Does a PayPal representative read these community concerns? I am new here (I have never had a problem or concern like this before), but it is very surprising to me that this concern has not received a reply. However, I do not have any doubt that PayPal doesn't understand the importance of implementing FIDO 2FA (two-factor authentication). This much is very clear.

Dear PayPal representative, if you read this, then put this at the top of your list! Trust us.

I am embarrassed to know that FIDO U2F and FIDO2 authentication options are not available on this platform. I am actually a bit surprised that one or the other is not MANDATORY! PayPal executives are saying we have insurance for the accounts that get hacked. That view completely ignores the financial privacy of anyone that has ever used PayPal. Shame on you, PayPal, for this recklessness.

If you go to this website: https://fidoalliance.org/members/ , you will see that PayPal is a "Board Level Member." This is the FIDO Alliance. Yet PayPal doesn't allow us to use these FIDO certified devices to secure our own and our customers' financial privacy. For your convenience, here is a photo of that page:

This quote below, from the article https://www.darkreading.com/endpoint/i-hacked-my-accounts-using-my-mobile-number-heres-what-i-learned/a/d-id/1336315 , from a director at a cyber-risk investigations company and a former FBI cyber analyst, destroys the claim that SMS 2FA is secure.

"Lessons Learned: What did I learn from hacking my accounts with my mobile phone? Mainly, if my accounts hadn't been linked to my mobile phone and were solely protected by the complex passwords I use, they would have been more secure."

You may have a very secure long passphrase as your PayPal password. But an attacker just gives $20 to a minimum wage helpdesk employee at your cell phone provider and your phone number gets transferred to a phone in Germany. This happened while you slept, and all your passwords that can be reset via a cell phone have been changed. You can't access your cell phone account because you are calling from a different number and you don't know the PIN, password or the new German address. PayPal will send you an SMS or email to reset your password. But your email account passwords have been changed too. This is just one way it can happen.

There are many other attack vectors that will result in loss of access to your PayPal account and the pilfering of the financial contents thereof. The only thing worse than using SMS for a password reset is using your mother's maiden name. PayPal may not see this coming, but this reckless behavior is circulating among security researchers as I speak. See this for example: https://techbeacon.com/security/sim-swapping-researchers-name-shame-sms-2fa-fails

It should floor everyone that a board level member of the FIDO Alliance is not proactively advocating, teaching and bringing to its members this very technology. PayPal is taking this a step further by not allowing it.

This technology works very well too. Google gave 85,000 employees FIDO security keys ($15 each) in early 2017, when it began requiring all employees to use physical security keys in place of passwords and one-time codes (TOTP). Today, not a single account has been breached. Google it!

If our customers were to know that their private financial information was NOT protected by proven and effective security measures that are very easy to implement, but is actually easier to hack than their email account... I just don't know what to say at this point.

PayPal allows TOTP, but that wastes millions of person-hours a year. It is slow and it is not secure enough for my customers! Here is an article that shows one way TOTP fails: https://www.itproportal.com/features/three-ways-attackers-get-around-totp-authentication/ Yes, that was a few months ago and it is still in the wild.

I guess this is the size limit on a post in PayPal's forum here. I only have one more line available to me.
Maybe someone that cares will see this and PayPal will make a change for the betterment of everyone that uses its service.
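The post asserts that TOTP codes can be bypassed while FIDO security keys cannot, but does not show the mechanism. The following is an added example (not code from the post's author, from PayPal, or from the FIDO Alliance) that demonstrates the property behind that claim: a TOTP verifier only checks that a code is valid for the current time window, so a code relayed from a look-alike login page is accepted; a FIDO/WebAuthn-style response has the page origin included in the signed data, so a response produced for a different origin is rejected. The TOTP code follows RFC 6238 with only the standard library; the authenticator signature is simplified to an HMAC keyed by a per-site secret (real authenticators use an asymmetric key pair, which does not change the origin-binding property shown). All secrets, origins and timestamps are constructed for the example.

```python
"""
Added example: why an origin-bound challenge/response (the FIDO/WebAuthn model)
resists a relayed login while a TOTP code does not.

Assumptions (constructed for this example, not from the post):
  * TOTP per RFC 6238: HMAC-SHA1, 30-second step, 6 digits, +/-1 step of drift.
  * The authenticator "signature" is HMAC-SHA256 over (challenge, origin) with a
    per-credential secret; a real FIDO authenticator signs with a private key
    but the origin is part of the signed data in exactly the same way.
"""
import base64
import hashlib
import hmac
import struct

TOTP_STEP = 30      # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6     # code length


def totp_code(secret_b32: str, at: int) -> str:
    """Compute the RFC 6238 code for the time step containing Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // TOTP_STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def totp_verify(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or its neighbours.

    Note what is NOT checked: where the user typed the code. Any party holding a
    fresh code can present it to the real service within the window.
    """
    return any(
        hmac.compare_digest(totp_code(secret_b32, at + d * TOTP_STEP), code)
        for d in range(-window, window + 1)
    )


def authenticator_sign(credential_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Simplified authenticator: the browser supplies the origin of the page that
    requested the login, and it becomes part of the signed message."""
    msg = challenge + b"|" + origin.encode("utf-8")
    return hmac.new(credential_key, msg, hashlib.sha256).digest()


def relying_party_verify(credential_key: bytes, challenge: bytes,
                         expected_origin: str, signature: bytes) -> bool:
    """Relying party check: recompute over the origin it expects and compare."""
    expected = authenticator_sign(credential_key, challenge, expected_origin)
    return hmac.compare_digest(expected, signature)


# --- Scenario: user logs in on a look-alike page that relays to the real site ---
REAL_ORIGIN = "https://pay.example"          # constructed
LOOKALIKE_ORIGIN = "https://pay-example.test"  # constructed
TOTP_SECRET = "JBSWY3DPEHPK3PXP"               # constructed enrolment secret
CREDENTIAL_KEY = b"constructed-per-site-credential-key"
NOW = 1_700_000_000                            # constructed Unix time


def accepts_relayed_totp(now: int = NOW) -> bool:
    """The user types a valid code into the look-alike page; the relay forwards
    it to the real site 10 seconds later. Returns True if the real site accepts."""
    code_typed_on_lookalike = totp_code(TOTP_SECRET, now)
    return totp_verify(TOTP_SECRET, code_typed_on_lookalike, now + 10)


def accepts_relayed_assertion() -> bool:
    """The real site issues a challenge, the relay forwards it to the look-alike
    page, the user's authenticator signs it for the origin the browser actually
    shows. Returns True if the real site accepts the relayed response."""
    challenge = hashlib.sha256(b"constructed-server-challenge").digest()
    signed_on_lookalike = authenticator_sign(CREDENTIAL_KEY, challenge, LOOKALIKE_ORIGIN)
    return relying_party_verify(CREDENTIAL_KEY, challenge, REAL_ORIGIN, signed_on_lookalike)


def accepts_genuine_assertion() -> bool:
    """Control case: the same flow on the genuine origin is accepted."""
    challenge = hashlib.sha256(b"constructed-server-challenge").digest()
    signed_on_real = authenticator_sign(CREDENTIAL_KEY, challenge, REAL_ORIGIN)
    return relying_party_verify(CREDENTIAL_KEY, challenge, REAL_ORIGIN, signed_on_real)


if __name__ == "__main__":
    print("relayed TOTP accepted by real site:", accepts_relayed_totp())          # True
    print("relayed FIDO-style response accepted:", accepts_relayed_assertion())   # False
    print("genuine FIDO-style response accepted:", accepts_genuine_assertion())   # True
```

The takeaway for a service operator is that the relay succeeds against TOTP without any flaw in the TOTP implementation; the code is simply not tied to the site the user is interacting with. The origin-bound check fails the relayed response because the browser, not the user, reports the origin, and the relying party recomputes over the origin it owns.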