In association with heise online

RS: We are partners in Get Safe Online UK, but I'm not sure how much work they do with the education system. Now shall we move on to the new initiatives we've got to keep the customer safe?

hS: Yes, you have a connection with VeriSign and they are part of OpenID. PayPal is also a sustaining corporate member of OpenID.

MB: Yes, that's right.

hS: Well, perhaps we can come back to that. You have introduced two new security measures, or rather two versions of the same measure, delivered through two mechanisms. You have the Security Key and the SMS-to-mobile-phone system, both delivering the same one-time 'password'. So how does the system actually work?

MB: The exact mechanism is the sort of happy stuff that crypto people will talk about for long periods of time, discussing the pros and cons of different algorithms, but practically what it does is provide a further one-time password, in the form of a six-digit number, that you use in addition to your user name and original password.

A VeriSign credit card format VIP card

PayPal fob format security key

You have a password delivered by a device (a little like a pager) on which you push a button and it generates the six-digit code, which it displays on the built-in LCD. I've got one here; this happens to be a VeriSign one that we are using in the States (displays something that looks exactly like a credit card, except it has a small LCD window at the top right corner). This one is event based, so each fresh number remains valid until it is used. The other security key is the key fob one (displays the grey plastic pager-like device being shipped to UK customers). On this one, you push the button and each number is good for thirty seconds, because this design has more room for the electronics, so it has a clock in it. As far as we can tell the credit card form factor is preferred by Americans. In the UK we charge £3 for one of these devices.

(The PayPal electronic security key system is supplied to PayPal by VeriSign)

hS: Did you consider giving those security keys away to your customers?

MB: Funnily enough, yes we did. We had the Security Key in pilot in the US for at least six months; in fact we did a lot of trials in the US, Germany and Australia, and when we had it on trial we experimented with different configurations for the system, so we gave Security Keys to one set of users and then we charged a nominal fee to a different group of users. I should add that the figures we just gave for the price in different countries don't cover the cost of the device and the shipping and handling costs, so we are still subsidising the cost of the device. What we discovered was this: if we give it to people they think it's worth what they paid for it, which in this case would be nothing. They don't value it, they don't use it as much, they lose it more often, so we said let's find a price point that is reasonable, and we considered that one large coffee at a coffee shop is going to set you back what, £2 or £3, and if you have a pastry as well, it's definitely going to cost at least that much. Most people can afford that, so we're not putting it at a price point that is disadvantaging anyone, but it does mean that it has value and people take care of it. We were very conscious when we moved out of pilot mode into production that we wanted to charge a little for them, simply because psychologically people treat them better.

Now there are circumstances where we are now experimenting with giving them to account takeover victims, because those are people who have just been abused, whose account has just been abused by criminals, and we want to do what we can to help them. We'd love it if we could predict which people were going to get abused by criminals, but that's a little bit trickier. To the extent we can, we absolutely do want to do what we can to help those people, so they can be very comfortable going forwards.

The other thing we discovered over the trial, as well as in the subsequent months it's been in production, is that for the set of people who use the Security Key, and it's not for everybody, it's really not, the fraud on accounts is almost nothing, so if you are using a key it does make you much, much safer. It's the old thing of, if a burglar is casing a couple of houses next door to each other and one's got good locks on the doors and windows and the other has a window open, guess which one he's going to burgle.

RS: Just to mention that the Security Key is entirely optional. We aren't saying that our customers have to do this.

Permalink: http://h-online.com/-746227