Now I am curious. Martin, could you subject your fob to extremes of heat and cold? Just to see if the token’s timing can be thrown off :) You’ll know if your timing is off when the number you enter is not accepted. Of course, this will void your warantee.

Disclaimer, I do not hack, nor do I know how to. I’m just “curious” :)

Glad to hear it worked well for you! The PayPal Security Key and the VeriSign token you received (as well as the VIP Security Card) are all VIP Credentials, which mean they work on any site which is a member of the VIP Network. These sites include eBay, PayPal and AOL — the complete list is available at https://idprotect.verisign.com/wheretouse.v. Being part of a network means that you only need a single device to secure all of these sites, whether you got it from PayPal, directly from VeriSign, or from another network member.

The VIP Credentials from VeriSign use the open standard OATH HOTP algorithm (openauthentication.org), published as IETF RFC 4226 (http://www.rfc-editor.org/rfc/rfc4226.txt). This algorithm is based on HMAC-SHA1, which is a one-way hash function virtually impossible to reverse — http://www.openauthentication.org/pdfs/Attacks%20on%20SHA-1%20FAQ.pdf.

It’s like hashes – you may know exact algorithm, you may know hash value… But you can’t reconstruct original object from hash.

All the fobs should be programmed to generate a number a certain “unique way”. The registration process merely tells Paypal the fob’s “unique way” – the unique key. This way, when the fob generates the number for you to put into your transaction, Paypal will generate the same number and agree with it.

If a phreaker have access to enough fobs, s/he should be able to figure out the algorithm. And when s/he sniffs the traffic, s/he will get the number given by the fob. Enough such numbers from one target, and a phreaker should be able to figure out the key if the algorithm is broken.

Could you please explain why do you think serial code can be sniffed?

I don’t see a single reason serial key must be exchanged between server and client except for initial registration.

Think of the fob as the private key of a PGP encryption that is registered with Paypal once you get the fob. And the number given from the fob is the public key. Once you figure the private key (fob) it’s pretty easy to get it all once you sniff out the public key.

That’s also why fobs sort of died in the banking industry. They’re now looking for physical keys – i.e. the ATM card with the embedded chip, and a customer specific reader to read the ATM card at a registered PC.

Question :
Does the PayPal Security Key work on all PayPal country sites?

Answer :
No. The PayPal Security Key is currently available to eBay and PayPal members registered in the U.S., Australia, and Germany.

As far as I understand this system there is no need to transfer serial code (only once when registering) so there is nothing to sniff. Even if you do sniff one instance of access key – it expires in seconds.

Even if exact algorithm is known it’s no use unless serial for specific account is known, which requires access to physical key… Which is kinda the point. :)

I fully expect some phreaker to get their hands on a few of Paypal’s fobs (since Paypal will be giving to everyone). With fobs in hand and an analysis of the codes they generate, a phreaker can easily figure out the algorithm that the fobs use to generate a unique code every 30 seconds – even when you’re not using it (it’s time based).

Than they simply have to sniff your traffic for a bit and backward engineer your fob’s base code. Any dingdong who uses wi-fi for their web access (to Paypal) is wide open to this hack.

The Security Key is currently not available. Please try again later.

Maybe they don’t ship it to the netherlands yet. Guess Il have to try again later.