PayPal’s reference to standard security checks refers to when its system, leveraging behavioral analytics, flags a customer interaction as potentially fraudulent based on factors such as transaction size or deviation from historic patterns.
Still, Grajek finds PayPal’s decision to keep SMS in use for fraud checks to be odd. When the system flags a potential problem, he says, “you want to do a higher level [of authentication]. Why would you de-escalate [to a lower level of authentication]?”
PayPal’s customer email said the company would “start removing” SMS in March, but how long that process will take is unclear. Logistics is one factor, as these communications are going to a global customer base of roughly 439 million people and businesses. PayPal will batch those messages over an extended time.
