Story: PayPal fights fraud with password key fob
False Security
The issue with this is that it still doesn't stop a fraudulent site collecting the username and password AND the OTP number. The hacker could then still use this to log into PayPal within the next 30 seconds.
The user would just assume they'd entered something wrong and try again, this time being directed to the real site.
Once the hacker is logged in they can then do what they want.
A stronger solution would have been to add the requirement for the OTP not as an additional log on requirement but whenever a money transfer is made.
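To make the distinction in the comment above concrete, here is an added illustration (not code from PayPal or from the thread's author) of why a time-window OTP accepts a code no matter which site forwards it, while an OTP bound to the transfer details (amount and recipient, as the comment proposes) does not validate for a different transfer even inside the same 30-second window. The secret key, timestamps and account names are constructed sample values.

```python
import hmac
import hashlib
import struct

SECRET = b"constructed-demo-secret"  # constructed sample, not a real token seed
STEP = 30  # seconds per OTP window, as in the article's key fob

def hotp(secret: bytes, message: bytes, digits: int = 6) -> str:
    """HMAC-SHA1 with RFC 4226-style dynamic truncation to a fixed-width decimal code."""
    mac = hmac.new(secret, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def login_otp(secret: bytes, now: int) -> str:
    """Login-time OTP: depends only on the current 30-second window."""
    return hotp(secret, struct.pack(">Q", now // STEP))

def verify_login_otp(secret: bytes, code: str, now: int) -> bool:
    return hmac.compare_digest(code, login_otp(secret, now))

def transfer_otp(secret: bytes, now: int, amount_cents: int, recipient: str) -> str:
    """Transfer-bound OTP: the window, the amount and the recipient are all in the MAC input."""
    msg = struct.pack(">QQ", now // STEP, amount_cents) + recipient.encode()
    return hotp(secret, msg, digits=8)

def verify_transfer_otp(secret: bytes, code: str, now: int,
                        amount_cents: int, recipient: str) -> bool:
    return hmac.compare_digest(code, transfer_otp(secret, now, amount_cents, recipient))

def relay_demo() -> tuple:
    """Models the comment's scenario: a code the user typed into a fake site is forwarded
    to the real site 5 seconds later, inside the same window. Returns
    (login code accepted, transfer code accepted for a different transfer,
     transfer code accepted for the transfer the user intended)."""
    t = 1_700_000_000  # constructed timestamp, 20 s into its 30 s window
    captured_login = login_otp(SECRET, t)
    login_accepted = verify_login_otp(SECRET, captured_login, t + 5)
    # The user generated this code for the payment they intended: 1000 cents to a merchant.
    captured_transfer = transfer_otp(SECRET, t, 1000, "merchant@example.com")
    diverted_accepted = verify_transfer_otp(SECRET, captured_transfer, t + 5,
                                            250_000, "other@example.com")
    intended_accepted = verify_transfer_otp(SECRET, captured_transfer, t + 5,
                                            1000, "merchant@example.com")
    return login_accepted, diverted_accepted, intended_accepted
```

The login-time code validates when forwarded, which is the weakness the comment describes; the transfer-bound code only validates for the amount and recipient the user actually approved.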