Wednesday, December 04, 2019

PayPal

I've used PayPal for years - it provides a payment platform which means I don't have to share my bank or card details with every organisation. It has - until recently - been good at maintaining an appropriate level of security on the account, and allows the use of my preferred 2FA apps.

However, recently I've noticed a privacy-hostile attitude which is driving me away from the platform altogether.

One of the key benefits PayPal has added in recent years is linking to bank accounts directly rather than to cards, so that when a card was replaced I no longer needed to update PayPal. The flip side is that if your PayPal account is compromised, the attacker can use every verified payment method on it to make a run of purchases. If you noticed the hack you might cancel the cards, or cancel the direct debit that lets PayPal draw on the bank account.

Card issuers usually apply stronger anti-fraud controls than direct debit agreements do, so fraudulent payments are easier to push through a PayPal account linked to a bank account than through one linked to a card - which is why 2FA on the account is really necessary.

If you notice issues, you could get in touch with PayPal and ask them to suspend the account until the issue can be verified.

So far so good.

However, as I discovered towards the end of summer this year, and again whilst overseas in the US recently, PayPal has become hostile to the kinds of privacy tools I use, such as a VPN. If I tried to access my account whilst using a VPN that PayPal could identify, they would instantly lock my account.

I have MFA set up, and a verification phone number. That means that once I've entered the correct username and password the platform asks for a six-digit code generated by an authentication app on one of my devices. The code is derived from a secret key that was shared with PayPal when the app was enrolled; that secret stays on the device and is not copied elsewhere unless you deliberately export it. A new code is generated every 30 seconds, so a code that is captured is only useful for a very short time.

Occasionally I've seen them send me an OTP (one-time password) via SMS too; I would assume they do this both periodically, to ensure the method continues to work, and when a string of transactions is unusual but not totally suspect. However, if someone has stolen your phone and unlocked it (don't use patterns, fingerprints or facepalm ID), they'll have access to your MFA key apps and your SMS.

This is a standard approach (HOTP/TOTP): if you don't already use one of these apps I'd recommend FreeOTP, which implements the open standards and is open source (published by Red Hat).

I generally apply a good level of opsec across a number of different topics, largely to keep my traffic data (e.g. web and DNS) away from companies monetising, filtering or traffic-shaping that data. A lot of the security work I do means that I want to reduce the information surface area as much as possible to prevent counter-investigation or intrusion.

When this PayPal account lockout happened the first time, I phoned them and went through the security checks to get my account unlocked. Non-SMS MFA was part of that process, which I was glad to see. Whilst the call handler was waiting for responses from the security team I asked why the account had been locked in the first place.

I was told that the authentication platform had probably detected VPN use and assumed illicit access was being attempted. Although I pointed out that MFA was enabled and that an attacker would have to compromise four distributed devices to get to the information needed, the answer was that "...VPNs are an indicator of dangerous activity". I've never heard anything so ridiculous.

Some months later I tried to log in to PayPal to use a local food ordering service in the US, and again the account was initially blocked. Using a VoIP number for the UK, I again spoke to PayPal and this time asked if my account could be marked to allow non-standard access, given that MFA was enabled. The call handler claimed that they couldn't do that, and that unless I accessed the website from my own country this would always happen.

It turns out the Android app does something similar and is thus effectively useless. Google also drives a lot of its app infrastructure through Google Play Services, which means many apps no longer need to ask for specific permissions themselves. I'm not 100% clear on whether that means an app can access Body Sensors on-device via the Play Services service without an explicit permission or not.

I've noticed that when using a safe DNS provider (either our own corporate network, which strips malvertising, or a public ad-blocking DoH provider), a number of apps fail authentication with errors. On initial inspection this appears to be because the tracking tools are embedded in the authentication mechanism and are therefore disabled at the network level. PayPal appears to have done this for a while, as has TSB. I'm not sure tracking app usage during login is a good idea, especially if the tracking platform is somehow compromised. Tracking is not authentication or authorisation.

None of the security reasons given by PayPal for these approaches seemed to hold any water - why discriminate against VPN or Tor users? While PayPal has historically been hack and breach free, it's still possible to get caught by phishing attacks. I don't open any emails purporting to be from PayPal (even payment receipts), as I would normally check the app on a regular basis.

Some configurations and bug bounties paid do make you wonder though.

To solve the problem at the time, I simply routed through an existing VPN tunnel back to the UK and logged in to PayPal from there - although this time it was to cancel recurring payments and try to remove payment methods.

Despite removing all the recurring payments associated with them, I was not allowed to remove any of the payment methods I'd asked to remove. I'll speak to the bank and cancel the direct debits instead: the first stage of replacing PayPal with something more privacy-friendly.

Maybe I'll go back to the protections of credit cards for online transactions, despite having to worry that organisations may not be fully PCI DSS compliant (or may get hacked themselves).