Wednesday, March 07, 2007

PayPal security token…not ready for prime time yet?



I was excited about PayPal releasing a two factor auth system for account access. I spent the $5 and ordered one. I have a soft spot for responding to random emails asking for my PayPal account info. I thought with a device such as this I would no longer have to worry about which email asking me to verify my account details I needed to respond to. I got my slick looking security token today, went to the website and set it up. Now when logging in I am asked for the 6 digit number on my token.

Here is the rub: it doesn’t work. When I enter the number I get an error message telling me to check the value and try again. You can still log in but you have to do something like use your entire bank account number as authentication. I deactivated it and set it up again 3 different times and still no joy. If I can’t get it working I have no idea what mom-and-pop users are supposed to do. Of course I freely admit this may be an error on my part, although I followed the instructions step-by-step 3 different times.


Bad PayPal, no cookie.

UPDATE: A lot of people missed my sarcastic post here. I really don't respond to emails asking for my PayPal details and I know that two-factor auth won't stop a real-time phishing attack.

11 comments:

one.miguel said...

Did you type in "240919" by chance? :-)

The problem I've had with tokens (although I haven't used the PayPal one) is that the time starts when the login page is called, NOT when you hit submit.

For example, if it takes me 10 seconds to enter the information, the code might have changed in that time.

Does the PayPal token have an indicator for how long before the code will change? Maybe try watching when the code changes and then hit refresh on the login page.
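The timing problem raised in the comment above, as an added example that is not part of the original post and is not PayPal's code: a time-step one-time-code check that accepts codes from adjacent time steps, so a code read just before it rolls over still verifies at submit time. It assumes RFC 6238 TOTP with a 30-second step (the page does not say which algorithm or interval the PayPal token uses); the secret and timestamps are constructed.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code; assumed, the page gives no interval
DIGITS = 6   # the post mentions a 6 digit number


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def code_at(secret: bytes, unix_time: int) -> str:
    """Code the token would display at a given time."""
    return hotp(secret, unix_time // STEP)


def verify(secret, submitted, now, window=1, last_used=-1):
    """Check a code at submit time, not at page-load time.

    window:    time steps accepted either side of 'now' (typing delay, drift).
    last_used: highest step already accepted, so a code cannot be replayed.
    Returns the matched step, or None on failure.
    """
    current = now // STEP
    for step in range(current - window, current + window + 1):
        if step <= last_used:
            continue  # already consumed: reject replays
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed: the RFC 6238 test key
    t_read, t_submit = 59, 70         # read 1 s before rollover, submit 11 s later
    code = code_at(secret, t_read)
    print("code read:      ", code)
    print("strict check:   ", verify(secret, code, t_submit, window=0))
    print("window=1 check: ", verify(secret, code, t_submit, window=1))
    print("replayed code:  ", verify(secret, code, t_submit, last_used=1))
```

Each extra accepted step also lengthens the time a captured code stays usable, so the window is kept small and the last accepted step is stored per account.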

NIST.org said...

I ordered one for testing. Works fine on both PayPal and eBay (you have to register it in both places). There is no indicator with a countdown.

Mine registered just fine. Triple check the device number, mine starts with 2 letters followed by all numbers.

btw: For anyone else reading this, token devices do not prevent man-in-the-middle attacks. If you visit a malicious site they'll capture your information in real time, pass the login information, then cut you off. You may get a screen back that looks like it's from PayPal saying that something is wrong. At that point they can clean you out. (not suggesting that this is what is happening here).

John at http://NIST.org

Mokum said...

Seems your problem is not unique. On the PayPal order page, it now reads:
"The Security Key is currently not available. Please try again later."
Ewout at http://meij.net

Roland said...

Does this device require a PIN, as well? Because if it doesn't, someone can steal your hardware token and, if he knows your PayPal ID, clean you out.

Schlum said...

I had similar problems with my PayPal token and could not register... I tried again the next day typing the number in as soon as I could because it changes after some time.. but still no luck.

Why can this not be simpler?
Why can it not be like a car or a house key where if you have the key, somehow PayPal knows about it and allows you to continue?

Some key connected to the PC thru USB or bluetooth or whatever?

Now that would be cool!!

schlum

Tompsci said...

How does Two-Factor security protect you from phishing attacks? Two-Factor authentication only authenticates the user, not the website. What it does give you is that if someone steals your password you won't notice, but if they steal your token then (hopefully) you will.

Patrick said...

I had gotten one last week and had no problems registering it with either eBay or PayPal.

Security Retentive said...

Have you tried it again? I've heard rumors of spotty behavior for a few people.

phodara said...

It worked perfectly for me. I followed the instructions and set it up for both PayPal and eBay, it took about five minutes. I love it.

Did you RTFM?

fduplex said...

I just got my security key in the mail and when I press the button nothing happens. It appears mine is DOA. Waiting for a reply from PayPal about the problem. Has anyone else gotten a DOA?

Leonardo said...

You can use the IronKey as a USB version of this for eBay and PayPal.

: )