PayPal Allows Bypassing Two-Factor Auth with a Button Click
21 points by assttoasstmgr 2 years ago | 4 comments
- IronWolve 2 years ago
Yup, hackers run through leaked email addresses, or target people. If your email is listed in haveibeenpwned.com dumps, scripts are processing the lists.
Only real basic things you can do: don't use your primary cell/emails as 2FA backup. Amazed there's no company offering security-enabled, SMS-enabled numbers via a webpage to plug the SMS hole.
And if you use your primary cell for 2fa, call your carrier and put a no-transfer lock on your account. This is how the bitcoin hacks happen.
Also, Google has Titan keys, they ignore them for 2FA also. Kinda moronic.
- beauHD 2 years ago
In the EU, PayPal defaults to SMS 2FA. I had to go out of my way to enable a Yubikey to log in. U2F should be the default, but not everyone owns a Yubikey, so they would piss many people off demanding Yubikey-only 2FA.
Alongside this, they sometimes send an SMS OTP to verify it's you making a purchase. I don't want PayPal anywhere near my SMS inbox. It's so backwards.
- toomuchtodo 2 years ago
Supporting passkeys and hardware keys for MFA should be mandated by statute. I know, heavy handed, but witness the current auth/identity challenges making the need clear.
- amaccuish 2 years ago
The worst is PayPal for iOS. Even with Face ID turned on, I still have to enter my TOTP code, EVERY time I open the app.