PayPal.com - OpenID - VeriSign - ScottCate.com

re: PayPal.com - OpenID - VeriSign - ScottCate.com

Me too — Mon, 16 Mar 2009 06:04:21 GMT

In response to Angus: Yes, this why authentication should never be done in the clear. If your authentication is done via HTTPS, you should be only susceptible to trojans that live on your own PC and they probably cannot process the information (send it somewhere else) in 30 seconds, unless it was designed to do exactly this. Then your theory has one other issue, the both that will use your credentials presu,ably will run them against the same resource (web site). Usually most web sites do not allow the same persson to be logged in twice. Unless the session is coming from the same instance of your own web browser, which is a bigger problem. Usually it leads to one session invalidating the other.

Also I believe the YubiKey I mentioned is not susceptible to this issue, since the OTP it generates is combined with a counter and you definitely cannot use the same OTP twice.

re: PayPal.com - OpenID - VeriSign - ScottCate.com

Josh — Fri, 08 Feb 2008 05:47:54 GMT

Also worth noting -- Verisign will sell you this same device for $30 from their own website. Given it's cross-compatible, very much worth getting it through PayPal, even if the device comes branded. Now, how to get access to their authentication service without OpenID? :P

re: PayPal.com - OpenID - VeriSign - ScottCate.com

cyberjack — Tue, 11 Dec 2007 17:37:47 GMT

Does this mean that if I'm at my buddy's place and don't have my key fob I can't pay for anything with Paypal?

re: PayPal.com - OpenID - VeriSign - ScottCate.com

Angus — Thu, 25 Oct 2007 10:54:22 GMT

Makes for an interesting read. Alas, I believe that the phishing attacks will just adapt/evolve. There's simply too much money stake. It's conceivable that a sophisticated phishing scheme could grab the login details + key code and instead of using them at a later date, the info would be used to make a login immediately via a zombie. Once a login had been made, then a session can easily be kept alive for a few hours giving the fraudsters a much larger window to run amok.

Granted, it makes the phishing attacks much less accessible to the likes of script kiddies. However if recent press is to be believed, then the kinds of gangs behind these schemes are well organised criminals with the resources to pull something like this off.

The key fob is a good counter measure, but nothing is 100% safe - don't be lured into a false sense of security and NEVER LET YOUR GUARD DOWN.

re: PayPal.com - OpenID - VeriSign - ScottCate.com

Dan Hounshell — Thu, 04 Oct 2007 19:28:53 GMT

Thanks for the tip, Scott. Ordered. This might turn out to be better than free CueCats from Radio Shack!

re: PayPal.com - OpenID - VeriSign - ScottCate.com

scott cate — Wed, 03 Oct 2007 21:07:52 GMT

If you're adding support to subtext, consider looking at @JasonA dot net open id project. code.google.com/.../dotnetopenid

re: Paypal.com - OpenId - Verisign - ScottCate.com

Steven Harman — Wed, 03 Oct 2007 21:02:30 GMT

I just ordered mine as well. I suppose this will be the motivation to finally add OpenId Support to Subtext. :)

Paypal Security Key

British Inside — Wed, 03 Oct 2007 19:02:09 GMT

Wow, I just LOVE this idea. Ordered . [include:blogad]