Account Security

Two-factor authentication (2FA) via SMS will no longer be supported starting November 14th, 2022. To secure your account, we highly recommend setting your 2FA up with Google Authenticator (GA) or Authy. Alternatively, although it’s less secure than GA or Authy, you can enable 2FA via email. 

If you don’t get the chance to change your settings, starting on November 10, we’ll be sending your codes to your email instead of SMS. For those who use a combination of 2FA via SMS and Google Authenticator or Authy, your codes will be redirected to Google Authenticator or Authy instead.

Two Factor Authentication (2FA) is an additional layer of security where the user must verify that they own the account with a code. 2FA is often used to protect the user’s credentials, information, and any resources within the system. Only the user can access their specific 2FA alert, which is sent via Authy, Google Authenticator, or email. 

2FA is a secondary layer of security used to safehold your account. With an authenticator, you receive a code you will need to input to log in to your account or complete any trades. 

There are several different types of authenticators or 2FA methods you can use. The three options are:

• Google Authenticator
• Twilio Authy
• Email

To set up 2FA, you’ll need to first set up your security questions in your account settings. 

Google Authenticator is an application that implements two-step verification services for our users as an added layer of security. It uses a time-based one-time password algorithm and HMAC-based one-time password algorithm for authenticating users of mobile applications by Google.

To set up 2FA with Google Authenticator (GA) follow the steps below:

Google Authenticator Requirements:

• Download the GA app for Android or iOS

Setting up Google Authenticator:

1. Once the GA app is installed, login into your Paxful account on a different device.
   
2.  Hover over your username on the top right corner of the page and click Settings from the menu.
   
   
3. On the settings menu, click Security.
   
   
4. On the security page, under Two-factor authentication (2FA) settings, choose Google Authenticator.
   
   
5. Click Activate now and a QR code appears.
   
6. Scan the QR code with your phone by using the Google Authenticator app. A 6-digit code will appear on the app or you can copy the code for manual setup.
   
   
7. Enter the 6-digit code into the field below the QR code. Your code will be automatically submitted once you input the code.
8. Once your code is automatically submitted, a menu will appear.
   To verify that 2FA via GA is turned on, make sure it says Activated. For more security, check all the toggles under the Enable 2FA column.
   
9. When all toggles are blue, you’re done! 2FA via Google Authenticator is set up. 

Enabling Two-Factor Authentication (2FA) can greatly enhance your account security. We recommend using Authy as it's more secure. To set up 2FA with Twilio Authy follow the steps below: 

Twilio Authy Requirements:

• Download the Authy app

Setting up Authy:

1. Login to your Paxful account on a different device. 
2.  Hover over your username on the top right of the page and click    Settings from the menu.
   
   
3. On the settings menu, click Security
   
4.  On the security page, under Two-factor authentication (2FA) settings, choose Authy.
   
   

5. Click Activate now and a QR code appears.
   
   

6. Scan the QR code with your phone by using the Authy app. A 6-digit code will appear on the app or you can copy the code for manual setup.
   
7. Enter the 6-digit code into the field next to the QR code. Your code will be automatically submitted once you input the code.
8. Once your code is automatically submitted, a menu will appear.
   To verify that 2FA via Twilio Authy is turned on, make sure it says Activated. For more security, check all the toggles under the Enable 2FA column.
   
   
9. When all toggles are blue, you’re done! 2FA via Twilio Authy is set up.
    
   

   Note:

   To troubleshoot 2FA with Authy, visit our help center page.
   
   

    

To set up 2FA with email, follow the steps below:

Setting up 2FA with email:

1. Login to your Paxful account.

2. Hover over your username on the top right of the page and click on the    Settings button.

3. In the Settings menu, click on  Security.

4. On the Security page, under Two-factor authentication (2FA) settings, choose Email.

5. Click Activate now.

6. Click on Enable 2FA via email and a menu will appear. 

To verify that 2FA via email is turned on, make sure it says Activated. For more security, check all the toggles under the Enable 2FA column.

