Tell HN: PayPal now allows to bypass 2FA with a SMS login
2FA was disabled because it doesn't work in Safari (including logging in from their iOS app, imagine this), so I blamed myself, turned it on, reported the unauthorized transaction to PayPal… and had $1.5k more withdrawn to a newly added card two days later!
Apparently, there is an option of an SMS-based login(!!!) where they send you a 6-digit code that allows for a login without 2FA: https://www.paypal-community.com/t5/Managing-Account/How-do-I-disable-one-time-codes/td-p/2835147
I don't know if the SMS gateway to my Chilean number is leaky or if they just brute-forced the code, but here we are. Also, no confirmation is needed to add new cards and make withdrawals even when 2FA is enabled.
(Yes, I know keeping money at non-bank payment services isn't good, but withdrawing it from there meant a conversion to my local currency which nowadays devalues much faster than USD. Greed got me.)
0 comments
[ 5.2 ms ] story [ 14.2 ms ] threadNo comments yet.