Protect PayPal Accounts With VeriSign Identity Protection Devices
I had a rather unpleasant experience with PayPal lately where someone transferred all the money from my account. PayPal was not very forthcoming, and to this day I do not know how this happened.
One of the first things that I did after this experience was to order a PayPal Security Key. I was contacted by VeriSign, the creators of those security keys, just a few days later and they sent me a key as well. In other words: I bought a key and got one from VeriSign for testing.
The VeriSign Identity Protection device can be used to add another layer of security to the login process. The PayPal Security Key mentions only eBay and PayPal and I'm not sure if it works with other websites and services that the VeriSign Identity Protection key works with.
The key is a small device that displays a six-digit security code when a button is pressed. The code is valid for 30 seconds, after which it disappears. The device has to be activated on the website you want to use it with by entering its serial number and two six-digit codes; the codes prove that you actually hold the device that bears that serial number.
Once a device has been linked to an account, logging in requires pressing the button and entering the six-digit code, either appended to the password or on a separate page that asks for it after the normal credentials have been entered.
The real benefit is that an attacker who gets hold of your login credentials still cannot log in, because the six-digit code, which only the physical device can produce, is required as well. The code is derived from a secret stored in the device rather than picked at random, which is what allows the site to check it. Note the limit of this protection: a phishing page that asks for the current code and relays it to the real site within the 30-second window still gets in, so the code should only ever be typed into the genuine site.
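The generation and checking described above, as an added example that is not part of the original post. One of the comments below, from VeriSign, identifies the algorithm as OATH HOTP (RFC 4226, HMAC-SHA1); the Python below implements that using the RFC's own test-vector secret, adds the time-based variant (RFC 6238, 30-second steps) that matches the behaviour the post describes, and models the server side: enrolment from two consecutive codes, a small look-ahead window, and rejection of a replayed code. The `enroll` routine, the window size and the `HotpVerifier` class are illustrative assumptions, not VeriSign's or PayPal's implementation; in this model the serial number is only the key under which the server looks up its copy of the shared secret and is not itself secret.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo secret: the RFC 4226 / RFC 6238 test-vector key (ASCII "12345678901234567890").
# A real token holds a per-device secret that is never shown to the user.
RFC4226_SECRET = b"12345678901234567890"
DIGITS = 6
TIME_STEP = 30  # seconds, matching the 30-second validity the post describes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 time-based variant: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(at // step), digits)


class HotpVerifier:
    """Server side of a registered token (assumed model, not PayPal's code): holds the shared
    secret and the next expected counter, accepts a code only inside a small look-ahead window,
    and never accepts a counter at or below the last accepted one, so a sniffed code cannot be
    replayed once it has been used."""

    def __init__(self, secret: bytes, window: int = 4):
        self.secret = secret
        self.counter = 0  # next counter value the server expects
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # move past the accepted counter; resyncs if codes were skipped
                return True
        return False


def enroll(secret: bytes, first: str, second: str, search: int = 100) -> Optional[HotpVerifier]:
    """Models registration with two consecutive codes: find a counter c in the search range with
    hotp(c) == first and hotp(c+1) == second. Two codes make an accidental match against the
    wrong secret negligible. Returns a verifier positioned after the second code, else None."""
    for c in range(search):
        if hotp(secret, c) == first and hotp(secret, c + 1) == second:
            verifier = HotpVerifier(secret)
            verifier.counter = c + 2
            return verifier
    return None


if __name__ == "__main__":
    # What the token shows for the first three button presses (RFC 4226 test vectors).
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))
    v = enroll(RFC4226_SECRET, hotp(RFC4226_SECRET, 0), hotp(RFC4226_SECRET, 1))
    code = hotp(RFC4226_SECRET, 2)
    print("first use accepted:", v.verify(code))
    print("replay accepted:   ", v.verify(code))
```

The two enrolment codes serve the same purpose as the two codes the post says the website asks for: a single six-digit value would match one of the first hundred counters of a wrong secret roughly one time in a hundred, while two consecutive values essentially never do. The time-based variant needs no counter bookkeeping, but the server must then reject a code that was already accepted within the current step to get the same replay protection.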
PayPal seems to subsidize the key heavily: ordered through PayPal, the bluish-gray device costs roughly 5€, while the VeriSign-branded key, delivered in dark red, costs $30. As I said, I'm not sure whether the PayPal key works with other services as well.
The VeriSign website offers two additional devices: the so-called VIP Security Card ($48), a credit-card-sized device that seems to offer the same functionality, and SanDisk U3 TrustedSignins, which works with SanDisk U3 flash drives and does not seem to come with an additional charge.
This is definitely a step in the right direction, and I strongly suggest that everyone who uses eBay and PayPal regularly get one of these devices to add another layer of protection to their account.
Note: VeriSign is now part of Symantec and the service is now called Symantec VIP (Validation and ID Protection). The devices are still available: a VIP Security Token costs $30 and a VIP Security Card $48. There are also two new products: mobile apps for smartphones and desktop programs, both free to download and use.
Hardware tokens are not available anymore; the site links to Amazon only, and Amazon lists the devices as unavailable.
I got this message on PayPal:
The Security Key is currently not available. Please try again later.
Maybe they don't ship it to the Netherlands yet. Guess I'll have to try again later.
unruled, what if you go here: https://www.paypal.com/securitykey
yes, that’s where I went and was given that message ;)
Thanks for the tip. For anyone running a business that involves PayPal for payments, I'd imagine that a security key would be WELL worth the money.
I got one from PayPal/eBay Australia, so maybe only some countries are currently included. I also got another one for free for my online banking from Commonwealth Bank of Australia.
This key fob idea has been in use by the U.S. Federal Reserve Bank for its member banks to authenticate their wire transfers. It works because the Fed limits who has access to these fobs and strictly governs their destruction.
I fully expect some phreaker to get their hands on a few of PayPal's fobs (since PayPal will be giving them to everyone). With fobs in hand and an analysis of the codes they generate, a phreaker can easily figure out the algorithm that the fobs use to generate a unique code every 30 seconds, even when you're not using it (it's time based).
Then they simply have to sniff your traffic for a bit and backward engineer your fob's base code. Any dingdong who uses wi-fi for their web access (to PayPal) is wide open to this hack.
> Then they simply have to sniff your traffic for a bit and backward engineer your fob's base code.
As far as I understand this system there is no need to transfer serial code (only once when registering) so there is nothing to sniff. Even if you do sniff one instance of access key – it expires in seconds.
Even if exact algorithm is known it’s no use unless serial for specific account is known, which requires access to physical key… Which is kinda the point. :)
Just to get back on unruled’s comment:
Does the PayPal Security Key work on all PayPal country sites?
No. The PayPal Security Key is currently available to eBay and PayPal members registered in the U.S., Australia, and Germany.
All the physical keys use the same algorithm. That's why the Fed regulates who has possession of their fobs. PayPal, due to their client base, cannot. Once one figures out the algorithm of the fob, they just need to sniff the web traffic to find the account key associated with the fob.
Think of the fob as the private key of a PGP encryption that is registered with PayPal once you get the fob, and the number given by the fob as the public key. Once you figure out the private key (fob), it's pretty easy to get it all once you sniff out the public key.
That’s also why fobs sort of died in the banking industry. They’re now looking for physical keys – i.e. the ATM card with the embedded chip, and a customer specific reader to read the ATM card at a registered PC.
Could you please explain why you think the serial code can be sniffed?
I don't see a single reason the serial key must be exchanged between server and client except for the initial registration.
ah, thanks Gemini. I guess I will have to be patient then :|
All the fobs should be programmed to generate a number a certain "unique way". The registration process merely tells PayPal the fob's "unique way", the unique key. This way, when the fob generates the number for you to put into your transaction, PayPal will generate the same number and agree with it.
If a phreaker has access to enough fobs, s/he should be able to figure out the algorithm. And when s/he sniffs the traffic, s/he will get the number given by the fob. Enough such numbers from one target, and a phreaker should be able to figure out the key if the algorithm is broken.
Hm… I am no expert but I always thought that basis of every single public/private key cryptography system is that private key can’t be calculated using public one.
It’s like hashes – you may know exact algorithm, you may know hash value… But you can’t reconstruct original object from hash.
The VIP Credentials from VeriSign use the open standard OATH HOTP algorithm (openauthentication.org), published as IETF RFC 4226 (http://www.rfc-editor.org/rfc/rfc4226.txt). This algorithm is based on HMAC-SHA1, which is a one-way hash function virtually impossible to reverse — http://www.openauthentication.org/pdfs/Attacks%20on%20SHA-1%20FAQ.pdf.
Glad to hear it worked well for you! The PayPal Security Key and the VeriSign token you received (as well as the VIP Security Card) are all VIP Credentials, which mean they work on any site which is a member of the VIP Network. These sites include eBay, PayPal and AOL — the complete list is available at https://idprotect.verisign.com/wheretouse.v. Being part of a network means that you only need a single device to secure all of these sites, whether you got it from PayPal, directly from VeriSign, or from another network member.
Jeff thanks for clarifying, well done especially on a Sunday ;)
Thanks Jeff for the information.
Now I am curious. Martin, could you subject your fob to extremes of heat and cold? Just to see if the token's timing can be thrown off :) You'll know if your timing is off when the number you enter is not accepted. Of course, this will void your warranty.
Disclaimer, I do not hack, nor do I know how to. I’m just “curious” :)
had to use this link
I have a big concern..
When using these keys to log in, eBay does not disclose the serial number of the device when asking for the code; however, PayPal does! Could the serial number be used by a hacker to help generate more probable codes (if they knew/reverse engineered the algorithm these devices use)?
Also, why does PayPal allow you to bypass the code completely and answer secret questions (which all friends/family know anyway)?
Also, it says something like "you can log in using your secret questions this time, but next time you'll need to enter a code", yet it does not act on this. You can log in as many times as you want subsequently without entering a code at all.
eBay does not allow this. If you lose your reader/don't have it on your person etc., it calls your home telephone number with a new code. It does not allow you to log in using secret questions. It seems way more secure. Why is this? PayPal should be more secure than eBay!!! It has my money. Why is eBay more secure?
The PayPal Security Key should be available worldwide by now. Why is it taking so long to be offered in all the other countries where PayPal offers its services?
Martin, do you know if it is available in Brazil already? I downloaded the Android app, but when I go to register my code it gives me some kind of error.
I can’t really see a reason why they should not be available. Have you tried contacting support?
Does this work in Canada?
I’m using this in Germany, so it works in countries other than the US.