters.
orangepanda, over 2 years ago

Reminds me of how on Stripe's dashboard I keep getting prompted for a password; I can just click cancel and everything continues working fine. Anyone know what's up with that?
TonyTrapp, over 2 years ago

Ask HN: Is anyone else seeing a steep increase in CAPTCHA and SMS verification prompts on PayPal lately? Yesterday alone I was sent two SMSes and had to solve at least one CAPTCHA. All from the same machine that I always use. It's really getting to a point where I'd rather use an alternative payment service when it's possible to do so.

Edit: Oh, and every time that happens I get a mail that there is a login with a new device from "dusseldorf nw de". No, I don't live in Düsseldorf, not even close. The fact that they misspell the name and that their GeoIP is reliably off doesn't inspire any more confidence.
yumswiss, over 2 years ago

I guess there is a trade-off here of having strong security but then users being completely locked out, or falling back to SMS, which defeats the purpose of stronger auth like Yubikeys. There should at least be an option to disable SMS for auth. Another option is to call up your telco and ask them to only port a number if you are physically present and verified in a store. This wouldn't protect against an insider at the telco, but at least against common threats.
jonny_eh, over 2 years ago

I didn't even make it halfway through the article before I logged into PayPal and removed my payment info.

Strangely though, when I logged in I wasn't prompted to use a one-time code.
ergonaught, over 2 years ago

PayPal has been doing a number of thoughtless things in this area recently. They are determined that my devices are "trusted", despite the owner of those devices not trusting them at all. They are continually trying to persuade me to stop using my passwords and such. I mean, it's only direct access to withdraw funds from my bank account, why would that need to be secure, amirite? Mystifying.
witrak, over 2 years ago

Strangely, half of the discussion concentrates on the arguments for and against the alleged (in)security of the PayPal solution in general cases, while obviously the solution quality can be decided in a specific context. At the same time nearly nobody addressed the real source of PayPal's stupidity: the fact that the "feature" can't be permanently disabled.
Havoc, over 2 years ago

That's pretty wild.

I've seen mechanisms on some sites like my energy provider... but I doubt the crooks feel like paying my energy bills, so whatever.
yoaviram, over 2 years ago

> The only recourse in the meantime is to close your PayPal account.

Except PayPal does not monitor the only email address it lists on its own website, the one designated for the purpose of sending them data deletion or access requests:

https://twitter.com/ConsciousDigit/status/1587824741766889477?t=j1OOiJSB1Tg9x_SC5DkMwA&s=19

(Source: my nonprofit runs YourDigitalRights.org, where we make it easy to send the likes of PayPal data deletion requests under the GDPR / CCPA etc.)
switch007, over 2 years ago

This was a good reminder that I've been meaning to close my PayPal account for a while. It was a suspiciously easy process.
bubblethink, over 2 years ago

This has been reported before, and in my experience, it's a sales funnel/conversion thing. You will likely not see this if you go to paypal.com. Rather, this will show up when you click on the 'buy with paypal' button on a third-party site. It is pretty stupid, but I also blame the general population equally. People are just so bad with any type of password management, 2FA stuff, or general web hygiene that companies resort to stupid shit like this. This is also made worse from a few different angles. In places like the US, most users use an iPhone and have no idea about the differences between SMS or iMessage or what any of the moving pieces are. They just know something is a 'text'. On the other hand, in places like India, the government has crippled everything to such an extent that you cannot function without SMS-based 2FA. We'll be stuck with SMS-based logins and 2FA for a very long time.
cyberia23424, over 2 years ago

This seems way too insecure. Could a bad actor exploit this with a massive list of emails and random codes? Even when you have like 5 tries from 1,000,000 combinations, someone's likely to get hacked with this...
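To put numbers on the question above, here is an added example (not code from the thread or from PayPal) that computes what random-code spraying yields against a 6-digit code and shows the per-code attempt budget a verifier needs so that "5 tries" really means five. The code length, the attempt limit and the account counts are assumptions chosen to match the figures in the comment.

```python
"""Random-code spraying against a 6-digit one-time code: what it yields, and
the server-side budget that bounds it.

Added example, not from the thread or from PayPal. The code length, the
attempt limit and the account count are assumptions chosen to match the
figures in the comment above (5 tries, 1,000,000 possible codes).
"""
import hmac
import secrets

CODE_DIGITS = 6
CODE_SPACE = 10 ** CODE_DIGITS


def per_account_success(attempts, code_space=CODE_SPACE):
    """Probability that `attempts` distinct guesses hit one fixed random code."""
    return min(attempts, code_space) / code_space


def expected_compromised(accounts, attempts, code_space=CODE_SPACE):
    """Expected number of accounts opened when each is sprayed `attempts` times.
    Every account is an independent trial, so this is linear in `accounts`:
    the per-account odds are tiny, but the attacker chooses how many to try."""
    return accounts * per_account_success(attempts, code_space)


class OtpVerifier:
    """Issues one code per account and allows `max_attempts` guesses against it.
    Once the budget is spent the code is discarded, so guessing cannot continue
    against it; the attacker needs a fresh code, which means a fresh delivery
    that the legitimate user will see."""

    def __init__(self, max_attempts=5):
        self.max_attempts = max_attempts
        self._codes = {}     # account -> (code, wrong guesses so far)

    def issue(self, account):
        code = f"{secrets.randbelow(CODE_SPACE):0{CODE_DIGITS}d}"
        self._codes[account] = (code, 0)
        return code

    def attempts_left(self, account):
        if account not in self._codes:
            return 0
        return self.max_attempts - self._codes[account][1]

    def verify(self, account, guess):
        """`guess` is the digit string the client submitted."""
        entry = self._codes.get(account)
        if entry is None:
            return False            # no live code: never issued, used, or burned
        code, failures = entry
        # Constant-time compare so response timing does not leak matching prefixes.
        if hmac.compare_digest(code, str(guess)):
            del self._codes[account]    # single use
            return True
        failures += 1
        if failures >= self.max_attempts:
            del self._codes[account]    # budget spent: burn the code
        else:
            self._codes[account] = (code, failures)
        return False


if __name__ == "__main__":
    print(f"one account, 5 tries: p = {per_account_success(5):.0e}")
    print(f"1,000,000 accounts, 5 tries each: "
          f"~{expected_compromised(1_000_000, 5):.0f} expected compromised")
```

The per-account odds are 5 in a million, but spraying a list of a million addresses still yields about five accounts in expectation, which is why the budget has to be enforced per issued code (not per session or source IP) and the code discarded once it is spent.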
kkfx, over 2 years ago

I do not hate passwords, but I hate those who hate them and push with such an excuse the mandatory use of smartphones.

I do HATE those who state a crappy Android/iOS OTP app is safer than an offline hardware token just because, thanks to their app, they can also ask for permission for extra stuff like accessing phone location history, contacts etc., all with plausible excuses (that happens in most EU countries with banks' crapplications) and so on.

ANYTHING tied to closed-source connected platforms can't be secure. That's it.
bheadmaster, over 2 years ago

I'm glad I've never used PayPal, and I probably never will. Their decisions just seem to go from bad to worse.
andyjohnson0, over 2 years ago

Having just added a Yubikey as a PayPal 2FA device, it now appears that PayPal only supports one key. Not great.
fatneckbeardz, over 2 years ago

I have a Yubikey (USB hardware dongle) for PayPal and it doesn't have this one-time option?

Cannot reproduce bug.
paulpauper, over 2 years ago

Maybe it cross-references with the IP of past logins. So it would not work from a different area.
magic_hamster, over 2 years ago

This reads a bit like an alarmist scare. The only real complaint the author has, despite linking it several times, is that SMS is hackable. This is true to some extent, as SIM cloning isn't a straightforward hack and is largely based on social engineering. Still, it doesn't really matter for two reasons.

First, common attackers are opportunistic and they are unlikely to know your phone number. Even if they did, it would take skill and effort to clone your SIM. For this to happen you need to be targeted as an individual, and that's a different scenario from random PayPal attacks.

Second, PayPal aren't stupid, and they have to be aware of SIM cloning. They also have data that we don't. Looking at their data and the probability of an attacker carrying out SIM cloning, they must have decided the cost of probable cases is acceptable if and when these attacks take place. Or that it's fairly rare to actually happen.

Besides, this option isn't available to all users, so there might be more going on than we realize.

I understand the author is upset that they can't set a single TFA channel to be used exclusively. But I think the real gripe here is that the author feels a loss of control rather than a massive security issue.