I was minding my own business when I received an unexpected SMS from a random number:
"PayPal: xxxxxx is your security code. Don't share your code". I receive plenty of scam/spam SMS on a daily basis, so I assumed this was just another phishing attempt and didn’t think much of it.
Later on, I took another look at the SMS. On closer inspection I realised that it doesn’t fit the profile for a phishing attack as there’s no link to follow and no action to take. So if it isn’t a phishing attack, could it be a legitimate SMS from PayPal? And if so, what’s going on – has my PayPal password been compromised?
After a bit of searching, it turns out the SMS is legit, but my password hasn’t been compromised.
Let’s back up for a second. PayPal contains a lot of Personal Identifying Information (PII), is connected to my bank account, and contains detailed transaction history for purchases going back to the time I opened my account. With this in mind, I have both a complex password and TOTP to protect my account. These two measures should, in theory, keep my account super secure – even if someone managed to brute-force the unique random password on my account, they’d also need access to my authenticator app to complete the login. Forget these, because PayPal’s default* method of login is now passwordless with a one-time code sent via SMS. Yes, the very same medium that is generally considered unsafe for two-factor authentication is used by PayPal as the only factor, bypassing both password and TOTP. You cannot disable this method of login, and you cannot remove your phone number from your account.
To be clear, I’m not talking about 2FA over SMS, because that would still require your password. With PayPal’s new method of login, neither your password nor TOTP is required. You enter your email address or phone number, an SMS is sent to your phone, and this OTP alone grants full access to your account. It’s Single Factor Authentication over SMS with no way to opt out.
Incredibly, it gets worse. If a bad actor wanted to gain access to your account, they’d still need to know your phone number. PayPal helps them by partially revealing a significant portion of your phone number on the login screen after you’ve entered your email address.
Tested in Incognito – as soon as you enter an email address to log into PayPal, an SMS is immediately sent* and the phone number is partially revealed. Remember Mat Honan, whose digital life was destroyed when his iCloud account was wiped in a targeted attack? In that attack, the hacker used social engineering to obtain a partial credit card number from an Amazon employee which Apple then accepted as verification of identity. With PayPal, no such social engineering is required: half your phone number is revealed to anyone who merely enters your email address on the login screen.
Of course, PayPal also allows users to log in by entering their phone number. Now armed with a partial number, a bad actor needs only to enumerate the remaining digits to reveal your full phone number. It’s literally as if PayPal wants their users to get hacked.
It blows my mind that any information about an account is revealed before authentication. My personal opinion is that a login form shouldn’t even reveal the existence of an account until the user is authenticated.
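To make the point concrete, here is an added example (my own illustration, not PayPal’s code) that models the identifier step of a login flow two ways: a leaky version that behaves like the flow described above (confirms the account exists, shows a masked phone number and fires off an SMS), and a hardened version that discloses nothing until a first factor has been verified. The account store, emails and phone number are constructed sample data, and the `enumeration_oracle` self-check is a defender’s regression test for whether the step leaks account existence through its response or its side effects.

```python
from typing import Callable, Dict

# Constructed sample account store (not real data).
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "alice@example.com": {"phone": "+15551234567"},
}

SENT_SMS = []  # records every SMS the flow would send, so the self-check can see side effects


def send_sms(phone: str) -> None:
    SENT_SMS.append(phone)


def mask_phone(phone: str) -> str:
    """The common 'show the last digits' hint; the post explains why it is a liability."""
    return "*" * (len(phone) - 4) + phone[-4:]


def leaky_identifier_step(email: str) -> dict:
    """Models the flow described above: an email address alone confirms the account
    exists, reveals a partial phone number and triggers an SMS code."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return {"status": "no_account"}
    send_sms(acct["phone"])
    return {"status": "code_sent", "phone_hint": mask_phone(acct["phone"])}


def hardened_identifier_step(email: str) -> dict:
    """Hardened variant: the identifier step discloses nothing. The response is identical
    whether or not the email is registered, no hint is shown and no SMS is sent; an SMS
    code (if offered at all) would only be sent after a first factor has been verified."""
    ACCOUNTS.get(email)  # the lookup still happens, but its result never shapes the response
    return {"status": "continue"}


def enumeration_oracle(step: Callable[[str], dict]) -> bool:
    """Defender's self-check: returns True if the identifier step behaves differently for a
    registered and an unregistered email, in either the response body or the SMS side effect.
    (Timing differences are out of scope here; a real test would measure those too.)"""
    before = len(SENT_SMS)
    known = step("alice@example.com")
    sms_known = len(SENT_SMS) - before
    before = len(SENT_SMS)
    unknown = step("nobody@example.com")
    sms_unknown = len(SENT_SMS) - before
    return known != unknown or sms_known != sms_unknown
```

Running `enumeration_oracle` against each step shows the leaky version is distinguishable on both the body and the SMS side effect, while the hardened version is not.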
What can you do about all of this? Remove as much PII from PayPal as possible. Remove your credit cards & bank accounts. Create a custom email address just for PayPal. See if you can somehow use a different phone number for PayPal. However, the absolute best thing to do is close your PayPal account. SMS is a public unencrypted medium and the recipient is not guaranteed to be the account owner. Using this as the sole factor for authentication is absolutely not sufficient to protect what is effectively a bank account.
* After writing this article, it has been noted that most users are defaulted into the password flow instead of the passwordless one-time SMS flow, so I may have been part of an A/B test. Regardless, even if you’re defaulted into the regular password + TOTP flow, you’ll still have the option to “Try another way” or “Log in with a one-off code” which will push you into the one-time SMS flow and bypass your password + TOTP.