I can confirm that this has nothing to do with eBay, and has nothing to do with using a trusted device. I was just prompted to receive a one-time passcode sent to my cell phone INSTEAD of my password (not alongside it) while logged into a VPN (not a recurring IP address), in an incognito window (no previous PayPal log-ins), for a website I have never purchased anything from before, and on my company-issued computer (not saved as a trusted device).
Just tagging a few PayPal accounts here to try and get a justification for this. Even if you are just community manager employees and don't have access to decision-making on a security level at the company, someone needs to be running this issue up the chain. This is totally unacceptable.
Just noticed this today and made sure that:
1) 2FA is activated and my phone number is not/should not be used to allow payments and/or account access (not listed as a backup).
2) Automatic access/One touch is completely disabled.
I tried several sites, such as aliexpress, steam, etc. As far as I can tell, this SECURITY FLAW can be seen while using the pop-up payment flow.
I didn't test if this access (token/cookie) can be used to gain control over the account configuration/history/data, but it's certainly possible. SIM swapping is fairly easy and recurrent nowadays; this should not be taken lightly.
I'm temporarily removing any sensitive data/credit card numbers from the site. I hope PayPal addresses this ASAP.
I agree, this morning I woke up to a text I didn't initiate with a code to log in despite having 2FA on. I didn't know PayPal had implemented this feature. This is unsafe and now I'm wondering if my account has been hacked or otherwise compromised despite not seeing anything yet. I'll remove my cards.
I logged in here to also say just how dumb this is on PayPal's part. This protects nothing.
I've had a PayPal account for a long time, but don't use it very often. Earlier today, I got a verification text out of the blue that wasn't initiated by me. I became concerned when I saw the text was grouped with my other legit PayPal text messages from quite a while ago. I double-checked my 2FA settings and wondered how I could have received a text as I didn't have it as an option.
The screen they present to you also reveals personal information. If someone knows your e-mail address, they can now easily get a confirmed last 4 digits of your phone number. If they have any idea where you're located it's not hard at all to guess an area code and phone prefix. Thanks for keeping our "security" in mind, PayPal...
As of today, Aug 12, 2022, PayPal still allows this insecure one-time-code login. It has been almost a year and PayPal has not addressed this in any meaningful way. I removed all my linked cards and bank accounts to save myself any trouble later. I plan to close my PayPal account once I finish the last payment.
Same here. 22/08/2022
I have password plus 2FA enabled but this stupid one-time code thing negates that security. I cannot believe in these times of cybertheft that any company providing a banking service would allow such lax security protocols.
I have removed my cards from my wallet and I will only hold a minimal amount in credit until this is fixed.
I contacted Paypal and this is the reply I got.
How do I remove the option of one-time code from being used on my account? I am NOT referring to 2FA but the one-time code to get access to my account without using the password. This is a ridiculous breach of customer safety.
Hi. I understand that you want to remove the one time passcode to get access on the account.
Upon checking, I am afraid there is no option to remove the one time code to get access on the account. If the system is asking for the one time code, it needs to be entered for the account's safety to make sure that the account holder is the one accessing the account.
Thank you for contacting PayPal and for being a valued customer. You may close the conversation by selecting End Message.
- Stephanie [Removed]
If that is the case then I'll have no option but to remove all my funds from PayPal as I am not willing to use such an insecure platform. I must say this is a fundamentally outrageous idea. Why have passwords and 2FA when someone can steal your phone and have direct access to your PayPal account with no security?
Also, to not even have the option to disable it as a customer is crazy.
I'm sorry to hear about it. As much as I want to disable the one time passcode to access the account, we have no option to do so. Also, in 2FA, we are sending you a one time passcode to be entered to confirm that you are the one accessing the account. For now, if the system really asks for a one time passcode, then it needs to be entered.
Thank you for contacting PayPal and for being a valued customer. You may close the conversation by selecting End
I messaged PayPal through the website about removing this and all they did was remove 2FA! Unbelievable that this security issue has been ignored, and none of their support team seems to understand the implications of using a mobile phone number in 2FA.
We as users should have the option to remove this one-time code option sent via SMS. A one-time code used via an authenticator app would be much more secure.