Paypal Sells Anti-Fraud Token

PayPal, the online payment company owned by Internet auction giant eBay, is now selling a $5 "security key" to help customers prevent their accounts from being hijacked if someone guesses or steals their passwords.

The key is a small, oval fob that generates a random, new six-digit passcode every 30 seconds, using technology purchased from Verisign Inc. In addition to entering their user name and passwords, PayPal customers who sign up for the program will be required to enter the passcode before being permitted to log on to their account. PayPal says it will waive the one-time $5 fee for its business account customers.

Armed with one of these keys, if you were to log on to your account from an unfamiliar computer on which some invisible password-stealing program was resident, the bad guys would still need the number displayed on your token, which of course changes every 30 seconds. The same holds if someone were to guess or otherwise finagle your PayPal password. (A program that captures the code and uses it within that same window, in the manner of the phishing attack described below, is another matter.)

For years, PayPal and eBay have consistently been among the top three targets of phishing attacks, online scams that use e-mail to lure people into entering their login credentials at look-alike Web sites. This technology certainly has the potential to make it tougher for phishers. According to Avivah Litan, a fraud analyst with Gartner Inc., other companies that have widely deployed similar security keys have dramatically cut down on fraud. Litan said online stock trading provider eTrade has never had an account takeover connected to a customer using one of its security keys.

Nevertheless, as last year's attack against Citibank's business customers showed, physical access tokens only work against phishing so long as the phishers don't also ask would-be victims for the six-digit number displayed on their personal tokens and relay it to the real site before it expires.
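The generate-and-check mechanics behind a token like this, as an added example that is not part of the original post and is not PayPal's or VeriSign's code. It uses the open HOTP/TOTP construction (HMAC-SHA1 over a 30-second time counter, truncated to six digits); that choice is an assumption, since the article does not say which algorithm the PayPal key uses. The secret, the timestamp and the Verifier class are constructed for the demonstration. The block also plays out the two attacks raised in the article and in the comments below: a keylogger that captures a code (which is single-use and dies with its time step) and a real-time relay phishing site that forwards a deliberately bogus code to the real site and mirrors the rejection, so the "type a wrong number first" test reveals nothing.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as the article describes
DIGITS = 6   # six-digit passcode

# Constructed demo values; a real fob holds a per-device secret set at manufacture.
SECRET = b"constructed-demo-secret-not-real"
T0 = 1171301280  # constructed timestamp near the post's date, on a step boundary


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """What the fob displays at time `at`: HOTP over the current time step."""
    return hotp(secret, at // step)


class Verifier:
    """Server side. Accepts a code from the current step or `window` steps
    either side (the time overlap needed to tolerate clock drift) and refuses
    any step it has already consumed, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_step = -1  # highest time step already used for a login

    def verify(self, code: str, now: int) -> bool:
        step = now // STEP
        for delta in range(-self.window, self.window + 1):
            candidate = step + delta
            if candidate <= self.last_step:
                continue  # already used: a replay attempt
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False


def demo_clock_drift():
    """A fob one step behind the server still logs in; two steps behind fails."""
    one_behind = Verifier(SECRET).verify(totp(SECRET, T0 - STEP), T0)
    two_behind = Verifier(SECRET).verify(totp(SECRET, T0 - 2 * STEP), T0)
    return one_behind, two_behind


def demo_keylogger_replay():
    """A logged code works once for its owner; replaying it within the same
    step, or two minutes later, gets the attacker nothing."""
    v = Verifier(SECRET)
    code = totp(SECRET, T0)
    owner = v.verify(code, T0)
    replay_now = v.verify(code, T0 + 5)
    replay_later = v.verify(code, T0 + 120)
    return owner, replay_now, replay_later


def relay_phish(real_site: Verifier, typed: str, now: int) -> bool:
    """Man-in-the-middle phishing page: forwards whatever the victim typed to
    the real site immediately and mirrors the real site's answer."""
    return real_site.verify(typed, now)


def demo_bogus_code_probe():
    """The 'type a wrong number first' test against a relaying phish: the probe
    is rejected exactly as it would be on the real site, and the genuine code
    typed next hands the relay a live session."""
    real_site = Verifier(SECRET)
    valid = {totp(SECRET, T0 + d * STEP) for d in (-1, 0, 1)}
    bogus = next(c for c in ("000000", "111111", "222222", "333333") if c not in valid)
    probe = relay_phish(real_site, bogus, T0)
    login = relay_phish(real_site, totp(SECRET, T0), T0)
    return probe, login
```

The replay defence is the `last_step` bookkeeping: a code is bound to its 30-second step, and once a step has been used to log in the server never accepts it again, so a keylogger's haul expires within the window. The relay case shows the limit of the scheme: nothing in the exchange lets the user tell which site is forwarding the code, which is why the bogus-number probe proves nothing.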

Litan said the token offering fulfills a key requirement of eBay's 2005 acquisition of Verisign's payment gateway system. Under the deal, PayPal agreed to deploy the tokens to between 200,000 and 300,000 of its users by the end of 2007. Still, she said, that's a small target for a company that claims to have more than 100 million users.

PayPal says even users who lose their physical token or don't have it in their possession when they want to log in can still access their accounts, and that such users will be asked to confirm their account ownership (I'm guessing with answers to additional questions -- PayPal's FAQ doesn't say). And yes, this should work just as well for Windows PC users as for Mac people, and others. The company says its security key works with any computer operating system and web browser that can access the PayPal or eBay website.

This technology has the most potential to cut eBay's fraud losses among its sellers: Most of the auction giant's fraud losses relate to the hijacking of accounts that belong to sellers in good standing, Litan said. Fraudsters then typically use the credibility the seller has built up with the eBay community to set up fraudulent auctions.

I ordered one mainly to check it out and to become more familiar with it. But I wonder how many customers will pony up the five bucks for this device. What about you, Security Fix readers? Does this appeal to you, and is it worth it?

By Brian Krebs  |  February 12, 2007; 12:28 PM ET


I am just afraid that people just starting out with ebay and paypal are going to fall for one of these scams and then become turned off of the service permanently.

Daily, I get about a half dozen to a dozen very professional looking phishing attempts from the paypal or ebay account department, or other similar forged addresses. Luckily for me I have a webmail address I use for both, so all of the paypal/ebay/amazon/bank spam coming to my POP account is easily identifiable.

The ID token is about 3-4 years behind the curve, but I will order one just to check it out. Ebay still has a massive undertaking to fight fraudulent auctions and knock off goods. Do any search for Nikon or Canon photography equipment and you will see my point.

If you were just starting to shop or sell items with Ebay tomorrow, how could you expect them to navigate all of these problems?

Posted by: PJ | February 12, 2007 12:43 PM | Report abuse

This is a very good step, but as PJ says, it's several years late.

The biggest problem is that most users won't bother with it, since it is not mandatory. They'll still be phishing targets.

The other big problem is that the alternate entry method by answering security questions still creates a phishing target. A victim will give up the security questions, answers, and the thieves have full access to the account.

And it does nothing to answer the question for the average Joe of "Am I on the real eBay site?". The green-bar high dollar certificate is probably the next best solution for Joe.

Posted by: Moike | February 12, 2007 1:44 PM | Report abuse

It is a good idea. An old idea, but still a good one. The threshold of pain for PayPal's losses was finally triggered enough to justify subsidizing the token.

I've intentionally not linked my PayPal to any accounts out of lack of trust (I transact enough back and forth to carry a small balance that does not require external cash injections). This additional layer would make me more apt to have some more faith in PayPal. The trustworthiness of eBay sellers, on the other hand, is a different issue.

I think that a lot of users would get this if it could be made compatible with other banking systems and/or system/email login. A user does not want to keep track of 16 different tokens during their day.

Posted by: RenderMan | February 12, 2007 2:11 PM | Report abuse

Good Idea, Bad Implementation!!!

As per normal eBay,PayPal tag everything with their names.

Verisign/RSA make a generic version so the 'finder' has no idea where to look when finding a lost one.

Rest 'ass'ured some twit somewhere will carve his or her userid & password on to the back of one of these plastic tags just before they lose it. And then scream rip-off and sue.

Posted by: Dougw | February 12, 2007 2:50 PM | Report abuse

My company used to use these things. They're a pain - people keep losing them and they're not all that hard to crack.

Say someone installs a key logger on your machine - happens to 1000's of people every day (and maybe every hour). Now you go to PayPal, type in your user name and password, and then the number on the tag. You would need a new number every time you went to PayPal and the person who installed the key logger would get every number. With enough numbers from enough users and knowing the timing of the entries it's possible to figure out the mathematical formula used to generate the keys and therefore be able to predict what the number would be at any point in the future. You could make this very difficult or impossible by using different formulas in different tags - but that would be expensive. Even then, if the key logger was on the machine of a frequent PayPal user you could get enough information to crack it.

Posted by: AV | February 12, 2007 3:21 PM | Report abuse

You are correct. But, outside of a verified, key-encoded National ID to supply two-form authenticity, this is the best way to reach a weak level 2 for transaction security. Most thieves won't waste the time to do all the tracking you listed. They want a quick fix. You don't mug a guy who is clearly ex-Special Forces, and you don't rob a house that is hard to break into. You look for the weakest, easiest target. That's why credit card and ATM scams usually don't involve someone hacking in to the system. They simply use cards captured in the mail, stolen from pockets, or secured at ATM scams. Even thieves follow the KISS principle. I congratulate E-bay and PayPal for at least thinking about their customers. That seems to happen far too infrequently lately.

Posted by: waterloom | February 12, 2007 3:43 PM | Report abuse

As deployed these key generators don't solve the big problem: authenticating the server I'm interacting with. Before I could not be sure whether I was accessing the "real" Ebay or a phishing site. Now, even though I'm supposed to type in a number from my keychain, I still don't know whether I'm giving that number to the real Ebay. How am I better off?

Posted by: Mark Seecof | February 12, 2007 4:26 PM | Report abuse

Mine is on the way, it's about time companies started issuing these.

Posted by: Kyle | February 12, 2007 6:16 PM | Report abuse

As I only use text-based email via three different Unix systems I find myself completely unaffected by phishing scams. There is no way for me to click on a link and go to a phishing website when hyperlinks do not function in my mailreader program. If a phishing email were ever persuasive enough for me to fall for it, I'd realize my mistake as soon as I copied and pasted the (incorrect) URL into my web browser.

Posted by: Andrew Parker | February 12, 2007 6:44 PM | Report abuse

"Now, even though I'm supposed to type in a number from my keychain, I still don't know whether I'm giving that number to the real Ebay. How am I better off?"

You can try using a fake number and if it works, you know you are on a phishing site. This is not an anti-phishing tool, it's a tool to protect your account (not protect you from going to a phishing site) so I think if you keep that context you will see that this has real value to you.

Posted by: Michael | February 12, 2007 7:07 PM | Report abuse

Pay Pal is free but if I want to have security, it costs $5.00. Pay Pal always advertised that their service was free. I think these keys should be sent out to customers for free.

Posted by: Southern Girl | February 12, 2007 7:48 PM | Report abuse

This token is issued by VASCO (vdis:nasdaq), named Go3.

Posted by: Ronald | February 12, 2007 8:07 PM | Report abuse

Isn't IPv6 (or 7 or 8?) supposed to take care of URL spoofing, which would then render phishing sites useless? Where is that new protocol anyway?

Back on topic... I'll get one and use the 'give them the wrong number first' test (that Michael pointed out above), which actually is the perfect solution to the problems this presents.

Posted by: Raoul | February 12, 2007 8:11 PM | Report abuse

If I was an active PayPal user then I'd pay the $5.

Posted by: Ozzy | February 12, 2007 8:14 PM | Report abuse

> Back on topic... I'll get one and use the 'give them the wrong number first' test (that Michael pointed out above), which actually is the perfect solution to the problems this presents.

That does nothing to verify that you are on the correct site. A man-in-the-middle phish can pass your fake numbers to the real site and return the same error message to you from the site. You might proceed, and they can still do damage - even for that session only.

Posted by: Moike | February 12, 2007 9:14 PM | Report abuse

Moike is correct, Raoul -- If you read the story I linked to on the Citibusiness phish, you'll see:

The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit -- a tactic used by some security-savvy people -- you might be fooled. That's because this site acts as the "man in the middle" -- it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.

Posted by: Bk | February 12, 2007 10:58 PM | Report abuse

I stopped using PayPal; it wasn't worth the hassle, and when they raised rates AGAIN after raking in their biggest profits ever it was just the last straw. The greed thing bothers me more than the security problems ever did.

Posted by: Mary | February 12, 2007 10:58 PM | Report abuse

PayPal's selling a physical passcode device for people who fall for phishing scams?

Oh brother.

Posted by: Bill | February 12, 2007 11:58 PM | Report abuse

It will do nothing to stop the scams on ebay.

I think they really need to clean up the front end of their enterprise also.

Posted by: Larry | February 13, 2007 6:39 AM | Report abuse

First, a Synchronized OTP Token is 20 year old technology with known problems, like what happened at Citibank and therefore they are not secure for use on the Internet.

Secondly, they are an administrative nightmare to register each user and manage each user when the clock in the token and the clock in the server get out of sync.

Third, they are cumbersome for the users especially within a 30 second window to type in your random number. Many of these types of Tokens have had to allow an overlap in time, which makes them even more susceptible to being hacked.

I'd rather use the OnhandID Smart Key Token that has you enter your PIN code and push a button on the Token and you are in securely. By the way it's cheaper too! The OnhandID Token was $5 when it first came out a few years ago and connects directly into your microphone jack on any computer, with Patent Pending protection against Man-in-the-Middle attacks. This is simple and secure.

Posted by: Mike | February 13, 2007 12:45 PM | Report abuse

Like all security approaches, tokens are a trade-off.

For PayPal - operational costs are high, but this may be a reasonable trade-off for fraud costs. I saw a news report recently that suggested they have 0.35% fraud.

For customers - tokens are cheap and are more convenient than many of the alternatives.

As for security - they provide improved protection against a number of attacks, although this depends on the implementation (e.g. will PayPal require a token code only at logon, or also for transactions?)

I've also ordered one; at this price it was an easy decision.

Posted by: Pete | February 14, 2007 12:25 AM | Report abuse

Had to use one of these years ago when I worked for a broadband provider. Slow, also they don't like being dipped into coffee cups or dropped too often.

Posted by: Roy | February 16, 2007 12:27 PM | Report abuse

Posted by: Steve | February 22, 2007 7:39 PM | Report abuse

Great idea for enhanced security!! Though as a website we can't expect every customer to carry their tokens everywhere they go.. If there are 5 major websites providing 5 different tokens.. every customer's keychain will have more secure tokens than keys... :)

Posted by: Sathish Kumar | March 2, 2007 1:32 PM | Report abuse


© 2010 The Washington Post Company