PayPal to offer security key fobs for additional account protection
For every stupendous scam that crafty / immoral individuals pull off on eBay, there are at least a couple of phishing scams out there trying to jack your precious eBay or PayPal password and access your hard-earned dollars. PayPal is readying a VeriSign security key that will resemble the RSA SecurID we corporate workers are all too familiar with, and will sport a monochrome LCD screen that rotates a six-digit password every 30 seconds. Clients who opt to use this device will be able to enter the current code along with their usual username / password credentials when logging in, which would prevent scammers from accessing their account without the key fob in hand. The firm has been testing the device with employees for "several months," and plans to start trialing it with customers "within a month or so." Personal account owners in America, Germany, and Australia will eventually have the option of picking one up for a one-time fee of $5, while business accounts will receive the unit gratis. If you're not savvy enough to pass on by those tempting scams, five bucks could be a small price to pay to keep your cash out of strangers' hands.

[Via jkOnTheRun]

Reader Comments (Page 1 of 1)
Trevor @ Jan 15th 2007 11:43AM
This is exactly what I have been waiting for them to release. Now if ebay would do the same, I would be set. I myself have had my ebay account hacked into multiple times.
Rivet @ Jan 15th 2007 12:13PM
Being dumb enough to enter your password onto a phishing site != "hacked"
James Grinter @ Jan 15th 2007 12:14PM
So, which type is it going to be? A 'press-button' style token, like you picture (from the likes of Vasco - your picture looks like their DigiPass Go 3 model), or a 'time-based' token from RSA (SecurID) - as pictured in the referred article at jkOnTheRun?
Ben @ Jan 15th 2007 12:29PM
If only they would allow me to use my work one so I wouldn't have to carry two of those damn things around.
Big Mike @ Jan 15th 2007 12:35PM
AOL did this YEARS ago. Granted nothing on AOL is really hackworthy but it IS sad that such an inept company offered this type of security long before a company like paypal, who houses such sensitive information.
josh @ Jan 15th 2007 12:35PM
I had my ebay account hacked, and I didn't enter my password into any phishing site. I hadn't even used the account for a year or so, but one day I got a bunch of emails about "my" auctions. They apparently either managed to guess my password reminder question answers, or ran a dictionary file of some kind on my password, which was pretty simple since I made it years ago. (Now it's a random string of numbers and letters, so I should be safe)
Mike @ Jan 15th 2007 12:35PM
What someone SHOULD do is create a secure membership network for e-commerce sites so that ONE token can be used for your account at all the participating sites...get the major online retailers to become participants and you will have secured the internet marketplace exponentially with very little effort.
IMO the credit card companies should form a NFP org. and do this, it would save them millions in fraud costs a year.
NOTE: If you're listening BIG BANKING, I'll be sure to charge you a competitive fee to use that idea and for my consult. :-P
James Grinter @ Jan 16th 2007 5:52AM
Managed service authentication is already being offered (I don't know if anyone significant is using them, mind.) RSA has been offering it since early 2005, and I'm sure the other vendors do too. (As a customer of RSA, I just happen to know more about their offerings.)
And "soft" tokens - in PDAs, Mobile phones (including BlackBerrys), and on PCs - are also available (with their own advantages and disadvantages.)
But, probably for logistical reasons as well as straight cost-of-widget reasons, the uptake hasn't been very high in the consumer space.
Phil @ Jan 15th 2007 12:39PM
Verisign has an OEM relationship with Vasco which explains why the token shown in this article looks just like the Vasco GO 3.
Renato @ Jan 15th 2007 12:58PM
For sure, the token is a Vasco Go 3.
Janlouis @ Jan 17th 2007 10:31AM
GO-3 = Vasco = VeriSign = Paypal
http://www.vasco.com/products/product.ht...
http://news.com.com/2100-7355_3-6149722....
.Jeffries
http://tinyurl.com/yhuf8d
VASCO is the sweet spot of this trend, and upcoming deals(SSSS) in Japan and with Paypal (!!!!) give us increased confidence in 2007. Price target increased from $15 to $17."
