unruled says, July 19th, 2008   

I got this message on paypal:

The Security Key is currently not available. Please try again later.

Maybe they don’t ship it to the Netherlands yet. Guess I’ll have to try again later.

Martin says, July 19th, 2008   

unruled what if you go here https://www.paypal.com/securitykey

unruled says, July 19th, 2008   

yes, that’s where I went and was given that message ;)

Arp says, July 19th, 2008   

Thanks for the tip - for anyone running a business that involves Paypal for payments, I’d imagine that a security key would be WELL worth the money.

Tysen Woodlock says, July 19th, 2008   

I got one from PayPal/eBay Australia, so maybe only some countries are currently included. I also got another one for free for my online banking from Commonwealth Bank of Australia.

Dante says, July 19th, 2008   

This key fob idea has been in use by the U.S. Federal Reserve Bank for its member banks to authenticate their wire transfers. It works because the Fed limits who has access to these fobs and strictly governs their destruction.

I fully expect some phreaker to get their hands on a few of Paypal’s fobs (since Paypal will be giving them to everyone). With fobs in hand and an analysis of the codes they generate, a phreaker can easily figure out the algorithm that the fobs use to generate a unique code every 30 seconds - even when you’re not using it (it’s time based).

Then they simply have to sniff your traffic for a bit and backward engineer your fob’s base code. Any dingdong who uses wi-fi for their web access (to Paypal) is wide open to this hack.

Rarst says, July 19th, 2008   

>Then they simply have to sniff your traffic for a bit and backward engineer your fob’s base code.

As far as I understand this system there is no need to transfer serial code (only once when registering) so there is nothing to sniff. Even if you do sniff one instance of access key - it expires in seconds.

Even if exact algorithm is known it’s no use unless serial for specific account is known, which requires access to physical key… Which is kinda the point. :)

Gemini says, July 20th, 2008   

Just to get back on unruled’s comment:

Question :
Does the PayPal Security Key work on all PayPal country sites?

Answer :
No. The PayPal Security Key is currently available to eBay and PayPal members registered in the U.S., Australia, and Germany.

Dante says, July 20th, 2008   

All the physical keys use the same algorithm. That’s why the Fed regulates who has possession of their fobs. Paypal, due to their client base, cannot. Once one figures out the algorithm of the fob, they just need to sniff the web traffic to find the account key associated with the fob.

Think of the fob as the private key of a PGP encryption that is registered with Paypal once you get the fob. And the number given from the fob is the public key. Once you figure the private key (fob) it’s pretty easy to get it all once you sniff out the public key.

That’s also why fobs sort of died in the banking industry. They’re now looking for physical keys - i.e. the ATM card with the embedded chip, and a customer specific reader to read the ATM card at a registered PC.

Rarst says, July 20th, 2008   

@Dante

Could you please explain why you think the serial code can be sniffed?

I don’t see a single reason serial key must be exchanged between server and client except for initial registration.

unruled says, July 20th, 2008   

ah, thanks Gemini. I guess I will have to be patient then :|

Dante says, July 20th, 2008   

@Rarst

All the fobs should be programmed to generate a number a certain “unique way”. The registration process merely tells Paypal the fob’s “unique way” - the unique key. This way, when the fob generates the number for you to put into your transaction, Paypal will generate the same number and agree with it.

If a phreaker has access to enough fobs, s/he should be able to figure out the algorithm. And when s/he sniffs the traffic, s/he will get the number given by the fob. Enough such numbers from one target, and a phreaker should be able to figure out the key if the algorithm is broken.

Rarst says, July 20th, 2008   

Hm… I am no expert but I always thought that the basis of every single public/private key cryptography system is that the private key can’t be calculated using the public one.

It’s like hashes - you may know exact algorithm, you may know hash value… But you can’t reconstruct original object from hash.

Jeff Burstein (VeriSign) says, July 20th, 2008   

@Dante, @Rarst:

The VIP Credentials from VeriSign use the open standard OATH HOTP algorithm (openauthentication.org), published as IETF RFC 4226 (http://www.rfc-editor.org/rfc/rfc4226.txt). This algorithm is based on HMAC-SHA1, which is a one-way hash function virtually impossible to reverse — http://www.openauthentication.org/pdfs/Attacks%20on%20SHA-1%20FAQ.pdf.

Jeff Burstein (VeriSign) says, July 20th, 2008   

Martin:

Glad to hear it worked well for you! The PayPal Security Key and the VeriSign token you received (as well as the VIP Security Card) are all VIP Credentials, which means they work on any site which is a member of the VIP Network. These sites include eBay, PayPal and AOL — the complete list is available at https://idprotect.verisign.com/wheretouse.v. Being part of a network means that you only need a single device to secure all of these sites, whether you got it from PayPal, directly from VeriSign, or from another network member.

Martin says, July 20th, 2008   

Jeff thanks for clarifying, well done especially on a Sunday ;)

Dante says, July 21st, 2008   

Thanks Jeff for the information.

Now I am curious. Martin, could you subject your fob to extremes of heat and cold? Just to see if the token’s timing can be thrown off :) You’ll know if your timing is off when the number you enter is not accepted. Of course, this will void your warranty.

Disclaimer, I do not hack, nor do I know how to. I’m just “curious” :)
