RC RANDOM CHAOS

Your second factor is a phone call

SMS 2FA on PayPal is a routing decision, not a credential. The session cookie is the boundary, and attackers have already routed around the factor.


1. Opening Claim

If your PayPal account is protected by SMS-based two-factor authentication, your second factor is a phone number. A phone number is not a credential. It is a routing decision made by a carrier customer service representative who can be social engineered, bribed, or phished. The control you trust is owned by someone who does not know you, does not verify you, and does not lose money when your account is drained.

The assumption that 2FA equals security is the most common identity failure in consumer finance. It is treated as a binary state. Enabled or disabled. Protected or exposed. That model is wrong. 2FA is a set of mechanisms with very different threat profiles, and the mechanism most users have enabled on PayPal is the weakest one available. SMS one-time passcodes were defined as deprecated for high-assurance authentication by NIST SP 800-63B in 2017. Nine years later, they remain the default for most financial accounts because they are cheap to deliver and require no user setup beyond a phone number.

The operative question is not whether you have 2FA enabled. It is which factor you have, what flow it protects, and what an attacker has to defeat to bypass it. If the answer to any of those is not specific, the control is not measurable. If it is not measurable, it is not a control. It is an assumption.

2. The Original Assumption

The deployment model for consumer 2FA was designed against a specific threat: credential reuse. The premise was that passwords leak in bulk from breached services, attackers replay those passwords against high-value accounts, and a second factor stops the replay. Against that threat, any second factor is an improvement over none. SMS, TOTP, push, hardware key. The differential is between one factor and two, not between the relative strength of the second factor.

That model assumed the attacker had stolen credentials and nothing else. It assumed the attacker could not intercept the second factor in real time. It assumed the user would only enter the second factor on the legitimate site. It assumed the carrier controlling SIM provisioning was a trusted boundary. It assumed the session token issued after successful authentication was protected. None of those assumptions hold against current attacker tooling, and most of them did not hold five years ago.

The original assumption also placed the boundary in the wrong location. It treated authentication as the boundary. Authentication is an event. The boundary is the session. Once a session token is issued, the second factor is no longer in the path. An attacker who steals the session token, or who phishes the user through a real-time proxy that captures both factors and the resulting cookie, has bypassed 2FA without ever defeating the cryptographic primitive. The control was enforced. The control was also irrelevant.

3. What Changed

Real-time phishing infrastructure is now commodity. Frameworks such as Evilginx2, Modlishka, and Muraena operate as reverse proxies between the victim and the legitimate site. The victim sees a valid TLS certificate on a lookalike domain, enters their password, receives a real OTP from the real PayPal, and enters it. The proxy forwards the credentials, completes the login, and captures the resulting session cookie. The attacker imports the cookie into their own browser and is authenticated as the victim. SMS OTP and TOTP both fail to this attack because both are shared secrets transmitted through the user. Anything the user can see and type, a proxy can capture.

SIM swap operations have industrialised. Carrier insiders are recruited through Telegram channels at fixed price points per port. The attacker does not need to convince a representative. The representative is paid. Once the number ports, every SMS-based recovery flow on every account tied to that number is available to the attacker, including PayPal password reset and 2FA delivery. Account recovery is the soft underbelly of identity systems. It is rarely tested with the same rigour as the primary authentication path, and it almost always falls back to factors weaker than the ones it is meant to recover.

Infostealer malware closes the remaining gap. Families such as RedLine, Lumma, and StealC harvest browser-stored credentials, session cookies, autofill data, and authenticator app databases from infected hosts. The logs are sold in bulk on automated marketplaces. A buyer purchases a log, imports the cookies, and lands inside an authenticated PayPal session without touching the login page. 2FA was not bypassed. It was never invoked. The session predated the attacker’s involvement, and the session was the only thing that mattered. What changed is not the strength of any individual factor. What changed is that the factor is no longer the boundary, and most users still believe it is.

4. Mechanism of Failure or Drift

The failure mechanism is that authentication factors are validated at a single point in time, while trust is granted for the lifetime of a session. The session token becomes a bearer credential. Anyone holding it is the user. No factor revalidation occurs unless the application explicitly demands step-up authentication, and consumer step-up triggers are predictable: new device fingerprint, new geolocation, transfers above a known threshold, recipient outside an established list. An attacker operating from a residential proxy in the victim’s region, importing the victim’s session cookie, and constraining activity below those thresholds avoids every trigger the platform exposes.

The drift is that consumer applications optimise for session longevity to reduce friction. Long-lived cookies, persistent device trust flags, refresh tokens with extended lifetimes. Each of those decisions extends the window in which a stolen session is usable. The factor was strong at issuance. The factor is absent at exploitation. The control gap is the time between those two events, and that gap is measured in days or weeks for most consumer financial products. The factor strength at minute zero is not the variable that determines outcome at day fourteen.
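The two paragraphs above argue that the variable at day fourteen is session age and binding, not the factor used at login. The policy below is an added example, not code from the original post or from PayPal: the lifetime values, the action names and the `device_id` string (a stand-in for a real proof-of-possession binding such as a device-bound session key) are all assumptions.

```python
from dataclasses import dataclass, replace

# Assumed policy values (not PayPal's); the shape of the decision is the point.
SENSITIVE_ACTIONS = {"send_money", "add_recipient", "change_phone", "change_email"}
ABSOLUTE_LIFETIME_S = 7 * 24 * 3600      # cookie dies regardless of activity
STRONG_AUTH_MAX_AGE_S = 15 * 60          # sensitive actions need a factor this recent
DAY = 24 * 3600


@dataclass(frozen=True)
class Session:
    user: str
    issued_at: int          # epoch seconds when the cookie was minted
    strong_auth_at: int     # epoch seconds when a second factor was last verified
    device_id: str          # hypothetical binding to the browser that logged in


def authorize(s: Session, action: str, presented_device: str, now: int) -> str:
    """Return 'allow', 'step_up' or 'deny'. Every check concerns the session's
    age and binding; none relies on guessable heuristics (geolocation, amount)."""
    if now - s.issued_at > ABSOLUTE_LIFETIME_S:
        return "deny"                       # a day-14 cookie out of an infostealer log
    if presented_device != s.device_id:
        return "deny"                       # same cookie, different browser
    if action in SENSITIVE_ACTIONS and now - s.strong_auth_at > STRONG_AUTH_MAX_AGE_S:
        return "step_up"                    # the factor must be present again, now
    return "allow"


def record_step_up(s: Session, now: int) -> Session:
    """Call only after a fresh (ideally phishing-resistant) factor has verified."""
    return replace(s, strong_auth_at=now)


def simulate() -> dict:
    """Constructed scenarios: legitimate use beside the two theft patterns from the text."""
    t0 = 1_700_000_000                      # constructed timestamp
    s = Session("alice", issued_at=t0, strong_auth_at=t0, device_id="dev-A")
    later = t0 + 2 * 3600
    return {
        "login_view": authorize(s, "view_balance", "dev-A", t0 + 60),
        "stolen_same_day": authorize(s, "send_money", "dev-B", t0 + 3600),
        "stolen_day_14": authorize(s, "view_balance", "dev-A", t0 + 14 * DAY),
        "legit_later_transfer": authorize(s, "send_money", "dev-A", later),
        "after_step_up": authorize(record_step_up(s, later), "send_money", "dev-A", later + 30),
    }
```

A real deployment would bind `device_id` to something the attacker cannot copy out of a cookie jar (a key the browser holds), otherwise the binding check is only as strong as the string it compares.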

The deeper failure is that recovery flows operate against a different threat model than primary authentication. Primary auth assumes the user holds both factors. Recovery assumes the user has lost one. The recovery path therefore accepts weaker evidence by design: SMS to the registered number, email to the registered mailbox, knowledge-based questions sourced from data that is already public or already breached. An attacker who controls the phone number controls the recovery path. The strongest factor on the account is irrelevant if a weaker factor can reset it. The account is as strong as the weakest reset mechanism, not the strongest authentication mechanism. This is not a configuration error. This is the design.

5. Expansion into Parallel Pattern

The same mechanism appears in enterprise single sign-on. Identity providers issue SAML assertions or OIDC tokens after MFA. Downstream applications then trust those tokens for the assertion lifetime without independent factor evaluation. Attackers who compromise the IdP session, through token theft on a managed endpoint or through OAuth consent phishing, hold a credential that no downstream application will challenge. The downstream applications were never the boundary. The IdP session was. Most monitoring programmes watch the downstream applications. The actual control surface is upstream of every alert they generate.

The pattern repeats in API authentication. Long-lived API keys, personal access tokens, and OAuth refresh tokens are bearer credentials with no factor binding. They were issued after authentication. They are used without authentication. A token leaked in a public repository, a CI log, or a clipboard manager grants the same access as the original credential, with no audit signal distinguishing the legitimate holder from the attacker. Token rotation policies exist as documents. Token rotation enforcement at the platform layer is the variable that determines exposure, and that enforcement is rarely instrumented.

The pattern is identical in cloud workload identity. Instance metadata services, service account keys, and federated credentials resolve to bearer tokens that downstream services accept without revalidation. Compromise of any process with metadata access yields tokens carrying the workload’s full privilege set. The MFA on the human who deployed the workload is not in the path. The control surface is token issuance scope, token lifetime, and token binding. Every consumer 2FA failure on PayPal has a structural twin inside enterprise environments, exploited by the same threat actors operating the same infostealer infrastructure against a different population of session cookies.

6. Hard Closing Truth

2FA on PayPal is not the control. Session integrity is the control. Recovery path strength is the control. Device binding is the control. The factor at login is one input to a system that grants and maintains trust over time, and the factor is the part of that system attackers have already routed around. Treating 2FA as the security boundary is a category error. The boundary is the session. The session is a cookie. The cookie travels with whoever has the file.

Phishing-resistant authentication exists as a defined primitive. WebAuthn and FIDO2 hardware keys bind the credential to the origin and the device. Real-time proxy attacks fail because the cryptographic challenge does not validate against a lookalike domain. PayPal supports security keys. Most accounts do not have one enrolled. The factor that defeats the current attack pattern is available and not deployed. The gap between available control and deployed control is the measurement of actual exposure, and that measurement is owned by the account holder, not the platform.
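To make the origin-binding claim concrete, here is an added toy relying-party verifier, not code from the original post or from any FIDO2 library. It assumes a legitimate origin of `https://www.paypal.com` and an RP ID of `paypal.com`, and uses HMAC over a per-credential secret in place of the ES256 signature a real key would produce; the fields that get signed, and the checks the verifier makes on them, follow the WebAuthn assertion flow.

```python
import hashlib
import hmac
import json
import os

RP_ORIGIN = "https://www.paypal.com"   # legitimate origin; assumed for illustration
RP_ID = "paypal.com"


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


class ToyAuthenticator:
    """Stand-in for a FIDO2 key. HMAC with a per-credential secret replaces the
    ES256 signature a real key would produce; what gets signed is the same."""
    def __init__(self) -> None:
        self.key = os.urandom(32)

    def get_assertion(self, challenge: bytes, browser_origin: str) -> dict:
        # The browser, not the user, writes the origin: whatever domain served the page.
        # A user on a lookalike domain has no way to type "paypal.com" into this field.
        client_data = json.dumps({"type": "webauthn.get",
                                  "challenge": challenge.hex(),
                                  "origin": browser_origin}).encode()
        auth_data = rp_id_hash(RP_ID) + b"\x01"            # rpIdHash || flags (UP set)
        signed = auth_data + hashlib.sha256(client_data).digest()
        return {"client_data": client_data, "auth_data": auth_data,
                "sig": hmac.new(self.key, signed, "sha256").digest()}


def verify_assertion(key: bytes, expected_challenge: bytes, a: dict) -> bool:
    """Relying-party checks, abridged from the WebAuthn assertion verification steps."""
    cd = json.loads(a["client_data"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge.hex():
        return False                                         # replayed or cross-session
    if cd.get("origin") != RP_ORIGIN:
        return False                                         # a proxy on a lookalike domain fails here
    if a["auth_data"][:32] != rp_id_hash(RP_ID):
        return False
    signed = a["auth_data"] + hashlib.sha256(a["client_data"]).digest()
    return hmac.compare_digest(hmac.new(key, signed, "sha256").digest(), a["sig"])


def otp_accepts(submitted: str, expected: str) -> bool:
    # An OTP carries no origin: the verifier cannot tell where the user typed it.
    return hmac.compare_digest(submitted, expected)


def webauthn_login(auth: ToyAuthenticator, browser_origin: str) -> bool:
    challenge = os.urandom(32)                               # fresh per login attempt
    return verify_assertion(auth.key, challenge, auth.get_assertion(challenge, browser_origin))
```

In a real browser the check happens even earlier: the credential is never invoked for an origin whose domain does not match the RP ID, so the proxy never receives an assertion to forward.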

Identity is the boundary. A phone number is not identity. An SMS is not identity. An OTP is not identity. A cryptographic key that signs an origin-bound assertion on a device the user physically possesses is the closest current approximation to identity in a consumer flow. Anything weaker is a routing decision presented as a control. If a system permits a routing decision to substitute for identity, it will be exploited as a routing decision. That is the condition. That is what must now be true.
