> So I have a complex password and TOPT to protect my account. Forget these, because PayPal’s default method of login is now a one-time code sent via SMS. Yes, the very same medium that is generally considered unsafe for two-factor authentication is used by PayPal as the only factor; bypassing both password and TOPT for what appears to be full access to your account. You cannot disable this method of login, and you cannot remove your phone number from your account.
> Tested in Incognito – as soon as you enter an email address to log into PayPal, an SMS is immediately sent and the phone number is revealed.
Just tested, can't reproduce. I get the standard email => password => TOTP flow. Also happened to have logged in yesterday on a new device, so pretty sure nothing changed between the blog post and now, at least not for me.
Maybe it's something being rolled out to more customers at the moment.
I have seen this for weeks/months now. It happens when you are about to make a purchase. So for instance, if you click on pay with paypal on a different website, it shows up, presumably to reduce friction or improve clickthrough.
I've been getting this off and on for a while now. It never proactively sent me the SMS, but it yanks me out of the normal auth flow and asks if I want to authenticate by text, making me click a button to just use my password + 2FA.
I have never once given one of these valley payments companies my bank account information, and this sort of garbage is why. If I need to pay something via PayPal, Venmo, or whoever the hell else, I'll use a credit card and happily eat a 3% fee for doing so, and that's the price I pay to be able to tell Chase or Amex to handle it when some fraudster gets at my info rather than watch my bank account get drained.
In Germany (Europe?) it's not allowed to charge additional fees for using a credit/debitcard. However even bank transactions that were externally charged from your account can be reversed for up to 6 weeks.
The past week I've received two invoices for "bitcoin" in my rarely used paypal account. More deviously, the notes for the invoice contain the phone number to a fake paypal support center run by the scammers. So if you were savvy enough not to pay the invoice they might still steal your info when you call to dispute.
There's no way to report it through their website, because it's not a completed transaction. I didn't feel like waiting on hold so I sent a chat message and forwarded the email to phishing@paypal. One invoice still remains in my activity but says "no longer available" when I click on actions.
Already had me more paranoid about their security and now this comes out. My account still seems to be password + SMS thankfully.
EDIT- I didn't know you could even set up TOTP. Last time I used paypal SMS was the only option for 2FA.
For a long time you couldn't. They supported Symantec's app, which was TOTP but obfuscated. So for a long time, you had to extract/reverse engineer the seed from the Symantec app.
I recall PayPal had a maximum password length when I first made my account.
Moreover, PayPal is the only financial institution I know that regularly sends emails with a juicy "click here to login" button. All other institutions are trying to teach "don't click links in emails that claim to be from us, only phishing mails will contain links".
The author says when you enter an email, an SMS is sent and number revealed.
What really happens is that it asks me for a password. Below that there's an option to get a one time code. Clicking that reveals the first digit of the area code, then the last 4 digits. You must then click yet again to make it actually send.
So in short, it didn't immediately send an SMS and never showed the full number.
I recently created a new PayPal account. Got locked out almost immediately after adding 2FA via TOTP. First login worked, on the second login I just got a message that they were unable to verify it's really me. When contacting customer service, I was told that this is a known problem and I should just write them an email so they can remove 2FA from my account and then readd it a few days later myself.
When signing up it also told me my provided contact details weren't correct because I had a forbidden special character in the password that I typed in the previous form. Took a while to figure that one out.
After reading the discussion here I decided to delete my paypal account. So I attempted to log in, and it required me to provide a 2FA authentication using SMS. Problem is that I don't have access to the registered number anymore.
So now I can't log in, which prevents me from deleting the account.
I had a similar problem for nine months before I could get hold of someone at PayPal. At that moment I was so angry that I chose to close my account. I also don't support businesses that use Bitcoin.
In my case, I had got 2FA through being called by an automated voice giving me a OTP. However, my number in their database had somehow been mangled with a 0 before the country code, so the 2FA had attempted to use the country code as a domestic area code.
BTW. The support assistant on the phone was a young person who had never used land-lines and did not understand what an "area code" was, so I had to explain it to her.
No strong disagreements with the article, however... It's TOTP, not TOPT (a mistake made throughout the article). I am skeptical of the qualifications and much of the basis for complaint.
