
If true, this is borderline criminal incompetence.

However, I can't reproduce the issue described in the article.



Same.

The author says when you enter an email, an SMS is sent and number revealed.

What really happens is that it asks me for a password. Below that there's an option to get a one time code. Clicking that reveals the first digit of the area code, then the last 4 digits. You must then click yet again to make it actually send.

So in short, it didn't immediately send an SMS and never showed the full number.


But the author says a partial number is revealed?

Edit:

I just tried logging in. It's exactly as the author describes - I enter my email and get a "Log in with a one-time code" page with my partial phone number. The code is sent automatically. Must be A/B testing. (No password prompt is shown unless I click "Try another way" below the code field.)


The author never says the full number is revealed. The author says the partial number is revealed.


The article has been changed. The word partially was added in the sentence below after I commented.

> enter an email address to log into PayPal, an SMS is immediately sent and the phone number is partially revealed.

That said, below that it mentioned number guessing so I probably could have guessed that's what they'd meant to write.


Other parts still said partially though. Your comment was left at 4:40 UTC[1]. Here's a snapshot from 4:07 UTC[2]. It says

>PayPal helps them by partially revealing a significant portion of your phone number

>Remember Mat Honan, whose digital life was destroyed when his iCloud account was wiped in a targeted attack? In that attack, the hacker used social engineering to obtain a partial credit card number from an Amazon employee which Apple then accepted as verification of identity. With PayPal no such social engineering is required; instead revealing half your phone number to anyone who merely enters your email address on the login screen.

>Of course, PayPal also allows users to log in by entering their phone number. Now armed with a partial, a bad actor needs only to enumerate the remaining digits to reveal your full phone number.

[1] https://hacker-news.firebaseio.com/v0/item/32615770.json

[2] https://web.archive.org/web/20220827040709/https://christian...
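To put a number on the "enumerate the remaining digits" point quoted above, here is an added example (not code from the thread or from the article) that computes the candidate set left after a partial disclosure. It assumes a 10-digit North American (NANP) number and the disclosure pattern a commenter above reports, the first digit of the area code plus the last four digits, written as a mask such as `5*****1234` (a constructed example, not anyone's real number). The NANP rules applied are the basic ones: area code and exchange each start with 2-9, and N9X area codes are reserved; they give an upper bound, not a list of numbers that are actually assigned.

```python
"""Search space left after a partial phone-number disclosure.

Added example, not from the thread or the article. Assumes a 10-digit
NANP number laid out as NPA-NXX-XXXX and a mask where a known digit is
written as-is and an unknown digit as '*'. Example mask "5*****1234" is
constructed for illustration.
"""
from itertools import product
from math import prod

DIGITS = "0123456789"


def allowed_digits(position: int, mask_char: str, nanp_rules: bool = True) -> str:
    """Digits that may occupy `position` given the mask character there."""
    if mask_char != "*":
        return mask_char                 # already disclosed
    if not nanp_rules:
        return DIGITS
    if position in (0, 3):               # NPA and NXX both start with 2-9
        return "23456789"
    if position == 1:                    # N9X area codes are reserved (not assigned)
        return "012345678"
    return DIGITS


def validate_mask(mask: str) -> None:
    if len(mask) != 10 or any(c not in DIGITS + "*" for c in mask):
        raise ValueError("mask must be 10 characters, each a digit or '*'")


def search_space(mask: str, nanp_rules: bool = True) -> int:
    """Number of candidate phone numbers consistent with `mask`, without enumerating."""
    validate_mask(mask)
    return prod(len(allowed_digits(i, c, nanp_rules)) for i, c in enumerate(mask))


def candidates(mask: str, nanp_rules: bool = True):
    """Yield every candidate number consistent with `mask` (all strings of 10 digits)."""
    validate_mask(mask)
    pools = [allowed_digits(i, c, nanp_rules) for i, c in enumerate(mask)]
    for digits in product(*pools):
        yield "".join(digits)


def matches(mask: str, number: str, nanp_rules: bool = True) -> bool:
    """True if `number` is one of the candidates for `mask`."""
    validate_mask(mask)
    if len(number) != 10 or any(d not in DIGITS for d in number):
        return False
    return all(d in allowed_digits(i, c, nanp_rules)
               for i, (c, d) in enumerate(zip(mask, number)))


if __name__ == "__main__":
    mask = "5*****1234"                  # constructed: first area-code digit + last four
    print("naive 10^k space :", search_space(mask, nanp_rules=False))
    print("with NANP rules  :", search_space(mask))
    print("first candidates :", [n for n, _ in zip(candidates(mask), range(3))])
```

With five unknown digits the naive space is 10^5 = 100,000; the leading-digit rules alone cut it to 72,000, and a real attacker would shrink it further with a list of area codes that are actually in service. The point of the computation is that a "partial" disclosure of five out of ten digits leaves a search space small enough that any login path accepting a phone number as an identifier becomes an oracle worth protecting with rate limiting, not that the masked display itself is the whole problem.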


OP here - yeah that's my bad - I never intended it to be interpreted as fully revealed but a sentence taken out of context can read that way, so I tweaked the article (as well as fixing a few spelling mistakes). Apologies for the confusion.


I was able to reproduce it in incognito. I’m guessing it works only on devices I have signed on before? Somehow they have a way to fingerprint me? Irrespective of it, this whole dumbing down security for UX is unacceptable. It’s not even good UX for someone like me with a password manager.



