Tell HN: PayPal uses SMS 2FA which is unsecure
Over recent years I've heard horror story after horror story about people getting their number compromised or getting their number into the wrong hands, or getting their SMS OTP codes intercepted, because SMS is unsecure and I regard it as essentially plaintext that can be read by any malicious actor.
I use Paypal since many sites have it integrated and you can cancel subscriptions to avoid unexpected charges on your card. Plus they're a good middleman incase you need to settle disputes, scams etc. Also I'm a freelancer and many clients use Paypal for money transfer since they don't know of any other way to move funds from A to B, so I'm kind of forced to use it.
But I'm so worried about their unsecure and outdated SMS 2FA approach when we have industry standard things like Yubikeys.
This post is just a heads up: if you're using Paypal, you are potentially exposed and unsecure.
3 comments
[ 11.6 ms ] story [ 375 ms ] threadMy intuition is that SMS is one of several factors used in its “two factor” authentication.
For example, there’s all the features of the transaction, the hardware, and the geolocations.
Plus whatever data PayPal buys. From your ISP for example.
I am hoping they get with the times and allow for the use of Yubikeys, but you definitely don't have to use SMS 2FA.