PayPal and eBay launch one-time passwords
It has been talked about since CeBIT 2006, and now it has entered the test phase: eBay and PayPal are offering security tokens to make authentication more secure. A security key is to be added to the password already needed to log in, in order to make life harder for phishers. At short intervals (every 30 seconds), the key generates a new six-digit number that is required to log in. After 30 seconds, the number can no longer be used; phishers thus cannot use it later.
Unfortunately, claims that such "2-factor authentication" offers better protection are a bit misleading. The PIN/TAN method that banks use is also 2-factor authentication and has proven to be very vulnerable to phishing attacks. Authentication with tokens does, however, provide greater security because time comes into play.
On the other hand, there are already real-time man-in-the-middle attacks and trojans that can log in with a stolen number and manipulate an account. In mid-2006, customers of Citibank USA were the victims of such an attack when a Russian web site stole such tokens. With the data, the specially prepared server had sixty seconds to log in to genuine Citibank servers. RSA, itself a vendor of security tokens, even says it has discovered a universal phishing kit on the internet that allegedly facilitates such attacks.
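The expiry behaviour described above can be shown from the server's side. This is an added example, not code from PayPal, eBay or VeriSign: it assumes the standard RFC 6238 time-based algorithm (HMAC-SHA1), which the article does not name, and the names `totp`, `Verifier` and `demo` are hypothetical. It shows that a code is accepted on first presentation inside its 30-second step no matter who submits it, and that only reuse and late use are refused.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds a code stays valid, as in the article
DIGITS = 6     # six-digit code, as in the article


def totp(secret: bytes, now: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now` (assumed algorithm)."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server side: accepts a code only in its own time step, and only once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1   # highest time step already consumed

    def check(self, code: str, now: float) -> str:
        step = int(now) // STEP
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return "rejected: wrong or expired code"
        if step <= self.last_step:
            return "rejected: code already used"
        self.last_step = step
        return "accepted"


def demo() -> list:
    secret = b"12345678901234567890"   # constructed secret (the RFC 6238 test key)
    server = Verifier(secret)
    t0 = 59                            # constructed timestamp, last second of its step
    code = totp(secret, t0)
    return [
        code,
        server.check(code, t0),        # first presentation inside the window
        server.check(code, t0),        # same code again inside the window
        server.check(code, t0 + 1),    # presented after the window has rolled over
    ]


if __name__ == "__main__":
    print(demo())
```

The verifier has no way to tell who presents a code inside the window, which is why the time limit stops later reuse but not a real-time relay.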
Nonetheless, eBay and PayPal have raised the ante with these tokens. Key-compatible tokens from VeriSign will soon hit the market in the public test phase for 4.95 euros; they can already be ordered. No other charges are incurred during use. For your account to interact smoothly with the technology, you must first enable your account for authentication via tokens. For more information, visit PayPal.
- PayPal Security Key, PayPal's announcement