[Geeks are Sexy] technology news





Monday, January 15, 2007

Paypal Authentication Gets a Security Boost

Paypal users rejoice! eBay's online payment platform should soon let you authenticate to the service with a SecurID-like password generator.

The way the device works is simple. First, users enter their username and password on a site that accepts PayPal payments. Then they look at the password generator and type, underneath the other information, the 6-character numeric key displayed on its screen. This number changes every 30 seconds, so an attacker who is already in possession of the user's login information still cannot complete a login to the victim's account. The device is completely platform and browser independent, so it works anywhere you are: at the office, at home, or on a $100 laptop in a school in the middle of the third world.

For those of you who wish to learn more about the "Key" and are knowledgeable about computer security, you'll be pleased to learn that the device operates on Verisign's two-factor authentication system (PDF), a relatively new and very secure OTP technology.
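As an added illustration of the scheme the article describes (example code written for this page, not PayPal's or VeriSign's implementation), the Python below generates a 6-digit code that rolls over every 30 seconds and shows a server accepting a login only when the password and the current code both check out. It assumes the RFC 6238 TOTP construction (HMAC-SHA1 over a time-step counter), which the article does not specify; the shared seed is the published RFC 4226/6238 test-vector value, and the password, salt and timestamps are constructed for the walkthrough.

```python
import hashlib
import hmac
import struct

# Parameters the article gives: a 6-character numeric code that changes every 30 seconds.
DIGITS = 6
STEP_SECONDS = 30

# Constructed demo data: the seed is the published RFC 4226/6238 test-vector secret,
# not a real token seed, and the timestamp is made up for the walkthrough.
DEMO_SECRET = b"12345678901234567890"
DEMO_T0 = 60


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Time-based one-time code, assumed to follow RFC 6238 (HMAC-SHA1 over a step counter).

    The article does not say which algorithm VeriSign's token uses; this is an assumption."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation, as in HOTP
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class AccountStore:
    """Server-side record for one user: salted password hash, OTP seed, last accepted step."""

    ITERATIONS = 50_000

    def __init__(self, password: str, otp_secret: bytes):
        self._salt = b"constructed-salt"          # constructed; a real system draws this per user
        self._pw_hash = self._hash(password)
        self._otp_secret = otp_secret
        self._last_counter = -1                   # highest time step already used to log in

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, self.ITERATIONS)

    def login(self, password: str, otp_code: str, now: int, skew_steps: int = 1) -> bool:
        """Both factors must match. A code is accepted for the current step plus or minus
        skew_steps of clock drift, and never for a step at or below one already used (replay)."""
        if not hmac.compare_digest(self._pw_hash, self._hash(password)):
            return False
        current = now // STEP_SECONDS
        for counter in range(current - skew_steps, current + skew_steps + 1):
            if counter <= self._last_counter:
                continue                          # replay or stale step: refuse
            expected = totp(self._otp_secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), otp_code.encode()):
                self._last_counter = counter      # burn this step so the code cannot be reused
                return True
        return False


def demo() -> dict:
    """Walk through the login attempts the article describes and return each outcome."""
    password = "correct horse battery staple"     # constructed
    store = AccountStore(password, DEMO_SECRET)
    good_code = totp(DEMO_SECRET, DEMO_T0)        # what the token screen shows at DEMO_T0
    return {
        # Phished password but no token: the attacker would have to guess the code.
        "password_only": store.login(password, "000000", DEMO_T0),
        # Code seen on the token but wrong password.
        "code_only": store.login("guess", good_code, DEMO_T0),
        # Legitimate user with both factors.
        "both_factors": store.login(password, good_code, DEMO_T0),
        # Same code presented again 20 s later, still inside its 30 s window: replay is refused.
        "replayed_code": store.login(password, good_code, DEMO_T0 + 20),
        # Next 30 s window: the token has moved on and the new code is accepted.
        "next_window": store.login(password, totp(DEMO_SECRET, DEMO_T0 + 30), DEMO_T0 + 30),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} -> {'accepted' if outcome else 'rejected'}")
```

The drift allowance and the burn-the-step replay rule are design choices, not something the article states. Note also what this check cannot do: a code typed into a lookalike site and relayed to the real one within its 30-second window is indistinguishable from the genuine user, so the second factor only helps when the user is actually on the real PayPal origin.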

The PayPal security key will cost $5 for ordinary users and will be free for business users. There are no recurring charges after that; beyond the one-time price of the device, the extra layer of protection costs nothing. It will first be available in February 2007 to people in the US, Australia and Germany. Considering the extra security this thing brings, I don't think anyone who uses PayPal should ignore this offer. It may actually save you quite a bit of money if you are ever gullible enough to follow the instructions in a phishing email.



2 Comments:

  • This is still vulnerable to man-in-the-middle attacks if you don't make sure you're at https://www.paypal.com.

    If that phishing email linked you to, say, https://www.paypal-secure-login.com and you logged in via that without noticing, they can log into paypal with your credentials.

    There are even phishing kits that can do this automatically, see this article at money.cnn.com

    The moral? Verify the URL and verify it's secure. Even http://www.paypal.com would be suspicious, because it should always be https.

    By Anonymous Anonymous, at 2:14 AM  

  • "I don't think anyone who uses paypal should ignore this offer. It may actually save you quite a bit of money if you ever are gullible enough to follow the instructions in a phishing email."

    Therein lies the problem. Paypal needs to send these free to all users who do more than $X worth of transactions for it to be very effective.

    People rarely pay for security voluntarily; it's insurance, and these things get old fast. I find it inconvenient to keep the token for my company's VPN, so why would I remember my one for PayPal?

    By Anonymous Staunch, at 8:59 AM  
