PayPal’s Security Key
October 2nd, 2007 by James D. Murray
PayPal is a great service for enabling both businesses and consumers to buy and sell goods and services online without exposing private financial information to the other parties in a transaction. As a consumer, you can safely purchase goods and services online without exposing your credit or debit card information, which could otherwise be recorded and possibly misused. As a business, you can be paid for your goods or services using the Web or email without needing to store your customers’ private financial information.
A big concern with PayPal is that anyone who knows the password of your PayPal account can access the financial services that you have authorized to be used with PayPal. For consumers, this means that unauthorized purchases or cash transfer may be performed from your credit cards and bank accounts. As a business, unauthorized PayPal access can be a source of fraudulent purchases. Password security is always the responsibility of the PayPal account holder; but now PayPal has a service to make the disclosure of your PayPal password an almost insignificant threat.
In February 2007, PayPal introduced an optional security key system for users to access their PayPal accounts. The security key does not replace your PayPal password; instead, it adds an extra layer of security by requiring that an additional security code be entered with your password when you log into your PayPal account. What makes this security code so different from a password is that it is randomly generated by a small electronic device called a security token, which is a key fob that easily fits in the palm of your hand.
The PayPal Security Key is used when a user logs into their PayPal account. The user presses the token’s activation button, causing a 6-digit number to be displayed by the key for about 32 seconds. The user then enters this number with his or her PayPal account password to gain access to the PayPal account. Without both the account password and the number generated by that specific PayPal Security Key token, the PayPal account cannot be accessed.
The PayPal Security Key provides a form of two-factor authentication. One factor is the PayPal account password (the “what you know” factor), and the second factor is the random number displayed on the PayPal security token (the “what you have” factor). The PayPal authentication server verifies that the number was generated by the token registered with that account; it is assumed that only the authorized account owner has physical access to the account’s PayPal Security Key.
The security key device itself is a VASCO Digipass GO 3 security token branded with the PayPal and VeriSign Identity Protection service logos. It is VeriSign that provides the actual security key authentication service for PayPal using the VeriSign Labs OpenID (PIP, Personal Identity Provider) platform. In fact, the PayPal Security Key can be registered with the VeriSign Labs OpenID provider as a VeriSign Identity Protection (VIP) Credential.
PayPal users do not need to understand how the security key’s number works with their PayPal password to provide secure login authentication. However, if you are studying for any IT security certifications, you should familiarize yourself with all types of security tokens, cryptographic hashes, single sign-on methods, and Public Key Infrastructure systems for identity management.
Giving it a try…
Being concerned with who might gain access to my PayPal account, I decided to order a PayPal Security Key for myself on PayPal’s Web site and give it a try.
My key arrived five days after I ordered it, sealed in a cardboard mailing envelope. It came with instructions on how to activate and use the key, and included the usage instructions on a handy wallet-sized card as well. There was also a nicely laminated card with the PayPal Top 10 Safety Tips for passwords, phishing, and using your PayPal account wisely.
The security key cannot be used until it is activated with your PayPal account. I did this by navigating to PayPal’s Web site, clicking on the Activate It link, and securely logging into my PayPal account. On the next screen, I followed the instructions to verify that the serial number displayed on the Web page was the same as the one printed on the back of my key (you can enter the serial number if it is not present). I then pressed the button on the key and entered the code into the Web page, waited 30 seconds for the key’s display to clear, pressed the button again, entered the new code, and clicked the Activate button on the Web page.
After a few seconds, I was taken to the “PayPal Security Key Activation Successful!” page, which presented the simple instructions for logging on to PayPal using the token. After clicking the Continue button, my Web browser navigated to my PayPal My Account Profile screen, where I clicked the Activate on eBay button. The same procedure is used to activate the token on eBay, although I did need to enter the token’s serial number this time. On eBay, my Account Personal Information pages showed a successful activation and the last four digits of my security key’s serial number.
Testing the PayPal Security Key is as easy as logging into your PayPal and eBay accounts. The initial login screen is the same, where you enter your email address and password. But the Log In button takes you to a second screen where you enter the number from your security token. It works! I celebrated by successfully making a PayPal donation to my favorite podcast network.
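The password-plus-token check described above, and the two-code activation step, as an added Python model (not PayPal’s, VeriSign’s or VASCO’s code): the server holds each fob’s seed, derives the expected 6-digit code for each 30-second step, requires two consecutive codes to bind a fob to an account, and refuses replayed or out-of-window codes at login. The HMAC-SHA1 derivation (RFC 4226 style), the 30-second step, the serial “1234”, and the seed are assumptions; the post does not describe the Digipass GO 3’s own algorithm.

```python
import hashlib, hmac, struct

DIGITS = 6
STEP = 30    # seconds per code window; assumed, modelled on the ~30 s display in the post
WINDOW = 1   # also accept the neighbouring steps to absorb clock drift

def token_code(seed: bytes, step: int) -> str:
    """Code a fob holding `seed` displays during time step `step`. HMAC-SHA1 with
    RFC 4226 truncation stands in for the fob's undocumented algorithm (assumption)."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**DIGITS:0{DIGITS}d}"

def password_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()   # demo only; use a slow KDF in practice

class AuthServer:
    def __init__(self, token_seeds):
        self.seeds = dict(token_seeds)   # serial -> seed, known only to fob and server (hypothetical)
        self.accounts = {}               # email -> [password hash, activated serial or None]
        self.last_step = {}              # serial -> last accepted step (rejects replays)
    def create_account(self, email, password):
        self.accounts[email] = [password_hash(password), None]
    def activate(self, email, serial, code1, code2, now):
        """Bind a fob to an account: two consecutive codes must both match (as in the post)."""
        step = now // STEP
        if serial not in self.seeds or email not in self.accounts:
            return False
        for s in range(step - WINDOW - 1, step + WINDOW + 1):
            if (hmac.compare_digest(token_code(self.seeds[serial], s), code1)
                    and hmac.compare_digest(token_code(self.seeds[serial], s + 1), code2)):
                self.accounts[email][1] = serial
                self.last_step[serial] = s + 1
                return True
        return False
    def login(self, email, password, code, now):
        """Factor one: the password. Factor two: a fresh code from the registered fob."""
        acct = self.accounts.get(email)
        if acct is None or not hmac.compare_digest(acct[0], password_hash(password)):
            return False
        serial = acct[1]
        if serial is None:
            return True                  # no fob activated (or deactivated): password-only login
        step = now // STEP
        for s in range(step - WINDOW, step + WINDOW + 1):
            if s > self.last_step[serial] and hmac.compare_digest(token_code(self.seeds[serial], s), code):
                self.last_step[serial] = s
                return True
        return False
```

Because verification needs only the digits and the server-side seed, a code read out over the phone by whoever holds the fob works, as the post notes; the acceptance window together with the last_step record is what stops that same code from being reused.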
This is Great! What Could Go Wrong?
No form of authentication is fool-proof, and this includes the PayPal Security Key. Here are some issues that you should consider when determining if the PayPal Security Key is right for you:
You must have physical access to the token to log in to your PayPal (or eBay) account. If you need to log in and the key is not physically accessible to you, PayPal can assist with interactively logging into your account by supplying you with a one-time password via email or SMS. The token number can also be safely read to you over the phone by someone who has physical access to the token without compromising your account.
The PayPal Security Key is only usable with PayPal and eBay. It is not possible to use PayPal’s key with other services that use similar security tokens, such as RSA Security’s SecurID. If you are already carrying one or more security tokens that you use for logging into an online bank account or your company’s VPN, plan on carrying the PayPal Security Key in your pocket too.
The PayPal Security Key is a battery-powered device, and the battery is not user-replaceable. When the battery dies, a replacement key fob will need to be ordered from PayPal. Because the key is only active for a few seconds each time you use it to log in, it should have many years of battery life.
If you lose or break your security key token, or the battery needs replacement, you will only be able to log into your PayPal account with direct assistance from PayPal until you receive and activate a replacement security key token.
PayPal will only issue one security key token for each PayPal account. You therefore cannot have one token for home and another for the office.
The security token’s display is not back-lit. Although the light from the PayPal login screen on your Web browser may be bright, the numbers on the token’s display may be difficult for visually-impaired users to read in a dark room.
Just as you are responsible for keeping your password secret, you are also responsible for keeping your PayPal Security Key token physically secure. If someone has both your password and access to your token, then your PayPal account may be compromised.
Finally, if you find that the PayPal Security Key does not fit into your life-style, you can deactivate it using the Profile tab on your PayPal Account page. Your PayPal account will then revert to using the original password-only login. You will need to revert your eBay account using a separate procedure.
References
PayPal Security Key
http://www.paypal.com/securitykey
PayPal Security Center
http://www.paypal.com/cgi-bin/webscr?cmd=_security-center-outside
Digipass Products: Digipass Go 3
http://www.vasco.com/products/product.html?product=47
VeriSign Identity Protection (VIP) Credential
https://idprotect.verisign.com/
The following podcasts discuss the PayPal Security Key token and VeriSign Labs PIP:
Security Now!, Episode #103, PayPal Security Key
Security Now!, Episode #106, Listener Mailbag #2
Security Now!, Episode #107, PIP & Even More Perfect Passwords
October 3rd, 2007 at 10:37 am
Thanks for the review JD. I am curious how someone over the phone reading the token number works, as I assumed the token had to be plugged into the computer at the time you enter the number as with a smart card.
Also, while using a token like this is certainly a great way to secure your account against hijacking, there are other, more serious problems with paypal than just stolen accounts. A google search for “paypal horror stories” or something similar will reveal a 100,000-strong class action lawsuit against paypal for being unresponsive to consumer complaints and also for freezing accounts for months/years/infinity without justification and all the while continuing to earn interest on that money. A typical scam starts with a friendly enough purchase on eBay, say for a laptop sold for $800. Paypal notifies the seller that the 800 bucks has been paid, at which time the seller ships the laptop. A week or two later the buyer claims he never received the laptop and files a complaint with paypal, who then freezes your account and may even transfer the money back to the buyer. The buyer then either keeps the laptop or sells it, pocketing the money. Meanwhile you are out the money and the laptop until paypal decides to admit they made a mistake - which generally never happens, hence the class action suit.
October 3rd, 2007 at 11:41 am
The PayPal Security Key is a fob, not a dongle. A fob is not connected to a computer, while a dongle is connected (usually) to a USB port. The number generated by the fob is like a second password that is only used once for each login. Without having access to the fob, there is only a 1-in-900,000 chance of guessing the correct 6-digit number.
And yes, just as with any financial service, there are many ways to “game” PayPal. This security token is just one more layer of security to help ensure a successful PayPal experience.
October 3rd, 2007 at 11:11 pm
Nice stuff. I got a newsgroup report about this back in April. I do find it interesting that while this is certainly a move in the right direction, they still have not done anything to tighten up security where they are most vulnerable (and actually compromised the most). These security tokens, while effective for one thing and certainly adding another layer, do nothing to prevent MITM (man-in-the-middle) attacks. As JD pointed out there are many ways to “game” here, however this does move closer to a real solution and allows us to put more pressure in a more focused way on other areas.
KE
October 4th, 2007 at 11:19 am
Thanks for the clarification JD. And also I need to point out that many of the “paypal horror stories” websites actually appear to be sponsored/hosted by front end advertising for other online financial services companies, so a grain of salt in some of those claims may be wise.
As has been pointed out, the fob is a step in the right direction and will prevent many of the phishing scams from obtaining users’ passwords. My own wife’s account was compromised in just such a way back in 2001 or 2002. This would certainly have been prevented if this new security feature had been in place then.
(Side note: since we caught the compromise early, and actually were in contact with a wise seller who thought something strange was afoot, no funds were stolen and paypal actually responded quickly and decisively to stop any damage).
I enjoyed reading your blog on this JD, thanks for writing it.
October 4th, 2007 at 12:34 pm
Yeah, PayPal can be MITM’ed just like any SSL Web site can, but PayPal and its customers are obviously much higher-value targets than most Web sites. Maybe eBay is being slow to improve security at PayPal because they’ve been dumping too much money into figuring out what to do with Skype. ;)
I just received an eBay phishing spam in my GMail account informing me that I recently made some security changes to my eBay account and that I need to click on the link in the email to correct my account information. The link is to a Web server in France. Getting that random phishing spam so soon after activating my PayPal Security Key is really an eerie coincidence.