Paypal's Security Key Protects You From Phishers - Gizmodo Comments

Paypal's Security Key Protects You From Phishers

Windhawk — Tue, 16 Jan 2007 20:44:09 EST

This helps PayPal prove that you are you -- but the token does nothing to prove to *you* that PayPal is who they claim to be. For example: A fake/spoofed site would just forward your login info right on to PayPal and impersonate you as they clean out your account.

This makes it even easier for PayPal to claim full denial of liability, since you (as proven by your token, which only you possess) were clearly the person who cleaned out your own account.

Windhawk

Paypal's Security Key Protects You From Phishers

Brian B — Tue, 16 Jan 2007 12:28:43 EST

Doesn't do much for a Man in the Middle attack, does it? Justapspfan nailed it for average PayPal customers: don't carry a balance you don't want to loose! For high-volume users, they should just offer an inexpensive biometric solution like finger scan

Brian B

Paypal's Security Key Protects You From Phishers

koftun — Tue, 16 Jan 2007 12:26:39 EST

Egads. I already have four of these things from a variety of banks I work with.

Now I have to remember umpteen logins, a gazillion passwords and where I left my token collection.

Trust me. With more than two of these things, they are *not* keyfobs. Having reached critical mass, they become, collectively, a boat anchor.

koftun

Paypal's Security Key Protects You From Phishers

kevjohn — Tue, 16 Jan 2007 11:32:47 EST

Who cares about security? For $5 this'll make a cute, inexpensive addition to my ever-growing keyfob collection.

kevjohn

Paypal's Security Key Protects You From Phishers

Hamster — Tue, 16 Jan 2007 09:46:11 EST

PayPal user name 7 Char
PayPal Password 8 Char
PayPal Security Key Password 6 Char

Writing and mailing a check is soon going to be faster!

Hamster

Paypal's Security Key Protects You From Phishers

Justapspfan — Tue, 16 Jan 2007 09:42:16 EST

How about not keeping a balence in your PP acount, problem solved.

Justapspfan

Paypal's Security Key Protects You From Phishers

felix — Tue, 16 Jan 2007 07:51:09 EST

my paypal username is hard_rocker_84 and my password is rock_on - will this increase my security??/?

felix

Paypal's Security Key Protects You From Phishers

TailsNZ — Tue, 16 Jan 2007 03:15:53 EST

Ah HSBC gives them out for their online banking too, I got mine about 2 years ago.

TailsNZ

Paypal's Security Key Protects You From Phishers

devillion — Tue, 16 Jan 2007 01:29:54 EST

My friend's dad is a broker on NYSE and has these things all over his house...obviously used in a more 'mission-critical' setting since he's dealing with millions of shares, but they're pretty standard in the industry already...this isn't that new.

devillion

Paypal's Security Key Protects You From Phishers

Lurch — Mon, 15 Jan 2007 22:33:38 EST

But who is gonna protect me from spending all my money on PayPal now??

Lurch

Paypal's Security Key Protects You From Phishers

MongoLikeCandy — Mon, 15 Jan 2007 21:08:20 EST

When I worked for a major ISP we used SecureID tokens for our internal logins (one of our screennames was bound to the token.) We would often get phishing IMs purporting to be from Data Security asking us to enter our screenname, password and token. A script would hijack the login and give the hacker access to an internal account. Employees didn't fall for it open, but someone was passing along new employee names, because I got the phishes my second day there.

MongoLikeCandy

Paypal's Security Key Protects You From Phishers

Plasmafire — Mon, 15 Jan 2007 20:31:39 EST

I think a whole lot more companies could use this technology.

Plasmafire

Paypal's Security Key Protects You From Phishers

geel — Mon, 15 Jan 2007 19:11:10 EST

It would appear that there are more of these type things on the way when you click the demo it takes you to paypalobjects.com

geel

Paypal's Security Key Protects You From Phishers

Iron Man Underoos — Mon, 15 Jan 2007 19:05:51 EST

Anyone else getting a "not available yet" message when trying to order one? Why did Paypal go through the trouble of making that page to begin with if it will bring me to an unfriendly error message that won't even let me pre-order one. That sucks.

Iron Man Underoos

Paypal's Security Key Protects You From Phishers

aec007 — Mon, 15 Jan 2007 18:53:13 EST

It's nice to have the extra layer of protection, but frankly I do not see myself carrying one of these around everytime I need to pay something.

I have used Citibank's Virtual Account number for years now... I has for every new transactions the following:
- A new CC number genereated
- A new VDC code
- A new expiration date
- A limit on the transaction (if you need to)
- Automatic Form fill features.

