Add an extra level of security when you log in with the PayPal Security Key.
We protect your account with one of the highest levels of online security available. Now you can add even more protection with the PayPal Security Key.
Submitted:
10 days ago, made popular 10 days 7 hours 52 minutes ago
I continue to be appalled at the gross ignorance and prejudice of the digg readership. I don't know if "user-driven" news sites will ultimately end up succeeding or not, but if they don't, this will surely be one of the reasons.
Anyhow, these security keys are RSA security tokens that PayPal agreed to buy from Verisign back when they purchased the Verisign Payments division. Part of the deal included an agreement to purchase a million of these. And, they are not being cheap by making you pay $5. These keys typically cost around $100 each. PayPal is basically massively subsidizing them to anyone who wants one because the number one reason a PayPal account gets compromised is because the user is stupid enough to either pick an insecure password, write their password down somewhere, click on a link to a phishing site, or otherwise allow someone else to find out what it is. With two-factor authentication, you have to steal the guy's "key" (in the physical manner of stealing car keys) as well as prove that you know the password. This is PayPal paying ~$95 per account (they probably got a volume discount but it's still in the mid-to-high double-digits) to make them much harder to compromise. Every account that is protected in this fashion is therefore able to be much more favorably treated by their real-time fraud models (because it's therefore much more likely that any "weird" activity on the account is just the user doing something wacky, rather than the account having been stolen), enabling them to be much more accurate in fraud detection, resulting in fewer false positives, and therefore decreasing the number of customers who accidentally get screwed over.
In short, this is PayPal paying a lot of money to keep users safe and protect YOUR money.
Pretty much. I think this stuff happens all the time on Digg, we just don't notice it as they would just promote something such as a certain website without making it obvious they work for that company.
I don't think there's any dispute in the security of the RSA SecurID system. I work with these things daily, and they would be painful to hack. I think what everyone here is bitching about is the company providing the tokens. Paypal could easily take the (large) fortune they are making from their bloated fees and provide these for free to every user that isn't a free sign-up, rather than making you pay an additional $5 over and above the charges they already pay.
This is just a standard 2 factor authentication token, similar to RSA SecurID. Now here's one of the problems with it... if you get it, and your account gets hacked, Paypal is going to claim there is no way in hell that someone could hack it and you'd never see your money.
The problem is, it's still not 100% secure. Phishers can still run their phishing site to collect credentials, they just have to monitor it while it's running and use those credentials that you provide within 30 seconds (actually an average of 15 seconds). Paypal could make it harder by requiring you to enter a new password every time you do something related to payments or account changes, but a crafty attacker could still get past it with a little bit of skill and probably a bit of luck.
I actually have two sweet solutions for this little problem, but the whole startup thing just isn't something I can do financially right now. Someone wanna give me a few million to get going? :) It would actually probably be significantly less, but there are some equipment and coding costs involved.
"These keys typically cost around $100 each. PayPal is basically massively subsidizing them "
Crap they do. Sure a single pre-production hand made demo costs $100 each... A million of them ought not cost more than thirty cents, a dollar each if you're a bad negotiator.
I have one of these keys already, one of my banks, HSBC, just automagically mailed them out to all customers in Australia. No need to request, no charge, no fees, it just arrived in the mail one day.
A search on Froogle turns up the lowest price of $20 for one of these tokens from a volume retailer. So it's not a dollar or 30 cents. $20/each is a pretty good million dollar deal volume price, I'd say.
Also, PayPal IS providing them for free - to users with a business account. You know, the people from whom PayPal actually makes any money. For Personal accounts, $5 doesn't sound like too much to ask from users of a free service, as PayPal is paying for the credit card processing fees on payments made by most Personal accounts.
"$20/each is a pretty good million dollar deal volume price, I'd say."
You're kidding, right? Which negotiating school didn't you go to? $20 each for a million tokens is a GREAT price, for the seller, they'd be laughing their guts up and partying for a week once they got the signed order from you for that much!!!
Like I said... thirty cents each, a dollar if you're a bad negotiator. Take it or leave it.
This is frigging lame. I use HSBC banking and they sent me a security key FREE of charge. Read that, FREE.
So, for a fee, Paypal gets to continue f*king its users over right? Yeah give up your chargeback rights and link your account up to your bank account. That's right, when things go bad get ignored and ripped off by Paypal.
Thanks but I'd rather see more Paypal windows broken instead.
A real bank makes a lot more volume of money from their fees than PayPal. Did PayPal ever charge you $27 for being in the negative? Did PayPal spot you half a million to buy a house?
No way, they will cost more to produce than your estimates. Even if your estimates were correct, there's a lot more costs for PayPal:
Freight to Warehouse
Warehouse Storage
Payroll for Warehouse workers and security
The cost of integrating this system into their site (many hours of coding, R&D, and QA)
Training all their help desk employees about these new keys
Lastly the postage to you
That's all I can think of atm, but I'm sure there are more costs than that involved. Why whine over $5? It will make PayPal a hell of a whole lot more secure. I ordered one for my personal account and they sent me a free one for my business account.
To guys above, with all due respect, PayPal's overheads are minute compared to banks, so banks have to claw back money for their services somehow.
PayPal should be able to get a good deal on these security keys, but what the going rate is depends on what is required and where they get them from. I personally don't know how much they go for, but from what I know, Froogle isn't the best place to get an idea of real market prices. Firstly you go to the supplier(s), get a price and then knock them down; if you don't then this is definitely not good business practice. Also to secure future business you shouldn't charge your existing customers for a security key, these should be provided for free, especially if they use their account on a regular basis.
In addition and just out of curiosity, how do you go into minus (the red) on a PayPal account??
"PayPal sucks" comments are exactly what I want to read. NOT. Leave a thoughtful comment if you take the time to comment. Here's my 2 cents:
-No one is forcing you to use PayPal, so don't use it if you don't want to.
-I'd gladly pay the $5.00 for this added layer of protection. I pay $3.95 for a fucking latte.
-Phishing is a serious threat. It's easy to make a "mistake" just *once* and log in to a fake PayPal site (like I almost did). Thank god for Firefox's automatic password/username completion. When the boxes weren't completed automatically for me, I really had to work to see that it was a phishing site. (And Firefox and GMail didn't identify the site as suspicious)
-As a business who has thousands of dollars in my PayPal account AND who has employees who aren't as tech savvy as me - this is a godsend.
-Why don't I go somewhere else? Like Google Checkout? Google Checkout uses my bank account, unlike PayPal's Money Market. I get no interest in my business checking account and like 1.2% in my savings account. I average 4% in the PayPal MM.
I normally wouldn't pay five bucks for this, but it is just another measure to help people from accessing my account. Yeah PAYPAL sucks, but there are not many other options, so I consider this insurance to keep shady people out. $5 is cheap compared to the cost of trying to get your identity or your money back.
How much do you want to bet that getting this will add about fifty new reasons for PayPal to lock/close your account for no good reason? To hell with PayPal...
Having my own merchant account (which does allow me to accept payments from anyone with a Visa, MasterCard, AMEX, etc), I can definitely say that they live in the dark ages of fax, telephone calls, and "real" paper work. Something like emailing with a digital signature is well beyond the current infrastructure.
While this is a great ideal, it simply is just hard to change a multi billion dollar industry while still supporting the millions of customers with credit card swipe machines that require a dedicated phone line.
$5 for extra security? No thank you!! I am happy with my Bank of America free three layer online security, free one-time-use Virtual credit card numbers and complete protection on any unauthorized transaction on the physical credit card
It is only a one time fee, overall I think it is a great addition if you are overly paranoid about hackers. It is probably going to appeal to only the people who know nothing about the internet and security. LOL, of course this little code will do nothing if some stupid employee loses a laptop with account information. Honestly that is your biggest security hole, the employees and the human factor! This will protect you from your human factor (at least to some degree, but not from their mistakes).
Because they are thieves, grossly (some would say intentionally) disorganized and torture to have to work with. Especially as a merchant. I know, we've been burned by them in the past. Unfortunately, we have no choice but to accept them as a method of payment. Perhaps one of the best examples, however, of how they work was seen when Something Awful raised over $27,000 in emergency donations, in 24 hours, for the Red Cross to aid in the Hurricane Katrina recovery effort. PayPal seized that money and then tried to get them to redirect the funds to another charity.
PayPal's approach to handling a merchant problem is to freeze their account, often without warning. This has the resultant effect of preventing the merchant from accepting payment. In other words, PayPal puts them out of business. The net is rife with horror stories (http://www.paypalsucks.com) and the number of merchants who have had problems is unacceptably high.
This is what I've found: for a customer who uses them anywhere from 1-50 times a year for eBay purchases and other small payments of $500 or under, PayPal is just fine. They will charge your credit card or debit your bank account and pay the payee successfully. I have used them for years, paying for things and receiving a few bucks here and there. I have not had problems.
For a merchant who wants to accept payments and may have thousands of dollars in their account at once, using PayPal to accept payments may not be the best decision. Many people have no complaints about them, but they do have problems which have caused sites like www.paypalsucks.com to start operating.
People have EXCELLENT reason to hate PayPal, they use bull tactics, it's as simple as that. While they never have screwed with my small business, I know they could and being a small business without expensive legal resources, I can't do much as their contracts HEAVILY favor them.
The answer for us who haven't been screwed though isn't to not use them, it's to not RELY on them entirely. Sure, I make more money accepting PayPal as a payment source, however having my own merchant account, I'd say 95%+ of my sales go through MY BANK, not PayPal's.
If PayPal closed my account would I be pissed? Hell yeah. Would I be out of business? Far from it.
I get PayPal phishing emails and I don't even use PayPal
I don't even have an account with eBay/PayPal
So spammers are stupid people
Phishing emails are random since they just send till they find a PayPal user
Whatever you do, DO NOT go to https://www.paypal.com and look there.
That would be the last place that would have information about these.
I would avoid Google at all costs, they're useless in cases like this too.
darmichar: Paypal doesn't really say much about how it works, other than from the most basic description.
I'm more curious from a technical perspective. They generate a new key every 30 sec, but do you need to set them to the current date/time so the key they generate is valid, or would any key generated on the correct day/hour work (to compensate for clock drift)?
I use two similar devices from http://www.securecomputing.com to access corporate VPNs for work, and one for my local bank's online banking site. I imagine this PayPal one works similarly, though I cannot claim to offer any insight as to how the damn things actually work.
Let me rephrase.. PayPal's site's FAQ provides only the following explanation of how they work:
How does the Security Key work?
The Security Key creates the account access code by using a complex algorithm that’s unique to your device. When you enter that code after you log in with your user ID and password, our secure servers can verify your identity. This helps prevent unauthorized users from logging in to your PayPal account.
Oh, *NOW* I see. A "complex algorithm" is used, and once I type it in, (after also providing both my username and password) their servers can tell it's me (which they could do before with just my username and password) *rolls eyes*
Look, I think I asked a reasonable question here. What search term or terms can I use to read more about how these random number devices (or whatever they are called - see I don't know, that's why I'm asking) work?
In other words, how does the server know the numerical value I am typing in is the correct one?
In other words, what is this type of encryption called?
OK, the quick explanation is that there is a clock inside of the fob that is hashed with the serial number for the fob, as well as some other numbers that are stored in the firmware of the fob. The resulting hash has 'mod 1000000' applied to it, and the resulting number is displayed as six digits.
When you 'register' or 'activate' your fob, you will be asked to enter three different sets of 6 numbers that the fob generates. (more or less) This makes sure that the fob and the computer that is doing the authentication are working with the same time reference. As they drift later on the server will adjust an offset for your account to 'adjust' the time on the server when calculating the hash to compare against your fob's hash.
You may also have to confirm the serial number for the fob. You will have to enter a password of some sort, which will probably be different from your existing paypal password (recommended) but which I don't know if it is compared.
In all likelihood you will be asked to provide some information that they can use to confirm you are you in the unlikely event that you need to report that your fob is damaged, destroyed or has disappeared.
When you go to a site that you need to authenticate to PayPal at, you will either enter the password you created above, with the number from the fob as a prefix or suffix to your password, or possibly entered into a separate field of the authentication page. The contents are then sent off to PayPal in some way, who compares the results of what it calculates, with what you entered (also comparing for 30 seconds forward and backwards of 'now') and either sends a yea or a nay to the system asking if you are 'you'.
The primary 'down' side to this is that in many cases some number of failures to authenticate result in locking the account. There are others, including attacks to reverse calculate the information used by the fob to generate the string of numbers being displayed, etc.
As Darmichar suggests, there are other resources available. But if you want to treat my discourse as authoritative, I've got no problem with that. Not sure that someone else won't have a problem, but then why would either of us be concerned about that?
[edit] You don't get to 'set' anything on the fob. It has a clock that is set via contacts at the factory, and drift is handled within the server you authenticate to.
The PayPal website says you have to activate the security key system by entering in two consecutive keys generated by the device (you have to wait the 30 secs for the 2nd key of course). Then every time you log into the site you press a button to get the next key which PayPal expects. I don't think that a new key is actually generated every 30 secs, though it is possible if that is how often you log in. So it works by keeping in sync the number of times you log into the site, and the number of times you press the button on the security key. If it gets out of sync, then you may have to reactivate the access key by entering in 2 consecutive numbers. That's how I think it works, though I unfortunately had no hand in designing the system.
Nah, it's not. The end user can push the button like crazy all the time, and it won't stuff up the authentication. It's time based, with some compensation for drift... The auth system checks back and forth 30 seconds if the 'now' number isn't right, and makes a note of what it found. Over a bunch of subsequent authentications, a picture of how the clock in the token is drifting can be built up, and keep it working fine even if it is on the drift.
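The time-window check and per-account drift offset described in the comments above, as an added sketch that is not part of the original thread and not PayPal's, VeriSign's or RSA's code. The token's real algorithm is not given on the page, so HMAC-SHA1 over the serial number and the 30-second step stands in for it; the seed, serial, lockout threshold and replay guard are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30          # seconds each displayed code is valid, per the thread
DIGITS = 6         # "mod 1000000", shown as six digits
WINDOW = 1         # server also tries one step back and one step forward
MAX_FAILURES = 5   # constructed lockout threshold (assumption)


def code_for(secret: bytes, serial: str, step: int) -> str:
    """Keyed hash of (serial, time step), reduced to six decimal digits."""
    msg = serial.encode() + struct.pack(">Q", step)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    return f"{int.from_bytes(digest[-8:], 'big') % 10**DIGITS:0{DIGITS}d}"


def fob_code(secret: bytes, serial: str, fob_time: int) -> str:
    """What the fob displays, given the fob's own (possibly drifting) clock."""
    return code_for(secret, serial, fob_time // STEP)


class TokenAccount:
    """Server-side state for one registered fob."""

    def __init__(self, secret: bytes, serial: str):
        self.secret = secret
        self.serial = serial
        self.drift = 0         # learned clock offset of the fob, in steps
        self.last_step = None  # newest fob step already accepted
        self.failures = 0

    def verify(self, code: str, server_time: int) -> str:
        if self.failures >= MAX_FAILURES:
            return "locked"
        expected = server_time // STEP + self.drift
        # Try the expected step first, then its neighbours.
        for delta in sorted(range(-WINDOW, WINDOW + 1), key=abs):
            step = expected + delta
            candidate = code_for(self.secret, self.serial, step)
            if hmac.compare_digest(candidate, code):
                if self.last_step is not None and step <= self.last_step:
                    # Code was already used once: refuse to accept it again.
                    self.failures += 1
                    return "replayed"
                self.last_step = step
                self.drift += delta  # remember where the fob's clock was found
                self.failures = 0
                return "ok"
        self.failures += 1
        return "rejected"


if __name__ == "__main__":
    secret, serial = b"constructed-demo-seed", "00012345"  # constructed values
    now = 1_700_000_000
    account = TokenAccount(secret, serial)
    first = fob_code(secret, serial, now - 40)   # fob clock 40 s slow
    print(account.verify(first, now), account.drift)
    print(account.verify(first, now + 5))        # same code submitted again
    later = fob_code(secret, serial, now + 3000 - 70)  # now 70 s slow
    print(TokenAccount(secret, serial).verify(later, now + 3000))  # no history
    print(account.verify(later, now + 3000), account.drift)
```

The `last_step` guard only stops a code from being accepted twice; a code relayed by a phishing site before its owner uses it still verifies, which is the limit raised earlier in the thread.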
"It has a clock that is set via contacts at the factory"
You got me interested, so I peeled the serial number label off the back of my fob just now. There's six little holes - two rows of three - in the plastic body, and if you catch the right light you can see a matching six gold contacts on a board a few millimetres down the holes. That's the contacts alright :-)
Actually, this is not encryption at all. It is a form of a random number generator. Provide some seed information to a random number generator, specifically some number that changes (a timestamp for example) a number that is unique to the device (a serial number) possibly some other numbers to reduce the likelihood that you will give a phisher the serial number for your fob and they figure out what time your fob thinks it is from a few displayed numbers. Use that information as a seed on both the fob and the authentication server, and both should end up generating the same number.
The algorithm may be as simple as multiply the timestamp date by the timestamp time, then take that number to the exponent of the serial number of the fob, divide the result by this number, and multiply it by another number, now display the least significant 6 digits. That sort of an algorithm may seem 'complex' to some people.
When the battery dies the fob doesn't display any further numbers. You call up paypal, let them know the condition of the fob, and they ship you a new one. The battery in the constant display SecureID fobs has an average lifetime of about 3 years. Along with the serial number, the fob should be tagged with an expiration date which should arrive before the battery fails. Something like a credit card, the company handling the authentication for paypal should be shipping you a replacement fob on or before the date.
The button you press on the fob to display the current number provides two things. First it increases the battery life by turning off the display when you don't need a number. It also prevents someone from seeing a long series of sequential results which could reduce the security of the random number generator being used.
If I know your password and your account name, then if you are not using a fob for security, paypal will consider me to be you if I give them that information. If you are using a fob, and have no problem keeping track of it, then it is less likely that paypal will be willing to consider me to be you, if I can't give them the right 6 digit number. If I can give them the right number, and your account name, but not your password, then again they are unlikely to think I am you. However if I compromise your fob, and have your password and account information, I am back to being you as far as paypal is concerned.
If you lose your fob, it's a good idea to report it missing right away. Just as it is a good idea to work with them if you suspect your account information has been compromised. If you have a history of losing things, then this form of authentication may not be for you.
>> Actually, this is not encryption at all. It is a form of a random number generator.
I have to disagree with both of these characterizations. Random number generation is not what you are after, with a device like this. You want it to be very predictable (such that the results can be duplicated at the other end). The numbers are far from random.
One goal is to have them be predictable (i.e. duplicatable by the server). The other is to make it *appear* random - unpredictable - (so that someone with the same information set (like "what time it is") cannot figure out the generation key, even though the RSA algorithm is well documented).
By using encryption techniques, the device generates a 6-digit number which is predictable by someone else who has all the same information that you have (which is: current time, serial number of the device, encryption algorithm).
You said >> The algorithm may be as simple as multiply the timestamp date by the timestamp time, then take that number to the exponent of the serial number of the fob, divide the result by this number, and multiply it by another number, now display the least significant 6 digits.
I think that is dependent upon your idea of encryption. I don't happen to consider a hash function to be encryption. It is related to encryption, but is a one way function to generate a non-unique number. With a million fobs out there, it's a given that at any given half minute, at least two of them will be displaying the same number. Presumably the next 30 second interval any two that had a matching number.
A function like that can be used to authenticate who you are, or to generate a number that can be encrypted with your private key to provide a signature for the information that you start with, but on its own you can not generate the source material from the result. The timestamp in question may be 11 digits, or more. Though it may compress to a smaller number if you use a bitmapped data type to store the time. The serial number on the back of my SecureID fob is 8 digits. To the best of my knowledge there is no way to reverse the displayed 6 digits to the serial number. However given the serial number as part of the account, you can validate that the person providing some set of digits is likely to be the one who the account belongs to.
Encryption, as I understand the concept, is the alteration of the source material to hide its content from potential observers as it is being transferred from one location to another. It may be accomplished via either encoding or encyphering, the difference being that encoding may be used to send a very long pre-arranged message between two entities with something as simple as a single bit being flipped in a file that seems otherwise innocuous. Encyphering is applied to either each character, or blocks of bits directly from the source material. Morse Code is an example of a cypher. A page and word number for a book that maps to an instruction or pre-arranged message is an example of a code.
Making a 6 digit hash of the serial number of a fob and the current time, is not encryption as I understand it. If you understand it to be encryption, well OK, that's your understanding. I'll tend to disagree.
You make some good points. But, as you said, I understand this hash function to be encryption. Especially as invented by RSA - who made and patented the initial SecurIDs (http://en.wikipedia.org/wiki/Securid) which this looks identical to in functionality. SecurID uses the RSA patented encryption algorithm to achieve its hash.
Wikipedia's page on hash functions says: "Because of the variety of applications for hash functions (details below), they are often tailored to the application. For example, cryptographic hash functions assume the existence of an adversary who can deliberately try to find inputs with the same hash value. A well designed cryptographic hash function is a "one-way" operation: there is no practical way to calculate a particular data input that will result in a desired hash value, so it is also very difficult to forge. Functions intended for cryptographic hashing, such as MD5, are commonly used as stock hash functions." http://en.wikipedia.org/wiki/Hash_function
Clearly this definition of a hash function alludes to encryption (referring to cryptographic hash). So at least I don't appear to be alone in thinking that hashes are a form of encryption.
Hash functions may not yield results which are decryptable to the original "message", but they do take a message and manipulate it so as to conceal that message. And that, to me, sounds like a form of encryption. (Especially since they sometimes use encryption algorithms to do the hash, as SecurID does, as SHA-1 does, etc.)
For those of you that don't know about this - PayPal really is an evil company. Recently a whistleblower reported that PayPal had weekly meetings to identify accounts they can 'Freeze' for no real reason just so they can steal the money in it.
www.paypalsucks.com is just guerrilla marketing for a competing service. I wouldn't doubt that this post and all the comments are also a part of the ad.
What are you talking about? I even tried to avoid things like this by linking straight to PayPal's site. There were tons of blogs reporting this but I even cut out the middle man and apparently I'm spamming.
Yea I'm sure PayPal is going to pay someone to advertise a service that is limited to a certain amount of people.
I'm sorry but people on this website are retarded if they think this is spam. This is really good information for people with a PayPal account. I ordered one (for free) as soon as I saw the news.
I am interested in getting one of these (I use Paypal and have an interest in security anyway) but couldn't get to the page to order one (it says "The Security Key is currently not available. Please try again later."). Is it only available in the US? (I am in England)
PayPal's UK and European operations are legally a separate entity (due to the UK being part of all the EU bullshit - and having to pay large amount of taxes to the largely unelected corrupt Brussels tax pigs to syphon off to regenerate the EU's new eastern European members, after the fat cats, have gotten a little fatter).
As I understand it, sometimes they might wish to try something out in the US before applying it in the UK or Europe, and sometimes legal issues get in the way.
These are totally bogus sites designed to bait people into using an equally crappy service. They all link to the same "alternative". transfer funds your bank account and daily or get a real merchant account like a big boy.
BTW, I don't agree with charging customers for "extra security", that's total BS. That's like if you went to Bank of America and they asked you to pay extra to have your money in the vault instead of in their sock drawer like all the other peons.
Paypal charges the nominal fee to make sure that the folks who order them actually use them. This is a beta program and they want to get data. If you're willing to pay $5 for it, then you are more likely to use than someone who just got it for free.
I have done over 200 transactions on PayPal with no problems. I think for the VAST majority of people who use them, they are great. It's a very vocal minority who have had problems. Also from a lot of these people who post their "Stories" you never hear the WHOLE story. People just like to blindly believe because everyone wants to band together to hate on a large corporate entity. It's in vogue. I'm not saying that people don't have their problems with PayPal, but all these haters who just hate for the hell of it without any PERSONAL experience ...I mean that's just stupid. This RSA key is a step in the right direction to make things truly secure. More companies need to do this.
You're wrong. It is not a vocal minority and the number of cases that occur without being blogged about is very high. We had a bad experience with PayPal where they assessed a $2 fee against our account but never bothered to tell us about it. Since the account is used to receive payment and not to purchase items, we transfer the money out of the account as soon as it comes in. PayPal couldn't collect the fee (which was for a nonexistent transaction) and froze the account.
Turns out that the fee was billed in error - it was meant for a different merchant. Problem is, it took SIX months to get them to the point where they would admit it and unlock the account. During that time, we could not accept PayPal payments. Fortunately for us, our need for PayPal is few and far between. However, had this happened to a small retail store or EBay merchant, it would have put them out of business.
The number of occurrences for this type of problem is very high. I have spoken with a lot of merchants who have had problems. It's always encouraging to see someone like yourself that has had a good number of transactions without a problem but there are just too many other folks that can't make the same claim as you.
Because they never tried. Their billing system created a fee against our account but never billed for it, never attempted to collect it. It merely created a line item, said it was overdue by three months, and froze the account. It then took six months to get the error corrected and the account unlocked. The bank account that the PayPal account was associated with had sufficient funds.
I really don't know too much about the "anti-PayPal" mentality. I'm sure there are reasons for it, but I've not done the research to have an opinion. Out of curiosity, what is considered the leading PayPal contender? Have there been any recent start-ups trying to "do it better" than PayPal?
Alternatives are out there, but support by merchants is very low. With Google stepping into the market however, it's likely that PayPal will have a reputable contender. And we all know that competition is good for the consumer.
Paypal. Meh. Just another wanna be trying to copy the Credit Card scam like business model online. Getting mighty sick of them spamming me despite multiple requests to 'cease and desist'. Just because I have an eBay account doesn't give them the right to harass me! I'll admit to signing up to Paypal US about 7 years ago. Despite never using it they saw fit to give my private information to later formed PayPal AU without my authorisation. They can go to hell.
As for $100 of value for $5. Bullshit. Processing time is as cheap as chips. If anything these companies should be paying us for every time millions of people get their processing time used to decrypt things that only protect their interests. DRM especially.
Security is a cost of business. Not a consumer extra. Despite the fact paypal is pathetic. They're also under servicing. Wish them every failure. They deserve it
This sounds like a great deal. More online sites should be offering this type of service. I have several online financial accounts and only ETrade offers similar keys and it's $25. For $5 to have extra security is a deal and I hope this catches on and -every- financial online account offers these at a cheap price.
> anyone know if you can use one fob with multiple accounts from different vendors?
It doesn't sound like these fobs are doing public-key crypto, but I don't suppose there's any reason they couldn't. If they did, then you could hand out the public key to multiple sites and give them all the ability to verify the codes.
Needless to say, you should NEVER enter your username and password after clicking on a link like this. A successful phishing attack only needs one small slip up. This link looks ok, but you never know.
Just because you're paranoid, it doesn't mean nobody's after you.
I've been using this sort of 'key' for a while now... my bank issued them some years ago for all their internet banking customers (Lloyds T.S.B.). The only snag is trying to remember where I left the damn thing the next time I come to use it.
Beautiful. Paypal tries to help with phishing scams and what have you, and the large douchebag majority that is digg calls it a ripoff, scam, etc.
People: get a fucking clue. A one-time $5.00 fee is insignificant in the scheme of things. Sure, some banks give these things out for free, but Paypal isn't a bank and they do not rake in the fees that banks do.
I've got a solution for all you whiners and know-nothings out here: you don't like Paypal, then don't do business with them. Don't weigh in with opinions on issues you know nothing about, either: it makes you look stupid, and annoys the rest of us.
Don't do business with PayPal. My exact sentiments. I'd much rather save using a truly open market and risk paying by direct deposit and risk a few losses. Much better than having every transaction hiked up by hidden merchant fees. It's my belief and it's how I act!
Dear All Of You Holier Than Thou Jackasses Who Are Braying About "PayPal Doesn't Suck If You're Secure And Don't Compromise Yourself And The Vocal Minority Is Comprised Of Idiots Who Don't Understand Security Blah Blah",
Fuck yourselves. Once you have to deal with the nightmare that is PayPal "security", you'll understand just how arbitrary their system is and why anything - ANYTHING - they implement can and will be used for evil.
As a very simple example: Can you please account for all of the receipts for everything you've ever purchased? No? Then don't bother selling stuff on eBay! Because when PayPal decides to flag your account for "suspicious activity" you'd better have PROOF that that three year old drill press really is yours! Even if you DO ultimately find proof, you'll still have to wait 6 months to get your money back.
Really? I bought a used snowboard on eBay for $100. Two weeks pass - nothing. I email the guy - nothing. I finally filed with PayPal and had my money back in around a week I believe. There was never any response from the guy or any contact. I love their security.
I've also dealt with Discover who has locked my card while I'm at the mall because apparently I made my purchases too quickly. -security that?
Oh, and yes - I do have a receipt of everything I've bought online as a proof of purchase. Just as I save Credit Card receipts from BnM stores. It only takes 5 seconds to print the page out and throw in a nice filing folder that you can just keep in a closet or somewhere.
They don't give a rat's ass about security. If you guys knew how many dollars are just written off by these douchebags for tax purposes, you'd understand why they really could care less.
PS this "security key" is nothing but RSA's widely deployed SecurID with a PayPal logo on it.
I have used PayPal for years. I've got a PayPal debit card as well. I get 5% on money I keep in my PayPal account, AND they give me 1.5% cashback on everything I buy with the card as long as I put it through as a credit transaction. I have never had any issues with them, my account has always been accurate. Also, when sending funds overseas they are WAY less expensive than the likes of Western Union - and neither I, nor the recipient has to go find the nearest store to get their money. OK, Western Union is perhaps the only way to go to transfer cash, but their rates are horrendous, particularly compared to PayPal.
Also if you're starting out selling stuff online, PayPal is so easy to set up, none of that messing around with Merchant Account set ups, which can be really expensive for a small operation or start up, and take ages to pay you your funds too.
As a web developer, I've set up both PayPal and regular Merchant accounts, and PayPal is way easier - not just coding wise, but the actual loops and hoops one has to jump through to get a Merchant account set up working at times.
My kudos go to PayPal for making an inexpensive range of services securely available for the masses.
Finally, no, I don't have any connection with PayPal, other than as a satisfied customer.
Amen, brother. I've been a customer for quite a few years now - and I couldn't be any happier with them. Managing my account is so easy and the conveniences of buying online and quickly running through Checkout can't be beat. I love PayPal.
What exactly is spam about this? How is PayPal making money off this deal? I really doubt people are going to sign up for PayPal and start using it just because they have a new security key.
Like I said before, this is good information for people to know who already have a PayPal account. All the security you can get to protect yourself is good.
You can go in the red with PayPal if you have a PayPal debit card. Go to a gas station. Swipe card at pump, check pay by credit option. Card will put a $1 hold on your PayPal account. Assuming there is no money in your PayPal account, you go into the red, simply by filling the gas tank. However, although PayPal won't charge you for the overdraft, I'm pretty sure they'll soon terminate your account if you don't pay it back fairly quickly (by re-funding from your bank account, or other credit card etc), or if you keep doing it on a regular basis.
Considering how much the PayPal fees are, on top of eBay getting their cut, these should be free. I'm sure I have paid for them many times over by now.
I thought this info was pretty good and needed to be on the front page. I probably saw your story and saw it didn't have many diggs and submitted it again. It's really not my fault, it's the way digg works, if you don't have a ton of friends it's very hard to get stories on the front page. And it's not really gaming. There's so many stories being submitted that most people don't even read stories with just a few diggs. Quite honestly digg needs to figure something out about this problem because it's way bigger than any other problems digg has.
It's not flawed. Friends don't normally digg their friends' diggs, just what they submit. Again, tell me how I'm making commission off of something that PayPal is making no money on? Also you saying that I make commission makes no sense because you submitted the same story. So I guess I could say maybe you're making commission too? Who's the flawed one?
Ok so, I just ordered mine for free...with my business account. Why do I have a business account? Well....one day I decided I'd just apply for one and make up some fake credentials, and that's how easily I got one. So for all those bitching about $5.....it's very simple to get one for free, stop complaining.
To everyone who says the keys are gone... I just got one a few seconds ago (with a non-business account). Maybe they're only giving them to select people? I have no idea why I'd be one of them.
So, according to the RSA cipher, prime numbers P and Q multiplied get N, which is your public key. But why can the private key only be six digits? That seems rather easy to hack if you ask me.
According to PayPal's Flash movie I am 100% covered from fraudulent use of my account, so why would I pay 5 dollars? Just so I don't have to click the dispute console buttons?