Martin McKeay

Security Matters

Your key to PayPal

Kudos to PayPal. They're the first of the major online services to offer a security key to all of their users. You know, one of those things just like an RSA SecurID key fob (which it may be, rebranded) that shows a different 6-digit number every 30 seconds, which the user enters at the web site to prove their identity. They've attached a $5 price tag to the device, but I'm guessing that's just a way to keep every customer from ordering one unless they're really going to use it.

What does this accomplish for PayPal? It gives them two-factor authentication. The forms of identification are generally agreed to be something you know, something you have and something you are. Occasionally we can add 'somewhere you are' to this, but that doesn't really apply to e-commerce. A password is something you know, which is a good start, but passwords are often easy to guess, and relying on a single form of identification leaves you open to a wide variety of attacks. By introducing a second factor, PayPal has placed itself far above most of its competition and is showing a commitment to security.

This doesn't prevent man-in-the-middle attacks, but it takes a huge bite out of password guessing attacks and stolen passwords.  Your roommate will no longer be able to walk up to your computer and use your PayPal account because you cached your password.  Not that you'd ever do that, but if you did ... 

I think we'll be seeing a lot more of this over the next few years. The only problem will be when you've got four or five (or more) of these keys and have to carry them around all the time. I think we'll see these security keys shrink until they reach the same size and form factor as your credit cards, maybe even integrated into your credit card. You'll pull your PayPal-branded credit card out of your pocket and enter the latest code flashing on the paper-thin screen. We're not there yet, but I think we'll see this within a few years. I look forward to that day, because then we can do away with the security codes on the back of the card (properly called a CVV2 number) and instead use the same technology PayPal is using. When we can have this built into our credit cards, we'll see a huge drop-off in fraud. Until the hackers break that too.

What People Are Saying

As it happens the PayPal

As it happens the PayPal tokens are rebranded devices from Vasco, not RSA. I've just received mine :)

Interestingly PayPal are the first major issuer of tokens under VeriSign's VIP program. This will allow me to register my PayPal token with other companies that also support VIP tokens. eBay are obviously on board, but I've read about a couple of other companies that are also signing up (including a couple of online banks or share trading sites). It will be interesting to see if this model takes off, because it's one way to cut down the number of tokens that you'll need to carry.

A company called InCard has been demonstrating their tokens for the last year or so, which are credit card size/shape/flexibility. According to news reports they are currently working with VISA to pilot a combination token & credit card. They have demo cards with mag stripe, EMV chips, etc.

@J: I work in online banking security and think that tokens can still add some value (despite the obvious limitations of MITM or session-hijacking trojans), because they impose a limit on the value of any intercepted identities/credentials. If attackers can only do their fraudulent transactions in a short time window - instead of at leisure - then this forces a significant change to their business model, and may increase their risks.

And of course any decent bank shouldn't be relying on authentication alone :P

As you noted,

As you noted, man-in-the-middle attacks are not affected by this mechanism. As the use of security tokens, "site-key" images and so on grows, so will the MITM attacks, and we won't be that much better off than before.