Paypal Introduces Security Fob
Strikingly similar to the RSA SecurID, PayPal has rolled out their own two-factor authentication (2FA) dongle.
While it's easy to dismiss random number key fobs as susceptible to man-in-the-middle attacks, I do think that if such a device were required on all accounts, it would significantly impact the effectiveness of traditional phishing scams -- assuming the attacker is actually going for PayPal account access.
Trouble is, the Security Key is a) optional and b) non-free, which will surely impact its rollout significantly. Maybe VeriSign (the manufacturer of the fob) will have a fantastically better marketing plan than RSA did, and actually get more than 5% of the PayPal users to adopt it.
The other problem is that there are plenty of PayPal-targeted phishing sites that really don't care about your PayPal login information -- they're just riding on the trust of PayPal to do things like collect credit card numbers, secondary banking information, and identity information. So, they really won't care if you give a correct or incorrect security code.
All that said, it is nice to see that PayPal is deploying a real second channel 2FA, rather than the "ask me for more passwords" 2FA schemes that other financial sites have deployed to comply with U.S. regulatory requirements. I just don't think 2FA, generally, is particularly effective in solving the problem of phishing. I suppose it's better than nothing, though.
