Remember when PayPal was a cool new company dedicated to radically improving online payments? Seems like it was ages ago. Now PayPal is little better than then bloated banks it sought to overthrow. Arcane bureaucracy, impenetrable fees, and a lamentable approach to security.
I was minded recently to switch on 2-Factor-Authentication (2FA) for all my accounts. Whenever I want to log in, I give my username and password - then I receive a text message which can only be used once.
With help from a third-party site, I found out how to turn it on. Minus five points for Hufflepuff there.
Now, when I try to log in via the web, PayPal will send me a text message - a welcome measure of security!
Unless, of course, I try logging in via the mobile web.
What band of chuckle-fucks thought that this was an acceptable solution? There's no technological reason not to have this page trigger an SMS - indeed some other mobile pages are quite happy to let me use 2FA.
I switched my mobile browser into desktop mode and was able to complete the transaction. What a farce.
PayPal is now a twisted nest of technologies - some of which can never be updated for fear of bringing the whole crumbling edifice crashing to the ground. If PayPal really cared about your security then they'd make switching on and using 2FA as easy as possible. Instead, they've done the bare minimum to tick a box in the product feature list and not bothered to test it thoroughly.
There is currently no way to report security issues like this to PayPal - their page at https://www.paypal.com/webapps/mpp/security/reporting-security-issues has been broken for months.
I eventually found an email address for them and, after some toing-and-froing, I got this response:
PayPal needs to make the usability of its security a priority. At the moment, it is failing.