In the recent past I’ve done a lot of harping on the security woes of financial institutions (see here, here, and here) so when I saw this announcement I was both extremely happy and a little disappointed at the same time.
PayPal is about to issue SecureID cards to all business clients in order to provide further account security. Now this is what I’m always talking about when I speak of defense in depth! PayPal will combine layers of security, in this case something I have (SecureID password generator), with something I know (my username/password combo) to ensure it’s actually me accessing the site.
In fact RSA, the company that makes the SecureID platform, has has no reported case of a security breach in 15 years! So, I’m very happy to see PayPal leading the field in implementing this security mechanism. Now I just hope that the real financial institutions like Smith Barney, Bank of America and others will follow suit.
By Joris Evers, Staff Writer, via CNET News.com:
eBay is getting ready to offer its PayPal users a password-generating key fob that promises to increase the security of the online payment service.
The device displays a new one-time password in the form of a six-digit code about every 30 seconds. PayPal clients who opt to use the device will enter this password along with their regular credentials when signing into the service. The key fob is meant as another weapon in the battle on data-thieving phishing scams.
“If a fraudulent party somehow got hold of a person’s username and password, they still wouldn’t be able to get into the account because they don’t have the six-digit code,” Sara Bettencourt, a PayPal spokeswoman, said by phone Thursday. “This by no means is a silver bullet that is going to stop fraud. This is just another layer of protection.”
PayPal Security Key The “PayPal Security Key” will cost $5 for personal PayPal accounts, but will be free for business accounts, Bettencourt said. PayPal has been testing the device with employees for a couple of months and plans to start trials with customers in the next month or so, she said. As of September 30, there were nearly 123 million PayPal accounts, eBay has said.
PayPal users in the U.S., Germany and Australia will be able to sign up for the trial through a special Web site, Bettencourt said. “Based on the response, we look forward to eventually rolling it out in other countries,” she said.
The password-generating device is based on technology from VeriSign, with which eBay entered into a security partnership in 2005. Such key fobs are also used for added security by large corporations for access to corporate resources, and some banks and brokerage firms offer them to clients with a high net worth. Other companies that supply the password gadgets include RSA and Vasco.
eBay and PayPal are common phishing targets. These prevalent scams typically use fraudulent Web sites made to look like legitimate sites and spam e-mail to trick people into giving up their personal information such as login names and passwords.
In a recent survey of Google’s public blacklist of phishing sites, security researcher Michael Sutton found that nearly half of all the active phishing sites targeted either eBay or PayPal. The Google blacklist is used in Google’s Toolbar for Firefox and the Firefox 2.0 browser.