Thursday, August 16, 2007

PayPal's Security Key

PayPal recently introduced its Security Key, two-factor authentication for its millions of customers, in cooperation with VeriSign's growing centralization of two-factor authentication in a typical OpenID style -- eBay is also a partner -- and it adds an extra layer of security to the authentication process, that's a fact. The entire strategy relies on the fact that if a customer's account details get keylogged, or they fall victim to a phishing scam and hand over the account data themselves, the phishers or malware authors wouldn't be able to log in, since the code captured at the time of keylogging would no longer be valid by the time the malicious parties try to use it. PayPal's Security Key:

"Generates a unique six-digit security code about every 30 seconds. You enter that code when you log in to your PayPal or eBay account with your regular user name and password. Then the code expires – no one else can use it. Watch the demo"
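The rotating six-digit code described above, as an added example that is not part of the original post and not PayPal's or VeriSign's code: the page does not say which algorithm the Security Key uses, so the standard RFC 6238 TOTP construction (HMAC-SHA1, 30-second windows, six digits) stands in for it, and the server-side verifier shows what "then the code expires" has to mean in practice: a code is accepted only for its own window and only once. The scenario function, the key and the timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the post: a new code "about every 30 seconds"
DIGITS = 6          # the post: "a unique six-digit security code"


def totp_code(secret: bytes, unix_time: int,
              step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Time-based one-time code (RFC 6238 construction over HMAC-SHA1).

    Assumption: the real Security Key's algorithm is not on the page; this is
    the standard TOTP construction used as a stand-in for it.
    """
    counter = unix_time // step                       # which 30-second window
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side check that makes "then the code expires" actually true.

    A code is accepted only if it matches the current window (plus `drift`
    neighbouring windows to tolerate clock skew) and that window has not
    been consumed before, so a keylogged code is useless both after the
    window passes and if it is replayed inside the window.
    """

    def __init__(self, secret: bytes, drift: int = 1):
        self.secret = secret
        self.drift = drift
        self.accepted = set()    # window counters already consumed

    def verify(self, submitted: str, now: int) -> bool:
        current = now // STEP_SECONDS
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter in self.accepted:
                continue                                   # replay inside the same window
            expected = totp_code(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):   # constant-time comparison
                self.accepted.add(counter)
                return True
        return False


def keylogger_scenario(secret: bytes, login_time: int) -> dict:
    """Constructed scenario from the post: the customer logs in at `login_time`
    while a keylogger captures password and code; the captured code is then
    tried again a few seconds later and again five minutes later."""
    verifier = OtpVerifier(secret)
    code = totp_code(secret, login_time)
    return {
        "customer_login": verifier.verify(code, login_time),
        "replay_same_window": verifier.verify(code, login_time + 5),
        "replay_after_5_minutes": verifier.verify(code, login_time + 300),
    }


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"   # RFC 6238 test-vector key, not a real token seed
    print(keylogger_scenario(demo_secret, 1_187_280_000))
```

Only the first of the three attempts succeeds. Note that the window-consumption set is what blocks the "replay a few seconds later" case; a verifier that merely checks the clock would still accept a code that was keylogged and forwarded within the same 30 seconds.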

However, given the spooky commitment from phishers and malware authors we've been witnessing for the last several years, wouldn't they entirely bypass this extra layer of authentication by simply purchasing the $5 Security Key and, like legitimate customers, start generating security codes, ending up with both the account data and the ability to generate valid access codes as well? Take E-banking for instance: the pseudo-random key generators issued by different banks are supposed to use different algorithms for generating the codes, so that we never get the chance to discuss monocultural insecurities in two-factor authentication. Malicious parties are no longer interested in showing off as rocket scientists, but in being a pragmatic and efficiency-centered crowd. Just as keylogging evolved into "form grabbing" and into hijacking entire sessions on malware-infected PCs right after the user herself authenticates through multi-factor authentication, malicious parties have started coming up with ways of bypassing the security measures put in place rather than confronting them directly.

Flexible notifications for financial transactions through an alert-based system, and static notices sent to a mobile phone, are an alternative. For instance, via the web interface of my E-banking provider I can set it to send me an SMS when amounts within a given range come into or go out of the account, a sort of early warning system for self-vigilance. What I'm missing is a historical "last logged in from" feature, and the option to receive an SMS each and every time someone, me or maybe not me, logs into the account. Features like these should be provided on an opt-in basis, and those customers who truly perceive their value will pay for the service. As always, the market delivers what the customer wants - two-factor authentication - and the irony from a psychological perspective is that, in fact, those with less income are more vigilant about possible fraud attempts than those with more income, who are more gullible since they can afford the losses.
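The opt-in alerting the paragraph asks for, as an added example that is not part of the original post and not any bank's or PayPal's code: a small monitor that keeps the "last logged in from" record, sends an SMS on every login (or, if that option is off, on a login from a country the account has never been used from), and sends an SMS when a transfer at or above the customer's chosen threshold moves in or out. The preference names, the IP addresses (documentation ranges) and the day's events are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class AlertPreferences:
    """Opt-in settings a customer would tick in the web interface.
    Hypothetical field names; they are not any bank's or PayPal's real options."""
    sms_on_every_login: bool = False
    sms_on_new_country: bool = True
    outgoing_threshold: Optional[int] = None   # SMS when this much or more leaves the account
    incoming_threshold: Optional[int] = None   # SMS when this much or more comes in


@dataclass
class AccountMonitor:
    """Keeps the 'last logged in from' record and decides which SMS alerts to send."""
    prefs: AlertPreferences
    last_login: Optional[dict] = None
    seen_countries: Set[str] = field(default_factory=set)

    def on_login(self, when: str, ip: str, country: str) -> List[str]:
        alerts = []
        first_login = not self.seen_countries
        if self.prefs.sms_on_every_login:
            alerts.append(f"SMS: login at {when} from {ip} ({country})")
        elif (self.prefs.sms_on_new_country and not first_login
              and country not in self.seen_countries):
            # the "me or maybe not me" case: a login from somewhere this account never was
            alerts.append(f"SMS: login from new country {country} at {when}; "
                          f"previous login {self.last_login}")
        self.seen_countries.add(country)
        self.last_login = {"when": when, "ip": ip, "country": country}
        return alerts

    def on_transfer(self, when: str, amount: int, outgoing: bool) -> List[str]:
        threshold = (self.prefs.outgoing_threshold if outgoing
                     else self.prefs.incoming_threshold)
        if threshold is not None and amount >= threshold:
            direction = "out of" if outgoing else "into"
            return [f"SMS: {amount} moved {direction} the account at {when}"]
        return []


# Constructed sample events (not real data): one day on one account.
SAMPLE_EVENTS = [
    ("login", "2007-08-16 09:02", "192.0.2.10", "NL"),
    ("transfer", "2007-08-16 09:05", 40, True),
    ("transfer", "2007-08-16 12:30", 1200, True),
    ("login", "2007-08-16 23:48", "203.0.113.7", "BR"),
]


def run_sample(prefs: AlertPreferences):
    """Replay the sample day through a monitor; returns (alerts, monitor)."""
    monitor = AccountMonitor(prefs)
    alerts: List[str] = []
    for event in SAMPLE_EVENTS:
        if event[0] == "login":
            alerts += monitor.on_login(*event[1:])
        else:
            alerts += monitor.on_transfer(*event[1:])
    return alerts, monitor


if __name__ == "__main__":
    opted_in = AlertPreferences(sms_on_every_login=True, outgoing_threshold=500)
    for line in run_sample(opted_in)[0]:
        print(line)
```

With every-login alerts switched on the customer gets three messages for the sample day (two logins and the 1200 transfer); with them off, the first login is silent and the late-night login from a new country is the one that triggers an SMS, carrying the previous login's details so the customer can judge whether it was really them.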