> Tested in Incognito – as soon as you enter an email address to log into PayPal, an SMS is immediately sent and the phone number is revealed.
Just tested, can't reproduce. I get the standard email => password => TOTP flow. Also happened to have logged in yesterday on a new device, so pretty sure nothing changed between the blog post and now, at least not for me.
Maybe it's something being rolled out to more customers at the moment.
I have seen this for weeks/months now. It happens when you are about to make a purchase. So for instance, if you click on pay with paypal on a different website, it shows up, presumably to reduce friction or improve clickthrough.
And I have witnessed many examples in the EU where a person had money transferred from their bank account and the banks could not reverse it.
But why have the middleman if you can avoid it?
There's no way to report it through their website, because it's not a completed transaction. I didn't feel like waiting on hold so I sent a chat message and forwarded the email to phishing@paypal. One invoice still remains in my activity but says "no longer available" when I click on actions.
Already had me more paranoid about their security and now this comes out. My account still seems to be password + SMS thankfully.
EDIT- I didn't know you could even set up TOTP. Last time I used paypal SMS was the only option for 2FA.
For a long time you couldn't. They supported Symantec's app, which was TOTP but obfuscated. So for a long time, you had to extract/reverse engineer the seed from the Symantec app.
Moreover, PayPal is the only financial institution I know that regularly sends emails with a juicy "click here to login" button. All other institutions are trying to teach "don't click links in emails that claim to be from us, only phishing mails will contain links".
I think imma close my PayPal.
However, I can't reproduce the issue described in the article.
The author says when you enter an email, an SMS is sent and number revealed.
What really happens is that it asks me for a password. Below that there's an option to get a one time code. Clicking that reveals the first digit of the area code, then the last 4 digits. You must then click yet again to make it actually send.
So in short, it didn't immediately send an SMS and never showed the full number.
Edit:
I just tried logging in. It's exactly as the author describes - I enter my email and get a "Log in with a one-time code" page with my partial phone number. The code is sent automatically. Must be A/B testing. (No password prompt is shown unless I click "Try another way" below the code field.)
When signing up it also told me my provided contact details weren't correct because I had a forbidden special character in the password that I typed in the previous form. Took a while to figure that one out.
So now I can't log in, which prevents me from deleting the account.
In my case, I had got 2FA through being called by an automated voice giving me an OTP. However, my number in their database had somehow been mangled with a 0 before the country code, so the 2FA had attempted to use the country code as a domestic area code.
BTW. The support assistant on the phone was a young person who had never used land-lines and did not understand what an "area code" was, so I had to explain it to her.
I think I removed and re-added my Authenticator from PayPal’s settings and now it works again, never sending the SMS.
(This was about a year ago.)
Using anything based on a phone for sole verification is inexcusable in any situation, but is that really the case with PayPal? I have an account with MFA and... I don't think that's true
> I have an account with MFA and... I don't think that's true
Try logging in using an Incognito/private browser. I am either defaulted into the one-time SMS flow, or given the option to log in with a one-time SMS code. In either case, if I enter the SMS code I am not prompted for my password nor TOTP.
Welcome to HN, the bikeshedding capital of the world.
It doesn't seem to be happening right now though.
I hope PayPal fixes this shit soon. Not only is this a serious security problem, but the texts are incredibly annoying.
Oddly, I can't make it happen myself -- I don't get the screen being discussed -- but clearly some criminal somewhere does. Must be limited to certain geographic areas?
On the one hand, there are so many stories on HN complaining about incompetent and dystopian security practices in the financial industry.
And many tips on how to cope with it. Like not giving PayPal your bank account, rather pay 3% to put a credit card between PayPal and your bank account. And to keep your phone number secret to avoid sim swapping and PayPal exposing it.
It seems to be a fight between customers who are supposed to try and hide as much data as possible from the companies. Because that data causes a threat to you. And the companies that try to get as much data as possible.
On the other hand, cryptographic solutions which put the user in control and do not expose any data to the outside world are frowned upon. To me, it seems the logical solution. I want a private key, that only I know. And to be able to sign transactions with it without exposing any data.
If such a solution based on cryptography were widely used, I would hold a smallish amount of buying power on my "crypto wallet" and use that for day-to-day transactions. And regularly refill it directly from my bank account.
The best of both worlds: For my smallish day-to-day transactions, I am in full control of the security and privacy. And my savings stay on my bank, completely shielded from my day-to-day transactions.
Why does everyone on HN hate this approach?
