How to protect your PayPal account with two-step verification (2SV)

Strengthen your online accounts by enabling 2SV.


Two-step verification (2SV) is incredibly useful as an additional layer of account security.

As we have already discussed, you can use it to protect your Google and Apple accounts as well as your Twitter and Facebook profiles.

Who knew a simple SMS code (or verification code generated by Google Authenticator) could go such a long way towards strengthening your digital security?

But I must ask: why stop there?

Information is power in today's technological age, so computer criminals are always on the lookout for new ways to access people's data. One obvious target is payment card or banking details. With that type of information, bad actors can flip users' account details on dark web markets for a profit or use them to make their own fraudulent purchases. Either route spells trouble for the victim whose account has been compromised.

Given those threats, it is important that users protect any and all web accounts containing financial information with a strong password and 2SV, if available.

Let's begin with one of the most well-known and obvious choices: PayPal.

In this guide, I will walk through the steps on how you can protect your PayPal account via two-step verification.

1. Log into your PayPal account.

2. When you first created your profile, PayPal likely prompted you to enter a mobile phone number. PayPal needs to have verified that number before you can activate 2SV on your account.

With that in mind, you need to go to your account settings. At the top right-hand corner of your PayPal home page, you will see a gear-shaped icon situated left of the "Log out" button. Click on that icon.


3. You will find yourself on your "Account" page. Scroll down to the bottom, where you will see all of your connected email addresses and mobile phone numbers displayed. Assuming that you have not already confirmed the number for which you would like to activate 2SV, you will see the text "Unconfirmed" presented beneath the phone number, with a hyperlinked "Confirm" option located to the right of that number. Click on "Confirm."


4. PayPal will display a new page stating that it has sent a verification code to your phone number. Enter the code and click the blue "Validate" button.


5. If you entered the code correctly, PayPal will display a new page announcing that you have successfully confirmed your phone number and that you can now use that number to log in.


You should also receive a text to your phone and a message to your email address saying the same thing.

At the top right corner of the page, you will see an "X." Click on it to return to your "Account" page.

6. At the top of the page, you will see a blue ribbon with several clickable options available. "Account" should be highlighted, with "Security," "Payments," and "Notifications" displayed next to it. Click on "Security."


7. On the "Security" page, you will see the option to specify a "Security Key." That feature should be located directly under "Mobile PIN" and should have a hyperlinked "Edit" option located next to it. Click "Edit."


8. You will be redirected to a page that displays all available security keys currently activated on your account. You want to generate a new key, so click on "Get security key" located under the "Order or activate a security key" sub-heading.


9. You will find yourself on another page where you will be prompted to register your mobile phone number as a security key. That page includes important information regarding the use of an SMS-based key. Please read over the page carefully.

When you fully understand and consent to the Terms and Conditions, enter your phone number twice into the provided text fields and click on the "Agree and Register" button at the bottom of the page.


10. At this point, PayPal will send a verification code to your mobile device. Enter the code and click "Enter."

11. You're all set! From now on, every time you attempt to log into your PayPal account, you'll be directed to a verification-code screen after entering your username and password.


Simply enter the code, click on the "Continue" button, and you'll be redirected to your PayPal Summary page, where you can manage your recent transactions.


17 Responses

  1. SlipperyJim

    May 6, 2016 at 12:50 pm #

    Just set this up today, thanks. Now my Paypal, Facebook, email and Linkedin accounts are secured. I decided to do this after I received an email from Facebook saying "Sorry to hear that you've been having trouble logging into your account," when I hadn't!

    Some of the accounts only require the verification when logging in from a new device or browser, which is a bit more user friendly.

  2. Jono

    May 6, 2016 at 1:01 pm #

    Looks like this is only available for accounts of nationality "United States" :-(

  3. Joe Gill

    May 6, 2016 at 3:11 pm #

    Which is a better approach? This or the use of a PayPal physical security key?

  4. Kate

    May 6, 2016 at 3:32 pm #

    Where we live we have no mobile signal in the house so we can't use it – technology is great when it works

  5. J. Farren

    May 6, 2016 at 3:34 pm #

    But what about all the people who do not have mobile phones, only landlines? Already some web site log-in pages seem to hint that a mobile number may be required in the future.

