New PayPal key to help thwart phishers
The PayPal Security Key is actually a small electronic device, designed to clip on to a keychain, that calculates a new numeric password every 30 seconds. PayPal users who sign up to use the device will need to enter their regular passwords as well as the number displayed on the key whenever they log in to the online payment service.
- Y! MyWeb

HSBC bank have adopted the same approach for their customers, so it's probably been well looked into. Phishers would certainly have to be on their toes to transfer the login code into the real PayPal site within the 30-second time limit.
If this is the accepted way forward though we'll soon be needing some sort of universal controller - I'll have three of these 'handy keychain' devices now!
If it makes it safer, I'm
If it makes it safer, I'm in. Not that I've had any known problems to date, but still - good for them for taking the step.
Where's my dinosaur?
Recently my bank migrated to the new online security measures to combat phishing...
http://blog.washingtonpost.com/securityfix/2006/10/phishers_respond_to_web_bankin.html
Now, unless I see a stegosaurus, I shouldn't log in to the website. I think this is a good measure for my little local bank, but I see why this wouldn't work for PayPal. There's simply too much effort being put into scamming PayPal for a few dozen avatars to fix.
As the WP article points out, I don't think this key helps much. Can't phishing sites just ask for your magic keychain code number, too?
>can't phishing sites just
> can't phishing sites just ask for your magic keychain code number, too
Yes, but then they would have to use that data in the 'real' PayPal within the 30-second time limit. After that has expired you need to generate a new one (the old one becomes invalid).
I assume the code generated incorporates a time limit within the algorithm. Maybe (probably) someone can crack that in time, especially if it is based on the account details, which you would still pick up on the phishing site. It all makes it harder for them though, which is a good step.
I've been using these for a while
I've been using these devices for something like 4 or 5 years now. It's a decent security mechanism, but practical problems exist - especially if you are on the road a lot and they don't fit on your keychain. Surprisingly, these things seem to last for literally years without needing a new battery.
My latest and greatest one has a url on the back - http://www.securecomputing.com/
I still don't see any reason
I still don't see any reason why a phishing operation can't hijack an account in 30 seconds.
Computer programs run in milliseconds; you're waiting only on web traffic after the user provides the information.
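The thread keeps circling back to one question: what does the 30-second code actually buy you against a phishing site that relays your login in real time? The following is an added example written for this page, not code from PayPal, from the article, or from any commenter. It assumes the keychain device is a time-based one-time password in the RFC 6238 style (HMAC-SHA1 over a 30-second counter, six digits); the article only says "a new numeric password every 30 seconds", so the algorithm, the six-digit length, the seed (taken from the RFC 6238 test vectors) and the login timestamps are all assumptions made for the demo. The `hotp`, `totp`, `TotpVerifier` and `simulate` names are mine. The simulation shows a code being rejected once its window has passed or once it has been consumed, but accepted when a relay forwards it within the window before the victim's own session reaches the real site, which is exactly the man-in-the-middle case raised above.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the key rolls its code every 30 seconds (from the article)
DIGITS = 6          # assumption: the article only says "numeric password"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step).
    This is what the keychain device would display at `unix_time`."""
    return hotp(secret, int(unix_time) // step)


class TotpVerifier:
    """Server side. Accepts the code for the current step (plus `drift_steps`
    neighbouring steps for clock skew) and burns each step once it is used,
    so a code cannot be replayed even inside its own window."""

    def __init__(self, secret: bytes, drift_steps: int = 0):
        self.secret = secret
        self.drift_steps = drift_steps
        self.used_steps: set[int] = set()

    def verify(self, code: str, unix_time: int) -> bool:
        step = int(unix_time) // STEP_SECONDS
        for candidate in range(step - self.drift_steps, step + self.drift_steps + 1):
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected.encode(), str(code).encode()):
                if candidate in self.used_steps:
                    return False        # already consumed: replay
                self.used_steps.add(candidate)
                return True
        return False                    # no step in the window matches


SHARED_SECRET = b"12345678901234567890"  # RFC 6238 test-vector seed, used here as demo data
T0 = 1111111080                          # constructed login time, aligned to a step boundary


def simulate(secret: bytes = SHARED_SECRET, t0: int = T0) -> dict:
    """Run the attack scenarios discussed in the thread against a fresh server each time."""
    results = {}

    # 1. The user types password + displayed code straight into the real site.
    server = TotpVerifier(secret)
    results["legitimate_login"] = server.verify(totp(secret, t0), t0)

    # 2. A phisher harvested the code but only tries it 90 s later: stale counter, rejected.
    server = TotpVerifier(secret)
    results["replay_after_window"] = server.verify(totp(secret, t0), t0 + 90)

    # 3. A relaying phishing site forwards the code to the real site 3 s later,
    #    before the victim ever reaches the real site: accepted. The key does not help here.
    server = TotpVerifier(secret)
    captured_by_phisher = totp(secret, t0)
    results["relay_within_window"] = server.verify(captured_by_phisher, t0 + 3)

    # 4. The user already logged in with that code; the phisher replays it in the same
    #    window: the step is burned, rejected.
    server = TotpVerifier(secret)
    server.verify(totp(secret, t0), t0)
    results["replay_after_use"] = server.verify(totp(secret, t0), t0 + 3)

    # 5. Clock-boundary caveat: a code read at second 29 and submitted at second 31 fails
    #    on a strict server, so real deployments accept a neighbouring step, which also
    #    stretches the relay attacker's budget beyond a literal 30 seconds.
    strict = TotpVerifier(secret, drift_steps=0)
    tolerant = TotpVerifier(secret, drift_steps=1)
    late_code = totp(secret, t0 + 29)
    results["boundary_strict"] = strict.verify(late_code, t0 + 31)
    results["boundary_tolerant"] = tolerant.verify(late_code, t0 + 31)
    return results


if __name__ == "__main__":
    for scenario, accepted in simulate().items():
        print(f"{scenario:24s} {'ACCEPTED' if accepted else 'rejected'}")
```

Scenarios 3 and 5 are the ones that matter for the argument in this thread: the window only defeats an attacker who stores codes for later, and the drift tolerance every real server needs makes the relay window wider than the number printed on the box. The seed and the two timestamps in the test below are the RFC 6238 SHA-1 vectors truncated to six digits.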
Two-factor authentication
Try this article for another viewpoint:
http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
It would stop someone who only has your password, but wouldn't stop accounts being compromised by trojans or phishing.
You can use a Linux live CD when logging in on public computers which bypasses an infected operating system. That would protect against trojans at least.
Two-factor authentication has
Two-factor authentication has been beaten before, based on exactly that fact. Last July (2006) Citibank was beaten. It was using a 1-minute validity window, and phishers created a man-in-the-middle phishing site to capture the details and attack Citibank in real time. See Netcraft or other reports.
Just this week a Swedish bank busted an attack that took over a million bucks, and interestingly, the Russian hackers set up their phishing websites in the US. Interesting commentary on our homeland security?
>interestingly, the Russian
> interestingly, the Russian hackers set up their phishing websites in the US
I would say that was for two reasons:
There are so many US hosting businesses that attempt to automate the process. They get a copy of cPanel and a billing app, have little if any *nix admin skills and set things up in this way to reduce overheads to a minimum.
My experience of Russian hosts leads me to think they are more secure (simply because they have less trust) - they usually require payment through approved bank transfer before turning on the account.
The second reason would be to stay as far away from your own jurisdiction as possible. Contrary to popular belief, the law here is actually pretty brutal if they catch you hacking.
The phishing/warez sites we have found on .ru domains usually trace back to US owners so I guess it works both ways.
>The phishing/warez sites we
I can see that. People here see a .ru domain and concede that there is no point in chasing Russian spammers.