How do I disable one-time codes

Only1KW
Contributor

Recently when logging in, PayPal has started offering me the option of logging in with a one-time SMS code to my phone rather than a password. This seems incredibly insecure to me and I'd prefer not to have it on my account. I cannot find any way to disable this when I check my account settings. I've spoken with half a dozen agents at this point about this, and half have told me it can't be disabled and half told me they'd send me instructions on how to disable it, but either the instructions never arrived or were not relevant. How do I go about disabling this feature on my account?

106 REPLIES

veedub99
Contributor

Thanks Exe, that helps. Doesn't solve the problem but I will definitely do this.

 


Only1KW
Contributor

I logged in to Paypal to try this and was once again asked if I wanted to log in just with SMS code.  Once I logged in, I followed the instructions @Executor32 suggested and found that "Send you text messages" was already unchecked on my account.  So at least for me, having it unchecked doesn't stop the option to login just with an SMS code.


mdpap
Contributor

Adding my voice here too. I honestly can't believe that PayPal thinks this is a security feature. This is a convenience feature at best and it should be disabled by default. They are handling our credit card numbers and other bank / personal info. It's all just a SIM swap away from being taken over. My god. I wish Brian Krebs would write an article on this. Why PayPal?? Why?? Who is advising you on security best practices??? This is crazy. SIM swapping is a very real problem and you've just opened the door wide open to it. I'm going to spend one week from today trying to get this disabled. If it can't be done there's no choice but to delete my account. Sucks... I actually use PayPal and have liked it ... up until now.


jlariviere
Contributor

I'm deeply disturbed with the lack of concern for security and poor security design choices PayPal has. 

  • They offer this way to login.  
    • SMS should never be offered, and if they insist on making it available, allow it to be turned off.  
    • One Time Code to log in should never be offered at all.  It defeats the purpose of 2FA entirely.  
  • A user cannot disable Mobile PIN or In-Store PIN
    • The user cannot use more than 8 numbers either
  • When a user adds 2FA, it defaults to SMS
  • They offer "automatic login" and keep asking a user to enable it.  
  • For me, I tried to revoke trusted devices repeatedly, and got an error

 


Jlhuugbn
Member
Has anyone thought about sending a tip to the media? This is such a shocking mistake from a payments company that I'm sure there would be wider interest in this.

ivmm
Contributor

Ok, now I understand how I got money stolen from my account last week. I started receiving SMS with PayPal security codes and then got an email notification about someone adding a card to my account and withdrawing $1.5k.

 

2FA was disabled because it doesn't work in Safari (including logging in from the PayPal iOS app, imagine this), so I blamed myself, turned it on, reported the unauthorized transaction to PayPal… and had $1.5k more withdrawn to a newly added card two days later! Still waiting for PayPal to investigate this case, I wonder if I'll get my money back at all.

 

I don't know if the SMS gateway to my non-US number is leaky or if the attacker just brute-forced the code, but here we are. I work in IT and was absolutely puzzled how someone could have accessed my account: checked my email, connected services, etc. for hacks. Now that I know how it was done, it's absolutely crazy. How could something like this be allowed to be implemented in the first place?

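The sequence reported in the post above (a run of SMS security codes, then a newly added card and a withdrawal) is a pattern a service's fraud monitoring can alert on. The following is an added example, not part of the original thread and not PayPal's code; the event names, log layout and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events (timestamp, account, event, device); not real PayPal
# logs, and the event names are hypothetical.
EVENTS = [
    ("2022-09-20T08:00:00", "acct-A", "password_login", "dev-home"),
    ("2022-09-27T02:00:00", "acct-A", "otp_sms_sent", "dev-x"),
    ("2022-09-27T02:01:00", "acct-A", "otp_sms_sent", "dev-x"),
    ("2022-09-27T02:02:00", "acct-A", "otp_sms_sent", "dev-x"),
    ("2022-09-27T02:03:00", "acct-A", "otp_sms_sent", "dev-x"),
    ("2022-09-27T02:04:00", "acct-A", "otp_login", "dev-x"),
    ("2022-09-27T02:06:00", "acct-A", "card_added", "dev-x"),
    ("2022-09-27T02:10:00", "acct-A", "withdrawal", "dev-x"),
    ("2022-09-21T10:00:00", "acct-B", "password_login", "dev-b"),
    ("2022-09-28T10:00:00", "acct-B", "otp_sms_sent", "dev-b"),
    ("2022-09-28T10:01:00", "acct-B", "otp_login", "dev-b"),
    ("2022-09-28T10:05:00", "acct-B", "withdrawal", "dev-b"),
]
SENSITIVE = {"card_added", "withdrawal"}

def find_takeover_chains(events, min_otp_sends=3, window=timedelta(hours=24)):
    """Flag OTP-only logins from a device with no earlier password login that
    follow a burst of OTP sends and lead to a sensitive action in `window`."""
    by_account = defaultdict(list)
    for ts, account, kind, device in events:
        by_account[account].append((datetime.fromisoformat(ts), kind, device))
    alerts = []
    for account, rows in by_account.items():
        rows.sort(key=lambda r: r[0])
        known = set()  # devices that have completed a password login
        for i, (ts, kind, device) in enumerate(rows):
            if kind == "password_login":
                known.add(device)
            if kind != "otp_login" or device in known:
                continue
            sends = sum(1 for t, k, _ in rows[:i]
                        if k == "otp_sms_sent" and ts - t <= window)
            actions = [k for t, k, d in rows[i + 1:]
                       if k in SENSITIVE and d == device and t - ts <= window]
            if sends >= min_otp_sends and actions:
                alerts.append({"account": account, "device": device,
                               "login_at": ts.isoformat(),
                               "otp_sends": sends, "actions": actions})
    return alerts

if __name__ == "__main__":
    for alert in find_takeover_chains(EVENTS):
        print(alert)
```

On the constructed data only `acct-A` is flagged; `acct-B` logs in by OTP from a device that previously completed a password login, so it is treated as normal use.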

Lers780
Contributor
My wife just started getting spammed with 1 time codes to log in with…obviously someone trying to access her account. Just closed off her Paypal account now. Ridiculous that this was implemented by PayPal and that there is no way to disable it.

Executor32
Contributor

@Lers780 This is exactly what happened to me and what led me to this thread after some Googling. For what it's worth, disallowing PayPal to send me text messages—as described in my reply on the previous page—stopped those constant OTP messages and also switched them to come by email instead, which isn't ideal but it's a lot better than the default setting.


ivmm
Contributor

I got both unauthorized transactions refunded, but I'd rather avoid keeping any significant sums at PayPal until this login method can be disabled.


TheCyberQuake
New Community Member

You don't have to have a background in digital security to know how asinine it is to be forced to have one-time passcode via SMS as an option. 2FA via SMS is not great as is, but in every other site I've ever seen, it's a second factor. With how PayPal does it, it's an SMS as a single factor. In short, when you enable 2FA, you increase your security if using a password to sign in, but overall actually reduce security because you go from requiring a password that hopefully only you know and is different from other sites, to instead being susceptible to a multitude of attacks that would give access to your SMS, and thus give easy access to your PayPal account.

PayPal, how do you not understand how this works? Your forced inclusion of one-time passcode after enabling 2FA introduces a new option that doesn't need 2 factors, and entirely defeats the purpose of what 2FA is supposed to do. I'm just a low-tier IT admin and even I know how completely backwards this is, how does a massive company like yourself not have anyone working there questioning how absolutely stupid this is in terms of security?
