PayPal is looking at a new security option to help safeguard its accounts from the frequent phishing attempts leveled at its users. The additional security comes in the form of a small electronic gadget that is sized to be on a keychain, like this one used by Purdue University. This electronic security key generates new numbers every 30 seconds. In order to log into your account, you would have to enter both your regular password and the numbers shown on the device.
It is like your username and password are your ATM card, and the numbers on the security key are your PIN. Only, it’s even better because your PIN is constantly changing. Basically, in order to do anything, a thief would have to get both your card and your keys. (Now imagine a similar security key device that requires a code to unlock the display and you are getting to security that is pretty much unbeatable except by government agencies.)
The idea is that even if a hacker or phisher were able to get your username and password, they would be useless without the numbers on the electronic key. If they managed to get the username, password, and numbers, they would only be good for 30 seconds.
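To make the 30-second window concrete, here is an added example (not PayPal's or any token vendor's code) that assumes the device follows the standard time-based one-time-password (TOTP) algorithm, with a constructed demo secret; `replay_window_demo` shows a code captured by a phisher validating now but failing once the clock moves on.

```python
import hmac
import hashlib
import struct

# Constructed demo secret for this example only; a real token carries a per-device secret.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
STEP_SECONDS = 30   # the device rotates its number every 30 seconds
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, unix_time // step)

def verify(secret: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check. Accepts the current step plus/minus skew_steps to tolerate
    clock drift, and compares in constant time so the check itself leaks nothing."""
    current = unix_time // STEP_SECONDS
    for counter in range(current - skew_steps, current + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False

def replay_window_demo(secret: bytes, captured_at: int) -> dict:
    """Why a phished code is short-lived: the same six digits stop validating
    as soon as the server's clock leaves the accepted window."""
    code = totp(secret, captured_at)
    return {
        "immediately": verify(secret, code, captured_at),
        "after_30s": verify(secret, code, captured_at + 30),   # still inside the 1-step skew
        "after_90s": verify(secret, code, captured_at + 90),   # three steps later: rejected
    }

if __name__ == "__main__":
    print(replay_window_demo(DEMO_SECRET, 1_700_000_000))
```

The skew parameter is the practical trade-off: a wider window forgives a drifting token clock but lengthens the time a stolen code stays usable.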
On the one hand, this is great security. In fact, some method of combining this type of technology with something like OpenID so that it could be used on every website, would pretty much shut down phishing and password theft and cracking as we know it.
On the other hand, the PayPal security key is basically designed to stop phishing attacks where the hacker tricks the user into divulging their username and password. Not surprisingly, these methods work best on those who are the least security aware, or those who have the least understanding of website security, while those who are most concerned with security are likely to be vigilant and thus fooled only by the most sophisticated techniques.
In other words, this security device would best protect the people who are the least likely to get one, and do the least to protect the people who are most likely to get one.
And, while we’re at it, what about people with multiple PayPal accounts (a personal and a business one, for example)? What about business accounts? If the guy with the number key device is out sick or on vacation, what then?
The bizarre part is the number of security improvements that could be made without requiring someone to order, buy, and keep track of another piece of hardware. ING’s online banking at ING Direct, for example, requires a user to choose an image and a phrase that validates that they are indeed looking at the REAL ING Direct login page before entering a password.
The image and passphrase display over a graphical numeric keypad where the user enters their PIN. Any phishing attempt would fail immediately when the user noticed that the picture and words that are always there are suddenly missing or different.
Even better, entering the PIN (the password) requires clicking the numbers on the screen, so not even a keylogger can capture it.
PayPal doesn’t even offer this basic security and its next move is an electronic security key?
I know I would feel much more comfortable if, when I clicked a button to pay with PayPal, I could see some sort of validation that this isn’t an elaborate deception: it looks like I’m entering my PayPal username and password into my PayPal account when I am actually entering them into a form designed to look exactly like the original. All you have to do to pull off the scam on even the security savvy is find a way to make the address in the URL bar say "PayPal", since that is the only means of validation PayPal currently offers.
Maybe PayPal should start by implementing some of the basics, and THEN worry about taking it to the next level.