PayPal, this is the wrong way to do password security

Throughout the week, I frequently work from various cafes around my neighborhood. It's a great way to vary up my scenery and keep my brain on task — and, let's be honest, drink many delicious beverages.

But it also means that cafe Wi-Fi networks, even when accessed through a VPN, can trigger various website security measures. I got one such measure today, when trying to log in to PayPal to check my balance. Unlike many of my accounts, I hadn't turned on two-step authentication for PayPal yet, so all I use to access my account is a username and password. Instead of seeing PayPal's welcome screen, however, I got this:

"Serenity, we're looking out for you," the page read after I entered my credentials. Unusual log in, change your security details — not an abnormal warning to get when using a new Wi-Fi network.

What followed, however, was as abnormal a security measure as I'd seen: Rather than have me confirm my identity with a security question, phone call, text message, or emailed link, I was given an immediate password reset form.

If you know anything about social engineering attacks, your face at this point might look as horrified as mine certainly was upon seeing that form. Contrary to PayPal's goals, this is perhaps the worst way to secure a person's account I can think of: Prompting an immediate password reset — with no secondary identity confirmation — gives a potential attacker an immediate way to cut off your access to your account.

Say someone used a social engineering hack to gain access to my PayPal credentials, then logged in with them in a public café: They might get PayPal's note, and then instantly be offered the chance to change my password; my only warning would be a password reset email, and my only recourse would be to call PayPal's consumer support number.

There are many, many better ways to do this: PayPal could ask users to confirm their identity with a second factor of identification, like another device, email account, or phone number; the company could ask you to answer a security question; or it could simply lock the account until you click on a link in your email or text message. None of these options are completely foolproof, but they're a damn sight better than just throwing up a password reset form upon suspicion of malicious activity.
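As an added illustration (not PayPal's code, and not from the original post), here is a small Python model of the two policies contrasted above: a "weak" policy that drops a suspicious login straight onto a password-reset form, and a step-up policy where a suspicious login only gets a restricted session that must pass a one-time code sent out of band before a password change is allowed. The device/network checks, the code lifetime and attempt limit, and the `sent_codes` list standing in for the SMS/email channel are all assumptions made for the example.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300    # assumed policy: a one-time code is valid for five minutes
MAX_OTP_ATTEMPTS = 5     # assumed policy: challenge is discarded after five wrong codes

class LoginFlow:
    """'weak': suspicious login -> password-reset form with no further proof.
    'stepup': suspicious login -> restricted session; password changes stay
    locked until a one-time code delivered out of band has been entered."""

    def __init__(self, policy):
        self.policy = policy
        self.pending = {}       # session id -> {"code", "expires", "tries"}
        self.verified = set()   # session ids allowed to reach account settings
        self.sent_codes = []    # stand-in for the SMS/email channel: (session, code)

    def login(self, known_device, known_network, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(16)
        if known_device and known_network:
            self.verified.add(sid)
            return {"session": sid, "next": "welcome"}
        if self.policy == "weak":
            # The behaviour the article objects to: anyone holding the password
            # is handed the reset form, and the session is already fully trusted.
            self.verified.add(sid)
            return {"session": sid, "next": "password_reset_form"}
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[sid] = {"code": code, "expires": now + OTP_TTL_SECONDS, "tries": 0}
        self.sent_codes.append((sid, code))          # "sent" to the user's phone/email
        return {"session": sid, "next": "second_factor_challenge"}

    def verify_code(self, sid, submitted, now=None):
        now = time.time() if now is None else now
        challenge = self.pending.get(sid)
        if challenge is None or now > challenge["expires"] or challenge["tries"] >= MAX_OTP_ATTEMPTS:
            self.pending.pop(sid, None)   # unknown, expired or exhausted: user must log in again
            return False
        challenge["tries"] += 1
        if hmac.compare_digest(challenge["code"], str(submitted)):   # constant-time compare
            self.pending.pop(sid)         # a code is single use
            self.verified.add(sid)
            return True
        return False

    def can_change_password(self, sid):
        return sid in self.verified
```

Under the step-up policy a stolen password alone never reaches the password-change step; under the weak policy it does, which is exactly the gap the article describes.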

Yes, PayPal does offer two-step authentication for users — which would theoretically save you from this warning and password reset — but two-step turns off the service's OneTouch feature; it's also hidden under the label "Security key" and not prominently advertised to users. And potentially punishing the average person for not turning on two-step isn't fair.

PayPal, let me put it bluntly: This is a crazy, horrifying way to try and secure someone's account. I hope you change it soon; until then, I'm activating two-step on my PayPal account and encourage everyone else to do so ASAP.

How to turn on two-step authentication for PayPal

  1. Log in to PayPal.
  2. Click on the Settings gear icon in the upper right corner.
  3. Select the Security tab.
  4. Click on the Update link next to Security Key.
  5. Register a new phone number.
  6. Enter the six-digit security code sent to your mobile number.
  7. Press Done.

Now, whenever you log into PayPal, you'll need a six-digit key from your iPhone to proceed. This will also turn off PayPal's OneTouch feature.

I put in a request to the company's media relations line to find out why PayPal does security in this manner, and will update this story as I find out more.

Serenity was formerly the Managing Editor at iMore, and now works for Apple. She's been talking, writing about, and tinkering with Apple products since she was old enough to double-click. In her spare time, she sketches, sings, and in her secret superhero life, plays roller derby. Follow her on Twitter @settern.

16 Comments
  • Wow, now that is insane! I would never log into my PayPal account using public Wi-Fi, though. Thanks for the tip.
  • I think you missed an important point. She was using a VPN; an encrypted connection. Your home IP address is *not* static, meaning this prompt could, theoretically, pop up randomly at home.
  • I'd normally use 2FA on my important/sensitive accounts, but weirdly I don't use it on my PayPal account (forgot what reason). But I guess it's time to ensure my PayPal's 2FA is activated as this is rather worrying. Thanks for bringing this to readers' attention!
  • Are you sure this isn't a phishing scam? Sent from the iMore App
  • Certificate looks good from the screenshot. ✓
  • I may get flak on this. Never, and I mean never, check any bank, credit card, PayPal, or any secure information on a cafe wifi system. It can wait until you're home, or if you trust your carrier, and just need to know, turn off wifi. It is not worth the risk, and two step can be a pain, but turn it on. Sent from the iMore App
  • Absolutely true. She was using a VPN, though. Her connection, in theory, was encrypted. https://arstechnica.com/security/2017/01/majority-of-android-vpns-cant-b...
  • Yes... and no. She's "safe" (who is totally anyway!) when actually on the VPN transport. The danger lies in that small window of time between her Mac being connected to the WiFi and when she's actually connected to the VPN. In this critical small window, your Mac can be fooled and be connected to a rogue WiFi in a van nearby using the same SSID as the cafe. So between the initial connection and the activation of the VPN, critical non-encrypted information can be available to the "bad guys".
  • Which probably was not when she was on PayPal. Plus the VPN and PayPal need to be verified via certificates.
  • PayPal needs to fix a lot of issues with their site. That 2FA should really give you the option to use Authy or Google Authenticator or the token generator of your choice and not just have a text message for 2FA, and the way they implement 2FA is that you have to enter that 2FA code every time you log in, with no option to "remember this device". Very poor implementation of password security & 2FA.
  • I totally agree. I have been very frustrated with their security processes. Sometimes locking fund transfer for days. It's a waste of time having a phone authenticated when you are travelling and changing phone numbers around the world. As stated, it needs to be Google Authenticator or equivalent.
  • Agreed 100%. SMS for 2FA is so 2013. ;)
  • Gross negligence. Also a lawsuit waiting to happen. Be careful with 2FA. LinkedIn uses your phone number for 2FA, but also adds it to their profile on you. That said, indeed, set up Authy or a similar service now.
  • I never trust Paypal with anything but my credit card, and that has a low credit limit.
  • I don't work for PayPal, nor am I super-sympathetic to them, but some important details are missing from the original post, and I suspect that what PayPal did here wasn't actually wrong, at least not from a technical/security perspective. For example, let's assume the poster was logging in from a machine she'd used frequently with PayPal, from a location at or near where she'd used PayPal in the past (seems consistent with what few details are given in her post, i.e., public IP address would match recent activity due to VPN). Let's also assume that someone in a totally different location had entered the correct username and password for her account just a few minutes or hours earlier. PayPal wasn't sure a few minutes ago that the other-location login was illegitimate, especially since the poster mentions that she travels a fair amount, but when they suddenly saw her show up again in her usual location, they suspected something was wrong with the login from the other location, and wanted to give her a way to keep the bad guy out - by resetting her password. It also doesn't say whether or not the "other" login was allowed to do anything on her account, which of course the original poster couldn't know. PayPal may have thwarted those efforts based on risk assessment, but nonetheless prompted the poster to change her password, to further mitigate the risk of future attacks. The poster's assertion that this specific UI makes it easier for the attacker to change the account password and lock out the legitimate user is silly. If the attacker wants to do that, knows the current password, and is allowed to proceed to the site authenticated in the context of that account, it's trivial for him to go into account settings right after login and change the password. Where I think PayPal probably did go wrong here was in being too specific about the reason for requesting the change, which in this case caused the customer undue alarm, per original post. 
Sites are becoming more sophisticated in how they protect accounts, which means that we should expect the security mechanisms we encounter to be less intuitive over time. However, it doesn't (necessarily) mean that they're wrong.
  • ^This... We're assuming that it's the session at the time that was prompting this, where it could just as easily have been a previous session (naughty person?) that was flagged (and stopped?) for which PayPal is asking you now to change your password after you have successfully logged in. Just an option until you get a reply from their media team.