
PayPal phasing out Symantec VIP Access

PayPal to phase out VIP Access and migrate to SMS-based one-time codes.

I tried to add a new virtual security key, provided by Symantec’s “VIP Access” smartphone app, to my PayPal account. However, it no longer worked the way it used to when visiting this link. I only got an error message saying:

“We’re sorry. There’s been an intermittent communication problem. Please try again later.”

To me that sounds like PayPal’s portal needs to communicate with Symantec’s back-end for VIP Access, and there is something wrong.

So I wrote a message to PayPal support, and this is what I got:

“Since last year you can only use a mobile phone number for security keys. Old keys produced by the VIP Access app can still be used, but no new ones can be registered. Sadly, I have no timeframe for how long you can use the registered app keys before they become invalid too.”

It is really very disappointing that they are migrating away from this very secure and privacy-conscious solution to an inferior one, because the SMS-based replacement is

  • privacy-intrusive (they require your mobile phone number in order to send you the one-time code) and
  • definitely less secure (mobile-phone-based one-time codes have been demonstrated to be easily intercepted by skilled attackers!)

If you oppose this change, please approach PayPal and voice your concerns.

By Ralf Bergs

Geek, computer guy, licensed and certified electrical and computer engineer, husband, best daddy.

27 replies on “PayPal phasing out Symantec VIP Access”

Thanks for letting me know.

It’s indeed very interesting to learn that Symantec VIP access, when used with these one-time pins, is basically the same thing as the well-known standard solution we have all been using with Google Authenticator.

But I think you may not be getting the point.

My post is about registering new Symantec VIP keys (so it also applies to the alternative client solution you pointed to). And as the alternative client is just another client, the decommissioning of the back-end integration with Symantec’s solution will render all clients useless, regardless of whether they are genuine Symantec VIP or alternative clients. 🙁

I have just registered my Symantec Key on PayPal and it worked fine without any issues.
I previously had another phone which I registered back at the end of 2017 and I now have a new phone which I just now registered which is also working using the Symantec App.
Not sure how yours is not working.

Interesting. Thanks very much for letting me know.

Then obviously PayPal support lied to me, and my original suspicion that a maximum of 10 keys can be registered seems to be true (as I currently already have 10 keys registered, and I’m trying to add another one). Strangely, you can only “deactivate” keys, but you can’t “delete” them. Maybe I need to ask support to delete the deactivated keys…

Same here. I discovered this page while searching for a way to get VIP Access set up with PayPal on a new phone. I figured the link provided above wouldn’t get me anywhere, but I tried it anyway and it worked fine. So, thank you for that! Now I have both keys active, since I plan to keep my old iPhone 6 Plus around for a while.

Glad to hear it works for you guys — but then it seems clear that “my” problem must be due to the number of keys I’ve registered. I’ve got “10”, which is not a typical number an IT guy would choose, but maybe some UX designer defined it…

Anyway, I will continue to pester PayPal with it…

Stay tuned…

Hi Ralf, I have the same problem (and concerns as you). Did you get any further with PayPal on this issue? Regards, Clive.

Hi Clive.

PayPal Support now claimed they can’t delete security keys off my account. I’ve now asked again about the “intermittent communication problem” I’m constantly getting. Let’s see, maybe I reach a support guy with a clue…

I’ll keep you posted…

Kind regards,

Ralf

Ok, it is now clear that PayPal is not telling me the truth… 🙁

Today I received a response from their support as follows:

The only way of security verification that is still actively supported and serviced for German PayPal accounts is the security key reception via SMS.
The old security key hardware can still be used if it has already been activated – but it cannot be replaced and it cannot be added anew.

I just checked with my wife’s (GERMAN!) account that she still CAN add a new key to her account, so PayPal’s above statement is simply wrong. I’ve gotten in touch again with them, telling them about my finding, and asking them AGAIN to delete the disabled keys from my account so that I have less than 10, and can register a new key.

Let’s see how they respond. I’m ready to escalate this to the media, because I’m sick of being treated like sh*t…

I know this is not very helpful, but I just did a little experiment. I am also at 10 security keys, which includes a bunch of long-gone VIP serial numbers and a couple of mobile phone numbers. The experiment I did was to try to add another phone number.

That failed with the error message “You’ve reached the maximum number of security keys. Remove a security key to add another.” But, as is well-known, there is no option to remove a security key. So, at least in the web app, 10 is some kind of limit.

You can try this experiment yourself even if you don’t have an extra mobile number laying around. It fails before actually trying to send the security code SMS.

Bill, actually this experiment is very helpful, as it a) confirms my suspicion, and b) gives me a way to put more pressure on PayPal, because using SMS-based 2FA is what they want me to use.

FYI: I had escalated the case with PayPal (or at least I tried to do so by asking to involve a supervisor). The response I now got for the first time admits there’s a deliberate maximum of 10:

“It is still possible to register VIP access security keys. Each PayPal account has a maximum of 10 keys. We can’t delete deactivated keys. Due to that you can’t register new keys in your account.”

I’ve asked them to involve 3rd-level support to manually delete the keys from the database. Let’s see what they respond…

Very interesting development: After I filed a couple of complaints to various media, consumer protection agencies, the banking supervision authority (CSSF) in Luxemburg, and German supervision authority BaFin, PayPal finally took some action.

