I was minding my own business when I received an SMS from a random number: “PayPal: xxxxxx is your security code. Don’t share your code”. I receive plenty of scam/spam SMS on a daily basis, so at first glance I assumed this was just another phishing attempt.
However, on closer inspection, the attack vector isn’t clear – there’s no link to follow and no action to take. So I started to think the SMS might be legit. Microsoft, for example, will send a 2FA code before validating the password (whyyy?). Or perhaps my PayPal password is in fact compromised.
After a bit of searching, it turns out the SMS is legit, but for neither of the reasons above.
PayPal contains a lot of PII, is connected to my bank account, and contains detailed transaction history. So I have a complex password and TOTP to protect my account. Forget these, because PayPal’s default* method of login is now passwordless with a one-time code sent via SMS. Yes, the very same medium that is generally considered unsafe for two-factor authentication is used by PayPal as the only factor, bypassing both password and TOTP. You cannot disable this method of login, and you cannot remove your phone number from your account.
To be clear, I’m not talking about 2FA over SMS, because your password isn’t required. The SMS OTP alone grants (what appears to be) full access to your account. It’s SFA over SMS with no way to opt out.
Incredibly, it gets worse. If a bad actor wanted to gain access to your account, they’d still need to know your phone number, and PayPal helps them by revealing a significant portion of your phone number on the login screen.
Tested in Incognito – as soon as you enter an email address to log into PayPal, an SMS is immediately sent* and the phone number is partially revealed. Remember Mat Honan, whose digital life was destroyed when his iCloud account was wiped in a targeted attack? In that attack, the hacker used social engineering to obtain a partial credit card number from an Amazon employee, which Apple then accepted as verification of identity. With PayPal no such social engineering is required: half your phone number is revealed to anyone who merely enters your email address on the login screen.
Of course, PayPal also allows users to log in by entering their phone number. Now armed with a partial number, a bad actor needs only to enumerate the remaining digits to reveal your full phone number. It’s literally as if PayPal wants their users to get hacked.
It blows my mind that any information about an account is revealed before authentication. My personal opinion is that a login form shouldn’t even reveal the existence of an account until the user is authenticated.
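As an added illustration (not PayPal’s code, and not from the original post), here is a toy login-identifier step that contrasts the flow described above with one that discloses nothing and sends nothing until a first factor has passed; the account data, hash scheme and masking format are constructed assumptions.

```python
# Added example: a leaky identifier step beside an enumeration-resistant one.
# ACCOUNTS, the masking format and the hashing are constructed for illustration.
import hashlib
import hmac

ACCOUNTS = {  # constructed sample data
    "alice@example.com": {"phone": "+15551234567",
                          "pw_hash": hashlib.sha256(b"correct horse").hexdigest()},
}
SENT_SMS = []  # records each phone number an OTP was "sent" to


def mask_phone(phone):
    # keeps country code and last four digits, like a typical "we sent a code to" hint
    return phone[:3] + "*" * (len(phone) - 7) + phone[-4:]


def leaky_identify(email):
    """The flow the post describes: an email alone triggers an SMS OTP and
    echoes a partial phone number back, before any authentication at all."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return {"status": "no_such_account"}  # also confirms account existence
    SENT_SMS.append(acct["phone"])
    return {"status": "code_sent", "phone_hint": mask_phone(acct["phone"])}


def hardened_identify(email):
    """Identical response whether or not the account exists: nothing is sent
    and nothing about the account is disclosed at this step."""
    return {"status": "continue"}


def hardened_password_step(email, password):
    """First factor must pass before any second-factor message is dispatched."""
    acct = ACCOUNTS.get(email)
    # compare against a dummy hash when the account is missing so that the
    # response shape and work done do not distinguish the two cases
    expected = acct["pw_hash"] if acct else hashlib.sha256(b"dummy").hexdigest()
    supplied = hashlib.sha256(password.encode()).hexdigest()
    ok = hmac.compare_digest(supplied, expected)
    if not (acct and ok):
        return {"status": "invalid_credentials"}
    SENT_SMS.append(acct["phone"])  # second factor only now, and only to the owner
    return {"status": "second_factor_required"}  # still no phone hint in the reply
```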
What can you do about all of this? Remove as much PII from PayPal as possible. Remove your credit cards & bank accounts. Create a custom email address just for PayPal. See if you can somehow use a different number for PayPal. However, the absolute best thing to do is close your PayPal account. SMS is a public medium and the recipient is not guaranteed to be the account owner. Using this as the sole factor for authentication is absolutely not sufficient to protect what is effectively a bank account.
* After writing this article, it has been noted that most users are defaulted into the password flow instead of the passwordless one-time SMS flow, so I may have been part of an A/B test. Regardless, even if you’re defaulted into the regular password + TOTP flow, you’ll still have the option to “Try another way” or “Log in with a one-off code” which will push you into the one-time SMS flow and bypass your password + TOTP.