Like many financial institutions, eBay and PayPal are late adopters of security devices for one time passwords. A security device (costing $5 in the US) gives a different security code each time you log into your account. PayPal say it “generates a unique six-digit security code about every 30 seconds. You enter that code when you log in to your PayPal or eBay account with your regular user name and password. Then the code expires – no-one else can use it.” Or can they??
These devices have been around for almost twenty years, with Security Dynamics (RSA Security) and Vasco being the earliest to market with solutions. The eBay/PayPal key has been developed in conjunction with VeriSign.
The biggest concern is whether the tokens are effective in preventing phishing attacks. Well, firstly, that’s not what they were designed for. They were designed originally for remote access, where an employee would dial into a company workplace over a telephone line. Rather than relying on a password that could be written down, the token ensured hackers couldn’t dial in to the network with a compromised password, and there was little chance of anyone intercepting the dial-up phone call. The tokens were then deployed for use internally for all users on a network. Later they migrated outside the network as the Internet became more common for remote users connecting to corporate networks, then for online banking, and now for eBay and PayPal.
It’s important to realise they weren’t designed for use on the Internet in the first place, and that hackers have had decades to develop ways to combat the tokens. The actual codes generated are still secure; there is still no effective way to compromise the security codes themselves. This doesn’t deter the phishers though – they have other tools in their arsenal.
Man in the middle attack
We’ve all seen phishing emails where a hacker tries to get you to click through to a fake eBay or PayPal website and enter your user name and password, which they later use to access your account. Smarter phishing sites are becoming more common, where the hacker captures your user name and password and instantly uses them to log on to the real site. They pass the information you request from the site back to you – you may never realise you’re not logged directly into the site, but in the meantime the hacker is able to perform any transaction they please while you make the transaction you logged on to do. A one-time code typed into such a page is relayed in exactly the same way: it is still valid for its 30 seconds, and the code itself does not tell the real site which transaction it was meant to authorise.
Trojan attacks
Far too few Internet users keep their security software up to date, allowing virus and trojan attacks. If a phisher manages to install a trojan on your computer, the next time you log on to eBay or PayPal they can piggyback on your logon to perform their own transactions – the token authenticated the session, and the trojan simply uses that session.
These two methods for bypassing one-time passwords are not new – they were reported by Bruce Schneier back in March 2005. What does this mean for the new PayPal and eBay security devices? Well, it’ll make the phishers’ lives harder, but so far the devices are only available in the US, Australia and Germany, leaving plenty of targets for phishers in the other eBay and PayPal territories. Secondly, they’re not compulsory: they are free for PayPal Business accounts, but the $5 cost will put off many users, who are arguably the most vulnerable. Finally, the efficacy of the tokens themselves has to be questioned. It’s technology that’s been around since before most of today’s hackers first logged on to the Internet, and it was designed for dial-up connections to corporate networks. Hackers have grown up looking for ways to render them useless.
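To make the two points above concrete, here is an added example (not code from the original post, PayPal or VeriSign): a server-side verifier for a six-digit, 30-second code of the kind PayPal describes, with replay protection (the “then the code expires” claim), a one-step grace window for slow connections, and a transaction-bound variant that shows why a plain code can be relayed by a man-in-the-middle page yet a code computed over the transaction details cannot. The secret, clock value and transaction string are constructed for the demo, and the binding scheme is an illustration of the mitigation, not any vendor’s protocol.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as PayPal describes for its key
DIGITS = 6   # six-digit code

def hotp(secret: bytes, counter: int, bound: bytes = b"") -> str:
    """HOTP-style code: HMAC-SHA1 over the 8-byte counter, optionally followed
    by the transaction details the code is bound to, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + bound, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, now: int, bound: bytes = b"") -> str:
    """Time-based code for the 30-second step containing `now` (seconds)."""
    return hotp(secret, now // STEP, bound)

class Verifier:
    """Server side of the check: `window` extra steps either side tolerate a
    slow connection; each step is accepted at most once, so a code 'expires'."""
    def __init__(self, secret: bytes, window: int = 1):
        self.secret, self.window, self.last_step = secret, window, -1

    def verify(self, code: str, now: int, bound: bytes = b"") -> bool:
        step = now // STEP
        for cand in range(step - self.window, step + self.window + 1):
            if cand <= self.last_step:          # already used: reject replay
                continue
            if hmac.compare_digest(hotp(self.secret, cand, bound), code):
                self.last_step = cand
                return True
        return False

def demo() -> dict:
    secret = b"constructed-demo-seed"   # constructed, not a real token seed
    t = 1_000_000                       # constructed clock value in seconds
    v = Verifier(secret)
    fresh = v.verify(totp(secret, t), t)             # True: first use accepted
    replay = v.verify(totp(secret, t), t)            # False: same step twice
    slow = v.verify(totp(secret, t + 100), t + 135)  # True: 35 s late, in window
    # A plain code says nothing about what it authorises, so one typed into a
    # relaying page verifies just as the user's own would. Binding the code to
    # the transaction details means a code computed for a login fails for a
    # payment, and only a code computed over that payment is accepted.
    tx = b"pay:merchant@example.test:25.00"   # constructed transaction string
    v2 = Verifier(secret)
    relayed = v2.verify(totp(secret, t), t, tx)      # False: login code, payment check
    bound = v2.verify(totp(secret, t, tx), t, tx)    # True: code bound to payment
    return {"fresh": fresh, "replay": replay, "slow": slow, "relayed": relayed, "bound": bound}
```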
It remains to be seen whether the promise of security will result in users lowering their guard still further. After all, no one can access your account without your token, can they? Well, possibly they can – users need to be as vigilant as ever. As Blogging Stocks asks, “Are the days at an end to eBay and PayPal phishing scams?” Sadly, the chances are they’re only just beginning!
5 Responses
But true hope costs less and covers all the threats mentioned in this very good article. Take a look at http://www.sentry-com.co.il and you will find a unique solution that frees the consumer from any device except a cellular or other phone. It also provides full authentication when you call the call centre.
While cynicism and pessimism are hallmarks of a true security pro, it is worth noting that the see-saw of attack/defense rises as well as falls.
Yes, MitM attacks, as well as targeted trojans, are presumptively effective attacks, but there are also new defenses that can block them.
RSA seems to be waiting for the IETF to publish its new cryptographically secure protocol, Protected One-Time Passwords (POTP) – although it was approved by the IETF’s Engineering Board in October, and is already embedded in RSA products and those of several leading switch manufacturers — but you can review its mechanics on the RSA Labs’ website, where it is listed as one of RSA’s “One Time Password Specifications” (OTPS).
Where RSA finds more security, VeriSign (and eBay, PayPal, etc.) will surely follow.
POTP blocks MitM attacks with a local desktop agent that interacts with the server to establish a crypto secret, which is never transmitted, but can then be used to secure the session and (as well) provide a key for additional crypto functions.
Many financial institutions today often buttress strong (2FA) authentication with a back office transaction monitor which collects and tracks, in real time, a slew of data points about the consumer, his transaction, and the device he typically uses for transactions. The monitor typically fires off an alert or alarm if a new incoming call varies significantly from the consumer’s past habits and practice so the site’s adaptive authentication processes can demand more surety proofs.
There will doubtless be new attacks developed by the bad guys as these defenses fall into place, but that will only spur the vendors and eCommerce sites to grab their suspenders and move new defenses into place. It is a historically endless cycle, hopefully abbreviated as law enforcement gets its act together and begins to nail and jail more of the predators. It is also worth noting that groups of low-level crooks fall by the wayside with each new defense barrier; others are forced to rely on other people’s attack code which they don’t fully understand — which raises their vulnerability to the Lawmen.
These are absolutely useless to dial-up users. You simply can’t load the pages quickly enough most times for the key code to remain valid. In my own trials, about 9 of 10 logins resulted in failure. And that’s not single key entries, but logins. Each login allows repeated attempts to enter a valid key before it simply gives up and asks for two successive keys, like during the device’s activation. My experience left me deactivating the device’s use in PayPal after 1 day. I can’t imagine trying to use these things while actually bidding on eBay. There are much better ways to waste $5 on eBay/PayPal.
‘Mai Name’ said “I can’t imagine trying to use these things while actually bidding on eBay.”
That’s probably because you WOULDN’T HAVE TO use it while actually BIDDING, you cretinous moron…
Jesus. Are people this stupid allowed out into society?
Whilst your comment is partially valid, you do have to confirm your password when bidding if not already fully logged into eBay. If one was bidding in the final moments of an auction on a slow connection, any problems could mean that by the time you were logged in it would be too late to bid. It is possible to access your account if you were logged in previously, but eBay will still ask you to confirm your password prior to performing certain actions on the site. The answer, as you infer, is to make sure you’re fully logged in prior to bidding.
In future however please refrain from belittling other commentators on the TameBay site even if you have an opposing opinion.