New PayPal key to help thwart phishers

Over the next few months, eBay will be offering its PayPal users a new tool in the fight against phishers: a $5 security key. The security key is actually a small electronic device, designed to clip on to a keychain, that calculates a new numeric password every 30 seconds. PayPal users who sign up to use the device will need to enter their regular passwords as well as the number displayed on the key whenever they log in to the online payment service. "The key is really going to give users one more layer of security for their accounts," said Sara Bettencourt, a PayPal spokeswoman.

Because the numeric password changes so frequently, even successful phishers will end up with obsolete numeric passwords and will be unable to empty PayPal accounts. "If you fall for a phishing scam and give away your user name and password...if you used the PayPal Security Key, a third party couldn't get to your account because they wouldn't have this dynamic digit," Bettencourt said. The Security Key could be an important tool for PayPal, whose Web site is frequently spoofed by phishers looking to steal user account information.

News source: InfoWorld


14 Comments


Sounds like a really good idea. Although depending on how long the key is and how quick it changes it might be tough to get the internet page loaded and input the key before it has changed.

If it is only $5 forever, I will most likely buy it for my dad. If it costs $5 a month there is no way I'd buy it. I might do it for $5 a year.

Holy crap, just $5? This is an awesome idea. I used to have SecurID at work and it was great.

I wish the banks and credit card companies would take notice and implement this as well. It's not perfect, of course, but it's an extra security step. It also beats phishing because even if someone ripped off your information they'd need to use it within a couple minutes of retrieving it for it to still work.

So is that $5 a one time up front fee or is it another monthly fee added on top? I bet the second! Lame, should be free!

I'm not worried about phishers, but more about trojans or keyloggers that steal your password. With the security key, this would end

I have an RSA SecurID that I use for work. I would certainly use something similar for PayPal; it would be a great idea for online banking also.

I have to bring my SecurID token with me every time I travel by plane for work, and I haven't had any issues with the security check over it.

For $5, it's worth it. I get a lot of phishing mails for eBay & PayPal. I've always ignored them, but must admit I got caught off guard once for my eBay, but I quickly changed my password about a minute later, once I realized it was a scam.

But if everybody used this it would put an end to phishing for PayPal.

HSBC Bank Australia already uses this method to secure users from phishing. Their device is pretty much free, however they do warn that if you bring it on a plane, you risk getting it confiscated due to the new flying rules.

This sounds like a good idea but I cannot understand how this device will communicate with the PayPal servers to ensure correct validation of the dynamic password. Can someone try and clear this up?

This is the same method available from RSA Security - SecurID.

The key and the authentication servers are time-synchronized so that, based on the mathematical algorithm created for said key, the number generated by the key will be the same as required by the server...with said number changing every 60 seconds.

It doesn't

The device generates a number based on a certain algorithm, combined with a personal number thingie stored in the device. Also the timecode is somewhat involved, I believe, but it may not be because of the unreliability of electronics to stay at the correct time.

The same algorithm as well as your personal code is stored at Amazon, so they compare what number should come.

I suppose instead of time the device used a sequential generator. That's what they used before (many web banks used them in the form of code cards before, where the numbers were pre-generated, and you had to remember what was the next number yourself).

In this way the device generated a number where the number of times it has been used is part of the algorithm as well.

The bank, or in this case eBay, then calculates the next 3 or so numbers, and sees if the number is the same as one of them; if it is, it resyncs to that number and accepts.
That's how they did it before, and thus you always got a warning not to generate numbers when you weren't asked to, because more than so or so generations would unsync you, and you would need to resync at the bank.

However, with the latest 1-button-to-generate-the-number devices you get from banks now, or with Bank ID (e-ID anyway) (which I guess is the same thing as what PayPal will use), they do not give these warnings, so I'm not sure how they sync. They may just have a bigger buff, but that seems unsecure somehow.

These things are pretty good. I've used them before for something else. I wish all the banks would adopt them for online banking; it would make things much more secure.

Not a bad idea. It doesn't matter how secure their website is, if a false phishing site sends you an email and you are stupid enough to give them your name & password.
5 bucks is a nominal fee to recover the cost of the dongle & shipping.

So it's PayPal's fault that people are too dumb to realise they are on a fake site and hand over their logon details without question?