PayPal Security Key

JDMurray

Is anybody using the new PayPal Security Key? It's a temporary password generator that creates a random, 6-digit number every 30 seconds. You need to enter this number with your PayPal password to authenticate each of your PayPal transactions. Without the number generated by your specific PayPal Security Key your PayPal password by itself is useless.

The PayPal Security Key is only $5US to buy and free to activate; I'd like hear if anybody has had any problems using it before I buy one for myself.

christenm123

Hmm, seems neat. I don't use paypal all that often myself, so this wouldn't be useful to me. The only time I use paypal is the odd time I buy something off eBay, and I don't sell or anything. Also, if its only 5$, why don't you just go for it? What have you got to lose?

Webmaster

I use similar hardware tokens for online banking, but those aren't from Verisign and this Paypal device is, so it looks good to me. I'm definitely going to get it.

Bob Kiwi

I just got one myself. They are quite nice.

For more information, check out Security Now! (its a podcast from GRC/TWiT). They have been raving about it for a few weeks, check the show notes.

JDMurray

Yeah, I've been catching up on the Security Now! podcasts and that was the first I've heard of it. PayPal started the beta test of this security key program in Jan or Feb this year, and the beta ended in June, but I haven't noticed any direct marketing about it. eBay may only be advertising it to its corporate customers.

The security key device itself is a VASCO Digipass GO 3 token and uses the VeriSign Identity Protection service. One day we'll all have a pocket full of these devices, so I think I'll order one today and blog about it.

christenm123 wrote:

Also, if its only 5$, why don't you just go for it? What have you got to lose?

Well, once you switch your PayPal account over to using the token it can't be switched back. If I don't have the device with me I can't use PayPal like I can when using a password-only PayPal account. And what do you do when the battery in the thing dies? How long will I not be able to use PayPal while I wait to receive a replacement?

RussS

Not for me. Paypal is owned by ebay is it not? Well, considering I got screwed out of a fairly large sum of money after someone managed to get my secondary email account from ebay I have little faith in their security

Good concept though

sprkymrk

I wanted to add a link to JD's blog on this very topic. He did a great write up on it worth checking out. He's too humble to link to it himself, so I'll do it for him:

http://www.techexams.net/blogs/jdmurray/paypals-security-key#comment-741

JD is not only very tech-savy, but he's a great writer/author. Check it out and leave a comment there or here.

BeaverC32

JD is not only very tech-savy, but he's a great writer/author.

My thoughts exactly. Have you ever considered writing publications for some extra income? It's often hard to find a technical savvy person whose words flow so well.

JDMurray

sprkymrk wrote:

He did a great write up on it worth checking out. He's too humble to link to it himself, so I'll do it for him:

Too humble? Oh please. I completely forgot about this thread. Great idea for the link. And thanks for the complement.

BeaverC32 wrote:

My thoughts exactly. Have you ever considered writing publications for some extra income? It's often hard to find a technical savvy person whose words flow so well.

I did write books for a living, but only part-time to supplement another part-time programming job. It was enough money when I was a single guy living in an apartment, but I never figured out how to earn enough money from writing to pay for a marriage, kids, and a mortgage. It would sure be nice to go back to researching/writing and give up full-time programming for a while. I'm just glad that I am able to exercise my writing skills on a popular Web site like TechExams, and maybe help a few people as well.

mgeorge

I've had mine for about 2 weeks now and I've not had a problem with it. I put it to the test and tried to enter a wrong key several times and it just rejects it, my friend has one and I tried to use his and it gets rejected as well

Also, I've not been able to find an exp date on these, unlike the SecurID types. From what I've heard by rumor, some of the SecurID types had an case intrusion switch inside them, so if they were busted open, they would whipe the certificate/key. I've not been able to confirm this though, but if it is true, is it the same for these keys?

But as for the keyfob its self, I've not had a problem yet and you get them free if you have a premier/business account.

I personally like smartcards better though, but thats just me

JDMurray

mgeorge27 wrote:

From what I've heard by rumor, some of the SecurID types had an case intrusion switch inside them, so if they were busted open, they would whipe the certificate/key. I've not been able to confirm this though, but if it is true, is it the same for these keys?

Either that or the ASIC inside is constructed to be destroyed as the case is pulled apart.

mgeorge27 wrote:

I personally like smartcards better though, but thats just me

I have my fob on the same lanyard as my USB flash drives. It's like carrying around a crazy pocket watch. Not recommended for people that insist on wearing really tight pants, tho.