The key is an electronic device that generates a six digit key every 30 seconds. That key is needed to login into PayPal. The device can be ordered from within the PayPal interface or from VeriSign directly. It works at all websites that make use of the key including eBay and PayPal.

PayPal has introduced the mobile security key recently. It makes use of the same principle with the difference that the security key is generated by an official server and send to the user’s cell phone instead.

This offers a few advantages like increased mobility and no waiting time till the device arrives. It does however mean that the user is charged for every SMS send by his cell phone provider. Merchants who log into PayPal several times a day might want to use the hardware solution primarily to save costs.

Users who want to order a mobile security key can do that once they are logged into PayPal. The option becomes available after the PayPal login. A click on the Security link in the top right corner of the website will load a new page with a link named Security Key.

A click on that link will display two options: To order a security key device or a SMS security key.

The VeriSign Identity Protection device can be used to add another layer of security to the login process. The PayPal Security Key mentions only eBay and PayPal and I’m not sure if it works with the other websites and services that the VeriSign Identity Protection key works with.

The key is a little device that displays a six digit security code when a button is pressed. That code is active for 30 seconds after which it disappears again. The device has to be activated on the website that you want to use it for by entering the serial number of the device and two six digit codes.

Once a device has been linked to an account it has to be used to log into the account by pressing the button and entering the six digit code after the password on that website or by entering the login credentials normally and the six digit code on the next page where it is requested before the user can proceed.

The real benefit of this key is obviously that an attacker who is getting hold of your login credentials cannot login into the account if he does not have access to the active six digit code.

PayPal seems to heavily subsidize the key. If you order the security key at PayPal you receive a blueish-gray device for roughly 5€ while the VeriSign key is delivered in dark red for the price of $30. As I said I’m not sure if the PayPal key works with other services as well.

The VeriSign website offers two additional devices. One is the so called VIP Security Card (for $48), a credit-card sized device that seems to offer the same functionality and the SanDisk U3 TrustedSignins
which works with SanDisk U3 devices but does not seem to come with additional charges.

This is definitely a step into the right direction and I strongly suggest to everyone using eBay and PayPal regularly to get one of those security devices to add another layer of protection to their account.

The analysis of my computer did not turn up anything that could have been used to grab my PayPal credentials and make the transfer and I did scan it with a multitude of scanners.

The support line at PayPal was not helpful at all and could not even tell me if I was the only one that has logged into my own PayPal account recently claiming that it was against their privacy policy to disclose such data. That was very unfortunate because it would have helped me tremendously to know if someone logged into my account to make the payment.

I was contacted at the same day by Steve Ragan from The Tech Herald who published an interview about the case on the website. That interview seemed to have sparked the interest of PayPal because I was shortly after contacted by their CISO who wanted to transfer my case to a specialized team, he called it unusual e-crimes investigations team. That was a pleasant surprise and I had hopes that I would finally find out how the money was transferred.

Unfortunately though I have not heard back yet and I’m not sure if I ever will. I know that some big companies are rather slow when working on cases but it has been two weeks and no reply since.

Last but not least Steve contacted me again telling me that the guys at VeriSign would like to send me one of those PayPal Security Key after they have heard the story which is really nice of them. Unfortunately though I have ordered one already which has not arrived yet. It’s also been two weeks since then and I’m beginning to see a pattern here. So VeriSign nice, PayPal not so nice. I will keep you updated if I’m ever contacted again by PayPal about this matter.

Update:

I received both the PayPal Security Key and the VeriSign ID Protection key shortly after finishing the article. Will write about those soon.