You won’t believe what they did, though. :-(((

They DELETED the only still working (and ACTIVE!) security key from my account, so that login without security key was possible.

Can you believe that??? Totally insane, if you ask me… Claim to take security very seriously, and then THAT happens…

In total they deleted 3 keys from my 10 keys (I asked to delete ONLY DISABLED keys!), so that I was now able to register a new key.

Still my account is in a limited state, with no reason given yet.

Just as someone who was also going through this process, I tried to add a security key in the same way and hit the same issues. I raised a ticket to Paypal as follows:
“Hi, I’m attempting to activate a security key on my account and am getting the following error:

We’re sorry. There’s been an intermittent communication problem. Please try again later.

I am able to register the security key, as it’s in a registered state in my account, but I cannot activate it, even though I put in two correct successive 6-digit codes. Can you assist?”

The response I got from Paypal was:
“I understand that you wanted to set up your Security Key. I checked on your account and saw that the key was already activated.

I do not see any reason why you are receiving an error. Here’s what I did, I deactivated the security key so that you can set it up again.

I recommend for you to clear the cache and cookies of your browser first before setting it up.”

Following on from this, I chose to try again, so I generated a new security key using VIPACCESS and then went through the process of adding the serial number along with two successive 6-digit codes. This time it went through successfully and I now have 2FA with the Symantec Security Key system.

I’ve added the serial number to my Microsoft Authenticator and it works like any of my other 2FAs.

So it looks like it does work, just no way to guarantee it?

Thank you for your comments, although I must admit that I don’t fully understand all of them.

The problem I (and one of my readers had/have) is that we had already 10 software keys registered, and there is a deliberate limit of 10 keys which you can add to your account. If in such a case you want to add another key, you get the error message you also encountered. After PayPal removed some keys from my account, I could register a new key just fine.

Coming back to your comments: I personally can’t confirm that you can “register” a software security key without activating it. For me, that was always one atomic action.

Also, I’m not sure I understand your comment with regards to Microsoft Authenticator. Are you saying instead of Symantec VIP Access, you’re using an alternative TOTP generator (Microsoft Authenticator in your case), as pointed to by one of my readers, “otpfreak,” who pointed to the below URL:
https://medium.com/@dubistkomisch/set-up-2fa-two-factor-authentication-for-paypal-with-google-authenticator-or-other-totp-client-60fee63bfa4f

Sure, this you can do, but it won’t help at all if you encounter the hard limit of 10 security keys…

Maybe I misunderstood you, in which case I would kindly ask you to elaborate. Thanks very much.

Yeah I’m just adding confusion here 🙂 I found your blog as I couldn’t register my first security key as I was getting the intermittent connection error. This appeared to be happening to lots of people, even if they hadn’t hit the 10 limit you are experiencing.
I was just happy to finally be able to register a key and stop using the SMS method for 2fa.

Hope Paypal increase your limit!

It seems that their Hardware Tokens still work.

I tried a purchased hardware token and could add that successfully in 09/2018. That isn’t one in the card format…
It seems that PayPal is phasing out serial numbers they know of – meaning the app ones and the card ones. But it seems that they thankfully left out some of the battery-exchangeable Symantec hardware tokens. (I won’t say their serial number letters here, as then PayPal would read it and block it for new ones.)

Does anyone know if Symantec still actively produces the Hardware Tokens? They’re hard to find nowadays – for consumer markets at least…

Hi Konstantin.

Do you have any indications that PayPal are phasing out individual serial numbers? I don’t have any such indications so far…

Did you maybe misunderstand anything written here on my blog? “My” problem and that of at least one of my readers is that you can’t add more than 10 security keys, regardless of whether software or hardware.

So far it seems you can add ANY key, provided that you have less than 10 keys registered to your account…

Kind regards,

Ralf

[…] This post reflects the state of things as of September 2018. I accept no liability for tokens that do not work, or for the financial consequences if they were ordered just to try them out, since PayPal can deactivate them for new users at any time. More recent information (in English) can be found in the comments on this page. […]

This currently does not work with the Symantec VIP app.

That must be a misunderstanding. I did this successfully about two weeks ago…

I just found out that you can finally register standard TOTP authenticators (like FreeOTP(+) or Google Authenticator) with PayPal — you don’t have to use Symantec VIP Access anymore.

Just go to My Account -> Settings -> Security

https://www.paypal.com/myaccount/security/

and in section “2-step verification” click on Enable/Activate/Update.

Pro-Tip: Create a PDF from the QR code using your browser’s “Print” function when you register your TOTP token, like Google Authenticator, and then you will be able to register multiple devices to your PayPal account. This way you never have to fiddle with 2FA again in PayPal, regardless how often you change your mobile phone, or how many you use. 🙂

Here’s an interesting update:

A few months ago I noticed that you can finally — in addition to a “Security key” — also configure an “Authenticator App, Third-party code generator.”

And this is, in my view, finally a break-through, because it uses a standardized TOTP algorithm to generate time-based one-time codes.

This mechanism can be used with standard apps, like Google Authenticator, or the app I prefer on Android, FreeOTP+.
