Better 'One-Time Password' ac security needed!

jimthing
Contributor

I already know about PayPal's so-called "Security Key", i.e. SMS login system. But as a security system, it is well out-of-date, as SMS messages are vulnerable to man-in-the-middle interception attacks, due to the SMS system using old Signalling System No 7 (SS7) technology. Better account security is needed: One-Time Passwords?

 

See one explanation source (of hundreds), here: https://www.theguardian.com/technology/2016/apr/19/ss7-hack-explained-mobile-phone-vulnerability-sno... 

 

This has been known about for several years, and is why most large tech companies use more secure systems now. Companies including Amazon, Google, etc. use a 6-digit "One-Time Password" system, that refreshes every 30 seconds. Each user sets this up on the company's website via a simple QR Code. 

 

See picture here of usage: https://imgur.com/a/XpLey 

 

Given my account was just yesterday subject to a case of attempted fraud on a £1575 eBay sale of mine, which PayPal had to refund both me the seller and the user whose account was compromised to make the purchase through, this is of top concern to me – and likely a great deal of other users, with even a modicum of technical knowledge.

 

As such, I won't be using such a system as the current Security Key, as it's hopelessly outdated. 

 

PayPal deals with financial matters as its core function, so can you explain to me why PayPal still rely on this outdated system as the only additional option for users' login security?

 

Please pass this email on to PayPal security team, customer relations, or whoever relevant, as you see fit.

 

 

(I don't suppose this will go anywhere, given the blasé answer I got on emailing PayPal, but still, I thought it should be raised publicly at least somewhere!)

 