Using anything based on a phone for sole verification is inexcusable in any situation, but is that really the case with PayPal? I have an account with MFA and... I don't think that's true
OP here - thanks for pointing that out, for some reason when I try to type TOTP my fingers keep defaulting to TOPT - some kind of muscle memory I guess. In any case, this has been corrected, although I'm unsure how a simple spelling mistake discredits the basis for the complaint.
> I have an account with MFA and... I don't think that's true
Try log in using Incognito/private browser. I am either defaulted into the one-time SMS flow, or given the option to log in with a one-time SMS code. In either case, if I enter the SMS code I am not prompted for my password nor TOTP.
I've been getting spammed with these SMS codes. They've been baffling me because I use MFA, and didn't understand what mechanism could be sending me random codes. I'm glad I know now.
I hope PayPal fixes this shit soon. Not only is this a serious security problem, but the texts are incredibly annoying.
Oddly, I can't make it happen myself -- I don't get the screen being discussed -- but clearly some criminal somewhere does. Must be limited to certain geographic areas?
This confuses me about discussions like these on HN:
On the one hand, there are so many stories on HN complaining about incompetent and dystopian security practices in the financial industry.
And many tips on how to cope with it. Like not giving PayPal your bank account, rather pay 3% to put a credit card between PayPal and your bank account. And to keep your phone number secret to avoid sim swapping and PayPal exposing it.
It seems to be a fight between customers who are supposed to try and hide as much data as possible from the companies. Because that data causes a threat to you. And the companies that try to get as much data as possible.
On the other hand, cryptographic solutions which put the user in control and do not expose any data to the outside world are frowned upon. To me, it seems the logical solution. I want a private key, that only I know. And to be able to sign transactions with it without exposing any data.
If such a solution based on cryptography would be widely used, I would hold a smallish amount of buying power on my "crypto wallet" and use that for day to day transactions. And regularly refill it directly from my bank account.
The best of both worlds: For my smallish day-to-day transactions, I am in full control of the security and privacy. And my savings stay on my bank, completely shielded from my day-to-day transactions.
I can't claim to speak for "everyone", but I was a crypto fanboy in the early days, when it seemed destined to be an actual currency, which would be great for all the reasons you mention.
But at some point it all went off the rails: crypto became a deeply rigged casino targeting the most vulnerable people they could find, fueled by insane amounts of energy consumption and money laundering.
Because at the end of the day PayPal is better for the average consumer than a solution where somebody needs to handle a private key.
A lot of tech savvy people lost money due to losing their keys. Now imagine the disaster if your mother needs to handle them.
Payment solutions are also heavily regulated, often also in favour of the consumer. If my bank goes bankrupt or gets hacked I have much better garuantees of getting my money back compared to when I lose my private key.
The final reason (in my opinion) that "private key solutions" are not adding much is that to legally use it you need to comply with the regulations for traditional finance. Hosting an exchange without KYC can be considered illigal in many western countries.
Want to advocate for less regulations in finance? Sure, that's a valid political opinion. But you need to go into political solutions for that, not technological ones.
> I want a private key, that only I know. And to be able to sign transactions with it without exposing any data. Why does everyone on HN hate this approach?
Because, in general, key management is hard, and your average user will likely not be able to understand such a flow, and will additionally probably lose their private key.
PayPal already has a pretty reasonable way to secure accounts: username+password+TOTP (using an app for the OTPs, not SMS). No, it's not perfect, and can be phished, but for most people it will be good enough. People who care about the phishing risk can use a FIDO2 hardware token instead of TOTP. All of this is common and widely-implemented enough that it's feasible to require that users do this.
But instead, probably in the name of reducing payment friction, they have decided on this horribly insecure method as described by OP. Ugh.
Cryptocurrencies are what you obviously mean by your "a solution based on cryptography" phrase.
As they exist now, they are even more difficult to use safely and securely. For every one person who gets hacked via paypal's SMS crap and a simswap, there would be 50 people who would lose their crypto wallet to dropping their phone in the river and forgetting the passphrase.
It's perfectly consistent to have issues with cryptocurrency and with other centralized financial institutions since they both have awful security models for the average person. Financial institutes are too insecure, and crypto is too unusable.
I, personally, would like the government to provide a universal authorization server ("log in with GovID" or whatever), and require all banks in the country to support that auth mechanism, and then ensure that mechanism is both incredibly secure, but also has suitable fallbacks to recover access.
The government is uniquely positioned to be able to do that in theory, if only the government weren't wildly allergic to doing _anything_.
