VeriSign secures UK PayPal accounts
26/01/2009 at 19:59
VeriSign and PayPal have today announced the introduction of strong authentication passwords in the UK. They will be enabled either through the use of the PayPal security key or passwords delivered via SMS text message to users mobile phones.
Essentially up until now PayPal users have been playing russian roulette with phishers desperate to steal their password. VeriSign Identity Protection (VIP) offers an extra layer of security to protect your online identity and secure your PayPal account.
There are two options – PayPal or VeriSign keyfob or creditcard style tokens (costing £3.00 from PayPal), or SMS text messages via your mobile phone. Both options can secure accounts by using a new one time password each time you log in.
Once you’ve activated your security key (from the profile section of your PayPal account) you simply log in as normal and there’s an extra screen which will ask you for the number displayed on your security token. This number will change every 30 seconds so it doesn’t matter you seeing my “password” on the screen shot above – it’s already out of date!
If you prefer you can skip this screen by entering the six-digit code displayed on your Security Key immediately following your password (e.g. if your password was PASSWORD and the security key is displaying 123456 then enter PASSWORD123456 as your one time password.
I’ve had a PayPal security key since eBay Live! at Boston in June 2007 and was at last able to activate it today. If you already have a Verisign token which you use for work or secure banking you can use the same token for your PayPal account – there’s no need to carry multiple tokens around. Alternatively if you don’t have or want a hardware token then using your mobile phone is just as secure and possibly more convenient.
“Offering the Security Key via text message is really important as we want to make it as quick and convenient as possible. You just need your mobile phone to use it, which prevents having to carry another gadget around with you.”
Garreth Griffith, Head of Risk Management at PayPal UK
Whilst the PayPal security key isn’t a cast iron guarantee that your account will never be hacked, it is a huge leap forward in securing it and does protect against phishing. No one will be able to log into your account without knowing your password and having your security key or mobile phone.
If you’re a business user and want to protect the thousands of pounds passing through your account I’d recommend ordering a security key, or signing up for PayPal text message passwords today.
Ed (BuildaSkill) says
6:57 am on 27/01/2009
What happens for those of us with UK PayPal accounts who are located very, very far away – i.e. out of range of the security keys, and unable to sign up for PayPal SMS due to being out of country? (I’ve had the same issues with UK online banking too).
Kevin Ashman says
8:43 am on 27/01/2009
Good news!
Where on the Paypal site do you sign, as I can’t find any mention of it?
Cheers
Kevin
Chris Dawson says
9:19 am on 27/01/2009
#1 I guess that’s one of the disadvantages of choosing to bugger off to the other side of the world and live in a beautiful country
#2 Simply log into PayPal, click on “My Account” and then “Profile” in the tool bar and in the left hand column you’ll see the link for “PayPal Security Key”
Liz says
9:53 am on 27/01/2009
I have been waiting for this for ages, around two years since the announced it in the US. I have had one with my business account for ages.
Paul says
11:22 am on 27/01/2009
Thanks for telling us about this, Chris. Did it straight away.
northumbrian says
3:24 pm on 27/01/2009
your right in the shite if you loose your mobile phone or key fob
northumbrian says
3:30 pm on 27/01/2009
ah just found this it sort of defeats the object though why not just have the questions in the first place and do away with all the sms and key fob malarky
Can I still log in to my PayPal account if I lose or break my token,
or if I don’t have my mobile phone with me?
Yes. During login, we’ll ask you questions to help confirm your identity. When you answer them correctly, you’ll be able to log in.
whirly says
3:54 pm on 27/01/2009
#7
I don’t think this gadget will be appearing in the next Bond movie Norf
or being used by the president
“Sir, we are at Defcon 10, we need to launch our nukes”
“Fcuk, I forgot my security key”
“No problem Sir, whats your mums maiden name”
“Shelia”
“Missle’s launched Sir”
Chris Dawson says
3:55 pm on 27/01/2009
#8 It’s a balance of security and convenience.
No matter how secure it may be I don’t want to have to trawl through a load of question and answers EVERY time I want to log into PayPal. (They’re pretty much the same questions as if you forget your password as it happens).
Equally I want to know I’m safe if I use an internet cafe or a shared PC – doesn’t matter if someone sees my password or uses a keystroke logger to capture it because in 30 seconds time it’ll have changed and be useless.
It’s like a one in a million shot that someone will guess the six digit code, but in 30 seconds time they’ll have to start guessing again as it’ll have changed. I can live with those odds.
1/1000000 within 30 seconds ain’t great odds for a hacker :O
whirly says
4:15 pm on 27/01/2009
#9 Wadda ya picking on me for, Norf started it.
