eBay is getting ready to offer its PayPal users a password-generating key fob that promises to increase the security of the online payment service.
The device displays a new one-time password in the form of a six-digit code about every 30 seconds. PayPal clients who opt to use the device will enter this password along with their regular credentials when signing into the service. The key fob is meant as another weapon in the battle against data-thieving phishing scams.
"If a fraudulent party somehow got hold of a person's username and password, they still wouldn't be able to get into the account because they don't have the six-digit code," Sara Bettencourt, a PayPal spokeswoman, said by phone on Thursday. "This by no means is a silver bullet that is going to stop fraud. This is just another layer of protection."
The "PayPal Security Key" will cost $5 (£2.56) for personal PayPal accounts, but will be free for business accounts, Bettencourt said. PayPal has been testing the device with employees for a couple of months and plans to start trials with customers in the next month or so, she said. As of 30 September, there were nearly 123 million PayPal accounts, eBay has said.
PayPal users in the US, Germany and Australia will be able to sign up for the trial through a special website, Bettencourt said. "Based on the response, we look forward to eventually rolling it out in other countries," she said.
The password-generating device is based on technology from VeriSign, with which eBay entered into a security partnership in 2005. Such key fobs are also used for added security by large corporations for access to corporate resources, and some banks and brokerage firms offer them to clients with a high net worth. Other companies that supply the password gadgets include RSA and Vasco.
eBay and PayPal are common phishing targets. These prevalent scams typically use fraudulent websites made to look like legitimate sites and spam email to trick people into giving up their personal information such as login names and passwords.
In a recent survey of Google's public blacklist of phishing sites, security researcher Michael Sutton found that nearly half of all the active phishing sites targeted either eBay or PayPal. The Google blacklist is used in Google's Toolbar for Firefox and the Firefox 2.0 browser.
Talkback
The issue with this is that it still doesn't stop a fraudulent site collecting the username and password AND the OTP number. The hacker could then still use this to log into PayPal within the next 30 seconds.
The user would just assume they'd entered something wrong and try again, this time being directed to the real site.
Once the hacker is logged in they can then do what they want.
A stronger solution would have been to add the requirement for the OTP not as an additional log on requirement but whenever a money transfer is made.
If this works the same way as the RSA system which I've used for some time, that cannot happen. If someone tries to log in twice with the same code it is logged as a security problem and log in is denied.
You can only log on using the code once; if the logon fails, you need to wait until the next code shows, and then enter using the latest code.
Can you explain how random passwords generated every 30 seconds, hundreds or even thousands of miles away, can be recognised by PayPal and associated with particular users? What would happen if users generated their own random passwords?
Geoff
I don't know how this is implemented exactly, but I imagine that PayPal knows the algorithm underlying the pseudo-random number generator in your key fob, and so can correctly predict the pass code that the key fob is generating every 30 seconds.
... and then uses it to log in immediately. In the meantime, it puts a "please wait" sign on the screen to keep the user busy for 30 seconds. And if the system forbids multiple simultaneous logins for the same key fob, does that mean that the fraudsters could log in before the real owner and lock the real owner out of his/her own account instead?
The algorithms are usually proprietary to the company that produces the keyfobs - Vasco, RSA, etc.
What happens is that the user has to register their keyfob by telling PayPal the serial number on the back, and sometimes syncing it by entering the next one or two numbers that are generated by the fob.
From this point on, when a user logs on, PayPal can use this information to check whether or not the OTP entered by the user matches what its back-end software, provided by Vasco, RSA, etc., says it should be.
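The mechanics the article describes (a six-digit code that changes every 30 seconds) and the points raised in the Talkback comments (a code may only be accepted once, and the back end can reproduce each fob's codes after the user registers its serial number and syncs it) can be shown end to end in a small model. The following is an added example and is not PayPal's, VeriSign's, RSA's or Vasco's code: the article says the real algorithm is proprietary, so this example assumes the open TOTP construction of RFC 6238 (HMAC-SHA1 over a time counter, 30-second step, 6 digits) instead. Serial numbers, seeds and clock values are constructed for the demonstration.

```python
"""Time-based one-time passwords (TOTP, RFC 6238) with a verifier that
registers a fob by serial number and refuses to accept any code twice.
Added example; not the code of PayPal or any fob vendor named in the article.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the fob shows a new code roughly every 30 seconds
DIGITS = 6          # six-digit code, as described in the article


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of an 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, reduced to the wanted digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the current 30-second step."""
    return hotp(secret, now // step)


class FobVerifier:
    """Back-end side (assumed design): holds each registered fob's seed,
    keyed by the serial number on the back of the fob, and remembers the
    last time step it accepted for that fob so a code cannot be replayed."""

    def __init__(self, allowed_drift_steps: int = 1):
        self._seeds = {}          # serial -> shared seed (constructed values)
        self._last_step = {}      # serial -> last accepted time step
        self._drift = allowed_drift_steps
        self.reuse_events = []    # (serial, step) of every rejected replay

    def register(self, serial: str, seed: bytes, sync_code: str, now: int) -> bool:
        """Register a fob: the user reads the code currently on the fob so the
        server can confirm it is paired with the right seed. The sync code is
        marked as consumed so it cannot be reused for a login."""
        if not hmac.compare_digest(totp(seed, now), sync_code):
            return False
        self._seeds[serial] = seed
        self._last_step[serial] = now // STEP_SECONDS
        return True

    def verify(self, serial: str, code: str, now: int) -> bool:
        """Accept a code at most once. Rejects unknown serials, codes outside
        the small clock-drift window, and any code belonging to a time step
        at or before the last one already accepted (the replay case)."""
        seed = self._seeds.get(serial)
        if seed is None:
            return False
        current = now // STEP_SECONDS
        for step in range(current - self._drift, current + self._drift + 1):
            # constant-time comparison so a mismatch does not leak which digits matched
            if hmac.compare_digest(hotp(seed, step), code):
                if step <= self._last_step[serial]:
                    self.reuse_events.append((serial, step))   # worth alerting on
                    return False
                self._last_step[serial] = step
                return True
        return False


def demo() -> dict:
    """Constructed walk-through: register a fob, accept its code once, then
    see the same code refused within the same 30-second window."""
    seed = b"constructed-seed-for-fob-0001"     # constructed, not a real seed
    serial = "FOB-0001"                         # constructed serial number
    server = FobVerifier()
    t0 = 1_700_000_010                          # constructed clock, multiple of 30
    registered = server.register(serial, seed, totp(seed, t0), t0)
    t1 = t0 + 60                                # two steps later
    code = totp(seed, t1)
    first = server.verify(serial, code, t1 + 5)      # legitimate login
    replay = server.verify(serial, code, t1 + 10)    # same code again: refused
    unknown = server.verify("FOB-9999", code, t1)    # unregistered serial
    later = server.verify(serial, totp(seed, t1 + 30), t1 + 31)   # next code: fine
    return {"registered": registered, "first": first, "replay": replay,
            "unknown": unknown, "later": later,
            "reuse_events": len(server.reuse_events)}


if __name__ == "__main__":
    print(demo())
```

The replay branch is the property the second commenter relies on: the first login in a window consumes that step, and a second submission of the same six digits is refused and recorded, so a relayed code is only useful to whoever reaches the server first. The drift window is the reason a fob whose clock has slipped slightly still works, and it is also why the "next one or two numbers" step at registration makes sense: it lets the server confirm the pairing before the fob is trusted.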