I'll settle for a bank that does not ever fall back to SMS and supports webauthn so I can use my yubikey, and fortunately such banks do exist, so things aren't actually so bad. As long as I don't use paypal or various other less competent software.
My wife has been getting a bunch of these today. I still don't see what the potential problem is if an attacker has my wife's email (which I can imagine has been made public by 100 data breaches etc) and phone number. A bad actor can't use those to log into Paypal? You still need to GET the text message code.
Is the risk a SIM Swapping attack?
If nothing else, it's information disclosure; you should not be able to go from having a person's email address to having even part of their phone number.
Anything that involves money or things of value I use my yubikey for. If they don't provide 2FA via that method I just look elsewhere. If it's a magazine or comments section? who cares, use a mozmail temp address.
It's not about 2FA though. The problem is that PayPal allows users to log in via a one-time code sent via SMS, without the need to enter their password or TOTP (I assume this extends to hardware keys as well). They're doing 1FA over SMS and there's no way to opt out.
Haven’t used paypal in like 10 years. It was such a bad experience bad then that I’ve done everything to avoid using it. Wondering how people are using paypal nowadays
“Guessing the 5 missing digits” isn’t exactly trivial, there are thousands of combinations. In the US you might figure out the area code, but good luck if the person isn’t a local (or if you just entered a random email).
Also I don’t see the rest being true. If I only enter my phone number, it still asks for the password. And I can’t reset my password unless I also enter my email address.
I do agree though that probably they should just email me instead if I forgot the password.
Believe it or not, PayPal has finally set up security keys and authenticator apps as a 2FA. This must have been recent. I remember trying to do this a year or two ago, after someone cracked my LinkedIn password (but not the 2FA), and 2FA was not available on PayPal at the time.
Too much software development is getting divvied into different product development groups, and collectively it leads to the creation of flows through the product that make literally no sense, yet all of the smaller parts are seemingly fine, because nobody is the thinking of macro-level experience.
I always love when it's clear that nobody has ever actually tried an option.
I once paid for internet via public wifi for a time. When my CC expired and it was time to renew... that was literally impossible because of how they redirected you to their paywall when you tried to visit anything else. Even if you were trying to go to the billing page to renew. So you literally couldn't pay them. Oh, and even if you had other internet access, that wouldn't work either, because the billing site was nowhere on the open internet, only via the municipal wifi.
Or there are similar loops in Amazon's help system, where they make it hard to get a human and it just loops you around the same sets of options when you tell it that it's not working right. So you have to swear at it to see if you can trigger the algorithms to detect frustration and get you out.
And those aren't even deliberate, like the dark patterns some places engage when you try to cancel a service.
> PayPal’s default method of login is now a one-time code sent via SMS
> You cannot disable this method of login, and you cannot remove your phone number from your account.
Well. I'm used to thinking poorly of PayPal, but that's remarkable. Wonder if someone lost money if they could take PayPal to court on account of what could be argued as negligence? (Or maybe not; IANAL for a reason.)
Likely not. Most companies auto-enroll you into binding arbitration agreements now. If you ever want to opt out of it, you have a small window where you need to print out forms, sign them, and snail mail them. Kind of the opposite philosophy of SMS to login.
oefrha|3 years ago
> Tested in Incognito – as soon as you enter an email address to log into PayPal, an SMS is immediately sent and the phone number is revealed.
Just tested, can't reproduce. I get the standard email => password => TOTP flow. Also happened to have logged in yesterday on a new device, so pretty sure nothing changed between the blog post and now, at least not for me.
Maybe it's something being rolled out to more customers at the moment.
levymetal|3 years ago
bubblethink|3 years ago
I have seen this for weeks/months now. It happens when you are about to make a purchase. So for instance, if you click on pay with paypal on a different website, it shows up, presumably to reduce friction or improve clickthrough.
spiffytech|3 years ago
CrimsonRain|3 years ago
paultopia|3 years ago
tomschwiha|3 years ago
quickthrower2|3 years ago
But why have the middleman if you can a avoid it.
udkl|3 years ago
gjs278|3 years ago
[deleted]
m-ee|3 years ago
There's no way to report it through their website, because it's not a completed transaction. I didn't feel like waiting on hold so I sent a chat message and forwarded the email to phishing@paypal. One invoice still remains in my activity but says "no longer available" when I click on actions.
Already had me more paranoid about their security and now this comes out. My account still seems to be password + SMS thankfully.