David @ Jan 15th 2007 1:20PM
Would this device also be used for confirming payments, so that just in case the hacker managed to gain access to the account they wouldn't be able to buy anything on your credit card? And would it be available in the UK?
Ed French @ Jan 15th 2007 2:50PM
I'm not so sure this is a great idea. I understand that already phishing sites are using your login details as you type them (more like a man-in-the-middle attack I guess?). So the 30 second lifetime of the code is long enough for them to get in. Worst thing is that users may be more relaxed about checking sites are legit if they rely on this device.
Chris Franklin @ Jan 15th 2007 4:33PM
https://www.paypal.com/securitykey
Marcus @ Jan 15th 2007 4:46PM
I have one of these for my HSBC business bank account. They are quite a good idea really, but saying that, it seems a lot of effort just for something like Paypal.
TIMMAH! @ Jan 15th 2007 5:09PM
@Mike... yeah someone tried that. It was called "Microsoft Passport"... not a big success for some reason...
... @ Jan 15th 2007 7:01PM
This will only help the people stupid enough to use a really weak password on an account that is tied to their bank, or enter the password to said account into a phishing site.
But it does nothing to prevent the paypal scams that drive the majority of the people away from paypal.
nak @ Jan 15th 2007 8:30PM
Josh: you just got phished. The latest scam going around is to send people eBay-type emails about their auctions. You sign in to see what's going on and now they have your password.
nak @ Jan 15th 2007 8:37PM
I could have made that more clear. You get emails that look like they are from eBay concerning "your" auctions, when in fact, you have no auctions. You click on the link to respond or find out what's up, and give up your info to the phishers. Now they really do have your eBay account and will likely start scamming people with it.
Zeus @ Jan 15th 2007 8:58PM
It may sound dumb but they should add these as an option for like a onetime 10-15 buck fee for World of Warcraft account. I just lost 3 wow accounts with how much playtime and real material wealth because a mod I got from a (supposedly) legit site had a key logger and my Norton, A) didn't find it, B) firewall didn't block it from reporting back to the mothership...
CaptCaveman @ Jan 15th 2007 9:15PM
I like the idea. And I'm sure I'll pick one up. But now I will have one for work and one for Pay Pal. If the banks were smart they would do the same thing. But wait, I have 3 bank accounts. Now I have 5 of these things hanging from my neck or key chain. I'm sure there's a couple more online sites that could use them also, which means soon people will be fumbling for their RSA keys, like apartment building sups fumble for their regular keys.
It will be hilarious!
token @ Jan 16th 2007 12:17AM
personally i'd be more scared of paypal itself than scammers...
nak @ Jan 16th 2007 12:44AM
Perhaps RSA keys are the next big app for mobile phones. Simply register your mobile at a site and a few encrypted data exchanges later your mobile now provides your RSA key for that site. That'd be nice, and considerably easier for sites to implement. No selling hardware, just distributing code to mobiles.
LazyShrimp @ Jan 16th 2007 8:17PM
Random Passwords key fobs have been around for 15 years+
What's new here?
what's next after PayPal Security Key: Google TANs - you know: a printed list of passwords that one uses once and strikes with a pen when it was used...
keep up the good work
Jon Henshaw @ Feb 24th 2007 12:45AM
First look and screenshots on activating the key:
http://www.sitening.com/blog/2007/02/24/first-look-at-the-paypal-security-key-for-paypal-and-ebay/
ed @ Feb 25th 2007 6:18AM
To have Paypal charge you for these fobs is just another excuse for Paypal to make ridiculous profit from their customers... I heard these cost you $5 each - when in reality they probably cost a couple of pence or cents to make.. I'm all for added security but not at the expense of making profits off of the customer.
Greedy Paypal fat-cats at work again
PLEASE VISIT MY ANTI-PAYPAL BLOG & WHAT ALTERNATIVES ARE OUT THERE:
http://cqoutseller.blogspot.com/