You can install an applet in your taskbar that detects a payment process in the webpage so it pops by itself or you can do it from a web applet.
Either way, you log in, and generate the numbers as needed. You track your CC numbers on their applet and close numbers at will when not needed.
I all gets billed to my "real" CC number with the entry of the Virtual CC number.

This one is nice, but if you forget the key at home you are screwed.

Citibank's solution works anywhere you have a browser available and it's free.
Very smart, very safe. I recommend it highly.

aec007

Paypal's Security Key Protects You From Phishers

nweaver — Mon, 15 Jan 2007 18:24:33 EST

That 30 seconds is enough for a phisher to drain the account. 2-factor like that makes phishing a little harder, but not hard enough.

nweaver

Paypal's Security Key Protects You From Phishers

lightshow — Mon, 15 Jan 2007 18:21:34 EST

A phisher wouldn't have to sit around at his database console in order to catch the 30 second window. With a clever script, the phishing site can pull a username/pass and current securID from the victim and use it to immediately log in to paypal on another remote server. As long as paypal is automatically refreshed every so often it will stay logged in and the phisher can check every few hours and have several logged in paypal accounts to exploit waiting for him. Adding the hardware token is still a step in the right direction as it makes it that much harder to get into other peoples' accounts in the first place.

lightshow

Paypal's Security Key Protects You From Phishers

Manuel — Mon, 15 Jan 2007 18:14:04 EST

Sanx:

You're misunderstanding what Jason wrote. The code is never used when the victim puts it into a phishing site, because the phishing site isn't real. Thus, if the site uses it in the next 30 seconds, it would still work.

I wonder, too, if this is just for logging in, or if one must do this for every transaction. If the former, the phisher can automatically log in (thus beating the clock) and just stay logged in (PayPal keeps you logged in for that browser session). So in that case (when the token is used just for logging in the first time per browser session), this is nearly useless.

As for algorithmic vulnerabilities, it doesn't really matter if the algorithm is known so long as the seed value isn't. This can be done securely, and no doubt eBay can afford to do so.

Manuel

Paypal's Security Key Protects You From Phishers

djdare — Mon, 15 Jan 2007 17:50:42 EST

Psh, well I've got one code, 123456, way to show it on the screen paypal... some security... psh

djdare

Paypal's Security Key Protects You From Phishers

Sanx — Mon, 15 Jan 2007 17:48:02 EST

Whilst it sounds like a SecurID key, I don't think it is. Verisign (see the logo on the bottom of the pic) have their own form of two-factor authentication system, but I didn't think it was an elapsed time-based system. RSA have the patent on time-based code generation that the SecurID tokens use.

If it is indeed SecurID, the scenario outlined by Mr Chen where the bad guys would have 30 seconds to capture and use your token code would be cancelled. Once a SecurID token code is used once, it can't be re-used.

Sanx

Paypal's Security Key Protects You From Phishers

buurin — Mon, 15 Jan 2007 17:47:09 EST

My sister works at a company that makes jet engines for the military... They use these same things, so I'm pretty confident its plenty secure

buurin

Paypal's Security Key Protects You From Phishers

Monty — Mon, 15 Jan 2007 17:43:58 EST

Security wise - it is excellent. We use these for a number of business acounts, and they are quite secure. However, they are a hassle compared to having IE just remember your login and password to get into sites. In any case, this makes perfect sense for big PayPal users. For your average Joe (like me), there would be no point since the most they could get to would be a few bucks.

Monty

Paypal's Security Key Protects You From Phishers

blue_94_trooper — Mon, 15 Jan 2007 17:39:46 EST

I used to resell these as part of a service offering my company provided. We also use them on our inhouse VPN solution. Our cost on a 4-year token (they expire before the battery can die) was around $70/ea. This would be quite an investment on PayPal's part to eat all of these tokens plus setup the SecureID infrastructure on their end.

The algorithms are pretty much bulletproof.

blue_94_trooper

Paypal's Security Key Protects You From Phishers

Mr. Black @ Sanctuary93.com — Mon, 15 Jan 2007 17:30:09 EST

Anyone else on a Business Account able to order one? When clicking on the order page it says "The Security Key is currently unavailable. Try again later." (BTW, the $5 fee is waived on Business Accounts)

Mr. Black @ Sanctuary93.com

Paypal's Security Key Protects You From Phishers

Sockatume — Mon, 15 Jan 2007 17:26:02 EST

They're known as SecurID tokens, they're well established and very reliable. A breach would reply on the phisher sitting around watching his database for a new code, otherwise he's got no chance of using it in the 30s it's valid.

Sockatume

Paypal's Security Key Protects You From Phishers

Azndude51 — Mon, 15 Jan 2007 17:21:29 EST

Interesting idea, but probably not for someone like me who is already very careful when logging into Paypal. Also, I only use PP about 1-2 times a month; if it was free I would get one.

Azndude51