What’s going on with security at PayPal?

christianvarga.com

216 points by levymetal 3 years ago · 102 comments (101 loaded)

oefrha 3 years ago

> So I have a complex password and TOPT to protect my account. Forget these, because PayPal’s default method of login is now a one-time code sent via SMS. Yes, the very same medium that is generally considered unsafe for two-factor authentication is used by PayPal as the only factor; bypassing both password and TOPT for what appears to be full access to your account. You cannot disable this method of login, and you cannot remove your phone number from your account.

> Tested in Incognito – as soon as you enter an email address to log into PayPal, an SMS is immediately sent and the phone number is revealed.

Just tested, can't reproduce. I get the standard email => password => TOTP flow. Also happened to have logged in yesterday on a new device, so pretty sure nothing changed between the blog post and now, at least not for me.

Maybe it's something being rolled out to more customers at the moment.

  • levymetalOP 3 years ago

    OP here - I just tried again and got the normal flow this time. Guessing they must be A/B testing SMS one-time codes as the default.

    • byhemechi 3 years ago

      I've had it like that for months now, maybe it's a geographical thing, for some reason a lot of this stuff comes early to Australia?

      • 2arrs2ells 3 years ago

        FB engineer explained they always rolled features out to New Zealand first - similar user behavior as the US but outside the eye of the tech press & smaller market (so less risk).

    • richardfey 3 years ago

      AFAIK with 2FA enabled you'll get SMS prompts only exceptionally.

      • Abimelex 3 years ago

        2FA enabled in Germany I get the SMS prompt always. Still I would wish to have support for a proper Authenticator App here.

  • bubblethink 3 years ago

    > Just tested, can't reproduce.

    I have seen this for weeks/months now. It happens when you are about to make a purchase. So for instance, if you click on pay with paypal on a different website, it shows up, presumably to reduce friction or improve clickthrough.

  • spiffytech 3 years ago

    I've been getting this off and on for a while now. It never proactively sent me the SMS, but it yanks me out of the normal auth flow and asks if I want to authenticate by text, making me click a button to just use my password + 2FA.

  • CrimsonRain 3 years ago

    Can't send sms if there's no phone number to begin with (I never added). Accidentally big brain time

paultopia 3 years ago

I have never once given one of these valley payments companies my bank account information, and this sort of garbage is why. If I need to pay something via PayPal, Venmo, or whoever the hell else, I'll use a credit card and happily eat a 3% fee for doing so, and that's the price I pay to be able to tell Chase or Amex to handle it when some fraudster gets at my info rather than watch my bank account get drained.

  • tomschwiha 3 years ago

    In Germany (Europe?) it's not allowed to charge additional fees for using a credit/debit card. However even bank transactions that were externally charged from your account can be reversed for up to 6 weeks.

    • cortic 3 years ago

      Actually it's not allowed to tell the customer about additional fees for using credit cards. The fees are still applied to the merchant, the law just forces the merchant to recoup the fees from all their customers. So in the EU, you are paying credit card fees even when not using a credit card.

      And I have witnessed many examples in the EU where a person had money transferred from their bank account and the banks could not reverse it.

      • yywwbbn 3 years ago

        Well in the EU credit/debit card fees are capped at 0.3/0.2% so while not exactly fair it’s not a huge deal compared to the US (where everyone is paying for credit card users rewards and cash backs).

        AFAIK only SEPA direct debit transfers can be canceled/reversed so normal transfers are still not (easily) reversible.

        • sofixa 3 years ago

          > Well in the EU credit/debit card fees are capped at 0.3/0.2% so while not exactly fair it’s not a huge deal compared to the US (where everyone is paying for credit card users rewards and cash backs).

          And cash has its own processing fees (security - cameras, register, transportation; counting), which are also hidden. Some smaller places (e.g. cafés) have moved to cashless payments only, because the costs around cash, and the hassle involved at every step, are too much.

        • cortic 3 years ago

          0.3/0.2% caps are for customers' accounts (and don't cover missed payments which can be punitively charged). Merchant fees can still be very high, and silently passed on to customers. The fact that the law obfuscates what the CC companies are actually getting from a transaction should worry us, as they can sneak merchant fees up each year without push-back from the general public.

          • yywwbbn 3 years ago

            You’re right. It seems the fees are still around 1% at least for smaller businesses in my country.

  • quickthrower2 3 years ago

    Paypal can link to your CC and I have never seen a reduced fee for Paypal either.

    But why have the middleman if you can avoid it.

  • udkl 3 years ago

    I just have a separate bank account for online exposure to which I move bits of money in from my main account as needed.

m-ee 3 years ago

The past week I've received two invoices for "bitcoin" in my rarely used paypal account. More deviously, the notes for the invoice contain the phone number to a fake paypal support center run by the scammers. So if you were savvy enough not to pay the invoice they might still steal your info when you call to dispute.

There's no way to report it through their website, because it's not a completed transaction. I didn't feel like waiting on hold so I sent a chat message and forwarded the email to phishing@paypal. One invoice still remains in my activity but says "no longer available" when I click on actions.

Already had me more paranoid about their security and now this comes out. My account still seems to be password + SMS thankfully.

EDIT- I didn't know you could even set up TOTP. Last time I used paypal SMS was the only option for 2FA.

  • bubblethink 3 years ago

    > EDIT- I didn't know you could even set up TOTP.

    For a long time you couldn't. They supported Symantec's app, which was TOTP but obfuscated. So for a long time, you had to extract/reverse engineer the seed from the Symantec app.

rocqua 3 years ago

I recall PayPal had a maximum password length when I first made my account.

Moreover, PayPal is the only financial institution I know that regularly sends emails with a juicy "click here to login" button. All other institutions are trying to teach "don't click links in emails that claim to be from us, only phishing mails will contain links".

I think imma close my PayPal.

hedora 3 years ago

If true, this is borderline criminal incompetence.

However, I can't reproduce the issue described in the article.

  • silisili 3 years ago

    Same.

    The author says when you enter an email, an SMS is sent and number revealed.

    What really happens is that it asks me for a password. Below that there's an option to get a one time code. Clicking that reveals the first digit of the area code, then the last 4 digits. You must then click yet again to make it actually send.

    So in short, it didn't immediately send an SMS and never showed the full number.

    • yew 3 years ago

      But the author says a partial number is revealed?

      Edit:

      I just tried logging in. It's exactly as the author describes - I enter my email and get a "Log in with a one-time code" page with my partial phone number. The code is sent automatically. Must be A/B testing. (No password prompt is shown unless I click "Try another way" below the code field.)

    • Thorrez 3 years ago

      The author never says the full number is revealed. The author says the partial number is revealed.

      • silisili 3 years ago

        The article has been changed. The word partially was added in the sentence below after I commented.

        > enter an email address to log into PayPal, an SMS is immediately sent and the phone number is partially revealed.

        That said, below that it mentioned number guessing so I probably could have guessed that's what they'd meant to write.

        • Thorrez 3 years ago

          Other parts still said partially though. Your comment was left at 4:40 UTC[1]. Here's a snapshot from 4:07 UTC[2]. It says

          > PayPal helps them by partially revealing a significant portion of your phone number

          > Remember Mat Honan, who’s digital life was destroyed when his iCloud account was wiped in a targeted attack? In that attack, the hacker used social engineering to obtain a partial credit card number from an Amazon employee which Apple then accepted as verification of identity. With PayPal no such social engineering is required; instead revealing half your phone number to anyone who merely enters your email address on the login screen.

          > Of course, PayPal also allows users to log in by entering their phone number. Now armed with a partial, a bad actor needs only to enumerate the remaining digits to reveal your full phone number.

          [1] https://hacker-news.firebaseio.com/v0/item/32615770.json

          [2] https://web.archive.org/web/20220827040709/https://christian...

        • levymetalOP 3 years ago

          OP here - yeah that's my bad - I never intended it to be interpreted as fully revealed but a sentence taken out of context can read that way, so I tweaked the article (as well as fixing a few spelling mistakes). Apologies for the confusion.

    • 8ytecoder 3 years ago

      I was able to reproduce it in incognito. I’m guessing it works only on devices I have signed on before? Somehow they have a way to fingerprint me? Irrespective of it, this whole dumbing down security for UX is unacceptable. It’s not even good UX for someone like me with a password manager.

mimimi31 3 years ago

I recently created a new PayPal account. Got locked out almost immediately after adding 2FA via TOTP. First login worked, on the second login I just got a message that they were unable to verify it's really me. When contacting customer service, I was told that this is a known problem and I should just write them an email so they can remove 2FA from my account and then readd it a few days later myself.

When signing up it also told me my provided contact details weren't correct because I had a forbidden special character in the password that I typed in the previous form. Took a while to figure that one out.

lokedhs 3 years ago

After reading the discussion here I decided to delete my paypal account. So I attempted to log in, and it required me to provide a 2FA authentication using SMS. Problem is that I don't have access to the registered number anymore.

So now I can't log in, which prevents me from deleting the account.

  • Findecanor 3 years ago

    I had a similar problem for nine months before I could get hold of someone at PayPal. At that moment I was so angry that I chose to close my account. I also don't support businesses that use Bitcoin.

    In my case, I had got 2FA through being called by an automated voice giving me an OTP. However, my number in their database had somehow been mangled with a 0 before the country code, so the 2FA had attempted to use the country code as a domestic area code.

    BTW. The support assistant on the phone was a young person who had never used land-lines and did not understand what an "area code" was, so I had to explain it to her.

  • b800h 3 years ago

    And once you do log in, I can almost guarantee that you'll be unable to delete the account due to a "pending transaction".

  • s_dev 3 years ago

    Send a GDPR request to delete it to their support.

    • lokedhs 3 years ago

      Thank you. In order to contact support, I had to log in, so I had to use a different account just to be able to ask the question. We'll see what they reply.

      If this fails, I'll go the GDPR route.

      • sverhagen 3 years ago

        Somehow I feel they will claim that banking regulations around records retention trump GDPR, and that they thus cannot proceed with your request.

WA 3 years ago

I had the exact same flow: received an SMS instead of being asked for my TOTP, despite having enabled it.

I think I removed and re-added my Authenticator from PayPal’s settings and now it works again, never sending the SMS.

(This was about a year ago.)

throwawybllion 3 years ago

No strong disagreements with the article, however... It's TOTP, not TOPT (a mistake made throughout the article). I am skeptical of the qualifications and much of the basis for complaint.

Using anything based on a phone for sole verification is inexcusable in any situation, but is that really the case with PayPal? I have an account with MFA and... I don't think that's true

  • levymetalOP 3 years ago

    OP here - thanks for pointing that out, for some reason when I try to type TOTP my fingers keep defaulting to TOPT - some kind of muscle memory I guess. In any case, this has been corrected, although I'm unsure how a simple spelling mistake discredits the basis for the complaint.

    > I have an account with MFA and... I don't think that's true

    Try log in using Incognito/private browser. I am either defaulted into the one-time SMS flow, or given the option to log in with a one-time SMS code. In either case, if I enter the SMS code I am not prompted for my password nor TOTP.

    • bubblethink 3 years ago

      > although I'm unsure how a simple spelling mistake discredits the basis for the complaint

      Welcome to HN, the bikeshedding capital of the world.

httpz 3 years ago

This exact thing happened to me a few months ago. There just wasn't a way to disable this One Time Code login either.

It doesn't seem to be happening right now though.

radicalriddler 3 years ago

Wow I had the same SMS yesterday and I actually just ended up completely closing my PayPal account because it seemed so ridiculous

bombcar 3 years ago

2factor but with the convenience! We’ll invent zero factor!

JohnFen 3 years ago

I've been getting spammed with these SMS codes. They've been baffling me because I use MFA, and didn't understand what mechanism could be sending me random codes. I'm glad I know now.

I hope PayPal fixes this shit soon. Not only is this a serious security problem, but the texts are incredibly annoying.

Oddly, I can't make it happen myself -- I don't get the screen being discussed -- but clearly some criminal somewhere does. Must be limited to certain geographic areas?

JonathanBeuys 3 years ago

This confuses me about discussions like these on HN:

On the one hand, there are so many stories on HN complaining about incompetent and dystopian security practices in the financial industry.

And many tips on how to cope with it. Like not giving PayPal your bank account, rather pay 3% to put a credit card between PayPal and your bank account. And to keep your phone number secret to avoid sim swapping and PayPal exposing it.

It seems to be a fight between customers who are supposed to try and hide as much data as possible from the companies. Because that data causes a threat to you. And the companies that try to get as much data as possible.

On the other hand, cryptographic solutions which put the user in control and do not expose any data to the outside world are frowned upon. To me, it seems the logical solution. I want a private key, that only I know. And to be able to sign transactions with it without exposing any data.

If such a solution based on cryptography would be widely used, I would hold a smallish amount of buying power on my "crypto wallet" and use that for day to day transactions. And regularly refill it directly from my bank account.

The best of both worlds: For my smallish day-to-day transactions, I am in full control of the security and privacy. And my savings stay on my bank, completely shielded from my day-to-day transactions.

Why does everyone on HN hate this approach?

  • thematrixturtle 3 years ago

    I can't claim to speak for "everyone", but I was a crypto fanboy in the early days, when it seemed destined to be an actual currency, which would be great for all the reasons you mention.

    But at some point it all went off the rails: crypto became a deeply rigged casino targeting the most vulnerable people they could find, fueled by insane amounts of energy consumption and money laundering.

    • JonathanBeuys 3 years ago

      The same happened during the early days of the internet. Insane amounts of companies were founded, hyped and IPOed. Many, many naive people turned into investors, losing trillions of dollars.

      Should we have discarded the whole internet idea because of that?

      • nicbou 3 years ago

        It's hardly comparable.

        Scams happened over the internet, but didn't exploit critical problems with the technology itself.

        Crypto scams exploit problems with crypto itself. Where else can a tiny mistake allow people to irreversibly drain your account in an instant and vanish?

      • thematrixturtle 3 years ago

        This comparison was also made a lot in the early days of crypto, but at this point we're 15 years into crypto and real-life use cases remain awfully thin on the ground.

        • JonathanBeuys 3 years ago

          15 years because the Bitcoin whitepaper was written in 2008?

          The Internet Protocol whitepaper was written in 1974.

          15 years later, in 1989, real-life use cases of the internet were at least as thin on the ground as crypto use cases today.

          • ulrikrasmussen 3 years ago

            I am so tired of the comparison with the internet because it tries to conclude that crypto will be successful despite the scepticism because people were also sceptical of the internet. You could compare any new thing with the internet and come up with a similar prophecy, but it just isn't given that the success is ever going to come.

          • tialaramex 3 years ago

            By 1989 the Internet's primary applications are email, Usenet news, and the file transfer protocol. Those may not seem like much today, but they're a big deal in 1989.

            • JonathanBeuys 3 years ago

              In crypto, there are payments, store of value, decentralized exchanges, smart contracts, NFTs, DAOs...

              I tend to think crypto is used more already than the internet was in 1989?

              • shakna 3 years ago

                Minitel was almost universal in France by '89. It might not be the WorldWideWeb, but it was around.

                It had instant messaging, 24hr news, business listings, public databases (similar to wikis), online shopping, prostitution, dating services, online games, public transport ticketing, forums, online payment system, and over 25mil individual people using it on a daily basis.

                Apart from the customers, it had all of that from _day one_.

              • noSyncCloud 3 years ago

                Comparing the internet to crypto is like comparing roads to clown cars.

                They are entirely different classes of technology and the second would be completely useless without the first, so like to like comparisons are meaningless.

      • LilBytes 3 years ago

        I'm not sure crypto and the internet are even remotely in the same ballpark for capability or potential.

  • LeetHacks 3 years ago

    Because at the end of the day PayPal is better for the average consumer than a solution where somebody needs to handle a private key.

    A lot of tech savvy people lost money due to losing their keys. Now imagine the disaster if your mother needs to handle them.

    Payment solutions are also heavily regulated, often also in favour of the consumer. If my bank goes bankrupt or gets hacked I have much better guarantees of getting my money back compared to when I lose my private key.

    The final reason (in my opinion) that "private key solutions" are not adding much is that to legally use it you need to comply with the regulations for traditional finance. Hosting an exchange without KYC can be considered illegal in many western countries.

    Want to advocate for less regulations in finance? Sure, that's a valid political opinion. But you need to go into political solutions for that, not technological ones.

    • JonathanBeuys 3 years ago

      For the average user "handle a private key" just means installing an app. If crypto currencies were popular enough, it would already come with a phone, just like a browser.

      People already keep super important stuff on their phones. Their email accounts, their lifetime's photos, their contacts, their notes... Losing those seems to be more dangerous than losing your digital wallet. An event that would be similar to losing your physical wallet.

      • hnaccount_rng 3 years ago

        Losing my physical wallet will cost me: about a hundred euros (cash), plus the annoyance of having to get a replacement for the cards:
        - ID (probably 4 weeks or so and a visit to my Bürgeramt)
        - Medical Insurance (probably a week and a phone call)
        - 2 credit cards and a bank card (one, maybe two phone calls and a couple of euros)
        - a handful of membership cards, none of which are card only and only there for backup to the corresponding app
        I would say the total loss of this rounds to 100 euros and a couple of phone calls.

        Your equivalent is not "losing your wallet", it's losing access to your bank account (which would cost at least thousands of euros). There is a difference! No, being in physical possession of my bank card doesn't give you the right to the contents of it. And there are _lots_ of redundant security layers beyond the simple card.

        • zeroclip 3 years ago

          False equivalence. If you lose your crypto hot wallet, you might lose $100 as well. Much less of a hassle than losing your physical wallet with several important credit, debit, health, driver’s, and ID cards.

          A hot wallet is meant to be used like cash in your pocket. Putting thousands or millions of dollars in your pocket would be unwise. The same logic should apply to a hot wallet.

          You can store a higher amount of wealth in a cold wallet, like a multi sig or smart contract wallet that has social recovery and transfer protection.

  • kelnos 3 years ago

    > I want a private key, that only I know. And to be able to sign transactions with it without exposing any data. Why does everyone on HN hate this approach?

    Because, in general, key management is hard, and your average user will likely not be able to understand such a flow, and will additionally probably lose their private key.

    PayPal already has a pretty reasonable way to secure accounts: username+password+TOTP (using an app for the OTPs, not SMS). No, it's not perfect, and can be phished, but for most people it will be good enough. People who care about the phishing risk can use a FIDO2 hardware token instead of TOTP. All of this is common and widely-implemented enough that it's feasible to require that users do this.

    But instead, probably in the name of reducing payment friction, they have decided on this horribly insecure method as described by OP. Ugh.

  • TheDong 3 years ago

    Cryptocurrencies are what you obviously mean by your "a solution based on cryptography" phrase.

    As they exist now, they are even more difficult to use safely and securely. For every one person who gets hacked via paypal's SMS crap and a simswap, there would be 50 people who would lose their crypto wallet to dropping their phone in the river and forgetting the passphrase.

    It's perfectly consistent to have issues with cryptocurrency and with other centralized financial institutions since they both have awful security models for the average person. Financial institutes are too insecure, and crypto is too unusable.

    I, personally, would like the government to provide a universal authorization server ("log in with GovID" or whatever), and require all banks in the country to support that auth mechanism, and then ensure that mechanism is both incredibly secure, but also has suitable fallbacks to recover access.

    The government is uniquely positioned to be able to do that in theory, if only the government weren't wildly allergic to doing _anything_.

    I'll settle for a bank that does not ever fall back to SMS and supports webauthn so I can use my yubikey, and fortunately such banks do exist, so things aren't actually so bad. As long as I don't use paypal or various other less competent software.

  • quickthrower2 3 years ago

    Cryptographic key management is a hard thing for the masses.

    Biggest problem is losing the key. Also how to sync the key between devices. Not get tricked into giving it away.

    Best case might be an authenticator type of app piggy backing on your phone's physical and electronic security.

    Most people look after their phones. Then maybe they back up somewhere else.

muppetman 3 years ago

My wife has been getting a bunch of these today. I still don't see what the potential problem is if an attacker has my wife's email (which I can imagine has been made public by 100 data breaches etc) and phone number. A bad actor can't use those to log into Paypal? You still need to GET the text message code. Is the risk a SIM Swapping attack?

  • bombcar 3 years ago

    SIM swapping is pretty easy, or you just call the number right after or before and pretend to be PayPal checking something.

    “We’re verifying your account, please read the number I’m about to send you.”

    This is made worse because actual banks actually do this.

  • yjftsjthsd-h 3 years ago

    If nothing else, it's information disclosure; you should not be able to go from having a person's email address to having even part of their phone number.

  • adrr 3 years ago

    Six digit code means they can brute force it if they try across enough accounts. With 500k tries they'll have a 50% success rate of brute forcing 1 account.
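    A worked computation of the spraying arithmetic in the comment above, added here and not part of the thread; it assumes a 6-digit code space of $10^6$ and independent guesses, each made against a different account's freshly issued code:

    $$p = 10^{-6}, \qquad N = 500{,}000$$

    $$\mathbb{E}[S] = Np = 500{,}000 \times 10^{-6} = 0.5 \text{ expected compromised accounts}$$

    $$P(S \ge 1) = 1 - (1 - p)^N \approx 1 - e^{-Np} = 1 - e^{-0.5} \approx 0.39$$

    With a per-account cap of $k$ guesses per code lifetime, the chance of compromising any one sprayed account is $k / 10^6$, so about $10^6 / k$ accounts must be sprayed to expect one success ($k = 5$ gives 200,000 accounts). A per-account lockout therefore bounds the damage to each account but not to the campaign as a whole; the unexpected codes that commenters in this thread report receiving are the cross-account signal a defender should be alerting on.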

stjohnswarts 3 years ago

Anything that involves money or things of value I use my yubikey for. If they don't provide 2FA via that method I just look elsewhere. If it's a magazine or comments section? Who cares, use a mozmail temp address.

  • levymetalOP 3 years ago

    It's not about 2FA though. The problem is that PayPal allows users to log in via a one-time code sent via SMS, without the need to enter their password or TOTP (I assume this extends to hardware keys as well). They're doing 1FA over SMS and there's no way to opt out.

baby 3 years ago

Haven’t used paypal in like 10 years. It was such a bad experience back then that I’ve done everything to avoid using it. Wondering how people are using paypal nowadays

laundermaf 3 years ago

“Guessing the 5 missing digits” isn’t exactly trivial, there are thousands of combinations. In the US you might figure out the area code, but good luck if the person isn’t a local (or if you just entered a random email).

Also I don’t see the rest being true. If I only enter my phone number, it still asks for the password. And I can’t reset my password unless I also enter my email address.

I do agree though that probably they should just email me instead if I forgot the password.

richbell 3 years ago

I wonder if PayPal uses Twilio to send these codes.

dreadlordbone 3 years ago

I just did a test in an incognito window and I don't get an SMS message, but just a regular password prompt.

lambdasquirrel 3 years ago

Believe it or not, PayPal has finally set up security keys and authenticator apps as a 2FA. This must have been recent. I remember trying to do this a year or two ago, after someone cracked my LinkedIn password (but not the 2FA), and 2FA was not available on PayPal at the time.

  • zhfliz 3 years ago

    Wow, webauthn is indeed available now.

    I've been using totp for a long time but webauthn has been long overdue.

quickthrower2 3 years ago

This happened to me. They somehow got my password changed (maybe reset?). But no money taken. Had to call to get it resolved. Now added 2FA.

presto8 3 years ago

I just tried it on my account (private browsing window) and confirmed that 5 digits of my phone number were revealed.

fmajid 3 years ago

PayPal’s stubborn refusal to implement U2F tells me all I need to know about their security: it’s pure theater.

kaeruct 3 years ago

I cannot reproduce this on my account. Could it be specific to the US?

tylergetsay 3 years ago

I received the same text this morning

devoutsalsa 3 years ago

My recent PayPal experience:

- try to pay for rental car in Mexico

- transaction declined

- get email saying account permanently locked

- get 2nd email w/ link to unblock (says click on unblock notification)

- no notification

- chatbot asks if I want help, redirects me to help page

- help page contains none of the following: unblock, unlock, locked

- chatbot asks if I still need help, says I have to call

- call link redirects to account home page

  • 88913527 3 years ago

    Too much software development is getting divvied into different product development groups, and collectively it leads to the creation of flows through the product that make literally no sense, yet all of the smaller parts are seemingly fine, because nobody is thinking of the macro-level experience.

    • boredtofears 3 years ago

      Yep, or it made sense at one time, until the <person> in <department> that was overseeing the holistic workflow left.

  • Natsu 3 years ago

    I always love when it's clear that nobody has ever actually tried an option.

    I once paid for internet via public wifi for a time. When my CC expired and it was time to renew... that was literally impossible because of how they redirected you to their paywall when you tried to visit anything else. Even if you were trying to go to the billing page to renew. So you literally couldn't pay them. Oh, and even if you had other internet access, that wouldn't work either, because the billing site was nowhere on the open internet, only via the municipal wifi.

    Or there are similar loops in Amazon's help system, where they make it hard to get a human and it just loops you around the same sets of options when you tell it that it's not working right. So you have to swear at it to see if you can trigger the algorithms to detect frustration and get you out.

    And those aren't even deliberate, like the dark patterns some places engage when you try to cancel a service.

yjftsjthsd-h 3 years ago

> PayPal’s default method of login is now a one-time code sent via SMS

> You cannot disable this method of login, and you cannot remove your phone number from your account.

Well. I'm used to thinking poorly of PayPal, but that's remarkable. Wonder if someone lost money if they could take PayPal to court on account of what could be argued as negligence? (Or maybe not; IANAL for a reason.)

  • bubblethink 3 years ago

    Likely not. Most companies auto-enroll you into binding arbitration agreements now. If you ever want to opt out of it, you have a small window where you need to print out forms, sign them, and snail mail them. Kind of the opposite philosophy of SMS to login.

prvit 3 years ago

This is silly. Nobody is going to sim swap you to steal your paypal funds, getting the money out is way too difficult.

  • 2arrs2ells 3 years ago

    I’ve seen sim swaps to get desirable instagram handles. I have to believe it’s easier to extract money from a PayPal account takeover than insta.

    • bakugo 3 years ago

      I have an instagram account that I basically don't use, created probably 10+ years ago. At one point I randomly decided to log in and found that my username was randomized and someone else (not even a brand account) was using my original name. I never got any emails about my account being accessed, my password was random, no login activity, etc. To this day I'm still wondering if the account was compromised without a trace or if instagram just decided to give my name to someone else.

      • prvit 3 years ago

        Unless your email was also compromised, your name was taken by an FB employee. They do this all the time for their friends and whoever might bribe them.

    • prvit 3 years ago

      This is incorrect. Instagram names are essentially impossible to recover (unless you know an insider) and there’s a liquid market for them.

      Same is not true of paypal funds.

  • quickthrower2 3 years ago

    What about buying something?

    • prvit 3 years ago

      Keep in mind that stolen credit cards sell for a couple of $, having a sim swapped paypal account wouldn’t offer you much of an advantage here.

      The reality is that cashing out significant amounts of money this way tends to be rather difficult.
