Paypal Sells Anti-Fraud Token. PayPal, the online payment company owned by Internet auction giant eBay, is now selling a $5 "security key" to help customers prevent their accounts from being hijacked if someone guesses or steals their passwords.
The key is a small, oval fob that generates a random, new six-digit passcode every 30 seconds, using technology purchased from Verisign Inc. In addition to entering their user name and passwords, PayPal customers who sign up for the program will be required to enter the passcode before being permitted to log on to their account. PayPal says it will waive the one-time $5 fee for its business account customers.
Armed with one of these keys, if you were to log on to your account from an unfamiliar computer and some invisible password stealing program were resident on the machine, the bad guys would still be required to know the numbers displayed on your token, which of course changes every 30 seconds. Likewise, if someone were to guess or otherwise finagle your PayPal password.
For years, PayPal and eBay have consistently been among the top three targets of phishing attacks, online scams that use e-mail to lure people into entering their login credentials at look-alike Web sites. This technology certainly has the potential to make it tougher for phishers. According to Avivah Litan, a fraud analyst with Gartner Inc., other companies that have widely deployed similar security keys have dramatically cut down on fraud. Litan said online stock trading provider eTrade has never had an account takeover connected to a customer using one of its security keys.
Nevertheless, as last year's attack against Citibank's business customers showed, physical access tokens only work against phishing so long as the phishers don't also ask would-be victims to enter the six-digit number displayed on their personal tokens.
Litan said the token offering fulfills a key requirement of eBay's 2005 acquisition of Verisign's payment gateway system. Under the deal, PayPal agreed to deploy the tokens to between 200,000 and 300,000 of its users by the end of 2007. Still, she said, that's a small target for a company that claims to have more than 100 million users.
PayPal says even users who lose their physical token or don't have it in their possession when they want to login can still access their accounts, and that such users will be asked to confirm their account ownership (I'm guessing with answers to additional questions -- PayPal's FAQ doesn't say). And yes, this should work just as well for Windows PC users as for Mac people, and others. The company says its security key works with any computer operating system and web browser that can access the PayPal or eBay website.
This technology has the most potential to cut eBay's fraud losses among its sellers: Most of the auction giant's fraud losses relate to the hijacking of accounts that belong to sellers in good standing, Litan said. Fraudsters then typically use the credibility the seller has built up with the eBay community to set up fraudulent auctions.
I ordered one mainly to check it out and to become more familiar with it. But I wonder how many customers will pony up the five bucks for this device. What about you, Security Fix readers? Does this appeal to you, and is it worth it? [Security Fix]
2:42:06 PM  PermaLink /
|
