Paypal bypasses two-factor token authentication if you know the answers to security questions

Title. I was trying to reset my password the other day for my Paypal account and I noticed that Paypal gives you the option to reset a forgotten password with just security questions. This would be okay if, after providing the answers to the security questions, it prompted you to then select another form of authentication that requires you to either enter a code from an e-mail, send a text message, or confirm a credit card number on your account. But it doesn't do this. I can see a situation where this would be very problematic.

Imagine you have an account with a local branch bank. This bank allows its customers to have online access to their bank accounts. During the account setup process, the local bank asks customers to set up security questions. Mary decides she really likes two particular security questions that she's seen before on her Paypal.com account and has a common answer to put for them. Mary selects those questions and puts in the answers to complete the account. Fast forward 6 months: the local bank has a security breach, and criminals have stolen Mary's account secrets, which included her email address and the security questions from her local bank. Unfortunately, the security question answers from the local branch bank were the same on Mary's Paypal.com account. With just the email and security question answers from the local bank, the criminals can successfully reset Mary's Paypal.com password as well, since Paypal.com does not require a token code for further protection when you choose to verify via security questions.

Mary was smart and enabled two-factor authentication on her Paypal.com account well before the local bank breach, but because Paypal.com doesn't ask for more than security questions to get in, two-factor authentication fails for Mary and the criminals get into her account.

So... how can I disable security questions so this scenario doesn't happen? I want to only verify with email, credit card confirm and text message.
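The following is an added example, not code from the post or from PayPal: a small in-memory model of the two account-recovery designs the post contrasts. `WeakRecovery` resets the password on correct security-question answers alone, while `HardenedRecovery` treats the answers only as the first step and still requires a one-time code delivered out of band to the enrolled phone. The `Account` class, the `phone_inbox` list standing in for an SMS channel, and the `MAX_ANSWER_ATTEMPTS` lockout value are all hypothetical; `simulate_breach()` replays Mary's scenario, where the attacker holds only her e-mail and the answers reused from the breached bank.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_ANSWER_ATTEMPTS = 5  # hypothetical lockout threshold for wrong answer sets


def normalise_hash(answer: str) -> str:
    """Hash a security-question answer after trimming and lower-casing it."""
    return hashlib.sha256(answer.strip().lower().encode("utf-8")).hexdigest()


@dataclass
class Account:
    email: str
    password: str
    answer_hashes: dict                              # question -> normalise_hash(answer)
    phone_inbox: list = field(default_factory=list)  # simulated SMS channel (constructed)
    failed_attempts: int = 0


def answers_match(acct: Account, answers: dict) -> bool:
    """Constant-time check of every stored answer; counts failures for lockout."""
    if acct.failed_attempts >= MAX_ANSWER_ATTEMPTS:
        return False  # locked: no further guessing against the questions
    ok = all(
        hmac.compare_digest(normalise_hash(answers.get(q, "")), h)
        for q, h in acct.answer_hashes.items()
    )
    if not ok:
        acct.failed_attempts += 1
    return ok


class WeakRecovery:
    """The flow the post describes: correct answers alone reset the password."""

    def reset(self, acct: Account, answers: dict, new_password: str) -> bool:
        if not answers_match(acct, answers):
            return False
        acct.password = new_password
        return True


class HardenedRecovery:
    """Answers only open step two; a code sent out of band must also be presented."""

    def __init__(self):
        self._pending = {}  # email -> one-time code awaiting confirmation

    def start(self, acct: Account, answers: dict) -> bool:
        if not answers_match(acct, answers):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[acct.email] = code
        acct.phone_inbox.append(code)  # delivered to the enrolled phone, never to the requester
        return True

    def finish(self, acct: Account, code: str, new_password: str) -> bool:
        expected = self._pending.pop(acct.email, None)  # single use: popped even on failure
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        acct.password = new_password
        return True


def simulate_breach() -> dict:
    """Replay Mary's scenario with both flows; the attacker has only e-mail + reused answers."""
    answers = {"first pet": "Fluffy", "mother's maiden name": "Smith"}  # constructed sample
    breached = dict(answers)  # what leaked from the bank and is reused on the second site
    results = {}

    mary = Account("mary@example.com", "original-pw",
                   {q: normalise_hash(a) for q, a in answers.items()})
    results["weak_attacker"] = WeakRecovery().reset(mary, breached, "attacker-pw")

    mary = Account("mary@example.com", "original-pw",
                   {q: normalise_hash(a) for q, a in answers.items()})
    hardened = HardenedRecovery()
    hardened.start(mary, breached)
    # The attacker cannot read mary.phone_inbox, so no valid code can be supplied.
    results["hardened_attacker"] = hardened.finish(mary, "", "attacker-pw")

    # Mary herself completes the flow with the code that reached her phone.
    hardened.start(mary, answers)
    results["hardened_owner"] = hardened.finish(mary, mary.phone_inbox[-1], "new-pw")
    results["owner_password"] = mary.password
    return results


if __name__ == "__main__":
    for k, v in simulate_breach().items():
        print(f"{k}: {v}")
```

The design point is that knowledge-based answers are a shared secret that leaks across sites, so they can at most unlock the second step; the password change itself is gated on a channel the account owner controls, and the code is single-use and cleared on the first wrong attempt so it cannot be retried indefinitely.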