7. You’ll receive a code in the email you used to create your Paxful account.

8. Input the 6-digit code found in the email.

9. When all the toggles are blue, you’re done! 2FA via email is set up.

Have problems with your two-factor authentication (2FA)? Here's how to troubleshoot 2FA via SMS, Authy, or Google Authenticator.

Google Authenticator and Authy

If your GA codes don’t work, it might be because the time on your Google Authenticator app is not synced correctly with your device. Make sure to check the clock and set it to the correct time zone. An incorrect clock can cause codes to be out of sync.

Email

If you’re having issues receiving a 2FA via email code, please check the following:

• Make sure your inbox is not full. 
• Make sure emails from Paxful are not going into your spam folder. 
• Make sure your email is verified on your Paxful account.

SMS

2FA via SMS is no longer supported on Paxful. If you had 2FA via SMS enabled, we’ll be sending your codes to your email instead. 

For those who use a combination of 2FA via SMS and Google Authenticator or Authy, your codes will be redirected to Google Authenticator or Authy instead. 

If you haven’t been using 2FA via Google Authenticator or Authy or your email is not verified on your Paxful account, please contact our support team to reset your 2FA. 

Setting 2FA on your account significantly improves your cryptocurrency wallet security. But sometimes you may lose 2FA due to:

• Your phone is lost or damaged.
• The authentication app is deleted.
• You switch to a new device, and the app with all the codes cannot be transferred to your new device.

If this happens, click "Trouble logging in?" when you're asked to enter your 2FA code. From there, we'll ask you some questions and we'll see how we can help.

Your safety is a big priority for us at Paxful, so we’ve put together this list of tips and tricks to help keep your account safe.

Protect yourself in the trade

1. Stay in the trade chat.

• Although there are times when you might need to exit the chat to finish, try not to click on suspicious links that you aren’t familiar with, especially phishing links. 
• Be cautious of users asking you to cancel a trade or switch over to a different offer link. Keep an eye out for users not following offer guidelines. 
• Don’t chat outside of Paxful’s trade chat. If your trade ends up in a dispute, our team can’t help resolve the issue since it happened outside of Paxful. 
• Check if the address on your browser matches https://paxful.com before entering any account details.
  
  

2. Don’t share your personal information. 

• Don’t share any contact or personal information on the trade chat—users may try to scam you on off-site trades, impersonate you, or show that you have traded with them off-escrow.
  
  

3. Learn how to identify the real Paxful moderators. 

• It’s important to know that our moderators have specific chat bubbles and signatures to let you know that it’s really us. Here’s what a message from a real Paxful moderator will look like:
  

Protecting your Paxful account

1. Two-factor authentication

• We highly recommend setting up 2FA as soon as you create your Paxful account. You can set this up in your account settings. Although we recommend using Authy or Google Authenticator for more security, you can also use your email for 2FA.
  

2. Security questions

• We highly recommend setting up your security questions when you create your Paxful account, but you can set them up at any time in your account settings. Be sure to pick questions and answers you won’t forget!

3. Active sessions

• We recommend frequently checking all the devices you’re currently logged into. You can check this in the Security tab of your Paxful account. If you don’t recognize a device, click on the “X” to log your account out of that device. If this happens, we recommend changing your password immediately.
  

Protection measures outside of your Paxful account

Even when you’re not logged in and actively trading, it’s important to keep your Paxful account and systems safe. 

1. Email and passwords

• Creating passwords. When creating a password, make sure to use a combination of upper and lower case letters, numbers, and special characters.
• Don’t use the same passwords. It’s essential to have different passwords for your email and your Paxful account. This is because hackers usually target your emails. In a worst-case scenario, if a hacker gets access to your email, they’ll be able to access the funds in your Paxful Wallet.
• Never share your password. Be cautious of users asking for sensitive information like your password in the trade chat. The Paxful team will NEVER ask for your password or other sensitive account information. If you’re in a dispute and our moderators ask you to provide a screenshot or a video as proof, make sure your passwords are not visible. 
• Protect your email address. Make sure you protect the email address connected to your Paxful account and don’t share it in a trade chat. Your email is a gateway to your account so be sure to keep it to yourself.
• Be cautious of SMS messages and emails from unfamiliar senders. Don’t interact with suspicious emails, give away sensitive data, or click on any links that seem suspicious. For additional information see: I have received a suspicious email. Is it from Paxful?

