PayPal recently began to sell a so called PayPal Security Key to protect PayPal users from phishing attacks. The system works by protecting the login to the account not only with a username and password but also a security key that is generated on the fly on an external device. Attackers who are able to steal PayPal login information would need physical access to the security key to be able to log into the account at a later time.

It is not a 100% perfect solution as attackers are still able to circumvent the security key if they have additional information related to the PayPal user’s account. It still is a viable protection in most cases. PayPal is hosting a security center on their website that is informing and educating users about security risks and how to reduce them and prevent attacks.

Probably the best way of fighting most attacks and all phishing attacks is to always open the PayPal website directly instead of clicking on links that are supposed to lead there. Another security method is to use a password manager to store the PayPal login information. Many password managers, such as Last Pass, can fill out the login form and log in the user automatically in configured accounts. This can be a very effective method of detecting fake websites as the password manager will not fill out the login information automatically on these websites.

Related posts

• PayPal Now Offering Mobile Security Key (2)
• Update on my PayPal Story (8)
• Protect PayPal Accounts With VeriSign Identity Protection Devices (19)
• Unauthorized Payment Done With My PayPal Account (50)
• Send a Fax to unsubscribe from paypals newsletter (4)

The key is an electronic device that generates a six digit key every 30 seconds. That key is needed to login into PayPal. The device can be ordered from within the PayPal interface or from VeriSign directly. It works at all websites that make use of the key including eBay and PayPal.

PayPal has introduced the mobile security key recently. It makes use of the same principle with the difference that the security key is generated by an official server and send to the user’s cell phone instead.

This offers a few advantages like increased mobility and no waiting time till the device arrives. It does however mean that the user is charged for every SMS send by his cell phone provider. Merchants who log into PayPal several times a day might want to use the hardware solution primarily to save costs.

Users who want to order a mobile security key can do that once they are logged into PayPal. The option becomes available after the PayPal login. A click on the Security link in the top right corner of the website will load a new page with a link named Security Key.

A click on that link will display two options: To order a security key device or a SMS security key.

Related posts

• Protect PayPal Accounts With VeriSign Identity Protection Devices (19)
• Update on my PayPal Story (8)
• PayPal Login (1)
• Unauthorized Payment Done With My PayPal Account (50)
• Send a Fax to unsubscribe from paypals newsletter (4)

The analysis of my computer did not turn up anything that could have been used to grab my PayPal credentials and make the transfer and I did scan it with a multitude of scanners.

The support line at PayPal was not helpful at all and could not even tell me if I was the only one that has logged into my own PayPal account recently claiming that it was against their privacy policy to disclose such data. That was very unfortunate because it would have helped me tremendously to know if someone logged into my account to make the payment.

I was contacted at the same day by Steve Ragan from The Tech Herald who published an interview about the case on the website. That interview seemed to have sparked the interest of PayPal because I was shortly after contacted by their CISO who wanted to transfer my case to a specialized team, he called it unusual e-crimes investigations team. That was a pleasant surprise and I had hopes that I would finally find out how the money was transferred.

Unfortunately though I have not heard back yet and I’m not sure if I ever will. I know that some big companies are rather slow when working on cases but it has been two weeks and no reply since.

Last but not least Steve contacted me again telling me that the guys at VeriSign would like to send me one of those PayPal Security Key after they have heard the story which is really nice of them. Unfortunately though I have ordered one already which has not arrived yet. It’s also been two weeks since then and I’m beginning to see a pattern here. So VeriSign nice, PayPal not so nice. I will keep you updated if I’m ever contacted again by PayPal about this matter.

Update:

I received both the PayPal Security Key and the VeriSign ID Protection key shortly after finishing the article. Will write about those soon.

Related posts

• Unauthorized Payment Done With My PayPal Account (50)
• PayPal Now Offering Mobile Security Key (2)
• Protect PayPal Accounts With VeriSign Identity Protection Devices (19)
• PayPal Login (1)
• Send a Fax to unsubscribe from paypals newsletter (4)