PayPal Community

Only1KW · ‎Nov-01-2021

Recently when logging in, Paypal has started offering me the option of logging in with a one-time SMS code to my phone rather than a password. This seems incredibly insecure to me and I'd prefer not to have it on my account. I cannot find any way to disable this when I check my account settings. I've spoken with half a dozen agents at this point about this, and half have told me it can't be disabled and half told me they'd send me instructions on how to disabled it, but either the instructions never arrived or were not relevant. How do I go about disabling this feature on my account?

Only1KW · ‎Feb-22-2022

@Ianrm57 yes I was seeing this when paying from Groupon.

Ianrm57 · ‎Feb-22-2022

Thanks, will throw that at them if I ever have the patience to try again

adampcompton · ‎May-03-2022

I can confirm that this has nothing to do with eBay, and has nothing to do with using a trusted device. I was just prompted to receive a one-time passcode sent to my cell phone INSTEAD of my password (not alongside it) while logged into a VPN (not a recurring IP address), in an incognito window (no previous PayPal log-ins), for a website I have never purchased anything from before, and on my company-issued computer (not saved as a trusted device).

[removed]

Just tagging a few PayPal accounts here to try and get a justification for this. Even if you are just community manager employees and don't have access to decision-making on a security level at the company, someone needs to be running this issue up the chain. This is totally unacceptable.

tomblue · ‎Apr-16-2022

Just noticed this today and made sure that:

1) 2FA is activated and my phone number is not/should not be used to allow payments and/or account access (not listed as a backup).

2) Automatic access/One touch is completely disabled.

I tried several sites, such as aliexpress, steam, etc. As far as I can tell, this SECURITY FLAW can be seen while using the pop-up payment flow.

I didn't test if this access (token/cookie) can be used to gain control over the account configuration/history/data, but it's certainly possible. SIM swapping is fairly easy and recurrent nowadays, this should not be taken lightly.

I'm temporaly removing any sensitive data/credit card numbers from the site. I hope PayPal address this asap.

Ianrm57 · ‎May-10-2022

The best protection I’ve been able to come up with is to only have as much as you need for next purchase, in main account, and my backup account is a prepaid Mastercard from Austpost, which only has a minimal amount in it. Only slight problem is when I need to top up the Mastercard by bank transfer it takes 24hrs. I can go to post office to do it instantly without fees. There are instant top up options online but they come with a fee.

mfeldma3 · ‎Jul-05-2022

I agree, this morning I woke up to a text I didn't initiate with a code to log in despite having 2FA on. I didn't know PayPal had implemented this feature. This is unsafe and now I'm wondering if my account has been hacked or otherwise compromised despite not seeing anything yet. I'll remove my cards.

Nodnarb501 · ‎Jul-28-2022

I logged in here to asl say just how dumb this is on PayPal's part. This protects nothing.

I've had a PayPal account for a long time, but don't use it very often. Earlier today, I got a verification text out of the blue that wasn't initiated by me. I became concerned when I saw the text was grouped with my other legit PayPal text messages from quite a while ago. I double-checked my 2FA settings and wondered how I could have received a text as I didn't have it as an option.

The screen they present to you also reveals personal information. If someone knows your e-mail address, they can now easily get a confirmed last 4 digits of your phone number. If they have any idea where you're located it's not hard at all to guess an area code and phone prefix. Thanks for keeping our "security" in mind, PayPal...

tawtao · ‎Aug-12-2022

As up today, Aug 12,2022. Paypal still allow this insecure One-Time-Code login. It is almost a year and Paypal did not address this in any meaningful way. I remove all my link card and bank account to save myself any trouble later. I plan to close my Paypal account once I finish the last payment.

hahnice · ‎Aug-21-2022

Same here. 22/08/2022

I have password plus 2FA enabled but this stupid one-time code thing negates that security. I cannot believe in these times of cybertheft that any company providing a banking service would allow such lax security protocols.

I have removed my cards from my wallet and I will only hold a minimal amount in credit until this is fixed.

hahnice · ‎Aug-21-2022

I contacted Paypal and this is the reply I got.

How do I remove the option of one-time code from being used on my account? I am NOT referring to 2FA bt the one-time code to get access to my account without using the password. This is an ridiculous breach of customer safety

12:31 PM

SE
Hi. I understand that you want to remove the one time passcode to get access on the account.
Upon checking, I am afraid there is no option to remove the one time code to get access on the account. If the system is asking for the one time code, it needs to be entered for the accounts safety to make sure that the account holder is the one accessing the account.
Thank you for contacting PayPal and for being a valued customer. You may close the conversation by selecting End Message.

12:40 PM

- Stephanie [Removed]

If that is the case then Ill have no option but to remove all my funds fro Paypal as I am not willing to use such an insecure platform. I must say this is a fundamentally outrageous idea. Why have passwords and 2FA when someone can steal your phone and have direct access to your paypal account with no security?????

12:43 PM

Also, to not even have the option to disable it as a customer is crazy.

12:45 PM
I'm sorry to hear about it. As much as I want to disable the one time passcode to access the account, we have no option to do so. Also, in 2FA, we are sending you a one time passcode to be entered to confirm that you are the one accessing the account. For now, if the system will really ask for a one time passcode, then it needs to be entered.

Thank you for contacting PayPal and for being a valued customer. You may close the conversation by selecting End

PayPal Community

How do I disable one-time codes

Haven't Found your Answer?