$5 PayPal security key gives false hope to stop phishers
Like many financial institutions, eBay and PayPal are late adopters of security devices for one-time passwords. A security device (costing $5 in the US) gives a different security code each time you log into your account. PayPal say it “generates a unique six-digit security code about every 30 seconds. You enter that code when you log in to your PayPal or eBay account with your regular user name and password. Then the code expires – no-one else can use it.” Or can they?
These devices have been around for almost twenty years, with Security Dynamics (RSA Security) and Vasco being the earliest to market with solutions. The eBay PayPal key has been developed in conjunction with VeriSign.
The biggest concern is whether the tokens are effective in preventing phishing attacks. Well, firstly, that’s not what they were designed for. They were designed originally for remote access solutions where an employee would dial into a company workplace over a telephone line. Rather than a password that could be written down, the token ensured hackers couldn’t dial in to the network with a compromised password, and there was little chance of anyone intercepting the dial-up phone call. The tokens were then deployed for use internally for all users on a network. Later they migrated outside the network as the Internet became more common for remote users connecting to corporate networks, for online banking, and now for eBay and PayPal.
It’s important to realise they weren’t designed for use on the Internet in the first place, and that hackers have had decades to develop ways to combat the tokens. The codes generated are still secure: there is still no effective way to predict or forge the security codes themselves. This doesn’t deter the phishers though – they have other tools in their arsenal.
Man in the middle attack
We’ve all seen phishing emails where a hacker tries to get you to click through to a fake eBay or PayPal website and enter your user name and password, which they later use to access your account. Smarter phishing sites are becoming more common, where the hacker captures your user name and password (and one-time code) and instantly uses it to log on to the real site. They pass the pages you request through to the real site and back to you – you may never realise you’re not logged directly into the site, but in the meantime the hacker is able to perform any transaction they please while you make the transaction you logged on to do.
Far too few Internet users keep their security up to date, leaving them open to virus and trojan attacks. If a phisher manages to install a trojan on your computer, the next time you log on to eBay or PayPal they can piggyback on your logon session to perform their own transactions.
These two methods for bypassing one-time passwords are not new – they were reported by Bruce Schneier back in March 2005. What does this mean for the new PayPal and eBay security devices? Well, it’ll make the phishers’ lives harder, but so far the devices are only available in the US, Australia and Germany, leaving plenty of targets for phishers in the other eBay and PayPal territories. Secondly, they’re not compulsory: free for PayPal Business accounts, but the $5 cost will put off many users, arguably the most vulnerable. Finally, the efficacy of the tokens themselves has to be questioned. It’s technology that’s been around since before most of today’s hackers first logged on to the Internet, and it was designed for dial-up connections to corporate networks. Hackers have grown up looking for ways to render them useless.
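To make the relay problem concrete, here is an added example (not code from the original post, and not PayPal’s or VeriSign’s own algorithm) that models a six-digit code rotating every 30 seconds in the style of RFC 6238 TOTP, which is an assumption about how the key works. It shows that a code typed into a look-alike page and forwarded to the genuine verifier a few seconds later is accepted, because the verifier has no way to tell who submitted it; that a single-use check at the server stops a later replay but not the real-time relay; and, going beyond the page, that binding the device’s response to the site origin the browser is actually connected to (the principle later adopted by phishing-resistant authenticators) lets the genuine site reject a relayed response. The seed, nonce and the look-alike origin are constructed placeholders.

```python
"""Why a 30-second one-time code does not stop a real-time relay.

Added example, not part of the original post or of PayPal's/VeriSign's code.
The TOTP-style algorithm is an assumption about how the key works.
"""
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, as the page quotes ("about every 30 seconds")
SECRET = b"constructed-demo-seed"  # constructed; a real token has a per-device seed


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """Time-based one-time code: HMAC-SHA1 over the 30-second counter (RFC 6238)."""
    counter = now // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


class OtpVerifier:
    """Server side: accepts the code for the current 30-second slot once."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.used_slots: set[int] = set()

    def verify(self, code: str, now: int) -> bool:
        slot = now // STEP
        if slot in self.used_slots:
            return False  # single-use: this slot's code was already consumed
        if hmac.compare_digest(code, totp(self.secret, now)):
            self.used_slots.add(slot)
            return True
        return False


def origin_bound_response(secret: bytes, challenge: bytes, origin: str) -> str:
    """Device signs the server's challenge together with the origin the browser
    is really talking to, so the response is only valid for that origin."""
    return hmac.new(secret, challenge + b"|" + origin.encode(), hashlib.sha256).hexdigest()


def verify_origin_bound(secret: bytes, challenge: bytes, expected_origin: str, response: str) -> bool:
    """Genuine site checks the response against its own origin, not the attacker's."""
    return hmac.compare_digest(response, origin_bound_response(secret, challenge, expected_origin))


def relay_accepted(now: int = 1_700_000_000) -> bool:
    """Relay scenario from the post: the code the user typed into a look-alike
    page is forwarded to the genuine verifier 5 seconds later, still inside
    the same 30-second slot. The verifier cannot tell who submitted it."""
    verifier = OtpVerifier(SECRET)
    code_typed_by_user = totp(SECRET, now)  # user reads it off the key
    return verifier.verify(code_typed_by_user, now + 5)


def replay_rejected(now: int = 1_700_000_000) -> bool:
    """Single-use check: the same code submitted a second time is refused.
    This limits replay, but not a relay that arrives before the user's own login."""
    verifier = OtpVerifier(SECRET)
    code = totp(SECRET, now)
    first = verifier.verify(code, now)
    second = verifier.verify(code, now + 5)
    return first and not second


def relay_detected_with_origin_binding() -> bool:
    """The browser is really connected to the look-alike origin, so the device
    signs that origin; the genuine site verifies against its own and fails."""
    challenge = b"constructed-server-nonce-1234"      # constructed
    genuine = "https://www.paypal.com"
    lookalike = "https://paypal-login.example"        # constructed placeholder
    relayed = origin_bound_response(SECRET, challenge, lookalike)
    return not verify_origin_bound(SECRET, challenge, genuine, relayed)


if __name__ == "__main__":
    print("relay of a 30-second code accepted:", relay_accepted())
    print("straight replay rejected by single-use check:", replay_rejected())
    print("relay rejected with origin binding:", relay_detected_with_origin_binding())
```

The `totp` function reproduces the RFC 6238 reference vector (seed `12345678901234567890`, time 59 gives `94287082` at eight digits), so the rotating code itself is as sound as the post says; the weakness the example exposes is purely that a bearer code carries no information about where the user typed it.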
It remains to be seen whether the promise of security will result in users lowering their guard still further. After all, no one can access your account without your token, can they? Well, possibly they can – users need to be as vigilant as ever. As Blogging stocks ask, “Are the days at an end to eBay and PayPal phishing scams?”. Sadly, the chances are they’re only just beginning!