2. Computer health checklist

• Keep your systems up to date. This includes your computer, smartphone, browser, and other software.
• Don’t download anything unnecessary. Additionally, if you don’t know the developer or aren’t sure if you trust it, don’t download the software or program.
• Use officially-licensed software. Make sure you’re using software that is trusted and licensed. Remember to keep these programs up to date as well. This includes antivirus, anti-malware, personal firewall programs, etc.

3. Use secure networks

• Make sure you’re using trusted and secure Wi-Fi and networks—preferably a wired connection or a network with a password.
  

Security questions help protect your account and restore access in case you lose it. Follow these steps to configure your questions.

1. Log in to your Paxful account, hover over your username on the top right of the page and click Settings from the context menu that appears.

The Settings page appears.
2. On the menu on the left, click SET SECURITY QUESTIONS.

Set your security questions dialog box appears.
3. Click the Set answers link.

The Set answers dialog box appears.
4. Select 3 security questions from drop-down lists. Type the corresponding answers into the fields under the questions.

 5. Click Save.

Your security questions are set. You are redirected to return to the Account settings page.

For additional information on how to secure your account, check our security guide.

If you think someone has gained access to your account or suspect that login details have been compromised, here’s what you can do:

If someone logged into your account but you still have access to it.

Do one of the following:

1. Usually, whenever there is a new or unexpected login on your account, we immediately notify you via email with a link to report to lock your account if you suspect intrusion. So just click the link in the email. Your account is locked immediately and all sessions are terminated. The faster you act, the higher the chances of saving your BTC. Next, contact support to restore access to your account. After, take steps to protect your account. 
2. Alternatively, while logged in to your account, simply proceed with the following steps.

Steps to protect your account:

1. Change your password to something secure (a password that you have NOT USED on other sites or emails). Try to make your password as complex as possible, but at the same time be sure to remember it.
2. Check to ensure that none of your other settings such as your email or phone number were changed. If they were changed to something you don’t recognize, change them back.
3. Go to your active sessions (Settings > Security > Active Sessions) and log out all sessions by clicking the Close icon next to them.
4. Log out of your account.
5. Log back in using your new password.
6. Download Google Authenticator(iPhone/Android) or Authy (Mac/Windows).
7. Turn on 2FA on Paxful and scan the code with your phone. Remember to turn 2FA on for BOTH login and sending out as it will make your transactions more secure. We recommend using Google Authenticator or Authy over SMS 2FA as it is more secure. Just bring up the app and get the code every time you want to log in or send crypto.
8. Set your security questions and write them somewhere. You’ll need them if you ever lose your phone and need to reset your 2FA.

If you can’t log in to your account:

1. Contact support and provide all the information required by our support agents. Once it’s verified that you are the account owner, inform support that you need an ACCOUNT LOCKDOWN. Support Team will see if there is enough data to prove you are not a hacker (and will try to give you access to your own account). Once it is verified that you are the victim and rightful account owner, account access will be restored.
2. Once you log in, secure your account immediately.

How did this happen and how can I prevent it from happening again?

To prevent this from happening again, we suggest that you don’t use the same password across websites and that you have 2FA with Google Authenticator enabled.

At Paxful, we are constantly improving our security processes to keep your funds as safe as possible.

So where did the cryptocurrency go?

• Check your account activity to see who logged into your account. Take note of their IP address.
• Check your wallet ledger to see the cryptocurrency address they sent your coins to.

