Throughout the week, I frequently work from various cafes around my neighborhood. It's a great way to vary up my scenery and keep my brain on task — and, let's be honest, drink many delicious beverages.
But it also means that cafe Wi-Fi networks, even when accessed through a VPN, can trigger various website security measures. I got one such measure today, when trying to log in to PayPal to check my balance. Unlike many of my accounts, I hadn't turned on two-step authentication for PayPal yet, so all I use to access to my account is a username and password. Instead of seeing PayPal's welcome screen, however, I got this:
"Serenity, we're looking out for you," the page read after I entered my credentials. Unusual log in, change your security details — not an abnormal warning to get when using a new Wi-Fi network.
What followed, however, was as abnormal a security measure as I'd seen: Rather than have me confirm my identity with a security question, phone call, text message, or emailed link, I was given an immediate password reset form.
If you know anything about social engineering attacks, your face at this point might look as horrified as mine certainly was upon looking at that form. Contrary to PayPal's goals, this is perhaps the worst way to secure a person's account I can think of: To prompt an immediate password reset — with no secondary identification confirmation — gives a potential attacker an immediate way to cut off access from your account.
Say someone used a social engineering hack to gain access to my PayPal credentials, then logged in with them in a public café: They might get PayPal's note, and then instantly be offered to change my password; my only warning would be a password reset email, and only recourse to call PayPal's consumer support number.
There are many, many better ways to do this: PayPal could ask users to confirm their identity with a second factor of identification, like another device, email account, or phone number; the company could ask you to answer a security question; or it could simply lock the account until you click on a link in your email or text message. None of these options are completely foolproof, but they're a damn sight better than just throwing up a password reset form upon suspicion of malicious activity.
Yes, PayPal does offer two-step authentication for users — which would theoretically save you from this warning and password reset —but two-step turns off the service's OneTouch feature; it's also hidden under the label "Security key" and not prominently advertised to its users. And potentially punishing the average person for not turning on two-step isn't fair.
PayPal, let me put it bluntly: This is a crazy, horrifying way to try and secure someone's account. I hope you change it soon; until then, I'm activating two-step on my PayPal account and encourage everyone else to do so ASAP.
How to turn on two-step authentication for PayPal
- Log in to PayPal.
Click on the Settings gear icon in the upper right corner.
- Select the Security tab.
Click on the Update link next to Security Key.
- Register a new phone number.
- Enter the six-digit security code sent to your mobile number.
- Press Done.
Now, whenever you log into PayPal, you'll need a six-digit key from your iPhone to proceed. This will also turn off PayPal's OneTouch feature.
I put in a request to the company's media relations line to find out why PayPal does security in this manner, and will update this story as I find out more.
We may earn a commission for purchases using our links. Learn more.
Apple releases iPadOS 13.5.1
Apple has released iPadOS 13.5.1, which fixes some security bugs.
Apple might be giving people a reason to upgrade their 2012 MacBook Pro
Anyone who still uses a 2012 MacBook Pro should probably look to upgrade it sooner rather than later following a report that claims Apple will label it "obsolete" this month.
New report backs up claims that we'll wait until October for iPhone 12
Apple would normally announce its new iPhones in September, but the coronavirus situation seems to have put paid to that. All eyes are now on October instead.
If you have run an Airbnb, you might need one of these smart locks
These smart locks provide both convenience and security for you and your guests at your Airbnb rental. Make managing things easier by assigning codes and app access with the best smart locks around.