Comments on: $5 PayPal security key gives false hope to stop phishers

By: Chris Dawson

Chris Dawson — Thu, 11 Oct 2007 23:26:00 +0000

Whilst you comment is partially valid you do have to confirm your password when bidding if not already fully logged into eBay. If one was bidding in the final moments of an auction on a slow connection any problems could mean by the time you were logged in it would be too late to bid. It is possible to access your account if you were logged in previously but eBay will still ask you to confirm your password prior to performing certain actionson the site. The answer is as you infer to make sure you’re fully logged in prior to bidding.

In future however please refrain from belittling other commentators on the TameBay site even if you have an opposing opinion.

By: Geta brain

Geta brain — Thu, 11 Oct 2007 22:53:47 +0000

‘Mai Name’ said “I canâ€™t imagine trying to use these things while actually bidding on ebay.”

That’s probably because you WOULDN’T HAVE TO use it while actually BIDDING, you cretinous moron…

Jesus. Are people this stupid allowed out into society?

By: HSBC says “No” to PayPal style security keys : TameBay

HSBC says “No” to PayPal style security keys : TameBay — Thu, 06 Sep 2007 19:15:17 +0000

[...] I wrote about my concerns back in January of this year, two factor authentication was never designed for use on the Internet. Today I’m joined in regarding two factor authentication as flawed by the HSBC Bank. [...]

By: TameBay : Security threat to eBay motors

TameBay : Security threat to eBay motors — Tue, 06 Mar 2007 17:14:44 +0000

[...] A trojan, called bayrob, is capable of presenting fake eBay pages even though you log into the real eBay site. It works by changing files on your computer so that when you click on a link on eBay it seamlessly directs you to a fake site. Users should, as always, make sure their anti-virus software is up to date and be cautious of clicking on links and attachments unless they are sure they are legitimate. The trojan performs what’s known as a “man in the middle” attack . Normally hackers attempt to trick you into logging on to a fake site in attacks known as phishing and pharming, but this new approach is harder for the user to detect. It also has the potential to bypass the security of the new PayPal Verisign tokens, which generate a unique one time password whenever you log on. [...]

By: mai name

mai name — Fri, 02 Mar 2007 08:58:11 +0000

These are absolutely useless to dial up users. You simply can’t load the pages quick enough most times for the key code to remain valid. In my own trials, about 9 of 10 logins resulted in failure. And that’s not single key entries, but logins. Each login allows repeated attempts to enter a valid key, before it simply gives up, and asks for two successive keys, like during the devices activation. my experience left me deactivating the devices use in paypal after 1 day. I can’t imagine trying to use these things while actually bidding on ebay. There are much better ways to waste $5 on ebay/paypal.

By: eBay/PayPal security token - www.gadgetguy.de - The GadgetGuy

eBay/PayPal security token - www.gadgetguy.de - The GadgetGuy — Sun, 25 Feb 2007 22:50:11 +0000

[...] I’m not at all sure they’ll stop phishing attacks (especially considering they’ll only be used by a fraction of the users…), but at $5 I couldn’t resist. The token seems to be an OEMed Vasco token, distributed by verisign. [...]

By: TameBay : Hacking, taunting and eBay security

TameBay : Hacking, taunting and eBay security — Fri, 23 Feb 2007 22:38:37 +0000

[...] Two events appear to have taken place, ongoing and persistent abuse of hijacked accounts and taunting of eBay by a Romanian hacker. eBay are constantly working to prevent account hijacks and educate users on how to stay safe online but it is a never ending battle. Even the new PayPal security tokens don’t give a 100% guarantee of security although they will certainly slow hackers down. The key for all users is never click links in emails, and be suspicious of all links on websites. The much maligned eBay toolbar will show if you are about to enter your user name and password into a non-eBay site, and new EV SLL enabled browsers will assist also. (eBay and PayPal are amongst the first websites to be EV SLL ready). [...]

By: Vin

Vin — Mon, 22 Jan 2007 23:51:00 +0000

While cynicism and pessimism are hallmarks of a true security pro, it is worth noting that the see-saw of attack/defense rises as well as falls.

Yes, MitM attacks, as well as targeted trojans, are presumtively effective attacks, but there are also new defenses that can block them.

RSA seems to waiting for the IETF to publish its new cryptographically secure protocol, Protected One-Time Passwords (POTP)-- although it was approved by the IETF's Engineering Board in October, and is already embedded in RSA products and those of several leading switch manufacturers -- but you can review its mechanics on the RSA Labs' website, where it is listed as one of RSA's "One Time Password Specifications" (OTPS).

Where RSA find more security, VeriSign (and eBay, PayPal, etc.) will surely follow.

POTP blocks MitM attacks with a local desktop agent that interacts with the server to establish a crypto secret, which is never transmitted, but can then be used to secure the session and (as well) provide a key for additional crypto functions.

Many financial institutions today often buttress strong (2FA) authentication with a back office transaction monitor which collects and tracks, in real time, a slew of data points about the consumer, his transaction, and the device he typically uses for transactions. The monitor typically fires off an alert or alarm if a new incoming call varies significantly from the consumer's past habits and practice so the site's adaptive authentication processes can demand more surety proofs.

There will doubtless be new attacks developed by the bad guys as these defenses fall into place, but that will only spur the vendors and eCommerce sites to grab their suspenders and move new defenses into place. It is a historically endless cycle, hopefully abbreviated as law enforcement gets its act together and begins to nail and jail more of the predators. It is also worth noting that groups of low-level crooks fall by the wayside with each new defense barrier; others are forced to rely on other people's attack code which they don't fully understand -- which raises their vulnerability to the Lawmen.

By: Udi

Udi — Sun, 21 Jan 2007 14:37:00 +0000

But true hope costs less and covers all threats mentioned at the very good article. take a look at http://www.sentry-com.co.il and you will find a unique solution that frees the consumer from any device except the cellular or a phone. It also provides full authentication when you call the call-center.