Unfortunately, it seems that Paypal requires a phone number regardless of 2FA method, and there is indeed no way to disable this insane feature.
Seems like maybe a good idea for a class action lawsuit? I'm not sure what to do about that. A company shouldn't be able to do this and still meet compliance obligations.
I'll have to delete my account, unfortunately.
edit:
1. I didn't give Paypal my phone number so that they could use it for this. I gave it to them for banking purposes only. I wonder if this constitutes a GDPR violation?
2. I wonder if contacting their auditors would do anything.
3. Maybe email some of the politicians who care about this stuff - Ron Wyden, Elizabeth Warren?
It was also possible to bypass the "give us your phone" nag screen by messing with the URL after login. I've been doing it for years now. I think they "fixed" it sometime this year and I had to give them my number :<
This still works for ebay. I get a prompt for a phone number that I can't cancel out of, but I can close that tab and open ebay and I'm logged in just fine.
It's still possible to "mess with the URL"... you just go type paypal.com again and it won't show the phone number request the second time. So this number request seems to be part of the login flow, but the session cookie is created regardless. My PayPal account still doesn't have a phone number associated with it.
Companies have to get certified, especially ones who handle payments. An auditor can absolutely push for better controls. Will they? Or will Paypal care? That I do not know, but getting pressure from multiple angles can't hurt.
I have never given paypal my phone number, and can still log in with password.
(This August it would refuse to let me finish logging in without setting up a phone number. I discovered that getting a friend to send me a PayPal request for $1 would get around that requirement.)
> Personal data shall be: […] collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
The GDPR applies in the US but I do think that PayPal is likely only using US numbers for this "feature" because the EU is much more aggressive about protecting users.
1. a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
2. a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.
I agree, it is a bit of a stretch. Just brainstorming, not a lawyer. I think you'd have to either make a GDPR case or otherwise get a bunch of users together who have been targeted / attacked and make a case for PayPal not meeting their obligation to protect users/ making users think they are safer than they are (because they offer 2FA but it can be bypassed).
I am similarly annoyed by Bank of America. They allow you to enroll a Yubikey for login, making it seem like they have a high level of security.
But then on the login screen they moronically offer a one click bypass of it, asking if you want to login by SMS instead. What's the fucking point of a Yubikey then!?
From the bank's point of view, it's good enough security.
My wife and I had money stolen from our Wells Fargo checking account and I had a bunch of questions for them. Somebody from higher up eventually called me and when I got to the point about asking why the password was limited to 12 characters (they should be storing a hash and not the password) she told me to stop worrying about it because I'm not responsible for fraud.
> Amazon does not offer a way to remove SMS from your account once it’s added
And even the login problems aside, I'm even more galled by the fact that our system of bank checking accounts allows anyone to mistakenly fat-finger an ACH debit of money from your account, and it's up to you to discover and get that reversed.
I know all the historical reasons, etc. but this is still ridiculous to me. All the security in the world, and I still have to worry whether my brokerage funds are missing some each month.
What's harder, finding the phone number of a PayPal board member, or cloning it? Either way, that's probably the quickest way to get this addressed, unfortunate you'll need to commit a felony to do it.
> finding the phone number of a PayPal board member, or cloning it
You don’t need to clone it, you just change the SMSC registration to reroute delivery to the screen of your choice. If you have access, it’s trivially simple to do, but I believe it’s harder to buy your way into access these days because of some high profile news articles about the method in the past.
I'm not seeing the 'login with an OTP' option that TFA complains about, also not in a private tab. I was using the fake elonmusk address from the article and also tried over a VPN pretending to come from the US (I'm actually located in the EU).
Also, I don't like the condescending tone of the article, implying that everyone at Paypal is a moron who has no idea what they're doing.
> most new iPhones and Android phones by default will display the actual contents of your messages on the lock screen
On iPhones by default the contents are only shown after your face is recognized by FaceID.
That being said, I don’t like to have one factor authentication tied to my phone number, especially not when I’ve enabled two factor authentication in the settings. I guess the logic behind this decision is that they see your password as the weakest link, so for them 2FA is not so much about having a second factor, but about not being able to use the password as the only factor.
In the UK there is currently a string of people getting cleaned out 100% after having their wallet and phone stolen at gyms, and it's suspected this - 2FA visible on a locked phone - is the main issue.
They're cracking open gym lockers, grabbing phone and bank cards, using knowledge of the bank name, person name and access to the SMS OTP visible on phone to relink a fresh cellphone banking app. That's the speculation anyway & there are some gaps in the theory.
But yeah basically they're gaining access to the entire bank a/c and doing thousands of damage instead of usual credit card stuff which is obv protected legally
It is the shite way that PayPal and, I think, Amazon do this: they put the code at the start of the SMS; other OTP providers send it in the middle/end of the SMS, so even if someone has set the display of text messages to 'enabled' on the lock screen, they are truncated and you can't see the code (but not in the case of PayPal); you need to unlock the screen to read the full text.
YMMV as some SMS apps display it full.
On my phone (Android, Moto Edge) the contents of text messages are hidden on the lock screen. I'm pretty certain that this is the default behaviour in recent versions of Android that I've seen.
So, at least for me, anyone who stole my phone for the purpose of hacking my paypal account would still need my fingerprint or unlock pattern. Someone with a non-smart phone will have a different experience though.
And yeah, sms is a poor choice from a technical pov but i can see why they did it for a mass-market service.
Sadly there’s another system that really should know better with terrible 2FA policies: Amazon AWS. The mechanism for protecting an AWS root account is not quite as bad as PayPal, but it’s not much better.
AWS should offer the ability to enroll multiple second factor devices and to configure a policy for what subsets of them can log in. But they don’t even come close, and their actual capabilities are far worse than, say, Gmail or GitHub.
The thing is that the root account at least falls back to an email, not your phone. But yeah it's insane that they don't allow multiple 2FA tokens to be registered.
If the domain of the root account's email address has its DNS or email handled under that AWS account, then any IAM user that has access to that could intercept the email and use that to gain access to the root account.
So you set up an AWS account with some email xyz@example.com and then you transferred that domain to be managed in that same account? That sounds like a niche and terrible idea tbh, why would you do that?
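The dependency the comment above describes (root e-mail reset flow depending on DNS that lives inside the same account) is easy to check for mechanically. The following is an added example, not AWS's own tooling: given the root contact address and the list of Route 53 hosted zone names in the account (in practice taken from `aws route53 list-hosted-zones`; here a constructed list), it walks the mail domain and its parents and reports the zone that would let an IAM user with Route 53 write access rewrite the MX records. The sample zone names and e-mail addresses are assumptions.

```python
"""
Check whether an AWS root account's e-mail domain is served by a Route 53
hosted zone in the same account. Added example; not AWS-provided code.
"""
from typing import Iterable, Optional


def _normalize(name: str) -> str:
    """Lower-case and strip the trailing dot Route 53 puts on zone names."""
    return name.strip().lower().rstrip(".")


def mail_domain(address: str) -> str:
    """Return the domain part of an e-mail address, normalized."""
    if address.count("@") != 1:
        raise ValueError(f"not a single-recipient address: {address!r}")
    return _normalize(address.rsplit("@", 1)[1])


def hosting_zone(root_email: str, hosted_zones: Iterable[str]) -> Optional[str]:
    """
    Return the most specific hosted zone that covers the root e-mail domain,
    or None. A zone for a parent domain still counts: whoever can write to
    example.com can publish MX records for mail.example.com.
    """
    zones = {_normalize(z) for z in hosted_zones}
    labels = mail_domain(root_email).split(".")
    # Walk from the full domain up to the TLD: mail.example.com, example.com, com
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def root_email_is_self_hosted(root_email: str, hosted_zones: Iterable[str]) -> bool:
    """True when the account's own DNS controls delivery of root-account mail."""
    return hosting_zone(root_email, hosted_zones) is not None


if __name__ == "__main__":
    # Constructed sample: zones as returned by list-hosted-zones (trailing dots kept).
    zones_in_account = ["example.com.", "internal.example.net.", "shop.example.org."]
    for addr in ("root@example.com", "aws-root@mail.example.com", "root@example.io"):
        zone = hosting_zone(addr, zones_in_account)
        verdict = f"served by zone {zone}" if zone else "not hosted in this account"
        print(f"{addr}: {verdict}")
```

If the check fires, the usual remedy is to keep the root contact on a domain whose DNS and mailbox are administered outside the account (or outside the organization's AWS estate entirely), so that compromising an IAM principal cannot be escalated into a root password reset.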
PayPal's security has always perplexed me a bit. Last time I checked, a few years ago, they still limited you to a 20 character password, which is annoying because I would rather use a passphrase so it's quicker to type in, but I wouldn't be comfortable using only 20 characters for something like a bank.
For comparison, Instagram at the time allowed 250 characters.
Reminds me of how on Stripe's dashboard I keep getting prompted for a password; I can just click cancel and everything continues working fine. Does anyone know what's up with that?
Ask HN: Is anyone else seeing a steep increase in CAPTCHA and SMS verification prompts on PayPal lately? Yesterday alone I was sent two SMSes and had to solve at least one CAPTCHA. All from the same machine that I always use. It's really getting to a point where I rather use an alternative payment service when it's possible to do so.
Edit: Oh and every time that happens I get a mail that there is a login with a new device from "dusseldorf nw de". No, I don't live in Düsseldorf, not even close. The fact that they misspell the name and that their GeoIP is reliably off doesn't inspire any more confidence.
I guess there is a trade off here of having strong security but then users being completely locked out or falling back to SMS which defeats the purpose of stronger auth like Yubikeys. There should at least be an option to disable SMS for auth. Another option is to call up your telco and ask them to only port a number if you are physically present and verified in a store. This wouldn’t protect against an insider at the telco, but at least common threats.
I have two PayPal accounts, one personal and one business. Neither has the login option mentioned in the article. It could be in A/B testing at the moment.
PayPal has been doing a number of thoughtless things in this area recently. They are determined that my devices are “trusted”, despite the owner of those devices not trusting them at all. They are continually trying to persuade me to stop using my passwords and such. I mean it’s only direct access to withdraw funds from my bank account, why would that need to be secure, amirite? Mystifying.
Strangely, half of the discussion concentrates on the arguments for and against the alleged (in)security of the PayPal solution in general cases while obviously the solution quality can be decided in a specific context.
At the same time nearly nobody addressed the real source of PayPal's stupidity: the fact the "feature" can't be permanently disabled.
> The only recourse in the meantime is to close your PayPal account.
Except PayPal does not monitor the only email address it lists on its own website, the one designated for the purpose of sending them data deletion or access requests:
This has been reported before, and in my experience, it's a sales funnel/conversion thing. You will likely not see this if you go to paypal.com. Rather, this will show up when you click on the 'buy with paypal' button on a third party site. It is pretty stupid, but I also blame the general population equally. People are just so bad with any type of password management, 2FA stuff, or general web hygiene that companies resort to stupid shit like this. This is also made worse from a few different angles. In places like the US, most users use an iphone and have no idea about the differences between SMS or imessage or what any of the moving pieces are. They just know something is a 'text'. On the other hand, in places like India, the government has crippled everything to such an extent that you cannot function without SMS based 2FA. We'll be stuck with SMS based logins and 2FA for a very long time.
This seems way too insecure. Could a bad actor exploit this with a massive list of emails and random codes? Even when you have like 5 tries from 1000000 combinations, someone's likely to get hacked with this...
Very long time ago someone abused a referral program of a taxi service by registering multiple accounts just by random-guessing the code. They had badly written rate limiters so a list of 10k proxies, good broadband and a java threadpool were enough to get thousands of free rides in a couple of days.
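The two comments above are about the same arithmetic: a small per-code guess budget is fine for one account and disastrous when multiplied across a user base, and it only holds at all if the limiter actually binds the budget to the issued code rather than to an IP address that a proxy list can rotate. The block below is an added example, not PayPal's or any taxi service's code. It issues 6-digit codes, enforces a per-account budget of failed guesses and a lifetime (both assumed policies), consumes a code on first success, compares in constant time, and computes the attacker's expected yield for the "5 tries out of 1,000,000" case from the question.

```python
"""
One-time code verifier with per-account attempt limiting, plus the
arithmetic behind "5 tries out of 1,000,000" at scale.
Added example; not any vendor's code.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

CODE_DIGITS = 6
CODE_SPACE = 10 ** CODE_DIGITS
MAX_ATTEMPTS = 5         # failed guesses allowed per issued code (assumed policy)
CODE_TTL_SECONDS = 300   # code expires after five minutes (assumed policy)


@dataclass
class IssuedCode:
    code: str
    issued_at: float
    failed_attempts: int = 0
    consumed: bool = False


class OtpVerifier:
    """Issues one-time codes and enforces attempt and lifetime limits per account."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._codes: Dict[str, IssuedCode] = {}

    def issue(self, account: str) -> str:
        # Uniform code from a CSPRNG; zero-pad so the whole space is used.
        code = f"{secrets.randbelow(CODE_SPACE):0{CODE_DIGITS}d}"
        self._codes[account] = IssuedCode(code=code, issued_at=self._clock())
        return code

    def verify(self, account: str, guess: str) -> bool:
        entry = self._codes.get(account)
        if entry is None or entry.consumed:
            return False
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._codes[account]
            return False
        if entry.failed_attempts >= MAX_ATTEMPTS:
            # Budget spent: refuse even the right code, so the attacker's
            # only way forward is to trigger a fresh code (and a fresh SMS).
            return False
        # Constant-time compare: no timing hint about matching prefixes.
        if hmac.compare_digest(entry.code.encode(), guess.encode()):
            entry.consumed = True
            return True
        entry.failed_attempts += 1
        return False


def guess_probability(attempts: int, code_space: int = CODE_SPACE) -> float:
    """Chance that `attempts` distinct guesses hit one uniformly random code."""
    return min(attempts, code_space) / code_space


def expected_compromises(accounts: int, attempts: int,
                         code_space: int = CODE_SPACE) -> float:
    """Expected number of accounts opened when every account gets `attempts` guesses."""
    return accounts * guess_probability(attempts, code_space)


if __name__ == "__main__":
    verifier = OtpVerifier()
    code = verifier.issue("alice@example.com")   # constructed account name
    print("guessing 000000:", verifier.verify("alice@example.com", "000000"))
    print("correct code:   ", verifier.verify("alice@example.com", code))
    print("replay:         ", verifier.verify("alice@example.com", code))
    # The question's numbers: 5 guesses per account, 6-digit codes, 1M accounts.
    print("per-account success:", guess_probability(5))
    print("expected compromises over 1,000,000 accounts:",
          expected_compromises(1_000_000, 5))
```

The per-account number (5 in a million) is what makes the scheme look acceptable in isolation; the last line is what the question is really asking about, and it is a handful of accounts per sweep for an attacker with an e-mail list and proxies. Limiting by source IP alone, as in the taxi anecdote, does not change that arithmetic at all; only a budget tied to the issued code, plus something that makes re-issuing codes expensive, does.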
I do not hate passwords, but I do hate those who hate them and use that as an excuse to push the mandatory use of smartphones.
I do HATE those who state that a crappy Android/iOS OTP app is safer than an offline hardware token just because, thanks to their app, they can also ask for permission for extra stuff like accessing phone location history, contacts etc., all with plausible excuses (that happens in most EU countries with banks' crapplications), and so on.
ANYTHING tied to closed-source connected platforms can't be secure. That's it.
The article makes it clear that there's a login button which lets you login with an OTP over SMS. So if your phone is stolen or your SIM has been cloned, a crook could get into your PayPal account.
This reads a bit like an alarmist scare. The only real complaint the author has, despite linking it several times, is that SMS is hackable. This is true to some extent, as SIM cloning isn't a straightforward hack and is largely based on social engineering. Still it doesn't really matter for two reasons.
First, common attackers are opportunistic and they are unlikely to know your phone number. Even if they did, it would take skill and effort to clone your SIM. For this to happen you need to be targeted as an individual and that's a different scenario from random PayPal attacks.
Second, PayPal aren't stupid, and they have to be aware of SIM cloning. They also have data that we don't. Looking at their data and the probability of an attacker carrying out SIM cloning, they must have decided the cost of probable cases is acceptable if and when these attacks take place. Or that it's fairly rare to actually happen.
Besides, this option isn't available to all users, so there might be more going on than we realize.
I understand the author is upset that they can't set a single TFA channel to be used exclusively. But I think the real gripe here is that the author feels loss of control rather than a massive security issue.
So basically, since you need to be targeted as an individual rather than at random, and that's rare, then we should be okay with an insecure /banking/ website? I can't get my head around that point of view. This creates a financial incentive for people to scour the internet for people's phone numbers, clone their SIM and steal their PayPal account and so you can be fairly sure people will do that.
> most new iPhones and Android phones by default will display the actual contents of your messages on the lock screen
So stealing a phone and knowing an email address could be enough. New iPhones require Face ID by default, but there are loads of cheaper Android models that don't. That is a low bar.
Ever since the first FaceId iPhone (iPhone X) the default for messages is to only show message previews when unlocked. I’m pretty sure non FaceID phones defaulted to not showing previews at all.
Is there a term for the opposite - presuming you're smarter than a huge team of full time employees with specialist knowledge and access to data you don't have?
In their defence, sometimes organisations are stupid where individuals are not.
Many people might realise that cloning is an unaccounted-for aspect of a 2FA, but the manager in charge, say, thinks cloning is not a realistic possibility and so doesn't allow it to be taken into account. Or, the manager does think it needs addressing but they get a bonus if the system is completed earlier and they know it will take longer to address the issue, so they argue it's not a realistic attack ...
Argument screens off authority, but you do actually have to have a better argument than the authority figure. Saying "I have an argument, and the experts aren't on Hacker News so we don't know what theirs is" doesn't make it a logical fallacy to disagree with you.
>just because an argument's a logical fallacy, that doesn't make it incorrect. //
An argument that uses fallacious reasoning is an incorrect argument, but pointing out a fallacy doesn't negate a conclusion (that would be the fallacy fallacy).
So, we can't tell if the conclusion is wrong when someone uses a fallacy.
My link did – but I'm making a stronger claim. (A tangential claim, mind.) Just because an argument pattern-matches to a named logical fallacy, that doesn't make it incorrect.
Take the conjunction fallacy. Ultimately, it comes down to the representativeness heuristic. However, the representativeness heuristic matches how we use language: to use Wikipedia's example, "Linda is a bank teller active in the feminist movement" is more correct than "Linda is a bank teller" if Linda is active in the feminist movement, but not a bank teller.
The mistake in such a situation is interpreting it as though the speaker is using classical logic, when they're actually using a fuzzy logic more akin to Bayesian inference. People focus too much on logical fallacies, and not enough on how the average human actually uses language. Precise language is useful, but that doesn't make "heuristic language" wrong, or fallacious.
An argument that's a logical fallacy can still be heuristically correct.
They've decided it's pretty much always better to close the barn doors after the cows leave.
Card fraud problems? Just promise people 'zero liability' rather than some sort of security paradigm stronger than "we told everyone they're not allowed to store the CVV."
Everything identity-theft related? Why bother actually engineering some sort of secure 21st-century authentication systems when you can just pay for a few months of credit monitoring after the inevitable data breach and class action suit.
I wonder if it would be possible to create a more proactive liability framework. Maybe stockholders would be a party with standing-- if you're still doing $known_stupid_thing years after alternatives have been documented, you're failing your fiduciary duty to investors, just waiting for an avoidable damage to the stock price to happen.
People lose their second factors which are intentionally difficult to clone. Phones get replaced, keys get lost. OTP is a more secure fallback method than calling customer support.
I can’t think of another universally available fallback method.