- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings,
I keep receiving text messages saying "Your security code is: [code] Your code expires in 5 minutes. Please don't reply."
Is someone trying to log into my account? How can I stop this?
I've already changed my password.
Thanks,
Shane.
Solved! Go to Solution.
- Labels:
-
Login Issues
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, here's another one. 2 codes sent in short succession. Got worried, removed my bank card from the account. Sent up 2-step verification.
Not much money for the rest in the account, and no suspicious transfers, so ignoring, going with the assumption someone entered wrong tel nr or email.
Account set up last year only, and not my regular email, so pretty weird and scary really.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I received 4 sms today. I think someone must be trying to hack into the account. After reading your post which makes sense, I removed 3 of my credit cards linked to my pp account. I think it is good for now. Cheers !!!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's what's happening and why we are receiving these SMS's or emails:
- Some Person, anywhere in the world, clicks "Forgot my password"
- Paypal asks for their email address or phone
- Person types an email or phone... and here is what the PROBLEM is:
- if the person types email or phone, and if YOUR email or phone happens to be what they typed, YOU will receive the security code. Now the Person could be entering it by mistake or deliberately, that's up for debate
- This is a potentially a security hole that Paypal is ignoring, because it gives away (by confirming an account with that email or phone exists on PayPal system) your email or phone number to anyone!
Although you don't need to worry about receiving these, PayPal should NOT be doing it by default to alarm people with good accounts in order to satisfy the convenience of just about any walk-in person who demands a password reset at whim! And also, PayPal should have an option for us not to receive and be unncessesarily alarmed if our accounts are being hacked.
Thank you very much.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, they only give away partial data:
- For mobile number, they give away the country code, the first digit, and last 4 digits - leaving the attacker to guess the other 4 digits (that 10,000 mobile numbers - 0000-9999)
- For email address, they give away the 2 characters either side of @ sign and the root domain (such as .com).
The legitimate account holder can verify this is correct and proceed to get the data they need to proceed. The hacker just sits back and hopes the legitimate user will be inattentive and do the wrong thing by mistake.
As a legitimate end user, I'm happy with this. If I do not recognize the info provided, it means I may have forgotten my email to start with and can at least go back and try a different email that leaks enough information for me to know I'm on the right track.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all, it's not likely that your account is hacked, so relax.
Here's what's probably happening and why we are receiving these SMS's or emails:
- Some Person, anywhere in the world, clicks "Forgot my password"
- Paypal asks for their email address or phone
- Person types an email or phone... and here is what the PROBLEM is:
- if the person types email or phone, and if YOUR email or phone happens to be what they typed, YOU will receive the security code. Now the Person could be entering it by mistake or deliberately, that's up for debate
While there is no cause for concern, this is potentially a problem, because it gives away (by confirming an account with that email or phone exists on PayPal system), your email or phone number to anyone who wants to know.
Although you don't need to worry about receiving these, PayPal should NOT be doing it by default to alarm people with good accounts in order to satisfy the convenience of just about any walk-in person who demands a password reset at whim! And also, PayPal should have an option for us not to receive and be unncessesarily alarmed if our accounts are being hacked.
Hope it helps.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Haven't Found your Answer?
It happens. Hit the "Login to Ask the community" button to create a question for the PayPal community.
- Is refunding security deposits okay on an ongoing basis? in Transactions
- No place to put code to link card in Wallet
- QR Code: How to attach a single price or a menu of prices to a Paypal QR code. in Products & Services
- Hacked technical support? in Security and Fraud
- Google Play no GPA code but charged in paypal in Security and Fraud