PayPal lets you bypass 2FA with the click of a button - and says it's designed to protect you

Tomcat

This morning I was woken up by an unexpected SMS.


I think I shared my code.

Strange. I don't remember using PayPal in my sleep. However, this happens. Someone periodically enters your email on the site and clicks “Forgot password”.

A one-time code is sent to your email and remains buried there forever, since the hacker (or the person who entered it incorrectly) does not have access to other information that I have. They are unlikely to get my password since it is a randomly generated sequence of 12 or more characters.

“I simply enable two-factor authentication using Authenticator and no longer worry about my PayPal being hacked.”

That's what I thought...

But, as it turned out, even enabling 2FA in PayPal does not prevent anyone from logging into your account with only your email and the code from an SMS. No password is required for this.

That's how it is. In a very clever way, PayPal (NASDAQ: PYPL) has implemented a super convenient login method that doesn't require you to remember that pesky password.

This method is called one-time code login. And it's terrible.

The “Log in with a one-time code” button appears on the screen as soon as the email address associated with your PayPal account is entered.

We all hate passwords, right? They are easy to guess, hard to remember, and if we abolish them in the near future, maybe this world will be a better place. That's why PayPal, a banking app, offered a way to access your account without entering a password using a one-time code.

And this looks very convenient for anyone who doesn’t like to rack their brains trying to remember their own password. Many sites, such as Slack, Cash App and even Medium, allow you to log in using a one-time code that is sent to your email. I don’t like the fact that my banking apps have this feature, especially when they use SMS to send the code, which is very easy to intercept using number porting. Well, let's just disable this feature so that we always log in with the password and the authenticator app code.

But we won't be able to do this.

This little “Log in with a one-time code” button is always present. For anyone and everyone. It is always located right under the “Log In” button (unless, of course, you are on PayPal.com and not in the PayPal app). Anyone who wants to log into your account without a password can do so, even if you have set up 2FA.

This last statement is very important and needs to be repeated clearly:

The “Log in with a one-time code” button allows you to bypass any other security measures that may be installed on your account, including two-factor authentication.

So whether you've set up 2FA on your PayPal account, say using the Google Authenticator app or a USB security key, doesn't matter. The “Log in with a one-time code” button (this button should have been called “I’ll log in anyway”) uses a completely different authentication path that bypasses the usual password or password-and-token paths. This is a completely separate path, requiring only a one-time SMS code, which has been proven time and time again to be insecure and easily hacked.

What the hell is this? Surely a banking giant like PayPal has some justification for this?

But no! PayPal doesn't say anything about this at all other than "this feature is enabled at all times to protect our customers."

On the paypal-community.com forums, a user with the nickname Only1KW created a thread on November 1, 2021 called “How do I disable one-time codes.”

In a discussion on this thread, Only1KW complains about the one-time code feature and asks how to disable it so that a password is always used to log in. In the following responses, PayPal forum moderators attempt to "find a solution." In fact, they either offer a solution to another problem, or they offer nothing at all.

Moderator PayPal_Natasha states that codes in SMS are always active, supposedly to “protect” customers.

The thread runs on for several more pages and is full of complaints from dissatisfied customers who say that even if this feature is supposed to protect customers, it does the opposite. The PayPal_Natasha response shown above is the latest response from a PayPal moderator in this thread.

While one-time codes are common across a wide variety of sites and apps, they are always accompanied by another authentication factor if the user desires it. And while you can log into Slack or Cash App with a single email or SMS code, enabling two-factor authentication in either app means that a second factor of authentication is now required. In PayPal's case, the second factor remains merely a suggestion.

If you look at the Security tab in PayPal settings, it is not surprising that both users and support staff are confused about the various security settings.

"Security" tab in your PayPal account settings.

In addition to the usual security settings, such as changing your password, enabling two-step verification, and managing the devices you're signed in to, PayPal also has four additional security settings. None of them enable or disable login using one-time codes. In fact, we can safely say that all these additional settings only provide additional ways for unauthorized access to your PayPal account. It’s no secret that all these “security questions” are ineffective and easy to guess, but hardly anyone knows why two different types of PIN codes are actually needed.

Enabling 2FA on PayPal will not prevent anyone from logging into your account using just an email and SMS code.

“My friend’s SIM card was actually hacked and they used it to log into her PayPal,” writes user Mmcgo1 [translator's note: her name is Mary McGowen]. “That’s why I deleted my PayPal bank accounts.”

“If my phone is stolen, they can immediately buy through PayPal without even knowing my password, or skip the authentication screen because these one-time text notifications appear right on the lock screen. Who might this make life easier for, except possible scammers?” — user adampcompton is indignant. And he's right—most iPhones and Android smartphones display the actual content of your messages on the lock screen by default. I highly recommend turning off this feature in your phone settings.

PayPal should require two-factor authentication on all accounts where users have it set up. The ability to log in with one-time codes should at a minimum allow for the addition of a second authentication factor, such as a security question or PIN. Allowing logins with one insecure authentication factor when users have set up 2FA on their accounts is a dangerous and irresponsible approach that costs innocent people their money.
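The design flaw described above (a separate one-time-code path that never consults the account's 2FA enrollment) and the fix recommended here can be shown in a small model. This is an added example, not PayPal's code; the `User`, `LoginAttempt`, `login_weak` and `login_hardened` names are assumptions for illustration.

```python
# Added example, not PayPal's code: a toy model of the design flaw described
# above. Two first-factor paths exist (password, one-time code). In the weak
# design each path carries its own rules and the one-time-code path never
# consults the account's 2FA enrollment; in the hardened design the MFA gate
# runs once, at session issuance, whichever path was used.
from dataclasses import dataclass


@dataclass
class User:
    email: str
    password: str          # constructed sample; a real system stores a hash
    mfa_enrolled: bool     # account has two-step verification switched on


@dataclass
class LoginAttempt:
    path: str              # "password" or "one_time_code"
    password: str = ""
    code_ok: bool = False  # the out-of-band one-time code matched
    totp_ok: bool = False  # a valid authenticator token was presented


def login_weak(user: User, attempt: LoginAttempt) -> str:
    """Per-path policy: the one-time-code branch is a separate route that
    issues a session on a single factor, so enrolled 2FA is never asked for."""
    if attempt.path == "password":
        if attempt.password != user.password:
            return "denied"
        if user.mfa_enrolled and not attempt.totp_ok:
            return "mfa_required"
        return "session"
    if attempt.path == "one_time_code":
        return "session" if attempt.code_ok else "denied"
    return "denied"


def login_hardened(user: User, attempt: LoginAttempt) -> str:
    """Central policy: each path only proves the first factor; the same MFA
    check then runs before any session is issued, regardless of the path."""
    if attempt.path == "password":
        first_factor_ok = attempt.password == user.password
    elif attempt.path == "one_time_code":
        first_factor_ok = attempt.code_ok
    else:
        first_factor_ok = False
    if not first_factor_ok:
        return "denied"
    if user.mfa_enrolled and not attempt.totp_ok:
        return "mfa_required"
    return "session"
```

For an enrolled user, `login_weak` issues a full session on a one-time code alone, while `login_hardened` answers `mfa_required` until an authenticator token is also presented.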

The only remedy for this is to close your PayPal account.

(c) Original author: Alex Pastel