EDIT- I didn't know you could even set up TOTP. Last time I used paypal SMS was the only option for 2FA.
bubblethink|3 years ago
For a long time you couldn't. They supported Symantec's app, which was TOTP but obfuscated. So for a long time, you had to extract/reverse engineer the seed from the Symantec app.
rocqua|3 years ago
Moreover, PayPal is the only financial institution I know that regularly sends emails with a juicy "click here to login" button. All other institutions are trying to teach "don't click links in emails that claim to be from us, only phishing mails will contain links".
I think imma close my PayPal.
hedora|3 years ago
However, I can't reproduce the issue described in the article.
silisili|3 years ago
The author says when you enter an email, an SMS is sent and number revealed.
What really happens is that it asks me for a password. Below that there's an option to get a one time code. Clicking that reveals the first digit of the area code, then the last 4 digits. You must then click yet again to make it actually send.
So in short, it didn't immediately send an SMS and never showed the full number.
mimimi31|3 years ago
When signing up it also told me my provided contact details weren't correct because I had a forbidden special character in the password that I typed in the previous form. Took a while to figure that one out.
lokedhs|3 years ago
So now I can't log in, which prevents me from deleting the account.
Findecanor|3 years ago
In my case, I had got 2FA through being called by an automated voice giving me a OTP. However, my number in their database had somehow been mangled with a 0 before the country code, so the 2FA had attempted to use the country code as a domestic area code.
BTW. The support assistant on the phone was a young person who had never used land-lines and did not understand what an "area code" was, so I had to explain it to her.
b800h|3 years ago
s_dev|3 years ago
WA|3 years ago
I think I removed and re-added my Authenticator from PayPal’s settings and now it works again, never sending the SMS.
(This was about a year ago.)
throwawybllion|3 years ago
Using anything based on a phone for sole verification is inexcusable in any situation, but is that really the case with PayPal? I have an account with MFA and... I don't think that's true
levymetal|3 years ago
> I have an account with MFA and... I don't think that's true
Try log in using Incognito/private browser. I am either defaulted into the one-time SMS flow, or given the option to log in with a one-time SMS code. In either case, if I enter the SMS code I am not prompted for my password nor TOTP.
httpz|3 years ago
I doesn't seem to be happening right now though.
radicalriddler|3 years ago
bombcar|3 years ago
JohnFen|3 years ago
I hope PayPal fixes this shit soon. Not only is this a serious security problem, but the texts are incredibly annoying.
Oddly, I can't make it happen myself -- I don't get the screen being discussed -- but clearly some criminal somewhere does. Must be limited to certain geographic areas?
JonathanBeuys|3 years ago
On the one hand, there are so many stories on HN complaining about incompetent and dystopian security practices in the financial industry.
And many tips on how to cope with it. Like not giving PayPal your bank account, rather pay 3% to put a credit card between PayPal and your bank account. And to keep your phone number secret to avoid sim swapping and PayPal exposing it.
It seems to be a fight between customers who are supposed to try and hide as much data as possible from the companies. Because that data causes a threat to you. And the companies that try to get as much data as possible.
On the other hand, cryptographic solutions which put the user in control and do not expose any data to the outside world are frowned upon. To me, it seems the logical solution. I want a private key, that only I know. And to be able to sign transactions with it without exposing any data.
If such a solution based on cryptography would be widely used, I would hold a smallish amount of buying power on my "crypto wallet" and use that for day to day transactions. And regularly refill it directly from my bank account.
The best of both worlds: For my smallish day-to-day transactions, I am in full control of the security and privacy. And my savings stay on my bank, completely shielded from my day-to-day transactions.
Why does everyone on HN hate this approach?
thematrixturtle|3 years ago
But at some point it all went off the rails: crypto became a deeply rigged casino targeting the most vulnerable people they could find, fueled by insane amounts of energy consumption and money laundering.
LeetHacks|3 years ago
A lot of tech savvy people lost money due to losing their keys. Now imagine the disaster if your mother needs to handle them.
Payment solutions are also heavily regulated, often also in favour of the consumer. If my bank goes bankrupt or gets hacked I have much better garuantees of getting my money back compared to when I lose my private key.
The final reason (in my opinion) that "private key solutions" are not adding much is that to legally use it you need to comply with the regulations for traditional finance. Hosting an exchange without KYC can be considered illigal in many western countries.
