After twenty years, I deleted my PayPal account last Monday morning.
You’ve heard my thoughts on user responsibility as it relates to Zelle fraud. But the reality is that responsibility is a two-way street. Even though we are responsible for ensuring that whoever we send money to is who they claim to be, it’s equally important for these applications to avoid preventable security holes and to make it easy for you, the user, to be responsible with your security.
This is where PayPal has missed the mark. Without revealing the threat vector, let’s talk about the importance of multifactor authentication, and how to keep your online information secure.
Two-factor authentication is simply multi-factor authentication with exactly one extra factor, so the name matters less than what that extra factor actually is. Most often, we choose to have a code texted to our phones to access an account. Using SMS as that factor is a step in the right direction, but the significantly (though still not perfect) better choice is an authenticator app. In a SIM swap, an attacker convinces your carrier to move your phone number to a SIM they control, and from then on they receive your authentication text messages from PayPal, your bank, or anything else that uses your phone number as the second factor. An authenticator app does not depend on your phone number at all: when you enroll, the service and the app share a secret, and the app combines that secret with the current time to generate a short-lived code on the device itself, so nothing is sent over the phone network for a SIM swapper to intercept. When you log in to the account (or change key recovery data for your account, which is where PayPal missed the mark), you open the app, read the current code and type it in to finish the login. Some apps instead receive a push prompt that you approve on the device; either way, the second factor is tied to the device, not to your phone number. It’s simple but effective.
Evan Francen, owner of FRSecure and SecurityStudio, constantly reiterates one of the most fundamental truths of cybersecurity: complexity is the enemy of security. Applications like PayPal or Zelle have made it incredibly hard to secure our accounts. I deleted my PayPal account because setting up multi-factor authentication was nearly impossible, even after searching the online help and videos and reaching out to two executives I know there, and I’m not the only one who has found this to be the case. The more complex it is for people to secure their accounts, the less secure those accounts will ultimately be.
At the end of the day, remember these two simple ways to help protect your accounts:
- Use unique account names and passwords for every account. Password managers are great for this!
- Set up true multi-factor authentication with a second factor that is not tied to your phone number, such as an authenticator app rather than a texted code. That puts you out of reach of a SIM swap attack and of smishing attacks (SMS/text-related phishing attacks) that impersonate your bank’s verification texts. One caveat: a code from an app can still be handed to an attacker if you type it into a look-alike site, so check the address before you enter it.
After all this time, it’s still surprising to me to find major security gaps in major platforms like PayPal and Zelle. Stay aware, stay secure, and keep implementing reasonable and prudent measures to keep your data safe.