Reported malfunction in PayPal Security Key

When eBay rolled out the PayPal Security Key earlier this year, its executives hailed it as an important measure that would make users more secure. And it was. By generating a random, six-digit number every 30 seconds that users needed to authenticate themselves online, the small electronic token provided an additional layer of …

COMMENTS

This topic is closed for new posts.
  1. Brett Brennan

    Is this JUST PayPal?

    I'll bet that the PayPal security key is the same SecureID key fob that is in general use throughout the business world. If so, is there a possible problem with SecureID validation software elsewhere? Now THAT would be a story, Dan...

  2. R.E.H.

    Barn door is open?

    Will have to test this next time I use Paypal (I have a Paypal fob). If this is really true then one has to wonder what exactly the programmers at PayPal are smoking. A validation function that returns success regardless of input? Awesome coding guys!

    I'm not sure how exactly a security vulnerability this wide slips through the cracks. Testing, wonder if they've heard of it?

    On a tangent, why the hell does Paypal make me answer a security question after I have successfully (1) provided my user ID, (2) provided my password, AND (3) provided my key fob number thing? It's beginning to get on my nerves, and I'm not sure I understand what additional security it is generating. If they've stolen my password AND my fob, then congrats, they probably deserve access to my account already.

  3. Anonymous Coward

    Not SecurID

    Whatever monkeyshines Paypal is using, it's not SecurID.

    SecurID tokens are registered on an authentication server. The SecurID auth server validates all of the following before approving the login:

    1) username AND

    2) user PIN AND

    3) currently displayed code on token assigned to username AND

    4) account status (could be disabled from too many failed login attempts, etc)

    Unless the login request matches all of the above, you're turned away. And yes, the server has enough information to "know" what token code should be displayed on your token in any given minute.
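The four-way check this comment describes, as an added example that is not part of the original post or of any vendor's software: a small Python server-side validator that approves a login only when the username exists, the PIN matches, the currently expected token code matches, and the account is not disabled, and that disables the account after repeated failures. The code generator is a standard time-based HMAC scheme (RFC 6238 style) over a constructed demo seed; it stands in for the proprietary SecurID algorithm and is an assumption for illustration, as are the user table, the one-minute step and the three-strike lockout.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo data (assumptions, not real token seeds or accounts).
TOKEN_SEEDS = {"token-0001": b"constructed-demo-seed-not-a-real-secret"}
MAX_FAILURES = 3      # assumed lockout threshold
STEP_SECONDS = 60     # the comment speaks of the code shown "in any given minute"


def make_users():
    """Fresh copy of the constructed user table, so state never leaks between runs."""
    return {
        "alice": {"pin": "4321", "token": "token-0001", "disabled": False, "failures": 0},
    }


def expected_code(seed, now, step=STEP_SECONDS):
    """What the server expects the token to display at time `now` (RFC 6238 style).

    The server holds the same seed as the token, so it can compute the code
    instead of trusting whatever the client sends.
    """
    counter = int(now // step)
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def validate_login(username, pin, code, now=None, users=None, seeds=TOKEN_SEEDS):
    """Approve only if ALL of: known user, correct PIN, correct token code, account enabled.

    Returns (approved, reason). The reason for bad credentials is deliberately
    generic so the caller cannot tell which factor failed.
    """
    if now is None:
        now = time.time()
    if users is None:
        users = make_users()

    user = users.get(username)
    if user is None:                       # 1) username must be registered
        return False, "bad credentials"
    if user["disabled"]:                   # 4) account status checked before anything else
        return False, "account disabled"

    pin_ok = hmac.compare_digest(user["pin"], pin)          # 2) user PIN
    # 3) currently displayed code: must be the full six digits and match the
    #    server-side computation for the token assigned to this user.
    well_formed = len(code) == 6 and code.isdigit()
    token_ok = well_formed and hmac.compare_digest(
        expected_code(seeds[user["token"]], now), code)

    if pin_ok and token_ok:
        user["failures"] = 0
        return True, "ok"

    # Any failure counts toward lockout; never "succeed regardless of input".
    user["failures"] += 1
    if user["failures"] >= MAX_FAILURES:
        user["disabled"] = True
    return False, "bad credentials"


if __name__ == "__main__":
    table = make_users()
    t = time.time()
    good = expected_code(TOKEN_SEEDS["token-0001"], t)
    print(validate_login("alice", "4321", good, now=t, users=table))
    print(validate_login("alice", "4321", "12345", now=t, users=table))
```

The ordering matters: the account-status check runs before the PIN and code comparisons so a disabled account is never evaluated against live credentials, and both comparisons are performed with `hmac.compare_digest` rather than `==` so timing does not leak which factor was wrong.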

  4. Chris Romero

    Only PayPal AFAIK

    Yes, I have only seen it with PayPal. And only in the way I described where you enter the PayPal site via a vendor link to pay for an item or service.

    Also, the general code on the PayPal site still forces you to enter a full six-digit key. The error shown on the top of the page in the screen shot was left over from testing a four-digit code to check the overall reaction of the page. The code was then changed to the invalid six-digit code as shown on the screen shot.

    I also have an RSA security fob used with another account. No problems with that account yet. Though you know I will be looking now.

    BTW, I did not mean to imply that any wife or brother is unscrupulous. It was just an example and has nothing to do with real life.

  5. Chris Romero

    Web site to security key fob vendor list.

    PayPal sends their user the Vasco DigiPass Go3 key. (http://www.vasco.com/).

    eBay sends their user the Vasco DigiPass Go3 key. (http://www.vasco.com/).

    E*TRADE sends their user the RSA SecurID key (http://www.rsa.com/). RSA is a part of EMC.

    This has nothing to do with the implementation of the software or key into the site. It is just a short list of what the user will get. Never would have cared to look up the manufacturer names if the PayPal issue was not there.

  6. yeah, right.

    False sense of security???

    Since when did anyone using Paypal have any sense of security, other than one based on misplaced trust? I wouldn't trust Paypal "security" to secure a piece of cheese, let alone any money.

    If I have to (as in it's the only option available) I'll provide them with a credit card number - but only the one with a very small limit and good refund policy for internet fraud. I certainly wouldn't give them the keys to any account with money in it. Fob or no fob.

    Paypal security? Yeah, right.

  7. Kev K

    Gosh

    Gaypal / Fleabay security error - what a shock!!!

    Pfft - I presume this is from the Daily Express "Diana's still dead and Maddy's still missing" dept

  8. Nick Leach

    Seen this before..

    This is pretty standard stuff. I'd guess that this 'vulnerability' is designed-in.

    The problem with any hardware based 2 factor authentication is that you need a back-up mechanism in case the user loses, breaks or forgets their hardware token. Using memorable data as the back up is pretty typical of companies that shy away from (heaven forbid) putting a real, expensive, human in the loop.

    Several large banks I could name use exactly the same kind of back up for their '2 factor' systems. There are plenty of better (but more expensive) alternatives, but Paypal aren't the first and won't be the last to use this particular method. A security method is only as strong as its weakest link, and this is poor.

  9. Anonymous Coward

    RE: Seen this before..

    I, too, have seen something similar. In the place I work, if someone loses their token, locks it, or can't be bothered using one -- we give them a password instead, usually a short word like their first name.

    I have given up pointing out that it would be simpler just to scrap the tokens and go back to password authentication, seeing as this is so widespread. Still, I suppose paying £80 per user for a false sense of security makes sense in a world where one is forced to refer to users as "customers" and "customer service" trumps security every time.

    IT security, I've heard of it...

  10. Anonymous Coward

    ebay using SecureID

    LOL Granted they could probably afford to, they're too goddamn cheap to extend real security to their patrons... That would cut into profit margins...
