
Paypal's Security Key Protects You From Phishers

Paypal's security and phishing troubles have gotten so bad that they've decided to provide a hardware solution to the problem. This upcoming Security Key from Paypal generates a unique one-time-use password every 30 seconds, which you use along with your username and regular password to log into your account.

This way, even if phishers get your login and password, they won't be able to log into your paypal account without the oft-changing key generated by your hardware.

Two caveats off the top of our head. One, if phishers learn your specific keygen algorithm (unlikely), you're out of luck. Two, if they do manage to get you to enter the username, password, and key into a phishing site, they have up to 30 seconds to use that info to log into your Paypal account and transfer cash out.
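As an added illustration of the mechanism and of the second caveat (this is not PayPal's, RSA's or Verisign's code, and the token's actual algorithm is not described here), the following Python assumes an HMAC-SHA1 time-step construction with a 30-second step and six-digit codes, plus a server-side check that refuses a second use of the same code. It shows what single-use codes do and do not fix: a captured code forwarded to the real site within the window is still accepted, but the same code cannot be spent twice.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the post's 30-second code lifetime
DIGITS = 6          # six-digit codes, as in a commenter's sample

def totp_code(seed: bytes, now: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Time-based one-time code for the time step containing `now`.

    Assumed construction: HMAC-SHA1 over the step counter, dynamically truncated to
    `digits` decimal digits. The real token's algorithm is not described on the page.
    """
    counter = now // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)

class OtpVerifier:
    """Server-side check that also refuses a second use of a step's code (single use)."""

    def __init__(self, seed: bytes, step: int = STEP_SECONDS):
        self.seed = seed
        self.step = step
        self.last_used_counter = -1  # highest time step whose code was already accepted

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        if counter <= self.last_used_counter:
            return False  # replay: a code for this (or an earlier) step was already spent
        if not hmac.compare_digest(code, totp_code(self.seed, now, self.step)):
            return False  # wrong code, or a code from a different 30-second step
        self.last_used_counter = counter
        return True

def phishing_scenario() -> tuple:
    """Constructed scenario: the victim types a fresh code into a phishing page and the
    phisher forwards it to the real site within the window; nothing here is real data."""
    seed = b"constructed-demo-seed-not-a-real-token-secret"
    t = 1_168_895_700  # constructed timestamp, a multiple of 30 (start of a step)
    captured = totp_code(seed, t)
    server = OtpVerifier(seed)
    forwarded_in_window = server.verify(captured, t + 10)  # code never spent: accepted
    reused_in_window = server.verify(captured, t + 20)     # single use: rejected
    same_step = totp_code(seed, t + 29) == captured         # still the same code at t+29
    return forwarded_in_window, reused_in_window, same_step
```

Keeping the seed secret is what matters here; knowing the construction alone does not let anyone predict codes.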

Product Page [Paypal]

5:15 PM on Mon Jan 15 2007
By Jason Chen
2,869 views
26 comments

Comments

  • Interesting idea, but probably not for someone like me who is already very careful when logging into Paypal. Also, I only use PP about 1-2 times a month; if it was free I would get one.

  • They're known as SecurID tokens, they're well established and very reliable. A breach would rely on the phisher sitting around watching his database for a new code, otherwise he's got no chance of using it in the 30s it's valid.

  • Anyone else on a Business Account able to order one? When clicking on the order page it says "The Security Key is currently unavailable. Try again later." (BTW, the $5 fee is waived on Business Accounts)

  • I used to resell these as part of a service offering my company provided. We also use them on our in-house VPN solution. Our cost on a 4-year token (they expire before the battery can die) was around $70/ea. This would be quite an investment on PayPal's part to eat all of these tokens plus set up the SecurID infrastructure on their end.

    The algorithms are pretty much bulletproof.

  • Security wise - it is excellent. We use these for a number of business accounts, and they are quite secure. However, they are a hassle compared to having IE just remember your login and password to get into sites. In any case, this makes perfect sense for big PayPal users. For your average Joe (like me), there would be no point since the most they could get to would be a few bucks.

  • My sister works at a company that makes jet engines for the military... They use these same things, so I'm pretty confident it's plenty secure

  • Whilst it sounds like a SecurID key, I don't think it is. Verisign (see the logo on the bottom of the pic) have their own form of two-factor authentication system, but I didn't think it was an elapsed time-based system. RSA have the patent on time-based code generation that the SecurID tokens use.

    If it is indeed SecurID, the scenario outlined by Mr Chen where the bad guys would have 30 seconds to capture and use your token code would be cancelled. Once a SecurID token code is used once, it can't be re-used.

  • Psh, well I've got one code, 123456, way to show it on the screen paypal... some security... psh

  • Sanx:

    You're misunderstanding what Jason wrote. The code is never used when the victim puts it into a phishing site, because the phishing site isn't real. Thus, if the site uses it in the next 30 seconds, it would still work.

    I wonder, too, if this is just for logging in, or if one must do this for every transaction. If the former, the phisher can automatically log in (thus beating the clock) and just stay logged in (PayPal keeps you logged in for that browser session). So in that case (when the token is used just for logging in the first time per browser session), this is nearly useless.

    As for algorithmic vulnerabilities, it doesn't really matter if the algorithm is known so long as the seed value isn't. This can be done securely, and no doubt eBay can afford to do so.

  • A phisher wouldn't have to sit around at his database console in order to catch the 30 second window. With a clever script, the phishing site can pull a username/pass and current securID from the victim and use it to immediately log in to paypal on another remote server. As long as paypal is automatically refreshed every so often it will stay logged in and the phisher can check every few hours and have several logged in paypal accounts to exploit waiting for him. Adding the hardware token is still a step in the right direction as it makes it that much harder to get into other peoples' accounts in the first place.

  • That 30 seconds is enough for a phisher to drain the account. 2-factor like that makes phishing a little harder, but not hard enough.

  • It's nice to have the extra layer of protection, but frankly I do not see myself carrying one of these around every time I need to pay something.

    I have used Citibank's Virtual Account number for years now... It has for every new transaction the following:
    - A new CC number generated
    - A new VDC code
    - A new expiration date
    - A limit on the transaction (if you need to)
    - Automatic form fill features.

    You can install an applet in your taskbar that detects a payment process in the webpage so it pops up by itself, or you can do it from a web applet.
    Either way, you log in, and generate the numbers as needed. You track your CC numbers on their applet and close numbers at will when not needed.
    It all gets billed to my "real" CC number with the entry of the Virtual CC number.

    This one is nice, but if you forget the key at home you are screwed.

    Citibank's solution works anywhere you have a browser available and it's free.
    Very smart, very safe. I recommend it highly.

  • Anyone else getting a "not available yet" message when trying to order one? Why did Paypal go through the trouble of making that page to begin with if it will bring me to an unfriendly error message that won't even let me pre-order one? That sucks.

  • It would appear that there are more of these types of things on the way: when you click the demo it takes you to paypalobjects.com

  • I think a whole lot more companies could use this technology.

  • When I worked for a major ISP we used SecurID tokens for our internal logins (one of our screennames was bound to the token.) We would often get phishing IMs purporting to be from Data Security asking us to enter our screenname, password and token. A script would hijack the login and give the hacker access to an internal account. Employees didn't fall for it often, but someone was passing along new employee names, because I got the phishes my second day there.

  • But who is gonna protect me from spending all my money on PayPal now??

  • My friend's dad is a broker on NYSE and has these things all over his house...obviously used in a more 'mission-critical' setting since he's dealing with millions of shares, but they're pretty standard in the industry already...this isn't that new.

  • Ah HSBC gives them out for their online banking too, I got mine about 2 years ago.

  • my paypal username is hard_rocker_84 and my password is rock_on - will this increase my security??/?

  • How about not keeping a balance in your PP account, problem solved.

  • PayPal user name 7 Char
    PayPal Password 8 Char
    PayPal Security Key Password 6 Char

    Writing and mailing a check is soon going to be faster!

  • Who cares about security? For $5 this'll make a cute, inexpensive addition to my ever-growing keyfob collection.

  • Egads. I already have four of these things from a variety of banks I work with.

    Now I have to remember umpteen logins, a gazillion passwords and where I left my token collection.

    Trust me. With more than two of these things, they are *not* keyfobs. Having reached critical mass, they become, collectively, a boat anchor.

  • Doesn't do much for a Man in the Middle attack, does it? Justapspfan nailed it for average PayPal customers: don't carry a balance you don't want to lose! For high-volume users, they should just offer an inexpensive biometric solution like finger scan

  • This helps PayPal prove that you are you -- but the token does nothing to prove to *you* that PayPal is who they claim to be. For example: A fake/spoofed site would just forward your login info right on to PayPal and impersonate you as they clean out your account.

    This makes it even easier for PayPal to claim full denial of liability, since you (as proven by your token, which only you possess) were clearly the person who cleaned out your own account.
