Cybersecurity

PayPal, Venmo, and Amazon are still vulnerable to SIM-swapping hackers

More than a dozen other companies were warned months ago about the limits of their 2FA.

Multi-factor authentication (MFA) SMS code password. Man sitting at desktop and getting access to th...
Shutterstock

Earlier this year, Princeton researchers found that 17 companies allowed passwords to be reset using an SMS text message. Combined with two-factor authentication (2FA) using SMS, this creates an opportunity for SIM swappers to gain access to user accounts. Motherboard reports that despite being warned earlier this year, many of the companies have not patched the vulnerability.

What’s the issue? — SIM swappers convince carriers to move your phone number over to a SIM in their possession. Once successful, they can use text-based authentication and password recovery tools to access anything from your social media to finance apps. The better way to go about 2FA would be to use an app or have codes sent to an email, so nothing’s tied to your carrier.

Who was and still is vulnerable? — Researchers reached out to Adobe, Amazon, PayPal, Microsoft, Venmo, Mailchimp, Snapchat, Blizzard, eBay, TaxAct, Wordpress.com, Yahoo, Finnair, Zoho Mail, Gaijin Entertainment, and AOL. As of March 25, 60 days after it was initially reported, Adobe, eBay, and Snapchat swiftly patched the vulnerability. Blizzard, Microsoft, and TaxAct didn’t provide responses indicating they understood the issue, but also got around to fixing it (without reporting back to the research team).

AOL, Finnair, Mailchimp, Venmo, and Wordpress.com never responded or addressed the problem. Amazon and Zoho closed the issue with no intention of fixing it. Yahoo, Gaijin, and PayPal didn’t understand the vulnerability, and PayPal pawned off the responsibility to phone carriers.

PayPal told the team: “the vulnerability is not in Paypal, as you mentioned this is an issue with the carriers and they need to fix it on their side.” PayPal can also be infiltrated in a way where its suspicious log-in algorithm isn’t triggered.

What about your money? — With Venmo, PayPal, and Amazon sitting on their hands, there’s a way around SMS vulnerabilities. If you link your accounts to a digital number, a VoIP like Google Voice, it’s harder for hijackers to target you since there’s no connected SIM. You can also use an authenticator app like Google Authenticator or Authy, if you want cross-device protection.