Why is SMS our 2nd factor?

noelmage
Contributor

Why on earth would PayPal still be using SMS authentication as a second factor? It was deprecated as an acceptable security standard in July of 2016 by NIST. Reddit was recently compromised due to its reliance on SMS as a second factor on their internal servers and lost password databases and source code to hackers. Our PayPal accounts hold vast amounts of purchasing power, but we rely on a second-factor authentication that hasn't been considered secure for more than two years by one of the slowest-moving government organizations in existence!


We have to demand better as a community. There is too much at stake.


Sources:

https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_nee...

https://www.theregister.co.uk/2016/07/24/nist_says_sms_no_good_for_authentication

https://www.theregister.co.uk/2016/12/06/2fa_missed_warning/

https://www.theverge.com/2017/9/18/16328172/sms-two-factor-authentication-hack-password-bitcoin


Oregon11
Advisor

@noelmage


PayPal does offer an additional security setup for some accounts. If you see an option for Verisign Vip in the following PayPal link, then it should be available to you. https://www.paypal.com/us/cgi-bin/webscr?cmd=_setup-security-key


For PayPal's Verisign 2FA setup, you'll need these two links.


https://vipmobile.verisign.com/


https://www.paypal.com/us/cgi-bin/webscr?cmd=_setup-security-key


When activating Verisign 2FA, you'll need your Access app Credential ID (enter your entire Credential ID in the serial number box) and two unique security codes (the second security code will be the code that follows the first after 30 seconds). You'll be able to deactivate Verisign 2FA from the security tab in your PayPal profile.


You won't be able to log into the PayPal app if using Verisign 2FA.


noelmage
Contributor

Unfortunately, this is the SMS solution I was talking about. The only hardware token solution PayPal offers is for PayPal business customers. For consumer accounts, it is not available.


volans-
New Community Member

Although the interface is very confusing, this worked for me. When you are at the page:

    https://www.paypal.com/us/cgi-bin/webscr?cmd=_setup-security-key

you need to click on the right box link that brings you to:

    https://www.paypal.com/it/cgi-bin/webscr?cmd=_activate-security-key-any

and treat the VIP Access application as if it were a physical key. Insert the Credential ID reported by the VIP Access application into the Serial number field and then enter two consecutively generated security codes.


p3ter
New Community Member

Came here trying to figure out the same thing, and was disappointed.


My opinion is that any site begging for your mobile phone number "to secure your account" wants your mobile phone number much more than they want to give you additional security. The promise of additional security is just a great way to persuade you to hand it over. 

With all the independent, cross-platform, free-of-charge mobile phone apps available to perform two-factor authentication (freeOTP, Authy, Google Authenticator, etc.) there is no excuse for Paypal not implementing something better, apart from "WE WANT YOUR MOBILE NUMBER".


In the light of GDPR, it is also worth noting that Paypal's privacy policy allows them to share pretty much everything with pretty much anyone: 

"5. Do We Share Personal Data? 

We may share your Personal Data or other information about you with others in a variety of ways.."

...so I guess I will just stick with a password for now, and Paypal can continue to bear the cost of any disputes caused by my account being hacked...
