I agree: providing direct login access strictly through a phone number (which have repeatedly been ported to a new, different account by social engineering) tied to a SIM card (which are easily spoofed and stolen) is a really bad security choice. Same goes for using them as part of two-factor authentication.

@Only1KW: one option to reduce the risk surface here is to only tell PayPal about a phone number associated with a VoIP account (many people use Google Voice for this, others are available). That doesn't rule out the "pretend to be you, port your number to a new service" attack, but it does avoid the SIM spoofing attack.