Monday, October 3, 2022

Tell HN: PayPal now allows to bypass 2FA with a SMS login

Last week I started receiving SMS with PayPal security codes and then got a notification about someone adding a card to my account and withdrawing $1.5k.

2FA was disabled because it doesn't work in Safari (including logging in from their iOS app, imagine this), so I blamed myself, turned it on, reported the unauthorized transaction to PayPal… and had $1.5k more withdrawn to a newly added card two days later!

Apparently, there is an option of an SMS-based login(!!!) where they send you a 6-digit code that allows for a login without 2FA: https://ift.tt/xXPdDvo

I don't know if the SMS gateway to my Chilean number is leaky or if they just brute-forced the code, but here we are. Also, no confirmation is needed to add new cards and make withdrawals even when 2FA is enabled.

(Yes, I know keeping money at non-bank payment services isn't good, but withdrawing it from there meant a conversion to my local currency which nowadays devalues much faster than USD. Greed got me.)

You can partially switch this feature off by switching to email codes: https://ift.tt/wJDljgO


Comments URL: https://news.ycombinator.com/item?id=33072443


from Hacker News: Newest https://ift.tt/GpL5D9S
via IFTTT
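On the brute-force possibility raised in the post, here is an added example (not part of the original post, and not PayPal's code) of a server-side check for 6-digit SMS login codes that caps guesses per code, plus the arithmetic for how the odds of a blind guess grow with the number of codes requested. The class name, function names, `MAX_ATTEMPTS` and `CODE_TTL` are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5   # assumed policy: guesses allowed per issued code
CODE_TTL = 300     # assumed policy: seconds a code stays valid


class SmsCodeVerifier:
    """Issues 6-digit login codes; a code dies on success, expiry or its last failed guess."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # account -> [code_digest, expires_at, attempts_left]

    def issue(self, account):
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, uniform over 000000-999999
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[account] = [digest, self._clock() + CODE_TTL, MAX_ATTEMPTS]
        return code  # goes to the SMS gateway only; a new code replaces the old one

    def verify(self, account, guess):
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[account]
            return False
        entry[2] -= 1  # count the attempt before comparing
        # Fixed-length digests keep the comparison constant-time for any input.
        ok = hmac.compare_digest(digest, hashlib.sha256(guess.encode()).digest())
        if ok or entry[2] == 0:
            del self._pending[account]  # single use; burned after the last guess
        return ok


def guess_success_probability(attempts_per_code, codes_requested, digits=6):
    """Chance that blind guessing hits at least one of the requested codes."""
    space = 10**digits
    per_code = min(attempts_per_code, space) / space
    return 1 - (1 - per_code) ** codes_requested
```

With five guesses per code the chance per code is 5 in 1,000,000, but it compounds with every code an unauthenticated party can request, so code issuance needs its own rate limit and the account owner needs an alert on repeated requests.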
