
I'm by no means an expert in this field, or even well versed, but if it's possible to do this, I can't comprehend how Paypal allows it.

Say you have 2 factor authentication on, with your phone set up as the device.

You lose your phone and someone finds it. They quickly open the email, see you have a Paypal account, and decide to access it.

They go on Paypal, click "forgot password". Paypal gives a few options to confirm you're the owner:

  • have them call you
  • answer security questions
  • receive an SMS text with a confirmation Code

The person already has your phone, so they go for the SMS option. They get the SMS text with the code, reset the password, and they're in.

Really? That's it? Losing the phone you use for 2 Factor Authentication basically means you can have a stranger quickly go into your account if they find it?

This is so blatantly stupid... If one wants to reset the password, questions should always be asked, no matter whether they have the 2FA device or not.

Anders
Alex

  • Is this just a rant or do you actually have a question? – Lie Ryan Apr 06 '18 at 11:45
  • `I can't comprehend how Paypal allows it.` The security of your account is a **shared** responsibility. When you choose to have your phone as your recovery option, you assume the responsibility to keep your phone secure. This usually means you should set a sufficiently strong lock screen on your device. Your money is your responsibility. You are ultimately responsible for choosing the security that suits your own situation, not Paypal. – Lie Ryan Apr 06 '18 at 12:01
  • The real problem with their 2FA as far as I can see is that it's not 2FA. You can just click "answer security questions instead", and it becomes 1FA. Password + first pet + mother's maiden name is NOT 2FA, so the whole thing is pointless. Makes me sad. And I wish they'd use Google Authenticator rather than a tedious SMS. – Codemonkey Aug 17 '18 at 11:05

2 Answers

Yes, it is. If you have your emails unprotected on your phone and use your phone as the second factor, your phone actually becomes the only factor. So use a PIN to protect your phone and encrypt it - or do not use the phone at all.

Or you should have pre-defined certain measures for the case of losing your phone (like resetting your email password, so that your phone will not receive any emails anymore).

Many years ago Paypal provided a hardware token as 2FA. I have one for one account and it is fine. The problem is: they do not anymore. The next problem is that Paypal obviously has a bad SMS gateway. Sometimes it takes ages for the text message to arrive. Too bad, if you want to "quickly" send some money.

Anders
cornelinux

> Really? That's it? Losing the phone you use for 2 Factor Authentication basically means you can have a stranger quickly go into your account if they find it?

The phone is both the second factor and has access to the other factors.

Not having some kind of PIN, password, face ID, touch ID, or other lock mechanism on the phone is the problem you're actually faced with. If you're going to use your phone as a security device, treat it like a security device. Use a lock.

Even without PayPal 2FA (and any other), you've got many and varied problems if someone can find your phone, unlock it easily (or not have a lock at all), and retrieve your email: every site which allows email-based password reset is now available to the finder, and a shopping spree on Amazon or similar would be an easy next step.

TristanK
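The point both answers make (the phone is the second factor *and* holds the channels that recover the first) can be checked mechanically by asking, for each login or recovery path, how many independent holders an attacker would need to compromise. The following Python model is an added example, not code from the question, the answers or PayPal; the path names, the `LOCATION` map and the idea that a lock screen adds the owner's memory as a second holder are all assumptions made for illustration.

```python
"""Count independent 'holders' (phone, owner's memory, ...) an attacker must
control to get through each login/recovery path described in the question.
Constructed model: names and the LOCATION map are assumptions, not PayPal's
real policy."""
from typing import Dict, FrozenSet, Iterable, List, Set

# Where each secret or channel ultimately lives.  A value that is itself a key
# means "reachable through that thing": the inbox is reachable through the phone.
LOCATION: Dict[str, str] = {
    "password": "memory",          # only the owner knows it
    "security_answers": "memory",  # first pet, mother's maiden name ...
    "sms_code": "phone",           # delivered to the device
    "phone_call": "phone",         # same device as the SMS
    "email_reset_link": "inbox",   # delivered to the mailbox
    "inbox": "phone",              # mail app is logged in on the phone
}

# Paths as described on the page: normal login plus the "forgot password"
# options, and the "answer security questions instead" path from the comments.
PATHS: Dict[str, Set[str]] = {
    "normal_login": {"password", "sms_code"},
    "reset_via_sms": {"sms_code"},
    "reset_via_call": {"phone_call"},
    "reset_via_questions": {"security_answers"},
    "login_questions_as_2nd_factor": {"password", "security_answers"},
}

# The asker's proposal: questions are always asked, even with the 2FA device.
PROPOSED_PATHS: Dict[str, Set[str]] = {
    "normal_login": {"password", "sms_code"},
    "reset_via_sms": {"sms_code", "security_answers"},
}

# TristanK's wider point: any other site that resets via e-mail alone.
OTHER_SITE_PATHS: Dict[str, Set[str]] = {"email_reset": {"email_reset_link"}}


def root_holder(item: str) -> str:
    """Follow the LOCATION chain until a physical or mental root is reached."""
    seen = set()
    while item in LOCATION and item not in seen:
        seen.add(item)
        item = LOCATION[item]
    return item


def holders(required: Iterable[str], lock_screen: bool = False) -> FrozenSet[str]:
    """Set of independent holders needed to satisfy every required item."""
    roots = {root_holder(r) for r in required}
    if lock_screen and "phone" in roots:
        roots.add("memory")  # PIN/biometric: using the phone also needs the owner
    return frozenset(roots)


def factor_count(required: Iterable[str], lock_screen: bool = False) -> int:
    """Effective number of independent factors behind a path."""
    return len(holders(required, lock_screen))


def paths_open_to(paths: Dict[str, Set[str]], controlled: Set[str],
                  lock_screen: bool = False) -> List[str]:
    """Paths an attacker controlling exactly `controlled` holders can complete."""
    return sorted(name for name, req in paths.items()
                  if holders(req, lock_screen) <= controlled)


if __name__ == "__main__":
    finder = {"phone"}  # someone who picked up the lost phone
    print("unlocked phone, current rules :", paths_open_to(PATHS, finder))
    print("locked phone,   current rules :", paths_open_to(PATHS, finder, True))
    print("unlocked phone, proposed rules:", paths_open_to(PROPOSED_PATHS, finder))
    print("unlocked phone, other sites   :", paths_open_to(OTHER_SITE_PATHS, finder))
    for name, req in PATHS.items():
        print(f"{name}: {factor_count(req)} independent factor(s)")
```

Run as a script it lists which paths a finder of the unlocked phone can complete (the SMS and phone-call resets), that a lock screen closes all of them in this model, and that the proposed "always ask the questions" rule would also close them. `factor_count` makes Codemonkey's comment concrete: password plus security answers both root in the owner's memory, so that path counts as one factor, not two.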