Paypal Introduces SecurID Tokens

Paypal will sell SecurID tokens to its customers, starting early this year. The PayPal Security Key is a keychain-size device that generates a new six-digit code every 30 seconds. Paypal will require customers who sign up for the key to enter the current code in order to complete transactions.

Paypal hopes the gadget adds an extra layer of security and helps prevent account breaches.

Just don’t lose your keys. — BEN POPKEN

The PayPal Security Key [Official Site via Gizmodo] (Thanks to Kornkob!)

Comments


  1. AlteredBeast (blaming the OP one article at a time.) says:

    Wait…what?

    From what I know, the biggest security problem is those emails that say, “You need to log in to verify something!”

    I find this a bit unnecessary.

  2. magic8ball says:

    So is Paypal going to require everybody to buy one of their magical $5 keys? Or is it optional?

  3. AcilletaM says:

    Funny how I get a ton of those emails right after I need to use Paypal for something (which is rarely).

    I’ve dealt with these tokens for various security things with companies I’ve done work for. Pain in the ass. Paypal should be paying us for using them.

  4. Citron says:

    My dad uses one of those. He works in defense contracting, making guidance systems for missiles. I don’t feel important enough to have a thingy that randomly generates numbers.

  5. rekoil says:

    Cool, except that I’ve already got one of these from E*Trade…and I hear Bank of America might be sending me one too…how many of these things am I gonna have to keep on my keychain?

    For those who don’t know, the token works by running a unique random seed value and a timestamp value through an algorithm to generate a key number that changes every 60 seconds. The clock inside the token is accurate enough to stay synced for years, so the auth server runs the same algorithm the token runs to compare the key and return a pass/fail.

    Every implementation I’ve seen combines the token’s code with a standard password – this is what is called “two-factor” authentication, the factors being something you know (your account number and password) and something you possess (the token). This lowers the possibility of someone accessing your account if they steal your SecurID (much like ATM card + PIN auth systems).

    An ideal solution to the four-tokens-on-my-keychain problem would be a centralized SecurID authentication service, so that one could carry a single token to authenticate with any client site. However, I doubt the sites themselves trust a single outside party enough for this to ever gain traction (remember Windows Passport?). But if this does happen I will be a happy man indeed.

  6. VA_White says:

    Paypal sucks to begin with. I don’t know if I want a token that ensures my security on a system that is threatened more by their own business practices than outside hackers. Is the token going to prevent them from freezing my balance and dipping into my checking account at will? If not, they can stick it.

  7. k4_pacific says:

    AlteredBeast:

    This would guard against those emails, because the phisher would need the number from the device to log in and clean out the account. Since that number changes every 30 seconds, he would have to prompt for the magic number on the fake login phishing page, then manage to log in to paypal within 30 seconds after the user was phished. Since the magic number keeps changing, he won’t be able to log in more than once.
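rekoil’s comment above describes the token mechanism (a secret seed and the current time fed through an algorithm, with the server running the same computation), and k4_pacific’s comment describes why a phished code is only good once and only briefly. The following added example, which is not from the article or from PayPal, VeriSign or RSA, demonstrates both points in Python. The real tokens’ algorithm is not given on the page, so the code uses the public HMAC-SHA1 time-based construction of RFC 6238 as a stand-in; the seed, account name and timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the article: a new six-digit code every 30 seconds
DIGITS = 6


def totp_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code for the time step that contains unix_time.

    Stand-in for the token's own algorithm: HMAC-SHA1 over the step counter
    (RFC 6238), dynamically truncated to the requested number of digits.
    """
    counter = unix_time // step
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server side: recomputes the code from the stored seed and the clock.

    `window` allows one step of clock drift in either direction; `last_counter`
    records the newest step already accepted per account so that a code can
    never be used a second time, whoever submits it.
    """

    def __init__(self, seeds: dict, step: int = STEP_SECONDS, window: int = 1):
        self.seeds = dict(seeds)          # account -> seed (constructed sample data)
        self.last_counter = {}            # account -> highest counter already accepted
        self.step = step
        self.window = window

    def verify(self, account: str, submitted_code: str, unix_time: int) -> bool:
        seed = self.seeds.get(account)
        if seed is None:
            return False
        now_counter = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = now_counter + delta
            if counter <= self.last_counter.get(account, -1):
                continue   # this step's code was already consumed: reject replay
            expected = totp_code(seed, counter * self.step, self.step)
            if hmac.compare_digest(expected, submitted_code):
                self.last_counter[account] = counter
                return True
        return False


def demo():
    """Walk through the window and single-use behaviour on constructed values."""
    seed = b"constructed-demo-seed-not-a-real-token"   # sample seed, not a real one
    verifier = TokenVerifier({"alice": seed})
    t0 = 1_700_000_010            # constructed timestamp (start of a 30-second step)
    code = totp_code(seed, t0)

    first = verifier.verify("alice", code, t0 + 5)     # submitted within the step: accepted
    replay = verifier.verify("alice", code, t0 + 10)   # same code again: rejected
    stale = verifier.verify("alice", code, t0 + 120)   # four steps later: outside the window
    wrong = verifier.verify("alice", totp_code(b"other-seed", t0 + 120), t0 + 120)  # other seed
    return first, replay, stale, wrong


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False, False, False)`: the same code is accepted once, refused on reuse, refused once the clock has moved past the drift window, and a code from a different seed never matches. As tz notes further down the thread, this limits replay of a captured code but does not help when the user’s current code is relayed to the real site while it is still valid.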

  8. Kevin Murphy says:

    They’re not SecurID — that’s an RSA brand. Paypal is selling VeriSign tokens.

  9. Little Miss Moneybags says:

    Ugh, this really sucks. I use Paypal mainly for eBay purposes, and I could easily get along without it considering how infrequently I eBay, but several of my mystery shopping companies only pay through Paypal. I don’t think it’s right that I should have to “pay” for this device in order to get paid. When I’m done with Paypal, can I send it back for a refund? I doubt it.

  10. AlteredBeast (blaming the OP one article at a time.) says:

    k4

    This would guard against those emails, because the phisher would need the number from the device to log in and clean out the account. Since that number changes every 30 seconds, he would have to prompt for the magic number on the fake login phishing page, then manage to log in to paypal within 30 seconds after the user was phished. Since the magic number keeps changing, he won’t be able to log in more than once.

    Or, they can just email members and say “Don’t be a damn idiot! Don’t log in through emails! Log in through the Paypal home page!”

    And save lots of time and effort.

    Unless, of course, they are turning a profit from these stupid devices.

  11. Hoss says:

    Oh great — this gets popular and our key ring will be larger than the high school janitor’s key chain. What’s wrong with the Bank of America and ING schema where you see a picture of a daisy (or whatever) then click the virtual keypad?

  12. Angiol says:

    It looks to be optional, but they’ll probably make you jump through so many hoops otherwise it’ll be better just to buy the thing.

  13. Smashville says:

    These are awesome…nothing like setting up a numbers racket by playing which number comes up next…

  14. Kornkob says:

    They’re not SecurID — that’s an RSA brand. Paypal is selling VeriSign tokens.

    Kevin, I think you might be wrong there. RSA’s website says they sell SecurID. http://www.rsasecurity.comnode.asp?id=3051

  15. Kornkob says:

    Disregard last. I misread your comment.

  16. tz says:

    It won’t help with a “man in the middle” attack, i.e. if the phisher knows what they are doing and the user falls for the fake web page.

    But the big question is will they accept you knowing the number as proof you exist instead of having to fax copies of your utility bill at 3:30am to get your account unlocked?

    Somehow I don’t think so.

  17. kool371 says:

    What about if the hacker actually possesses one of these Security Tokens? Won’t they be able to hack your account just as easily as they currently can without one?