FFS
susan says
4:32 pm on 27/01/2009
when are paypal releasing the jam trousers, thats what i want to know?
http://uk.youtube.com/watch?v=fui3H8j6phY
pete says
5:02 pm on 27/01/2009
#9 Actually, those odds are pretty good. Much better than a random password, which could be any combination of alpha/numeric etc.
Without exception, once technology (passcards, fobs etc) are employed to ensure security, an equally clever piece of kit is created to break it wide open.
As far as I can see, all this new system does is reduce the password variables, a very bad thing.
northumbrian says
5:09 pm on 27/01/2009
I willl just stick to plane old simple passwords thanks as Attila the son nicks me keys and buggers off with my car and my security key ,
then the Wifes nicked my mobile phone cos shes used up all her minutes for the next 24 months in one go ,on her phone, and needs to try and improve on her olympic marathon record for talking on the telephone
northumbrian says
5:15 pm on 27/01/2009
and as paypal has this nasty habit of freezing accounts and with holding dosh
there is never much to nick anyhow
Jimbo says
6:33 pm on 27/01/2009
I have something similar with a bank account but it is only used for performing certain transactions rather than logging in.
Do you need multiple keys if you manage multiple PayPal accounts?
Chris Dawson says
7:14 pm on 27/01/2009
#10 Soz Whirly – meant for Norf
#12 Easier to obtain a password from phishing than it is to crack a one in a million code in 10 seconds (Oh… and you need the password as WELL, not instead).
#15 If you bank one is a verisign token you can use it for PayPal as well. You can also use multiple tokens if more than one person needs access to your PayPal account.
ebuyerfb says
7:37 pm on 27/01/2009
Actually it makes that kind of brute force hacking easier. Instead of trying numbers 1 through 999999 you just try the same few numbers over and over. Since the numbers reset regularly you are guaranteed that those numbers will come up in the future.
Plus this does nothing to protect you from a man in the middle attack. Once they have control of your account they will surrender control of it once they log out. That’s the only improvement for that scenario.
Chris Dawson says
7:52 pm on 27/01/2009
#17 Since the numbers reset regularly you are guaranteed that those numbers will come up in the future.
Sure you you can try… but if you tried once every 30 seconds it would take you almost a year until the right one came up.
I’m pretty sure PayPal have enough security in place to notice a log in attempt on a particular account that occurs every 30 seconds without a pause for three hundred and forty seven days. They’ll probably just block you before you get in
Pete says
8:00 pm on 27/01/2009
susan says
11:38 am on 28/01/2009
darn it i went and got one.
if it locks my account i’ll be a tad annoyed
still 3 squids for a gadget…cool
FenLex says
11:59 am on 28/01/2009
So, let me get this straight: if you have a Verisign gadget already then you can use that to get into your PayPal account as well … which means that, even if a fraudster does not already have a Verisign gadget of their own, they can spend three quid for the key to all the Verisign protected PayPal accounts in the UK.
That cannot be right!
If you really can use any Verisign gadget for any account, then that is no security at all. It would be just as daft as if every car of every make used matching keys.
Have I misunderstood something, is there some misinformation from somewhere or is this really not just useless but dangerous as I currently think it must be?
Jimbo says
12:06 pm on 28/01/2009
The gadget has a registration number that has to be connected to you account (I think).
northumbrian says
12:16 pm on 28/01/2009
if this thing is so good .and so needed .and so cutting edge why are they charging £3 quid,
they should be carpet bombing the UK with them for nowt
thousands a month paypal make out of us if they cant afford to give Us a £3 gadget to make us safe its a poor show
Chris Dawson says
12:16 pm on 28/01/2009
#21 Each VeriSign or PayPal key has to be linked to your account before it can be used. Also each has a different key which the algorithm uses to generate passwords individual to that unit.
It’s a bit like saying I’ve got a Yale key for the Yale lock on my front door so I can open your front door too…. except I can’t. The key’s may come from the same blank but they’re cut differently
northumbrian says
12:20 pm on 28/01/2009
or in other words your account is hackable give us £3 quid or else
susan says
12:22 pm on 28/01/2009
each fob must have a set of numbers and this must tie in with an internal clock or timer and create the number by melding the two uniquely every thirty seconds.
the other party like paypal / bank etc armed with the number you link to the account must also be able to create the same number so the security is bonded to the serial number of the device.
its pretty water tight as long as you dont lose the key, although the paypal logo will be rubbed of mine straight away, a link to the puzzle that does not need advertising.
Jimbo says
12:41 pm on 28/01/2009
I was going to write my password on the other side so everything is kept together in a convent way
Suz says
5:00 pm on 28/01/2009
I have three of these key fob wotsits already, one of them is handily plastered with my banks details….!
How can I use one of them for Paypal please?
Idiot proof instructions would be good
Suz x
Chris Dawson says
5:33 pm on 28/01/2009
#28 Follow the instructions in comment #3 above – if it’s a valid verisign fob then it should work.