Tell HN: PayPal uses SMS 2FA which is unsecure

5 points by DerekBickerton ↗ HN
So I recently setup a Paypal account and was shocked when I went to login and it required SMS 2FA to verify my identity. I mean, I own a Yubikey, and there's no option to use a Yubikey U2F token to login, strictly SMS only.

Over recent years I've heard horror story after horror story about people getting their number compromised or getting their number into the wrong hands, or getting their SMS OTP codes intercepted, because SMS is unsecure and I regard it as essentially plaintext that can be read by any malicious actor.

I use Paypal since many sites have it integrated and you can cancel subscriptions to avoid unexpected charges on your card. Plus they're a good middleman incase you need to settle disputes, scams etc. Also I'm a freelancer and many clients use Paypal for money transfer since they don't know of any other way to move funds from A to B, so I'm kind of forced to use it.

But I'm so worried about their unsecure and outdated SMS 2FA approach when we have industry standard things like Yubikeys.

This post is just a heads up: if you're using Paypal, you are potentially exposed and unsecure.

3 comments

[ 11.6 ms ] story [ 375 ms ] thread
I use PayPal.

My intuition is that SMS is one of several factors used in its “two factor” authentication.

For example, there’s all the features of the transaction, the hardware, and the geolocations.

Plus whatever data PayPal buys. From your ISP for example.

I have been using the Google Authenticator app for 2FA with my Paypal for years. I refuse to enable SMS 2FA for teh reasons you listed.

I am hoping they get with the times and allow for the use of Yubikeys, but you definitely don't have to use SMS 2FA.

I use FreeOTP+ open source authenticator with Paypal without any issues.