PayPal's login security is a joke

This is just something really, really dumb. If you log in from an unfamiliar location, it will offer to send a code to your phone, among other things.

But the very screen that does that allows you to add a new phone number! And there is apparently no way to tell it not to allow new phone numbers.

Any scammer could just add some burner number. It adds no extra security at all with such an option.

It used to at least offer to send it to an email, IIRC. And it did not let you add a new email.

My paypal was compromised last year… I was getting odd email notifications, “your account has changed…” on which I did not open/click. They somehow changed everything in the account, but were not able to transfer funds/pay for anything. I called and had everything restored, and implemented a yubikey 2F authorization, etc.

My paypal was compromised (locked b/c of suspicious activity, same “your account has changed” notifications) again this year.

It still stands with the “locked due to suspicious activity” or whatever it’s called. I haven’t used it since.

My Paypal sends a code to my Authenticator app.

The only alternative way to log in (I checked) is to text my phone number, or to verify identity via photo ID. There is no option to add a new phone number at any point.

That’s because you have two factor enabled, I would presume. You had to set it up to use an authenticator app, as it can’t do that automatically.

This is just base PayPal. A lot of sites have this sort of partial two-factor where, if you use an unfamiliar browser, it forces you to get a code on your phone or email.

But no other site I’ve ever seen lets you add a new phone number, and then receive the code there! That makes the whole thing pointless. Might as well ignore that you used an unfamiliar browser.

If that is true, that is a joke. However, using SMS as your MFA method is also a joke. Assume anyone can read your text messages since it is almost true. Change to using better methods like auth apps. Also, fuck my bank that only allows SMS.

Of course I did. Not doing so is stupid. You should be Pitting people who choose awful security measures.

Again, I’m not seeing this. I don’t know what you did to enable that. I don’t have such an option.

This is like Pitting lock manufacturers because people might leave their doors unlocked.

FWIW, I tried it. I used a private window, logged into paypal, with my username and password, then when it wanted to send a code to my phone, I had the option of adding a new phone number. I don’t have a spare cell phone to see what happens, but I did enter an old disconnected landline number. While I did have to switch back to my cell phone number so I could actually log in, that landline number now appears to be on my account.

This was the screen I got after entering my email/password but before being fully logged in yet (since this is the 2FA part).
Next to my redacted phone number is a link that says “change”, clicking that makes the part on the right pop up, with an option to add a number. That second number is the one I added from this screen.

It does seem…odd.

If anyone has another cell phone they can use, I’d be interested to see if there’s any additional security checks. Otherwise it seems like a waste of resources to implement 2FA if anyone with the basic login credentials can choose the second factor.
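One way to close the gap the post above describes, written here as an added example that is not PayPal's code or anything posted in the thread: a step-up login session that refuses to enrol a new phone, or to send a code anywhere except an already verified number, until the second factor has been completed. Account data, phone numbers and class names are all constructed for the illustration.

```python
"""Added example, not from the thread: a minimal step-up login flow in which
a half-authenticated session cannot pick or enrol its own second factor."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Account:
    password: str                       # plaintext only for the demo
    verified_phones: list = field(default_factory=list)


class EnrollmentRefused(Exception):
    pass


class Session:
    """States: 'anonymous' -> 'password_ok' (challenge pending) -> 'authenticated'."""

    def __init__(self, account: Account, familiar_device: bool):
        self.account = account
        self.familiar_device = familiar_device
        self.state = "anonymous"
        self._pending_code = None

    def submit_password(self, password: str) -> str:
        if password != self.account.password:
            return "anonymous"
        # Known device: no step-up. Unknown device: a challenge is required.
        self.state = "authenticated" if self.familiar_device else "password_ok"
        return self.state

    def send_code(self, phone: str) -> str:
        # The weak design sends the code to whatever number the caller supplies.
        # Here the destination must already be a verified factor on the account.
        if self.state != "password_ok":
            raise EnrollmentRefused("no challenge pending")
        if phone not in self.account.verified_phones:
            raise EnrollmentRefused("code may only go to an already verified phone")
        self._pending_code = f"{secrets.randbelow(10**6):06d}"
        return self._pending_code   # returned for the demo; real code would SMS it

    def submit_code(self, code: str) -> str:
        if self.state == "password_ok" and code == self._pending_code:
            self.state = "authenticated"
        return self.state

    def add_phone(self, phone: str) -> bool:
        # The flaw in the thread: enrolment is offered on the challenge screen.
        # Fix: only a fully authenticated session may change the factor set.
        if self.state != "authenticated":
            raise EnrollmentRefused("complete the second factor before adding one")
        self.account.verified_phones.append(phone)
        return True
```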

I see… So to get there you need to submit your email but no password and ask for password help. I didn’t realize that was the process that leads to that, as that wasn’t described in the OP.

You said you couldn’t actually test what happens if you tried it. I’m curious as well. I wonder if there’s another obstacle to make this not actually function as a way to hack into an account.

I technically have 2 numbers since I have a work cell, but for some reason it said it couldn’t use my work number (it’s a Verizon cell phone number) so I couldn’t test either.

Nevermind

No, this screen appeared after correctly entering my username and password. But the problem is that it renders the 2FA useless.

It would be like hitting ‘forgot my password’ and them asking for an email address you’d like them to send the password reset info to.

But, again, I didn’t actually go past that screen. Maybe, hopefully, there’s some additional information required to verify you’re you.

No, it’s pitting a company for a bad practice. The fact that they also offer a higher security option that you can opt into doesn’t change that they are doing something extremely bad.

The proper analogy would be a lock company providing a bad lock. You can pop in and attack everyone for not buying the good lock. But it doesn’t change that they provide the bad lock.

And this lock is really bad. It lets you set the combination without opening it first. It’s that fucking stupid. It literally shouldn’t exist, as it’s functionally not a lock.

That hasn’t been proven to be true yet though. It looks like it would allow someone who knows your email address to hack you, but nobody has actually tested it yet.