
FYI: 2FA of PayPal is actually just 1FA.
You can reset your password using your 2FA phone number.
In conclusion, your money is vulnerable to SMS interception attacks. It has been like that for years.

So, why is 2FA or account recovery via SMS a really bad idea, you ask?
[Thread]

Most obvious attack vector: Someone could steal your phone. That's why you should enable the PIN lock of your SIM card. Also adjust your phone's privacy settings to hide text message content on your lock screen.

More advanced attacks include SIM Swapping or even SS7 spoofing.
Both are harder nowadays, but still feasible to anyone with social engineering skills or a Tor browser and some bitcoins, respectively.

SIM Swapping is when the attacker impersonates you to convince your mobile network operator to mail them another SIM card that's attached to your contract. (And that's even easier nowadays, thanks to eSIM!)

SS7 is a protocol from the 1970s that allows your mobile provider to know where to route a call, similar to BGP for the Internet.
It's also the technology which allows you to relocate your mobile phone number to a different provider.

SS7 Spoofing is when an attacker who has access to phone backbones registers your MSISDN (mobile number) to their phone network. This allows them to borrow your number. If they do it fast enough, you can't even notice it.
Attacks like that happen all the time.

PSA to all the website operators:
2FA relies on a secret "you have". You don't "have" a phone number, you rely on a third party to protect it.

Please implement real 2FA standards like U2F/FIDO or OATH (the protocol behind Google Authenticator).
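As an added example (not part of the thread, and not PayPal's or any OATH app's own code), here is the OATH scheme mentioned above, HOTP (RFC 4226) and TOTP (RFC 6238), in plain Python. It shows why this counts as a real "something you have": the shared seed lives only on the user's device and the server, and a code can be verified without any third party such as a carrier in the loop. The seed is the RFC test vector seed (so the values can be checked against the RFCs); the issuer and account name in the provisioning URI are made-up placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the RFC 4226 / RFC 6238 test seed ("12345678901234567890" in ASCII).
# A real deployment generates 20+ random bytes per user with secrets.token_bytes().
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(for_time) // step, digits, algo)


def provisioning_uri(secret: bytes, account: str, issuer: str, digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI as consumed by Google Authenticator and other OATH apps (base32 seed, padding stripped)."""
    seed = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={seed}&issuer={issuer}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


class TotpVerifier:
    """Server side: accepts a code within +/- `window` time steps of now and never
    accepts the same (or an older) step twice, so a sniffed code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.last_accepted_step = -1  # persisted per user in a real system

    def verify(self, code: str, now=None) -> bool:
        if not code.isdigit() or len(code) != self.digits:
            return False
        now = time.time() if now is None else now
        current = int(now) // self.step
        for step_counter in range(current - self.window, current + self.window + 1):
            if step_counter <= self.last_accepted_step:
                continue  # already used, or older than a used step: reject replays
            expected = hotp(self.secret, step_counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = step_counter
                return True
        return False


if __name__ == "__main__":
    # Hypothetical issuer/account, only for the demo URI.
    print(provisioning_uri(DEMO_SECRET, "alice@example.org", "ExampleShop"))
    print("current code:", totp(DEMO_SECRET, time.time()))
    v = TotpVerifier(DEMO_SECRET)
    print("RFC 6238 T=59 code accepted:", v.verify("287082", now=59))
    print("same code replayed:", v.verify("287082", now=70))
```

The verifier's replay check is the part most home-grown implementations forget: with a +/- 1 step window a code is valid for up to 90 seconds, which is plenty of time for an attacker who phished or shoulder-surfed it to reuse it unless the server remembers the last accepted step. None of this depends on a phone number, which is the point of the PSA above.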

Another PayPal gem: Your password is limited to 20 characters. Wouldn't surprise me if they store it plaintext...

@vidister I noticed the password length problem too...
Thankfully PayPal allows TOTP too for real 2FA

@jakob Yeah, TOTP which is useless since you can bypass it using..... SMS.

@vidister @jakob I have TOTP on my paypal-account without a phone number. Opened it before they requiered one, so it's probably not possibleto set up like that anymore, though

@tercean @vidister yeah I don't have my phone number set either in paypal. I didn't know that it would also allow to bypass totp using just the phone number... >.>
There was a genius at work while designing the system :P

@jakob @vidister well, the rationale is simple, if a user is locked out of their account they can't spend money and paypal can't have that, can they? So better make sure it's always easy to recover your password/token.

@vidister you can actually use TOTP for PayPal - it is totally hidden and as you already mentioned it might even be possible to reset it over SMS (which would obviously invalidate everything). But I haven't checked that yet - see chaos.social/@sqozz/1015340164 for details

@sqozz @vidister I just checked, you simply click on "Problems logging in" when PayPal asks for the TOTP code and you get an SMS instead. Yikes.

@L12C @vidister *sigh* I feared that this would be the case :/

@sqozz @vidister Pretty funny that you can explicitly enable or disable using your phone as an alternative method for getting a code, but if it's disabled you can still use your phone to get a code, the menu option is just labeled differently...

@vidister Actually 0FA, since you don't need a password, and you don't own your phone number.

chaos.social – a Fediverse instance for & by the Chaos community