Saturday, January 13, 2007


PayPal anti-phishing token

InfoWorld tells us about a “security key” that PayPal will be offering to its users in the next few months. The security key, which will cost $5 for individual accounts (it'll be free for business accounts), is one of those little key fob devices that generates numbers that are constantly changing:

The security key is actually a small electronic device, designed to clip on to a keychain, that calculates a new numeric password every 30 seconds. PayPal users who sign up to use the device will need to enter their regular passwords as well as the number displayed on the key whenever they log in to the online payment service.
This is the same system that many of us use to log into our corporate networks while we're travelling. The idea is that the key fob generates and displays these numbers in a sequence that isn't predictable by someone who doesn't have the device, but that's known to the authentication servers. If it's properly done, each device is unique and is tied to the account of its owner (you can't use my fob to log into your account). As such, it's part of a two-factor authentication system.

We generally consider that there are three categories of things that we can use for identification: something you know, something you have, and something you are. Passwords and other related things (passphrases, “secret questions”, and so on) are in the first category. A problem with using that alone is that things you know are easily shared, both intentionally and un-. And when it's been compromised it may be hard to determine that, since the theft of a bit of knowledge doesn't deprive you of it.

The key fob is in the second category, something you have. If it's used by itself, your account will also be compromised if it's lost or stolen, of course. But since it's unique — its loss is obvious to you as soon as you need to use it yourself — the compromise will be easily detected.

The third category includes biometric information, such as eye scans and fingerprints. They're not readily stolen (and rather catastrophic when they are), and, while their use isn't particularly convenient yet, it's getting better. Deployment of systems that use biometric data is increasing.

The idea of two-factor authentication is that by using mechanisms from two categories at the same time, the authentication is more robust — it's harder for a thief to learn your password and steal your key fob at the same time. When biometric data is sufficiently convenient, it can replace the key fob as the second factor... or all three can be used, in a three-factor system. One could envision a fingerprint reader built into the key fob, so that while you hold it to read the number, your fingerprint is read automatically and you don't notice any added inconvenience.

Thanks to our friends at F-Secure for pointing to the InfoWorld article. I'm not sure why F-Secure thinks that the key fob won't solve the man-in-the-middle attacks that they warn about later in their blog entry. It won't, of course, stop the man-in-the-middle attacker from stealing the victim's password, but it will prevent the attacker from taking advantage of the password once it's stolen — the attacker won't have the key fob. With a 30-second change interval for the number on the fob, the attacker has an average of 15 seconds, and a maximum of 30, to log in after your credentials are stolen. If this becomes a problem, PayPal can simply institute a 30-second delay before asking for the fob code, or have you enter two consecutive codes.

[Update: A commenter explains the exposure here, so see the comments section for the discussion.]

What's more to the point, though, is that many people will find the key fobs to be inconvenient. By the very nature of its being “something you have”, you have to have it. If you misplace it, you have a problem. If you want to use it when you're not at home and you haven't brought it with you, you have a problem. If you lent the car keys to the kids, and that's where the fob is, you have a problem.

Apart from that, it sounds easy because it's just PayPal. But what if your bank should start using these too, and send you its own fob (it won't be using PayPal's, of course)? Oh, and you have two banks. And two credit cards, and they do it too. And your ISP, and.... Before you know it, you'll have to carry a separate tote bag just for the pile of key fobs — and then you have to find the right one when you want to log in. The key-fob system doesn't scale well.

The thing is that in most cases this sort of thing is really for the protection of the financial institution, not of the consumer: in most cases, you are not legally responsible for the loss, even if you stupidly compromise your own password — the institution has to bear the cost, and so the institution will push these sorts of solutions. PayPal seems to be a notable exception to that, where the user's liability may not be limited, as it is with banks and credit cards.

We deal with those inconveniences of authentication systems when our employers tell us we have to. And if you, as an individual, have enough money at risk — or you've already had money stolen by phishers — then perhaps you'll choose to put up with it yourself. But I think that most people will not accept the inconvenience, given the choice. They'll say that it won't happen to them. They won't be fooled by a phisher, their passwords will never be compromised, their accounts will be safe.

And the odds are that they'll be right. Still, phishers steal a lot of money every year, most of it from people who think it won't happen to them. Biometrics may eventually be a better answer, but for now PayPal has an idea worth trying.


Anonymous said...

SecurID and other common keyfobs can be subverted with a man-in-the-middle attack.

Customer goes to the fake bank. Fake bank connects to real bank and initiates login. Fake bank asks user for a SecurID code, then uses that code to login to the real bank, in real time.


Barry Leiba said...

Mm, I see... I had been thinking that the MitM would have to collect the info and then use it quickly, and that can be defended against. But you're right, if the MitM is acting like a proxy, the defense I had in mind fails.