Michael R. Farnum

Hitting the Security Nerve

PayPal using security tokens

Security tokens have been used for quite a while now, and they are still very useful for enterprises. However, they are susceptible to man-in-the-middle attacks, especially when they are used for authentication over the Internet. This was shown a while back when Brian Krebs reported Citibank's problem with a phishing site that sat between the bank and client.

The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit -- a tactic used by some security-savvy people -- you might be fooled. That's because this site acts as the "man in the middle" -- it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.

So now it looks like PayPal is going down this road as well (I got the link from Tom Olzak's post). I know the combination of the typical username/password with the token will probably increase security overall. And I know the Citibank phishing site was fairly sophisticated. But it is these big pay-off sites that will be a target for more sophistication in attacks, so I am thinking it won't be too long before a similar site pops up for PayPal.
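The weakness the post describes comes down to one property of a one-time code: the server checks the code in isolation and has no way to tell which web page collected it. The following is an added illustration, not code from the post, Citibank or PayPal. It implements RFC 4226/6238 codes, a login check of the username/password/token kind described above, and, for contrast, a hypothetical origin-bound challenge-response check of the kind used by FIDO/U2F-style authenticators. The user name, password, seed, origins and timestamps are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step (one window only; real
    servers usually also accept the neighbouring steps to absorb clock skew)."""
    return hotp(secret, now // step, digits)


class OtpLoginServer:
    """Login the way the post describes: username, password and the token code are checked in
    isolation. Nothing in the check says which web page collected the code, so a code that was
    typed into a look-alike page and forwarded within its time window verifies just as well."""

    def __init__(self, users):
        self.users = users  # constructed: {username: (password, token_seed)}

    def login(self, user, password, code, now):
        entry = self.users.get(user)
        if entry is None:
            return "error"
        stored_password, seed = entry
        if not hmac.compare_digest(stored_password, password):
            return "error"
        if not hmac.compare_digest(totp(seed, now), code):
            return "error"
        return "ok"


def device_response(seed: bytes, nonce: bytes, origin: str) -> str:
    """What an origin-aware authenticator returns: a MAC over the server nonce *and* the origin the
    browser is actually connected to. The device never sees a URL typed by a person; the browser
    supplies it, so a look-alike site only ever gets a response bound to its own origin."""
    return hmac.new(seed, nonce + b"|" + origin.encode(), hashlib.sha256).hexdigest()


class OriginBoundLoginServer:
    """Hypothetical challenge-response variant (FIDO/U2F-style origin binding): the server only
    accepts a response computed over its own origin, so a response relayed from elsewhere fails."""

    def __init__(self, users, origin):
        self.users = users
        self.origin = origin
        self.pending = {}

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce  # one-shot: consumed by finish()
        return nonce

    def finish(self, user, response):
        nonce = self.pending.pop(user, None)
        entry = self.users.get(user)
        if nonce is None or entry is None:
            return "error"
        expected = device_response(entry[1], nonce, self.origin)
        return "ok" if hmac.compare_digest(expected, response) else "error"


def demo():
    """Run both servers against the same constructed user and report what each one accepts."""
    seed = b"12345678901234567890"  # constructed seed (the RFC 4226/6238 test-vector secret)
    users = {"alice": ("hunter2", seed)}
    now = 1_000_000  # constructed epoch time

    otp_server = OtpLoginServer(users)
    # Code the user typed into a page she believed was the real site. Forwarded 5 s later it is
    # still inside the same 30 s window, and the real server cannot tell who submitted it.
    code_typed_elsewhere = totp(seed, now)
    relayed_otp = otp_server.login("alice", "hunter2", code_typed_elsewhere, now + 5)
    # The only thing the time step buys is a short shelf life: the same code two minutes later.
    stale_otp = otp_server.login("alice", "hunter2", code_typed_elsewhere, now + 120)

    bound_server = OriginBoundLoginServer(users, "https://login.example")
    nonce = bound_server.challenge("alice")
    genuine_bound = bound_server.finish(
        "alice", device_response(seed, nonce, "https://login.example"))
    nonce = bound_server.challenge("alice")
    # Same nonce handling, but the browser reports the look-alike origin to the device.
    relayed_bound = bound_server.finish(
        "alice", device_response(seed, nonce, "https://login-example.test"))

    return {"relayed_otp": relayed_otp, "stale_otp": stale_otp,
            "genuine_bound": genuine_bound, "relayed_bound": relayed_bound}


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is where the check happens: the OTP server accepts the relayed code because the code carries no information about the page that collected it, and the time window only limits how long the relay has to act. The origin-bound server rejects the relayed response because the browser, not the user, supplies the origin to the authenticator, so the same user doing the same thing on a look-alike page produces a response the real site cannot verify.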

What People Are Saying

I'm the director for help

I'm the director for help desk support in a very large company and I just saw the best token solution; it's made by a company called StrikeForce Technologies, their token solution has an automatic back-up authentication method in case the primary method (token) doesn't work or is unavailable. The sales guy that came here handed me a hammer and asked me to smash his token (so I did), two seconds later his cellphone rang and he authenticated "Out-of-Band"! For me that means no help desk call, for the company it saves about $25 instantly, and the end user is productive immediately. And the best part of the whole thing was that their system is a one-time fee and costs about the same as one help desk call, as we get to use it for password reset as well. I love their pricing model, there's no server charge, there's no 3-year relicense fee like RSA, it has a built-in redundancy, the CIO and I figured it will pay itself off in 6-9 months! Go StrikeForce!!!