PayPal and ebay are what I get phished on more than anything else, combined.
Recently a very sophisticated phish got past my spam filters saying my ebay account had been suspended. As I had recently used ebay to purchase holiday gifts, I came close to falling for it until I noticed my name wasn't in the emails.
Still, this seems like overkill. I would have hoped there would be a more simple solution.
We use something similar at work for Windows authentication - RSA SecurID. It really works well. It's a fantastic idea... a really good idea on the part of paypal.
Just tried to sign up & got:
|"The Security Key is currently not available. Please try again later." |
Really hoping it isn't US only.
This isn't overkill, this is necessary for any financial website.
Seriously, if you don't have something like this and you have a trading account, you're just plain ... nuts.
Think about how easy it is to get a keylogging virus on your computer these days. Just looking at the wrong pic with a certain version of IE can drop viruses on your computer.
This is the future. I'm only wondering if there is a way to break this... I suspect there probably is a way to break the RSA SecurID.
[edited by: blaze at 2:24 am (utc) on Jan. 15, 2007]
It's US and then Australia/Germany/Japan with rollouts for other countries to come.
I think it's terrific.
Having an RSA FOB is the reason I switched my banking to E*Trade. It's a really nice feature.
I'm also really impressed with TreasuryDirect.gov, the US website to buy different US bond issues directly. They have a randomized keyboard that comes up for you to click in your password with the letters in random order.
Of course, I think my registrar has more of my money in their security lacking little fingers.
> This isn't overkill, this is necessary for any financial website.
Agreed. The best I can calc in the sea of spam that is my spam folder - I get over 200 phish emails a day aimed at PayPal and eBay.
What if somebody loses their key? :S
Seems too secure
|This isn't overkill, this is necessary for any financial website. |
If every financial website introduces this feature my key chain won't fit into my pocket anymore.
Anyhow. I didn't really understand how this works. How do the device and Paypal synchronize? How does Paypal know which was the last valid number?
Do I have to plug the device into the USB port? Because this would be a little inconvenient on my desktop PC - crawling on the floor under my desk, putting the device into the USB port at the back of my PC, reading the number and getting back on the keyboard again in 30 seconds.
jecasc, you need to start watching more Bond films!
|smells so good|
It's a great idea from PayPal. Finally, an end to the spam is in sight. The key is currently unavailable when I attempted to sign up. There is a nominal $5.00 one-time fee for the service, for personal accounts. The demo doesn't address what happens if the key is lost, stolen, or misplaced. Should I assume they have operators standing by?
does this mean entering a new code EVERY time you log into the account?!
That seems overkill to me.
I think additional keys should only be necessary for actual transactions.
What happens to multi user accounts?! I can restrict their access already - now they will need a key as well?
A key should only be required for sending or transferring money. I get logged out often enough as is...
[edited by: mifi601 at 1:26 pm (utc) on Jan. 15, 2007]
Banks in South Africa have been using this system for a few years to combat online banking fraud. My own internet banking doesn't use it, but I believe it works quite well.
As someone mentioned previously, the only problem with all online financial institutions going this route is that eventually we'd have as many keyfobs as we have keys! Although I suppose we wouldn't really need to carry them around all the time.
After looking at the device description a second time I wonder in which way this provides security.
All a phishing site has to do is to add an extra field for the security code and to manage to log into the Paypal account within 30 seconds. This should be not much of a problem.
Also it might be a lot easier to scam people with this device because they have a wrong feeling of security. After all if the website asks for the security code, it must be Paypal - right?
I'd bet my last dollar (have it right here) that phishers are not working in real time, although this could signal a need for a change in the business model for some of them. To be honest, I still don't completely understand the technology behind this - particularly as to how the codes are kept in sync. Is there a possibility that bogus fobs can bypass the security or collect information?
It exposes phishers to a lot more risk of being caught to work in real time. I think the typical MO is to be as disconnected as possible from the site that actually collects the information.
> How does Paypal know which was the last valid number?
It is an algorithm-based number generator. They produce a number/character combo password/number based on an algorithm. There are millions of possible keys or password numbers the key fob can generate. The website runs that same algorithm and can validate that key (this is very similar to the way HTTPS/certificates work with an independent key; in this case, the key is the key fob). Additionally, the key may include auto-advancement techniques, where the algorithm automatically advances or shifts after every use, or every X number of uses. The algorithm is so complex that hacking it is extremely difficult, next to impossible.
|All a phishing site has to do is to add an extra field for the security code and to manage to log into the Paypal account within 30 seconds. |
That's a toughie. But in any event (and I haven't read the stuff), there's no reason whatsoever why the PayPal system can't authenticate with the key before and after login (and every few minutes during the session, I would guess). In other words, without the key itself, you are pretty much locked out.
> USB sticks under your desk
Get a USB extension cable... or a Google-fancified USB port mouse mat.
> My keyring won't be big enough
That's going to be the biggest problem with this. Who of you here has less than 100 passwords? I don't need a USB key for all of them, but no doubt if this takes off you'll get one for PayPal, your bank account (personal and business), your pension fund, your credit cards (business and personal), your mortgage.... All these and more depending on your personal circumstances. Will this result in all your USB keys sitting in a drawer next to the passwords? :)
Bring on the retinal scans!
My roommate has to have three of them due to his job. It might be a bit overkill but it is a great marketing gimmick.
Seems like a good enough idea, and rather secure. I agree that it would make phishers need to work in near real-time, and that would make life more difficult for them.
It's true, though, that if you add all of your financial relationships together, that's quite a keyring.
It's rather wishful thinking to consider this an end to spam, though. All this will be is a decline in the (current) most-popular phishing targets. PayPal & eBay won't be as big of targets anymore, and as new institutions (banks, mutual fund / investment houses, insurance companies, etc) sign on, there will be fewer targets.
It means there will be fewer scammers & phishers, which is good, but the ones that are left will be the most sophisticated ones. They'd have to have well-developed profiles on people (they'd have to know which bank you use, as opposed to sending the phishing scam for the same bank to 5000 people).
Their life would be difficult, but not impossible. But, that's at least a step forward from where we are now ...
I like this idea!
Am I missing something? How could anyone pull off a phishing scam against an institution that uses key fobs?
1. I get an email from scammer asking me for login details due to my account being jeopardized.
2. I begin to reply and fill in my personal code and then look at my FOB and enter the given code.
3. I send the email
4. Scammer gets info and immediately logs in to begin damage
Is there any way all this is done within 5-10 seconds, before the fob's value changes?
I think this is a great idea and should make an immediate and huge impact against phishers!
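The two questions the thread keeps returning to, how the fob and the site stay in sync with no connection between them, and whether a code that a scammer obtains can be reused inside the 30-second window, can both be shown with a small added example. This is not code from the thread and not PayPal's or RSA's proprietary algorithm; it is a generic time-synchronized OTP in the style of RFC 4226/6238, assuming a shared secret, a 30-second step, a one-step clock-drift allowance and a server-side record of the last accepted counter.

```python
import hmac
import hashlib
import struct

# Constructed example: a time-synchronized one-time-password scheme in the
# style of RFC 4226/6238 (HOTP/TOTP). This is NOT PayPal's or RSA's proprietary
# algorithm; it illustrates how a fob and a server stay in sync with no network
# link: both hold the same secret and derive the same 30-second counter.
STEP_SECONDS = 30
DIGITS = 6


def otp_for_counter(secret: bytes, counter: int) -> str:
    """HMAC-based OTP for one counter value (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def fob_display(secret: bytes, now: int) -> str:
    """What the fob shows: the code for the current 30-second window."""
    return otp_for_counter(secret, now // STEP_SECONDS)


class OtpVerifier:
    """Server side: same secret, same clock-derived counter, plus two defenses
    the thread asks about: a small drift window so a slightly slow fob still
    works, and a 'last accepted counter' so an accepted code cannot be replayed."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_counter = -1  # highest counter already consumed

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP_SECONDS
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            if counter <= self.last_counter:
                continue  # already consumed: one-time means one-time
            if hmac.compare_digest(otp_for_counter(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False
```

A code is therefore valid only until its window (plus drift) expires or until the server has accepted it once, whichever comes first; this is why the "last accepted counter" bookkeeping, not the fob alone, is what stops a second use.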