<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: PayPal&#8217;s Security Key</title>
	<atom:link href="http://www.techexams.net/blogs/jdmurray/paypals-security-key/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.techexams.net/blogs/jdmurray/paypals-security-key</link>
	<description>TechExams.net Team Blog</description>
	<pubDate>Mon,  6 Oct 2008 12:31:15 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.1</generator>
		<item>
		<title>By: James D. Murray</title>
		<link>http://www.techexams.net/blogs/jdmurray/paypals-security-key#comment-742</link>
		<dc:creator>James D. Murray</dc:creator>
		<pubDate>Thu, 04 Oct 2007 17:34:56 +0000</pubDate>
		<guid isPermaLink="false">http://www.techexams.net/blogs/jdmurray/paypals-security-key#comment-742</guid>
		<description>Yeah, PayPal can be MITM'ed just like any SSL Web site can, but PayPal and its customers are obviously much higher-value targets than most Web sites. Maybe eBay is being slow to improve security at PayPal because they've been dumping too much money into figuring out what to do with Skype. ;)

I just received an eBay phishing spam in my GMail account informing me that I recently made some security changes with my eBay account and that I need to click on the link in the email to correct my account information. The link is to a Web server in France. Getting that random phishing spam so soon after activating my PayPal Security Key is really an eerie coincidence.</description>
		<content:encoded><![CDATA[<p>Yeah, PayPal can be MITM&#8217;ed just like any SSL Web site can, but PayPal and its customers are obviously much higher-value targets than most Web sites. Maybe eBay is being slow to improve security at PayPal because they&#8217;ve been dumping too much money into figuring out what to do with Skype. ;)</p>
<p>I just received an eBay phishing spam in my GMail account informing me that I recently made some security changes with my eBay account and that I need to click on the link in the email to correct my account information. The link is to a Web server in France. Getting that random phishing spam so soon after activating my PayPal Security Key is really an eerie coincidence.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: sprkymrk</title>
		<link>http://www.techexams.net/blogs/jdmurray/paypals-security-key#comment-741</link>
		<dc:creator>sprkymrk</dc:creator>
		<pubDate>Thu, 04 Oct 2007 16:19:51 +0000</pubDate>
		<guid isPermaLink="false">http://www.techexams.net/blogs/jdmurray/paypals-security-key#comment-741</guid>
		<description>Thanks for the clarification JD. And also I need to point out that many of the "paypal horror stories" websites actually appear to be sponsored/hosted by front end advertising for other online financial services companies, so a grain of salt in some of those claims may be wise.

As has been pointed out, the fob is a step in the right direction and will prevent many of the phishing scams from obtaining users' passwords. My own wife's account was compromised in just such a way back in 2001 or 2002. This would certainly have been prevented if this new security feature had been in place then.
(Side note: since we caught the compromise early, and actually were in contact with a wise seller who thought something strange was afoot, no funds were stolen and paypal actually responded quickly and decisively to stop any damage).

I enjoyed reading your blog on this JD, thanks for writing it.</description>
		<content:encoded><![CDATA[<p>Thanks for the clarification JD. And also I need to point out that many of the &#8220;paypal horror stories&#8221; websites actually appear to be sponsored/hosted by front end advertising for other online financial services companies, so a grain of salt in some of those claims may be wise.</p>
<p>As has been pointed out, the fob is a step in the right direction and will prevent many of the phishing scams from obtaining users&#8217; passwords. My own wife&#8217;s account was compromised in just such a way back in 2001 or 2002. This would certainly have been prevented if this new security feature had been in place then.<br />
(Side note: since we caught the compromise early, and actually were in contact with a wise seller who thought something strange was afoot, no funds were stolen and paypal actually responded quickly and decisively to stop any damage).</p>
<p>I enjoyed reading your blog on this JD, thanks for writing it.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Keatron</title>
		<link>http://www.techexams.net/blogs/jdmurray/paypals-security-key#comment-736</link>
		<dc:creator>Keatron</dc:creator>
		<pubDate>Thu, 04 Oct 2007 04:11:44 +0000</pubDate>
		<guid isPermaLink="false">http://www.techexams.net/blogs/jdmurray/paypals-security-key#comment-736</guid>
		<description>Nice stuff. I got a newsgroup report about this back in April. I do find it interesting that while this is certainly a move in the right direction, they still have not done anything to tighten up security where they are most vulnerable (and actually compromised the most). These security tokens, while effective for one thing and certainly adding another layer, do nothing to prevent MITM (man-in-the-middle) attacks. As JD pointed out there are many ways to "game" here, however this does move closer to a real solution and allows us to put more pressure in a more focused way on other areas.

