Armed with one of these keys, if you were to log on to your account from an
unfamiliar computer and some invisible password stealing program were resident
on the machine, the bad guys would still be required to know the numbers
displayed on your token, which of course changes every 30 seconds. Likewise, if
someone were to guess or otherwise finagle your PayPal password.
For years, PayPal and eBay have consistently been among the top
three targets of phishing attacks, online scams that use e-mail to
lure people into entering their login credentials at look-alike Web sites. This
technology certainly has the potential to make it tougher for phishers.
According to Avivah Litan, a fraud analyst with Gartner
Inc., other companies that have widely deployed similar security keys
have dramatically cut down on fraud. Litan said online stock trading provider
eTrade has never had an account takeover connected to a customer using
one of its security keys. Nevertheless, as last year's attack against Citibank's
showed, physical access tokens only work against phishing so long as the phishers don't also ask would-be victims to enter the
six-digit number displayed on their personal tokens.
Litan said the token offering fulfills a key requirement of eBay's
2005 acquisition of Verisign's payment gateway system. Under the
deal, PayPal agreed to deploy the tokens to between 200,000 and 300,000 of its
users by the end of 2007. Still, she said, that's a small target for a company
that claims to have more than 100 million users.
PayPal says even users who lose their physical token or don't have it in
their possession when they want to login can still access their accounts, and
that such users will be asked to confirm their account ownership (I'm guessing
with answers to additional questions -- PayPal's FAQ doesn't say). And yes, this should
work just as well for Windows PC users as for Mac people, and others. The
company says its security key works with any computer operating system and web
browser that can access the PayPal or eBay website.
This technology has the most potential to cut eBay's fraud losses among its
sellers: Most of the auction giant's fraud losses relate to the hijacking of
accounts that belong to sellers in good standing, Litan said. Fraudsters then
typically use the credibility the seller has built up with the eBay community to
set up fraudulent auctions.
I ordered one mainly to check it out and to become more familiar with it. But
I wonder how many customers will pony up the five bucks for this device. What
about you, Security Fix readers? Does this appeal to you, and is it worth it?