But at some point it all went off the rails: crypto became a deeply rigged casino targeting the most vulnerable people they could find, fueled by insane amounts of energy consumption and money laundering.
Should we have discarded the whole internet idea because of that?
A lot of tech savvy people lost money due to losing their keys. Now imagine the disaster if your mother needs to handle them.
Payment solutions are also heavily regulated, often also in favour of the consumer. If my bank goes bankrupt or gets hacked I have much better guarantees of getting my money back compared to when I lose my private key.
The final reason (in my opinion) that "private key solutions" are not adding much is that to legally use it you need to comply with the regulations for traditional finance. Hosting an exchange without KYC can be considered illegal in many western countries.
Want to advocate for less regulations in finance? Sure, that's a valid political opinion. But you need to go into political solutions for that, not technological ones.
People already keep super important stuff on their phones. Their email accounts, their lifetime's photos, their contacts, their notes... Losing those seems to be more dangerous than losing your digital wallet. An event that would be similar to losing your physical wallet.
Because, in general, key management is hard, and your average user will likely not be able to understand such a flow, and will additionally probably lose their private key.
PayPal already has a pretty reasonable way to secure accounts: username+password+TOTP (using an app for the OTPs, not SMS). No, it's not perfect, and can be phished, but for most people it will be good enough. People who care about the phishing risk can use a FIDO2 hardware token instead of TOTP. All of this is common and widely-implemented enough that it's feasible to require that users do this.
But instead, probably in the name of reducing payment friction, they have decided on this horribly insecure method as described by OP. Ugh.
As they exist now, they are even more difficult to use safely and securely. For every one person who gets hacked via PayPal's SMS crap and a SIM swap, there would be 50 people who would lose their crypto wallet to dropping their phone in the river and forgetting the passphrase.
It's perfectly consistent to have issues with cryptocurrency and with other centralized financial institutions since they both have awful security models for the average person. Financial institutes are too insecure, and crypto is too unusable.
I, personally, would like the government to provide a universal authorization server ("log in with GovID" or whatever), and require all banks in the country to support that auth mechanism, and then ensure that mechanism is both incredibly secure, but also has suitable fallbacks to recover access.
The government is uniquely positioned to be able to do that in theory, if only the government weren't wildly allergic to doing _anything_.
I'll settle for a bank that does not ever fall back to SMS and supports webauthn so I can use my yubikey, and fortunately such banks do exist, so things aren't actually so bad. As long as I don't use paypal or various other less competent software.
Biggest problem is losing the key. Also how to sync the key between devices. Not get tricked into giving it away.
Best case might be an authenticator type of app piggybacking on your phone's physical and electronic security.
Most people look after their phones. Then maybe they back up somewhere else.
“We’re verifying your account, please read the number I’m about to send you.”
This is made worse because actual banks actually do this.
Also I don’t see the rest being true. If I only enter my phone number, it still asks for the password. And I can’t reset my password unless I also enter my email address.
I do agree though that probably they should just email me instead if I forgot the password.
I've been using TOTP for a long time but WebAuthn has been long overdue.
- try to pay for rental car in Mexico
- transaction declined
- get email saying account permanently locked
- get 2nd email w/ link to unblock (says click on unblock notification)
- no notification
- chatbot asks if I want help, redirects me to help page
- help page contains none of the following: unblock, unlock, locked
- chatbot asks if I still need help, says I have to call
- call link redirects to account home page
I once paid for internet via public wifi for a time. When my CC expired and it was time to renew... that was literally impossible because of how they redirected you to their paywall when you tried to visit anything else. Even if you were trying to go to the billing page to renew. So you literally couldn't pay them. Oh, and even if you had other internet access, that wouldn't work either, because the billing site was nowhere on the open internet, only via the municipal wifi.
Or there are similar loops in Amazon's help system, where they make it hard to get a human and it just loops you around the same sets of options when you tell it that it's not working right. So you have to swear at it to see if you can trigger the algorithms to detect frustration and get you out.
And those aren't even deliberate, like the dark patterns some places engage when you try to cancel a service.
> You cannot disable this method of login, and you cannot remove your phone number from your account.
Well. I'm used to thinking poorly of PayPal, but that's remarkable. Wonder if someone lost money if they could take PayPal to court on account of what could be argued as negligence? (Or maybe not; IANAL for a reason.)
Same is not true of paypal funds.
The reality is that cashing out significant amounts of money this way tends to be rather difficult.