KE</description>
		<content:encoded><![CDATA[<p>Nice stuff. I got a newsgroup report about this back in April. I do find it interesting that while this is certainly a move in the right direction, they still have not done anything to tighten up security where they are most vulnerable (and actually compromised the most). These security tokens, while effective for one thing and certainly adding another layer, do nothing to prevent MITM (man-in-the-middle) attacks. As JD pointed out there are many ways to &#8220;game&#8221; here, however this does move closer to a real solution and allows us to put more pressure in a more focused way on other areas.</p>
<p>KE</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: James D. Murray</title>
		<link>http://www.techexams.net/blogs/jdmurray/paypals-security-key#comment-728</link>
		<dc:creator>James D. Murray</dc:creator>
		<pubDate>Wed, 03 Oct 2007 16:41:51 +0000</pubDate>
		<guid isPermaLink="false">http://www.techexams.net/blogs/jdmurray/paypals-security-key#comment-728</guid>
		<description>The PayPal Security Key is a fob, not a dongle. A fob is not connected to a computer, while a dongle is connected (usually) to a USB port. The number generated by the fob is like a second password that is only used once for each login. Without having access to the fob, there is only a 1-in-900,000 chance of guessing the correct 6-digit number.

And yes, just as with any financial service, there are many ways to "game" PayPal. This security token is just one more layer of security to help ensure a successful PayPal experience.</description>
		<content:encoded><![CDATA[<p>The PayPal Security Key is a fob, not a dongle. A fob is not connected to a computer, while a dongle is connected (usually) to a USB port. The number generated by the fob is like a second password that is only used once for each login. Without having access to the fob, there is only a 1-in-900,000 chance of guessing the correct 6-digit number.</p>
<p>And yes, just as with any financial service, there are many ways to &#8220;game&#8221; PayPal. This security token is just one more layer of security to help ensure a successful PayPal experience.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: sprkymrk</title>
		<link>http://www.techexams.net/blogs/jdmurray/paypals-security-key#comment-727</link>
		<dc:creator>sprkymrk</dc:creator>
		<pubDate>Wed, 03 Oct 2007 15:37:57 +0000</pubDate>
		<guid isPermaLink="false">http://www.techexams.net/blogs/jdmurray/paypals-security-key#comment-727</guid>
		<description>Thanks for the review JD. I am curious how someone over the phone reading the token number works, as I assumed the token had to be plugged into the computer at the time you enter the number as with a smart card.

Also, while using a token like this is certainly a great way to secure your account against hijacking, there are other, more serious problems, with paypal than just stolen accounts. A google search for "paypal horror stories" or something similar will reveal a 100,000 strong class action lawsuit against paypal for being unresponsive to consumer complaints and also for freezing accounts for months/years/infinity without justification and all the while continuing to earn interest on that money. A typical scam starts with a friendly enough purchase on e-Bay, say for a laptop sold for $800. Paypal notifies the seller that the 800 bucks has been paid, at which time the seller ships the laptop. A week or two later the buyer claims he never received the laptop and files a complaint with paypal, who then freezes your account and may even transfer the money back to the buyer. The buyer then either keeps the laptop or sells it pocketing the money. Meanwhile you are out the money and the laptop until paypal decides to admit they made a mistake - which generally never happens, hence the class action suit.</description>
		<content:encoded><![CDATA[<p>Thanks for the review JD. I am curious how someone over the phone reading the token number works, as I assumed the token had to be plugged into the computer at the time you enter the number as with a smart card.</p>
<p>Also, while using a token like this is certainly a great way to secure your account against hijacking, there are other, more serious problems, with paypal than just stolen accounts. A google search for &#8220;paypal horror stories&#8221; or something similar will reveal a 100,000 strong class action lawsuit against paypal for being unresponsive to consumer complaints and also for freezing accounts for months/years/infinity without justification and all the while continuing to earn interest on that money. A typical scam starts with a friendly enough purchase on e-Bay, say for a laptop sold for $800. Paypal notifies the seller that the 800 bucks has been paid, at which time the seller ships the laptop. A week or two later the buyer claims he never received the laptop and files a complaint with paypal, who then freezes your account and may even transfer the money back to the buyer. The buyer then either keeps the laptop or sells it pocketing the money. Meanwhile you are out the money and the laptop until paypal decides to admit they made a mistake - which generally never happens, hence the class action suit.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
