Having just completed a transaction on PayPal, I realised that it was using SMS as a second factor of authentication (2FA). This has been shown to be insecure, so I was looking to see how to change it to a time-based token, e.g. the Google Authenticator app, or to use my YubiKey.
The option does not exist.
After searching – PayPal prompted me to complete a survey which I duly completed.
How likely are you to recommend PayPal (0 to 10) – I scored a 5.
How surprised was I when “The survey could not be submitted”.
Cynical? Just a little bit!
Yes, I’m a geek, I like to know how things work. I also know that the best way to understand things is to look at them when they are broken.
Brian’s site, Krebs On Security, gives a detailed view of any security issues that are prevalent. I don’t pretend to understand all the details, but I at least like to understand that “something” is happening!
I use a password manager.
I have a different password for every site.
My passwords are as long and as random as they can be.
I’m extra wary about online banking setup due to the impact of any breach.
I was setting up a new account with a well known high street bank last night and was amazed that:
The password can only be a maximum of 12 characters.
The password can only contain alphanumeric characters – no punctuation allowed.
There is a secondary question (and two questions for password resets). These questions are pre-defined and there is no option to choose your own question. (Is my mother’s maiden name or my first employer really a secret?)
Don’t answer the questions that are being asked. Instead, generate a long random string that DOES include all available characters, store it in the password manager against each question, and give that as the answer.
Another pet peeve: don’t ask me to provide a subset of the characters from my password unless you can explain to me how you can do that while only storing a salted hash of my password rather than storing it in plain text.
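To make the point concrete, here is an added example (my own illustration, not code from this post or from any bank). It assumes the page’s constraints of a 12-character, alphanumeric-only password. A single salted, iterated hash of the whole password can verify a full password but tells you nothing about “characters 1, 5 and 12”; the only way a site can answer a partial-password challenge against hashed data is to hash something smaller, and the obvious candidate (an assumed per-position hash scheme, used here purely to illustrate the trade-off) collapses to at most 62 guesses per position for anyone who obtains the database.

```python
import hashlib
import hmac
import secrets
import string

# Assumption from the page: bank allows alphanumeric characters only (62 symbols).
ALPHABET = string.ascii_letters + string.digits
PBKDF2_ITERATIONS = 100_000


def hash_full_password(password: str, salt: bytes = None):
    """Proper storage: one salted, iterated hash covering the whole password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_full_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def partial_check_possible_with_full_hash() -> bool:
    # The full-password digest depends on every character, so three characters
    # from a challenge cannot be checked against it without guessing the rest.
    return False


def store_per_position(password: str, salt: bytes):
    """Assumed scheme a site might adopt to support partial challenges:
    one hash per (position, character). Illustrative only."""
    return [
        hashlib.sha256(salt + bytes([i]) + c.encode()).digest()
        for i, c in enumerate(password)
    ]


def verify_partial(per_pos, salt: bytes, asked: dict) -> bool:
    """asked maps 0-based position -> character the user typed."""
    return all(
        hmac.compare_digest(
            hashlib.sha256(salt + bytes([i]) + c.encode()).digest(), per_pos[i]
        )
        for i, c in asked.items()
    )


def recover_password(per_pos, salt: bytes) -> str:
    """Attacker with the leaked table and salt: each position has only
    len(ALPHABET) candidates, so the whole password falls out in <= 12*62 hashes."""
    recovered = []
    for i, stored in enumerate(per_pos):
        for c in ALPHABET:
            if hashlib.sha256(salt + bytes([i]) + c.encode()).digest() == stored:
                recovered.append(c)
                break
    return "".join(recovered)


def worst_case_guesses(length: int, alphabet_size: int, per_position: bool) -> int:
    """Offline guesses needed after a database leak under each storage scheme."""
    return length * alphabet_size if per_position else alphabet_size ** length


if __name__ == "__main__":
    pw = "Tr0ub4dor123"  # constructed sample password, 12 alphanumeric characters
    salt, digest = hash_full_password(pw)
    print("full-hash verify:", verify_full_password(pw, salt, digest))
    print("partial check against full hash possible:", partial_check_possible_with_full_hash())
    table = store_per_position(pw, salt)
    print("partial verify (pos 1, 5, 12):", verify_partial(table, salt, {0: "T", 4: "b", 11: "3"}))
    print("recovered from leaked per-position table:", recover_password(table, salt))
    print("guesses, whole-password hash:", worst_case_guesses(12, 62, False))
    print("guesses, per-position hashes:", worst_case_guesses(12, 62, True))
```

The gap is the whole argument: with a single salted hash, a leaked database costs the attacker 62^12 expensive PBKDF2 guesses per account; with anything that can answer “give me characters 1, 5 and 12”, the stored material is either reversible or small enough to enumerate, and the example’s `recover_password` does exactly that in a few hundred cheap hashes.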