Scott Cate's WebLog


PayPal.com - OpenID - VeriSign - ScottCate.com

Last week I was in Boise, speaking to their .NET User Group, with INETA.org. The group leader, Cory Isakson, was talking about his PayPal Security Key. This is the key-chain fob that has a tiny screen and a single button on it. Press the button, get a 6-digit security code. Then when you sign into PayPal (or eBay) you type your password and append the 6-digit code. If you leave off the 6-digit code, it asks you for it on the next screen. It works great.

It makes sense for PayPal to have this. If every login needed a code from a security key that changes every 30 seconds, a phished password would be useless on its own within half a minute, so the classic phishing attack (harvest credentials now, use them later) would almost always fail. I had to surf around the PayPal site for a while until I found it, so here's a screen shot of what to look for.
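As an added example, not code from the post and not PayPal's or VeriSign's actual algorithm (the post does not describe how the fob derives its code), here is the standard RFC 4226/6238 HOTP/TOTP construction that gives the same user experience: a 6-digit code from a shared seed that rolls every 30 seconds, appended to the password. The seed is the RFC test-vector key and the password is made up; both are assumptions for the demo. The verifier also refuses to accept a time step it has already accepted, which is the check that blunts the "capture the code and use it immediately" attack raised in the comments below.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds per code, as the post describes
DIGITS = 6

# Constructed demo values, not anything from PayPal or VeriSign: the seed is the
# RFC 4226/6238 test-vector key "12345678901234567890", base32-encoded.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_PASSWORD = "correct horse battery staple"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the current time step."""
    return hotp(secret, now // step)


def split_credential(submitted: str):
    """Split 'password + 6 digits' into (password, code). With no trailing
    digits the code is None, so the site can prompt for it on the next screen.
    Caveat: a password that itself ends in six digits would be mis-split,
    which is why a separate code field is the safer UI."""
    if len(submitted) > DIGITS and submitted[-DIGITS:].isdigit():
        return submitted[:-DIGITS], submitted[-DIGITS:]
    return submitted, None


class OtpVerifier:
    """Server-side check of password plus appended one-time code.

    `window` allows +/- that many 30-second steps of clock drift between fob
    and server. `last_counter` records the newest accepted step so a code
    captured by a phishing page cannot be replayed inside its own window."""

    def __init__(self, password: str, secret_b32: str, window: int = 1):
        self.password = password.encode()
        self.secret = base64.b32decode(secret_b32)
        self.window = window
        self.last_counter = -1

    def login(self, submitted: str, now: int) -> str:
        password, code = split_credential(submitted)
        if not hmac.compare_digest(password.encode(), self.password):
            return "bad password"
        if code is None:
            return "need code"
        current = now // STEP
        for c in range(current - self.window, current + self.window + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c          # burn this step: no second use
                return "ok"
        return "bad code"


if __name__ == "__main__":
    secret = base64.b32decode(DEMO_SECRET_B32)
    v = OtpVerifier(DEMO_PASSWORD, DEMO_SECRET_B32)
    code = totp(secret, 59)                     # "287082", RFC 6238 test vector
    print(v.login(DEMO_PASSWORD, 59))           # need code
    print(v.login(DEMO_PASSWORD + code, 59))    # ok
    print(v.login(DEMO_PASSWORD + code, 70))    # bad code: replayed within the window
```

The replay check only closes the window for a code the real user has already submitted. A phishing page that captures the code and logs in before the victim does still wins that race, which is the limit of any time-based fob and the reason a relying party should bind the session to something the attacker cannot forward (a signed challenge, or a per-transaction code) rather than to a bare OTP.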

Paypal Security Key

You can get your PayPal security key for $5.00, right on the profile screen.

The best part -- it's a VeriSign device. VeriSign has a new openid provider, that of course uses the security key. This means that for $5, I have a key fob that works with all my openid sites.

<link rel="openid.server" href="https://pip.verisignlabs.com/server" />
<link rel="openid.delegate" href="http://scottcate.pip.verisignlabs.com/" />

With the above OpenID link tags in the head of ScottCate.com, I can use "ScottCate.com" as my OpenID, and the sites that accept it are approved or denied through my VeriSign security key / OpenID login. Today I feel secure :)
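To show what a relying party does with those two link tags, here is an added example (my code, not Scott's and not VeriSign's) of OpenID 1.1 HTML discovery: fetch the claimed identity page, read rel="openid.server" and rel="openid.delegate" from its head, and hand the login off to that server. The sample page is a constructed copy of the post's tags, and the parser also recognises the OpenID 2.0 rel names (openid2.provider, openid2.local_id), which goes beyond what the post shows. The HTTPS requirement on the server URL is a policy I have assumed here, not something the spec demands.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Preferred name first: a page carrying both 2.0 and 1.1 tags is treated as 2.0.
REL_SERVER = ("openid2.provider", "openid.server")
REL_LOCAL_ID = ("openid2.local_id", "openid.delegate")

# Constructed sample: the post's two tags plus a hostile <link> in the body,
# such as one a commenter might manage to inject. Only tags inside <head> count.
SAMPLE_HTML = """<html><head>
<title>ScottCate.com</title>
<link rel="openid.server" href="https://pip.verisignlabs.com/server" />
<link rel="openid.delegate" href="http://scottcate.pip.verisignlabs.com/" />
</head><body>
<link rel="openid.server" href="http://evil.example/server" />
</body></html>"""


class OpenIDLinkParser(HTMLParser):
    """Collect <link rel=... href=...> tags that appear inside <head>.
    The first tag seen for a given rel value wins, as the OpenID HTML
    discovery rules require; anything outside <head> is ignored."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
            return
        if tag != "link" or not self.in_head:
            return
        a = dict(attrs)
        href = a.get("href")
        if not href:
            return
        for rel in (a.get("rel") or "").lower().split():
            self.links.setdefault(rel, href)

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(html: str, claimed_id: str, require_https_server: bool = True) -> dict:
    """Return the server (provider) and local identifier (delegate) for a
    claimed identifier, given the HTML of its identity page."""
    p = OpenIDLinkParser()
    p.feed(html)
    p.close()
    server = next((p.links[r] for r in REL_SERVER if r in p.links), None)
    if server is None:
        raise ValueError("page carries no OpenID server/provider link")
    # Without a delegate tag the claimed identifier is sent to the server as-is.
    local_id = next((p.links[r] for r in REL_LOCAL_ID if r in p.links), claimed_id)
    # Assumed policy for this demo: never send a user to a provider over plain HTTP.
    if require_https_server and urlsplit(server).scheme != "https":
        raise ValueError("refusing non-HTTPS OpenID server: " + server)
    return {
        "claimed_id": claimed_id,
        "server": server,
        "local_id": local_id,
        "version": "2.0" if "openid2.provider" in p.links else "1.1",
    }


if __name__ == "__main__":
    print(discover(SAMPLE_HTML, "http://scottcate.com/"))
```

The check that matters in practice is the one the post glosses over: the relying party learns which provider to trust by reading ScottCate.com, and in 2007 that page was fetched over plain HTTP. Anyone who can tamper with that fetch, or edit the page, can swap the delegate for a provider they control, and the VeriSign fob never enters the picture. Serving the identity page over HTTPS, and pinning the provider once it has been seen, is the corresponding defence.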

UPDATE :: 2007 Oct 03 14:02

There is a little hiccup in the above process if you don't **first** activate your PayPal key fob. So for $5.00 the key fob is sold and sent to you by PayPal. When you receive it, you must activate it on PayPal, and only after it's activated can you link it to your VeriSign OpenID account.

Comments

British Inside said:

Wow, I just LOVE this idea. Ordered.

# October 3, 2007 3:02 PM

Steven Harman said:

I just ordered mine as well. I suppose this will be the motivation to finally add OpenId Support to Subtext. :)

# October 3, 2007 5:02 PM

scott cate said:

If you're adding support to subtext, consider looking at @JasonA dot net open id project. code.google.com/.../dotnetopenid

# October 3, 2007 5:07 PM

Dan Hounshell said:

Thanks for the tip, Scott. Ordered. This might turn out to be better than free CueCats from Radio Shack!

# October 4, 2007 3:28 PM

Angus said:

Makes for an interesting read. Alas, I believe that the phishing attacks will just adapt/evolve. There's simply too much money at stake. It's conceivable that a sophisticated phishing scheme could grab the login details + key code and, instead of using them at a later date, the info would be used to make a login immediately via a zombie. Once a login had been made, then a session can easily be kept alive for a few hours, giving the fraudsters a much larger window to run amok.

Granted, it makes the phishing attacks much less accessible to the likes of script kiddies. However if recent press is to be believed, then the kinds of gangs behind these schemes are well organised criminals with the resources to pull something like this off.

The key fob is a good counter measure, but nothing is 100% safe - don't be lured into a false sense of security and NEVER LET YOUR GUARD DOWN.

# October 25, 2007 6:54 AM

cyberjack said:

Does this mean that if I'm at my buddy's place and don't have my key fob I can't pay for anything with Paypal?

# December 11, 2007 12:37 PM

Josh said:

Also worth noting -- Verisign will sell you this same device for $30 from their own website. Given it's cross-compatible, very much worth getting it through PayPal, even if the device comes branded. Now, how to get access to their authentication service without OpenID? :P

# February 8, 2008 12:47 AM

Me too said:

In response to Angus: Yes, this is why authentication should never be done in the clear. If your authentication is done via HTTPS, you should be only susceptible to trojans that live on your own PC, and they probably cannot process the information (send it somewhere else) in 30 seconds, unless it was designed to do exactly this. Then your theory has one other issue: the bot that will use your credentials presumably will run them against the same resource (web site). Usually most web sites do not allow the same person to be logged in twice, unless the session is coming from the same instance of your own web browser, which is a bigger problem. Usually it leads to one session invalidating the other.

Also I believe the YubiKey I mentioned is not susceptible to this issue, since the OTP it generates is combined with a counter and you definitely cannot use the same OTP twice.

# March 16, 2009 2:04 AM