  6. S.O.

    May 6, 2016 at 4:00 pm #

    How about people who travel overseas and do not use their cell when there (I insert "local" SIM when traveling across the pond)? Any ideas?

  7. Pete

    May 6, 2016 at 4:19 pm #

    I think the PayPal security key is gone… anyone confirm?

    • Pavel Pěnkava in reply to Pete.

      September 11, 2016 at 9:27 pm #

      I have this feature activated from the past, but I also do not see "Security key" option under Security tab and other new users as well :(

  8. Frank White

    May 6, 2016 at 4:56 pm #

    Can someone explain why so many companies choose to use their own (unknown) 2FA/2SV implementation, instead of TOTP or HOTP security tokens from RFC 6238 ?

    SMS is horribly insecure, in the north, SVR RF simply disables your phone for an hour, gets your code and bye bye.

  9. EyeR

    May 6, 2016 at 5:56 pm #

    Amusingly, that could only be considered secure if SMS didn't run across the traditional SMTP network and pass the code across a few hundred machines in plaintext. There's going to be at least one additional copy retained.

    Sure it raises the complexity of a feasible attack – but the attack is more than feasible, and cost effective. From packet sniffers to cloning the phone on the network, it's all too easy.

    Consider further the data you can push via SMS, without the user being aware, and I don't think it too wise to make it really easy to target yourself.

  10. SteveP

    May 6, 2016 at 6:21 pm #

    PayPal certainly uses mobile-based 2PA in the UK. They also offer a Vasco Secure ID "dongle" code generator. If you use eBay mobile, it seems only to accept the dongle 2PA, despite running as an app on iOS, it seems unable to generate and accept SMS-based 2PA. eBay (former owners of PayPal) do have issues confusing their US and UK sites – many links from UK eBay messages revert to .com addresses. So if you have accounts in both the US and UK, it gets messy as a UK message links back to a US account if you are signed in. You'd think they could afford to do better.

    If you want to be able to complete eBay auctions on your mobile, you will need the dongle. There is a procedure to order one. Of course, the mobile would be a much better way, and is already the 2PA key for desktop use. It's a mystery.

    And let me repeat, the only company who does this horribly is Apple. Just too complex with their multi-device universe of iCloud, etc. and propensity to call a password a code or key or whatever the focus group came up with that week. Just a shambles. Google and Dropbox and Yahoo – all work fine.

  11. Derek P.

    May 6, 2016 at 8:10 pm #

    Thanks for a straightforward explanation of setting up extra security on PayPal. I always worried about the weakness of a single security check done on PayPal accounts, bearing in mind how crucial paypal transactions can be to purchases and sales. There is so much of your financial info stored on PayPal!!

    Works a treat, and I don't understand why Paypal are not pushing this additional security check procedure on all its users!!

  12. Sander G.

    May 7, 2016 at 1:17 pm #

    Those who don't see this option available can activate it via https://www.paypal.com/au/cgi-bin/webscr?cmd=xpt/Marketing_CommandDriven/securitycenter/PayPalSecurityKey-outside

    Yes, also those outside the US.

    • Pavel Pěnkava in reply to Sander G.

      September 11, 2016 at 9:30 pm #

      You've just saved my day – thank you :)

  13. Simon

    May 9, 2016 at 2:27 pm #

    Hi guys

    I set this up successfully, but it doesn't work in the most common situation I use PayPal for. I often buy vinyl records from a website. I get a message from the seller with a link to pay by PayPal. I get an error message when I try to log-in saying I have to do it via my computer, not my phone.

    I can access it from my laptop OK. I can also get in from the PayPal app, but I don't know the e-mail of the seller, so can't input it to send money.

    Does seem a bit of a pain.

  14. Andym

    May 25, 2016 at 10:11 pm #

    Doesn't work in the UK. I can click on the link to send a confirmation code to my mobile number, but I never receive the message on my phone.

  15. Luke

    December 30, 2016 at 10:54 pm #

    Working fine in the UK for me. Just wish they let me use Google Authenticator like all my other websites.
