PayPal-account-stealing way too easy by Password-Recovery & SMS-verification | 2FA ignored | No limits

turple
New Community Member

Dear PayPal-Community and Team,

I like PayPal and have been using it for years, but I'm absolutely shocked right now as (I spelled my password wrong due to a keyboard problem) and it was
waaaay-to-eaaasy to Reset my Password

I didn't need anything but

- my E-mail-address (as login - this is kind of public information)

- and access to my Phone

 

A single SMS is absolutely not Safe enough to Protect a Payment-Service that has DIRECT and UNLIMITED (2.5k+) access to my Bank-account.

  • 2nd because Phones do get stolen and a thief may thus gain direct access to corresponding E-mail AND Phone-number (receiving SMS on dumb-phone might even work without any PIN)

 

Many Users may have insecure Passwords in the first place.

But for Users who take some effort to be kind of secure with a decent and unique Password,

PayPal offers a way cheaper backdoor for attackers. The Password-Recovery as of today is downgrading security below 1FA with a good password.

 

Looking for ways to close this Gap I found out that:

  1. I cannot just delete my Phone-Number.

  2. I can set up 2FA for LOGIN but it's ignored on Password reset. Less comfort, no security. This is ridiculous!

  3. I can save multiple E-mail-addresses in PayPal but I cannot decide which one should be available for account-recovery.
    So attackers can be sure the E-mail which needs to be (publicly) shared for payments will also work for account-recovery.

  4. I can save security-questions, but I can't delete them. (Like for the Phone Number (#1) this means no control about my data, without any advantage in security. Security Questions are another downgrade in Security)

  5. Next thing I wanted to do is set a daily limit for PayPal transactions. Not Possible. Only PayPal decides to limit some users (to 2.500€) to motivate them to fully validate and link their bank account to PayPal

  6. Next I tried to unlink PayPal-Account and Bank-Account and send Money to PayPal to use it in a PrePaid-Style. Turns out you CAN Send money to PayPal-Account but ONLY with and from a linked Bank-Account. (Don't know why I should send money to PayPal then but very funny as PayPal doesn't even care whether it's your Bank Account or someone else's you register PayPal Fraud - Attacker Using Someone Elses Bank Account for PayPal)

 

This is so many security Issues. Thinking of using PayPal for the past years feels like I've been attaching my Wallet on a string and pulling it over the ground behind my back. PayPal seems to be a backdoor to my online-banking account, avoiding all security mechanisms the bank installed. It's really hard to believe a global Payment-Provider offers no better security than Entertainment-Players like TikTok, Netflix, YouTube...

 

  • I don't even want 100% security (hardly possible, never convenient)

  • I want a daily-payment-limit that I can set by myself and THAT should be secured with 2FA (and delay?!)

  • I want to be able to use PayPal in a PrePaid-Way, to choose the risk I take.

  • I want to be able to choose the E-mail for Account-Recovery (and IF I want to use E-mail)

  • I want to choose if I use SMS and Security questions

  • I want recovery Codes that I can put physically in a safe place. To be able to avoid all other Account-Recoveries

  • I want to choose whether Customer Support is allowed to do Account-Recovery by Phone

  • Beyond-the-usual security-functions like lowering the daily limit for some days after a Password-Reset. Thus gaining time to Block the PayPal-Account / Contact Support after being informed of unauthorized access by mail.

  • I want to choose limits for single-click-payments, authorized payments, 2FA-authorized Payments

There's so many ways to do it better than it is now.

Please make a change.

So many People put their trust in your Service.

 

 