Want to advocate for less regulations in finance? Sure, that's a valid political opinion. But you need to go into political solutions for that, not technological ones.
kelnos|3 years ago
Because, in general, key management is hard, and your average user will likely not be able to understand such a flow, and will additionally probably lose their private key.
PayPal already has a pretty reasonable way to secure accounts: username+password+TOTP (using an app for the OTPs, not SMS). No, it's not perfect, and can be phished, but for most people it will be good enough. People who care about the phishing risk can use a FIDO2 hardware token instead of TOTP. All of this is common and widely-implemented enough that it's feasible to require that users do this.
But instead, probably in the name of reducing payment friction, they have decided on this horribly insecure method as described by OP. Ugh.
TheDong|3 years ago
As they exist now, they are even more difficult to use safely and securely. For every one person who gets hacked via paypal's SMS crap and a simswap, there would be 50 people who would lose their crypto wallet to dropping their phone in the river and forgetting the passphrase.
It's perfectly consistent to have issues with cryptocurrency and with other centralized financial institutions since they both have awful security models for the average person. Financial institutes are too insecure, and crypto is too unusable.
I, personally, would like the government to provide a universal authorization server ("log in with GovID" or whatever), and require all banks in the country to support that auth mechanism, and then ensure that mechanism is both incredibly secure, but also has suitable fallbacks to recover access.
The government is uniquely positioned to be able to do that in theory, if only the government weren't wildly allergic to doing _anything_.
I'll settle for a bank that does not ever fall back to SMS and supports webauthn so I can use my yubikey, and fortunately such banks do exist, so things aren't actually so bad. As long as I don't use paypal or various other less competent software.
quickthrower2|3 years ago
Biggest problem is losing the key. Also how to sync the key between devices. Not get tricked into giving it away.
Best case might be a authenticator type of app piggy backing on your phones physical and electronic security.
Most people look after their phones. Then maybe they back up somewhere else.
muppetman|3 years ago
bombcar|3 years ago
“We’re verifying your account, please read the number I’m about to send you.”
This is made worse because actual banks actually do this.
yjftsjthsd-h|3 years ago
adrr|3 years ago
stjohnswarts|3 years ago
levymetal|3 years ago
baby|3 years ago
laundermaf|3 years ago
Also I don’t see the rest being true. If I only enter my phone number, it still asks for the password. And I can’t reset my password unless I also enter my email address.
I do agree though that probably they should just email me instead if I forgot the password.
richbell|3 years ago
jonas-w|3 years ago
unknown|3 years ago
[deleted]
dreadlordbone|3 years ago
lambdasquirrel|3 years ago
zhfliz|3 years ago
i've been using totp for a long time but webauthn has been long overdue.
unknown|3 years ago
[deleted]
quickthrower2|3 years ago
presto8|3 years ago
fmajid|3 years ago
kaeruct|3 years ago
tylergetsay|3 years ago
devoutsalsa|3 years ago
- try to pay for rental car in Mexico
- transaction declined
- get email saying account permanently locked
- get 2nd email w/ link to unblock (says click on unblock notification)
- no notification
- chatbot asks if I want help, redirects me to help page
- help page contains none of the following: unblock, unlock, locked
- chatbot asks if I still need help, says I have to call
- call link redirects to account home page
88913527|3 years ago
Natsu|3 years ago
I once paid for internet via public wifi for a time. When my CC expired and it was time to renew... that was literally impossible because of how they redirected you to their paywall when you tried to visit anything else. Even if you were trying to go to the billing page to renew. So you literally couldn't pay them. Oh, and even if you had other internet access, that wouldn't work either, because the billing site was nowhere on the open internet, only via the municipal wifi.
Or there are similar loops in Amazon's help system, where they make it hard to get a human and it just loops you around the same sets of options when you tell it that it's not working right. So you have to swear at it to see if you can trigger the algorithms to detect frustration and get you out.
And those aren't even deliberate, like the dark patterns some places engage when you try to cancel a service.
yjftsjthsd-h|3 years ago
> You cannot disable this method of login, and you cannot remove your phone number from your account.
Well. I'm used to thinking poorly of PayPal, but that's remarkable. Wonder if someone lost money if they could take PayPal to court on account of what could be argued as negligence? (Or maybe not; IANAL for a reason.)
bubblethink|3 years ago
prvit|3 years ago
2arrs2ells|3 years ago
quickthrower2|3 years ago