Welcome to WebmasterWorld Guest from 18.104.22.168
Forum Moderators: buckworks
The PayPal Security Key is actually a small electronic device, designed to clip on to a keychain, that calculates a new numeric password every 30 seconds. PayPal users who sign up to use the device will need to enter their regular passwords as well as the number displayed on the key whenever they log in to the online payment service.
"The key is really going to give users one more layer of security for their accounts," said Sara Bettencourt, a PayPal spokeswoman.
Because the numeric password changes so frequently, even successful phishers will end up with obsolete numeric passwords and will be unable to empty PayPal accounts.
"If you fall for a phishing scam and give away your user name and password ... if you used the PayPal Security Key, a third party couldn't get to your account because they wouldn't have this dynamic digit," Bettencourt said.
previous thread on subject: [webmasterworld.com...]
[edited by: Brett_Tabke at 2:42 pm (utc) on Jan. 15, 2007]
Recently a very sophisticated phish got past my spam filters saying my ebay account had been suspended. As I had recently used ebay to purchase holiday gifts, I came close to falling for it until I noticed my name wasn't in the emails.
Still, this seems like overkill. I would have hoped there would be a more simple solution.
Just tried to signup & got:
"The Security Key is currently not available. Please try again later."
Really hoping it isn't US only.
Seriously, if you don't have something like this and you have a trading account, you're just plain ... nuts.
Think about how easy it is to get a keylogging virus on your computer these days? Just by looking at the wrong pic with a certain version of IE can drop viruses on your computer.
This is the future. I'm only wondering if there is a way to break this.. I suspect there probably is a way to break the rsa secure id.
[edited by: blaze at 2:24 am (utc) on Jan. 15, 2007]
I'm also really impressed with TreasuryDirect.gov, the US website to buy different US bond issues directly. They have a randomized keyboard that comes up for you to click in your password with the letters in random order.
Of course, I think my registrar has more of my money in their security lacking little fingers.
This isn't overkill, this is necessary for any financial website.
If every financial website introduces this feature my key chain won't fit into my pocket anymore.
Anyhow. I didn't really understand how this works. How do the device and Paypal synchronize? How does Paypal know which was the last valid number?
Do I have to plug the device into the USB port? Because this would be a little inconvinient on my Desktop PC - crawling on the floor under my desk, putting the device into the USB port at the back of my PC, reading the number and getting back on the keyboard again in 30 seconds.
That seems overkill to me.
I think additional keys should only be necessary for actual transactions.
What happens to multi user accounts?! I can restrict their access already - now they will need a key as well?
A key should only be required for sending or transferring money. I get logged out often enough as is ..
[edited by: mifi601 at 1:26 pm (utc) on Jan. 15, 2007]
As someone mentioned previously, the only problem with all online financial institutions going this route is that eventually we'd have as many keyfobs as we have keys! Although I suppose we wouldn't really need to carry them around all the time.
All a phishing site has to do is to add an extra field for the security code and to manage to log into the Paypal account within 30 seconds. This should be not much of a problem.
Also it might be a lot easier to scam people with this device because they have a wrong feeling of security. After all if the website asks for the security code, it must be Paypal - right?
It is an algo based number generator. They produce a number/character combo password/number based on an algo. There are millions of possible keys or password numbers the key fob can generate. The website runs that same algo and can validate that key (this is very similar to the way HTTPS/certificates work with an independent key. In this case, the key is the key fob. Additionally, the key may include auto-advancement techniques, where the algo automatically advances or shifts after every, or every X number of uses. The algo is so complex, that hacking it is extremly next-to-impossible to do.
joined:Mar 8, 2002
All a phishing site has to do is to add an extra field for the security code and to manage to log into the Paypal account within 30 seconds.
That's a toughie. But in any event, (and I haven't read the stuff) there's no reason whatsoever why the paypal system can't authenticate with the key before and after login (and every few minutes during the session I would guess). In other words. without the key itself, you are pretty much locked out.
>>> USB sticks under your desk >>> get a usb extension cable... or a google fancified USB port mouse mat.
>>> My keyring won't be big enough >>>> That's going to be the biggest problem with this. Who of you here has less than 100 passwords? I don't need a USB key for all of them, but no doubt if this takes off you'll get one for Paypal, Your bank account (personal and buisiness), your pension fund, your credit cards (business and Personal), your mortgage.... All these and more depending on your personal circumstances. Will this will result in all your USB keys sitting in a drawer next to the passwords? :)
It's true, though, that if you add all of your financial relationships together, that's quite a keyring.
It's rather wishful thinking to consider this an end to spam, though. All this will be is a decline in the (current) most-popular phishing targets. PayPal & eBay won't be as big of targets anymore, and as new institutions (banks, mutual fund / investment houses, insurance companies, etc) sign on, there will be fewer targets.
It means there will be fewer scammers & phishers, which's good, but the ones that are left will be the most-sophisticated ones. They'd have to have well-developed profiles on people (they'd have to know which bank you use, as opposed to send the phishing scam for the same bank to 5000 people).
Their life would be difficult, but not impossible. But, that's at least a step forward from where we are now ...
1. I get an email from scammer asking me for login details due to my account being jeopardized.
2. I begin to reply and fill in my personal code and then look at my FOB and enter the given code.
3. I send the email
4. Scammer gets info and immediately logs in to begin damage
Is there anyway all this is done within 5 - 10 seconds before the fobs value changed?
I think this is a great idea and should make a immediate and huge impact against phishers!