OK, now I understand how I got money stolen from my account last week. I started receiving SMS messages with PayPal security codes and then got an email notification about someone adding a card to my account and withdrawing $1.5k. 2FA was disabled because it doesn't work in Safari (including logging in from the PayPal iOS app, imagine this), so I blamed myself, turned it on, reported the unauthorized transaction to PayPal… and had $1.5k more withdrawn to a newly added card two days later! I'm still waiting for PayPal to investigate this case, and I wonder if I'll get my money back at all. I don't know if the SMS gateway to my non-US number is leaky or if the attacker just brute-forced the code, but here we are. I work in IT and was absolutely puzzled how someone could have accessed my account: I checked my email, connected services, etc. for hacks. Now that I know how it was done, it's absolutely crazy. How could something like this be allowed to be implemented in the first place?