
It doesn't stop incompetent dataroom operators either from forcing their users to give them their phone numbers for 2FA purposes.

And there is absolute gold in those datarooms if you know where to look.

Recent offender:

"iDeals proposes to protect your account with 2 factor authentication. It means that each time when you will be accessing the project / changing your password / accessing the protected versions of documents in the data room, an SMS code will be sent to your cell phone."

This after me pointing out that SMS for 2FA is not a good idea.



There’s a far worse example:

PayPal only supports SMS based 2FA, or, if you dig through their old website with archive.org, you can find a way to use one of their proprietary 2FA devices.

Support for TOTP? HOTP? Nope.


Those proprietary 2FA devices are just TOTP with a weird provisioning system.

You can use a tool such as https://github.com/dlenski/python-vipaccess to use Google Authenticator/FreeOTP etc. to access PayPal.

That said... I believe you still need a mobile number enrolled to enable a token.


The direct URL is https://www.paypal.com/us/cgi-bin/webscr?cmd=_setup-security... , it's no longer accessible from their new web interface.


Wow, that actually works. I had to go through many ancient web interfaces, but it works.


Sadly you can easily and trivially bypass the VIP token by providing a credit card number or a few other identifying details. It's worse than the SMS loophole. And another reason why I'm trying to delete my Paypal account. ;-)


Thanks! I didn't realize that was possible either. I just switched my PayPal account to use Google Authenticator instead of SMS, which besides being more secure, is much more convenient since I don't get cell reception in most of my apartment and have to put my phone near a window to get the SMS.


> PayPal only supports SMS based 2FA

You can still use Symantec’s VIP (Validation & ID Protection) authenticator app instead of SMS. I just set it up a few moments ago following these instructions:

https://www.eff.org/deeplinks/2016/12/how-enable-two-factor-...

then deactivated the former SMS-based Security Key.


Paypal also couldn't walk you through a 2FA payment for eBay on mobile. At all. You had to use a desktop. This was about a year or two ago. One would think that a payment company would have better security, especially given they're owned by eBay.


They aren't owned by eBay anymore. They were spun off into an independent company in 2015.


I've sometimes been instructed to log in with the 2FA code and password joined in a single field. It's rarely worked.


I think that your average dataroom holds stuff with value well in excess of what the average PayPal account holds.


The PayPal account itself might not hold much, but most people have their bank account directly linked to PayPal, without any limits.

In my case, PayPal could take every cent from my account before I’d even get a message. And that’s why 2FA is so important.



