If Someone Hacks into Your PayPal Account Can They Deactivate 2 Factor Authentication?

I just started using LastPass as my password manager and already had a weird occurrence, so I uninstalled it.
I don't like how it embeds into the browser and on password forms and fields, waiting to extract the sensitive info from it. I'm using an outdated build of W10 for various reasons, but I try to keep my antivirus and firewall updated.

Anyways, I tried logging into my pp account and for some reason I wasn't receiving the SMS security code messages from them. After a few failed attempts I called pp, who said my account was locked because an incorrect password had been entered too many times. This was not me because I auto save my passwords in Chrome. I also noticed that my mobile phone 2 step verification had been deactivated from within the security settings. PP couldn't give me an explanation for this but assured me my account was secure and that she did not detect any suspicious activity from their end.

This is why I like the way MS do security. You can see a list of recent log-ins to your account and clearly see the IP address, location and time of log-in. This helps me sleep at night. PP on the other hand are not as transparent as a company and their staff are not well trained. It took me about 10 minutes to explain to her that my mobile phone was deactivated through pp and not from my phone provider lol.

Her solution was for me to keep 2 factor disabled until they resolve my issue.

I think I need to change all my passwords again, in case my accounts have been compromised, especially ones with the same passwords :(

Comments

  • Probably by answering some security questions or calling them.
    Allow me to offer an alternate explanation for your problems:

    Too many incorrect guesses so they lock your account (okay.. so anyone can lock anyone else out) (No need to have 2 factor yet)
    The process in which your account was unlocked and/or password reset (maybe) disabled 2 factor.
    This is just a guess though I don't know how PayPal works.

    How is disabling 2 factor a solution?

    Maybe I misunderstand you.

    I'm using an outdated build of W10

    Probably crack :P Install Gentoo!

    • Solution so I could access my account. Every time she reset the login and I reactivated 2 step I could not log back in. Could be a strange glitch.

  • Whoever implemented the 2FA system in PayPal is a doofus. I have a Symantec security card that PayPal sent me a year ago (it's called the PayPal security key) but it sits unused because the 2FA authentication page simply fails to load when shopping on many other websites apart from eBay.

    It got annoying since I need to disable 2FA before I can successfully check out with PP.

    • I have the opposite problem - mine works on most sites but rarely on eBay! I have to disable it and enable it all the time. Frustrating as hell.

  • Update: I called PP again who advised me that it is a known problem and their technicians are currently working on resolving it. So it appears my account wasn't hacked after all. Still seems very strange though.

  • I remember reading a while back about a security issue with 2-factor authentication being circumvented if a user's PayPal and eBay credentials are known. Linking and unlinking the accounts (in eBay) enables access to PayPal without needing to confirm access with the security code. Perhaps change your eBay password for the time being if you have PayPal integrated (but they may have already fixed the issue).

    I can't comment directly on PayPal's implementation of 2-factor authentication (2FA) but knowing other 2FA software quite well, in theory it should at the very least prevent people from other countries accessing your account without confirmation. There would be lots of logs showing exactly what device was used, the location and the action (e.g. disabling 2FA).

    I recently turned it on for my Apple iCloud account (seeing that I will be implementing 2FA for my work I should really start using it myself) and that same day I stopped someone logging in from China.

    • You might wanna see Linus's video on what happens if you manage to lose your mobile phone number to somebody else.

      Results will not be pretty! It can be used as a single authentication method for lost / forgotten password requests.

      https://www.youtube.com/watch?v=LlcAHkjbARs

      • Yeah that sucks. Fortunately he got things sorted quickly. Amazon was quick to drop him though and he lost all his referral links (which is his "bread and butter" revenue stream).
