Yes you can bypass PayPal's Security Code login

Martin Brinkmann
Oct 17, 2012
Updated • Oct 17, 2012

When I noticed an unauthorized payment done with my PayPal account in 2008, I immediately ordered a VeriSign Identity Protection device to add a second layer of protection to the login process on the site. Basically, instead of signing in to PayPal with the email address and password, I'm now asked to enter a security code generated by the device on top of that. The code that is generated by the device is valid for 30 seconds at most, after which it is automatically invalidated.

That's in theory enough to protect the account from keyloggers, trojans and even someone looking over your shoulder while you are logging in to PayPal. There are two issues here that need to be addressed. First, what happens when you lose access the protection device? How can you log in to PayPal then? Second, what happens if you forget your password?

A new article on Naked Security - great blog by the way - highlights a potential flaw in the system. When you forget your PayPal password, you can recover the account by entering two secondary passwords that you have selected during sign up. With the help of this two passwords, you can log in to your PayPal account and do everything that you can normally do, without having to supply a security token first.

paypal login security code

You could say now that this is not really an issue, since you have to enter two passwords to log in. The problem here however is that entering the two password to log in to PayPal provides attackers, through the use of a keylogger for instance, with all the information needed to access the full account.

PayPal asks for the account email address first, with options to recover that as well by typing in potential candidates if you have forgotten which email you use on PayPal. You get a link in that email that takes you to a recovery page. Depending on your account settings, you may have multiple options here. I for instance got the option to enter a credit card number associated with the account, or to answer the security questions.

Those security questions are made up of the usual "your mother's birth name, childhood friend or hospital you were born in" questions. Please note that it is highly recommended not to answer the questions correctly during setup, as it is otherwise possible to guess or social engineer those answers to gain account access.

The process bypasses the protection device completely, which is not really clear why that is happening. If you only have forgotten your password, you should still have access to the device, so that you can still generate a code as part of the login process.

The option to recover the password without having to go through a lengthy verification process over phone or by sending in documents to PayPal to verify your identity is certainly convenient, but security should be more important than that.

What's your take on the findings?


Previous Post: «
Next Post: «


  1. Morely Dotes said on October 17, 2012 at 6:02 pm

    1. Maintain proper security on your PC to avoid getting a keylogger in the first place. For example, never use Internet Explorer except to visit or to download a better browser; always use good anti-virus software (which means Norton/McAfee/Symantec products are off the table).
    2. Keep a log book with accounts in it and password reminders that will mean something to you, but no one else. Use a real paper log book; and don’t keep it with the computer, but instead in another room (ideally with a bunch of other books).

  2. John Jensen said on October 17, 2012 at 3:40 pm

    Simple actually….
    Just keep ur log-in infos a secure place like a protected file at a mem-stick or whatever ur preference, then copy/paste to log-in….. prob solved….

  3. Taomyn said on October 17, 2012 at 2:20 pm

    How about they use a software based token instead – allow me to add an account to my Google Authenticator like Dropbox did for example.

    Ironically when I worked at PayPal for IT, we began to give out software RSA tokens even when replacing hard tokens. They are always going wrong, getting broken or lost, not to forget were costing a fortune.

  4. Anonymous said on November 15, 2012 at 8:14 am

    This posts sucks. all i wanted to do was log in

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.