PayPal doesn't care about 2FA security


Remember when PayPal was a cool new company dedicated to radically improving online payments? Seems like it was ages ago. Now PayPal is little better than then bloated banks it sought to overthrow. Arcane bureaucracy, impenetrable fees, and a lamentable approach to security.

I was minded recently to switch on 2-Factor-Authentication (2FA) for all my accounts. Whenever I want to log in, I give my username and password - then I receive a text message which can only be used once.

Searching for 2FA on PayPal doesn't return any results - nor does searching for SMS. *sigh* Ah! Wait! They call it "Security Key" - perhaps if I search for that… Nope. Nothing.

With help from a third-party site, I found out how to turn it on. Minus five points for Hufflepuff there.

Now, when I try to log in via the web, PayPal will send me a text message - a welcome measure of security!
Receive a Text from PayPal

Unless, of course, I try logging in via the mobile web.
PayPal doesn't accept 2FA-
What band of chuckle-fucks thought that this was an acceptable solution? There's no technological reason not to have this page trigger an SMS - indeed some other mobile pages are quite happy to let me use 2FA.

I switched my mobile browser into desktop mode and was able to complete the transaction. What a farce.

PayPal is now a twisted nest of technologies - some of which can never be updated for fear of bringing the whole crumbling edifice crashing to the ground. If PayPal really cared about your security then they'd make switching on and using 2FA as easy as possible. Instead, they've done the bare minimum to tick a box in the product feature list and not bothered to test it thoroughly.

There is currently no way to report security issues like this to PayPal - their page at https://www.paypal.com/webapps/mpp/security/reporting-security-issues has been broken for months.

I eventually found an email address for them and, after some toing-and-froing, I got this response:

If a customer has setup 2FA and it will not work they are directed to use the desktop version for their own protection. This is not a security issue.   We take pride in keeping PayPal the safer place for online payment.   Thanks, PayPal Bug Bounty Team

PayPal needs to make the usability of its security a priority. At the moment, it is failing.

3 thoughts on “PayPal doesn't care about 2FA security

  1. I suppose the justification is that if the a purchase is being made from a mobile device, it is probably the device which is configured for SMS. Therefore is somebody has stolen your phone and is trying to make a purchase (and the mobile web browser has remembered your password), then the 2FA system becomes moot/insecure. I'm not necessarily agreeing with the policy, but I can see how it could make some sense...

    1. It *would* make sense, if it worked consistently. One some mobile pages I'm able to get my 2FA code sent to me - on others it just doesn't work.

      And, as I found out, you can switch your mobile browser to desktop mode and get the code sent anyway.

  2. That's crazy, you can easily send special user agent strings and choose mobile URLs; therefore being able to totally avoid 2FA. Stupid!

What do you reckon?