Last week I started receiving SMS with PayPal security codes and then got a notification about someone adding a card to my account and withdrawing $1.5k.
2FA was disabled because it doesn't work in Safari (including logging in from their iOS app, imagine this), so I blamed myself, turned it on, reported the unauthorized transaction to PayPal… and had $1.5k more withdrawn to a newly added card two days later!
Apparently, there is an option of an SMS-based login(!!!) where they send you a 6-digit code that allows for a login without 2FA: https://ift.tt/xXPdDvo
I don't know if the SMS gateway to my Chilean number is leaky or if they just brute-forced the code, but here we are. Also, no confirmation is needed to add new cards and make withdrawals even when 2FA is enabled.
(Yes, I know keeping money at non-bank payment services isn't good, but withdrawing it from there meant a conversion to my local currency which nowadays devalues much faster than USD. Greed got me.)
You can partially switch this feature off by switching to email codes: https://ift.tt/wJDljgO
Comments URL: https://news.ycombinator.com/item?id=33072443