With the cryptocurrency address and the IP address of the thief, you have some information but it is often impossible to track them down. Our support team does not have the resources to help you investigate further because hackers often use VPNs and also due to the general anonymity of cryptocurrency. It is nearly impossible to track them down, so try your best to make your account as secure as possible.

Enabling 2-Factor Authentication is a good way to prevent any of these from ever happening.

If you received a suspicious link or message from any entity claiming to be associated with us, report it ASAP to our support team. You may be a target of phishing, a cybercrime where someone poses as a legitimate company or government entity to obtain victims' personal information. 

The most important thing is that you do not click on any links or download any attachments from the message that you received. These links and attachments can damage your device, and your data can potentially be exposed to thieves. 

First and foremost, you'll want to report the message to our Support team. When you reach out to us, be sure to include all of the information from the emails or messages to help us investigate where it originated from. Reporting it in detail will also help us prevent other members from being targeted by these attempts.

Information Paxful will never request

We will never request the following information:

• Your full credit card number, banking information, or other financial details
• Your Paxful password
• Your one-time two-factor authentication (2FA) code
• Click a link to receive funds, verify info, and release or cancel the trade when you are already logged in (you can do that yourself on Paxful)

We also won't send you links asking you to click to receive funds, verify your information, or release or cancel a trade when you're already logged in.

Please report it to us immediately if you receive a message requesting any of the above information.

How to spot a phishing link:

While scammers change their tactics frequently, look for these classic signs of a phishing or spoofing attempt:

• Make sure there are no spaces in the link provided.
• There are no URLs inside pictures.
• There are no links with/attached to QR codes 
• We recommend you be very cautious with file-sharing links. These can lead to malware or hacking.
• There is no ‘Whatsapp’ or other messengers inside pictures.
• You receive emails or messages with .html attachments.
• Also, keep your trades in Paxful. These links can be shared off-escrow without detection.

How to spot a phishing email or chat message:

While scammers change their tactics frequently, look for these classic signs of a phishing or spoofing attempt:

• The user requests for your bank account, username, password, social security number, or identity. 
• A claim is made that your account is compromised. In such cases, we may send only automated messages from “no-reply” email addresses.
• You receive an unsolicited email with a link to verify your account information.
• There are typos in the email address. It’s common to see something like support@ppaxful.com.
• You receive suspicious links that don’t lead to www.paxful.com. Before you enter your login information or click on a link, double-check the URL by copying it into your address bar without pressing Enter.
• You receive emails that mimic our design. These emails aim to distract you from any typos in the email address or website links by using pictures and colors similar to our platform.

Ways to Protect Yourself from Phishing Scams: 

• Always report any suspicious activity to our Support team.
• Check that a link, email, or message is actually from Paxful.com. We communicate using several social channels:
  • Instagram
  • Twitter
  • Facebook
  • YouTube
  • Reddit
• Do not click on any links, downloads, or attachments from questionable messages and emails.

For more information on how to protect your account see our security guide.

If you forgot your password and can't sign in to your Paxful account, follow these steps to reset and request a new password:

1. Click Log in button on the home page

2. Click “Forgot password?”

3. Enter your phone number or email address and then click Request new password

From there, you'll receive an email from us with a link to reset your password. If you have 2FA enabled, you will be asked to input the 2FA code to complete your password reset request.

Note: 

See our security guide for additional information on improving the safety of your account. You can also check how to change the password in your profile settings.

If you know your current password and can access your account, you can reset your password right from your account security settings.

To change your password while logged into your Paxful account on the website:

1. Hover over your username at the top right of the page and click Settings from the menu that appears.
2. On the Settings page, click Security in the menu on the left side of the page.
3. In the Change password section, complete the following fields:

4. Click Change password.
Your password reset is complete. You'll be logged out of the website and any other active sessions you're using. You'll also be logged out of the app. You'll need to log in again with your new password. You'll also receive an email from help@paxful.com confirming your password change.

See our security guide for additional information on improving the safety of your account. If you do not remember your password, click here.