Written by Nick Heer.

SMS Two-Factor Authentication Doesn’t Protect Against Human Error

Some asshole switched Justin Williams’ cell number to a different SIM card and used that to bypass the two-factor authentication for his PayPal account:

I have spent the morning trying to evaluate my security practices and there’s not much I can think about that I’d do otherwise. Twitter tells me I shouldn’t use SMS-based 2 factor authentication and should use app-based 2 factor instead. I agree! The problem is that some sites like PayPal don’t offer the better security. The alternative is to just go back to single factor, which I am not so sure is the best solution either.

Williams’ security setup is similar to mine: unique passwords generated by a password manager, two-factor authentication switched on everywhere I can, encrypted everything — the usual. But all these barriers seem like they’re simply a minor inconvenience to someone who is intent on breaching my accounts.


I don’t even place blame on PayPal for this directly. The fault lies with the AT&T call center representative who let someone manipulate my account without knowing my passcode.

The security questions and secondary authentication mechanisms that users set should prevent anyone from accessing the account without a correct answer, including customer service representatives; a policy like that, however, will likely get pushback from anyone not sufficiently technically-inclined. It’s hard to balance customer service with security, but changes to actual service functionality — cancelling an account, changing the SIM card, updating the address, and so on — should always require a greater level of authentication or be done in person.