148 Comments
- inactive, on 10/12/2007, -25/+158
I continue to be appalled at the gross ignorance and prejudice of the digg readership. I don't know if "user-driven" news sites will ultimately end up succeeding or not, but if they don't, this will surely be one of the reasons.
Anyhow, these security keys are RSA security tokens that PayPal agreed to buy from Verisign back when they purchased the Verisign Payments division. Part of the deal included an agreement to purchase a million of these. And, they are not being cheap by making you pay $5. These keys typically cost around $100 each. PayPal is basically massively subsidizing them to anyone who wants one because the number one reason a PayPal account gets compromised is because the user is stupid enough to either pick an insecure password, write their password down somewhere, click on a link to a phishing site, or otherwise allow someone else to find out what it is. With two-factor authentication, you have to steal the guy's "key" (in the physical manner of stealing car keys) as well as prove that you know the password. This is PayPal paying ~$95 per account (they probably got a volume discount but it's still in the mid-to-high double-digits) to make them much harder to compromise. Every account that is protected in this fashion is therefore able to be much more favorably treated by their real-time fraud models (because it's therefore much more likely that any "weird" activity on the account is just the user doing something wacky, rather than the account having been stolen), enabling them to be much more accurate in fraud detection, resulting in fewer false positives, and therefore decreasing the number of customers who accidentally get screwed over.
In short, this is PayPal paying a lot of money to keep users safe and protect YOUR money.
- mikev, on 10/12/2007, -33/+107
So I guess for an extra 5 bucks paypal can securely ***** you over?
- sockpuppets, on 10/12/2007, -29/+96
So paypal protects you from criminals... who's going to protect you from paypal?
- Legato, on 10/12/2007, -12/+44
no joke, i've used paypal for years with nothing bad to report...
- inactive, on 10/12/2007, -5/+29
A search on Froogle turns up the lowest price of $20 for one of these tokens from a volume retailer. So it's not a dollar or 30 cents. $20/each is a pretty good million dollar deal volume price, I'd say.
Also, PayPal IS providing them for free - to users with a business account. You know, the people from whom PayPal actually makes any money. For Personal accounts, $5 doesn't sound like too much to ask from users of a free service, as PayPal is paying for the credit card processing fees on payments made by most Personal accounts.
- eliburford, on 10/12/2007, -12/+31
Why does everyone hate PayPal so much?
I might get one of these things.
- redlemon, on 10/12/2007, -4/+22
visa/mastercard should be doing this themselves. in today's world, why can't everyone accept credit cards?
- paralleljay, on 10/12/2007, -8/+23
@ywong137
I don't think there's any dispute in the security of the RSA SecurID system. I work with these things daily, and they would be painful to hack. I think what everyone here is bitching about is the company providing the tokens. Paypal could easily take the (large) fortune they are making from their bloated fees and provide them for free to every user that isn't a free sign-up, rather than making you pay an additional $5 over and above the charges they already pay.
- signal15, on 10/12/2007, -5/+19
This is just a standard 2 factor authentication token, similar to RSA SecurID. Now here's one of the problems with it... if you get it, and your account gets hacked, Paypal is going to claim there is no way in hell that someone could hack it and you'd never see your money.
The problem is, it's still not 100% secure. Phishers can still run their phishing site to collect credentials, they just have to monitor it while it's running and use those credentials that you provide within 30 seconds (actually an average of 15 seconds). Paypal could make it harder by requiring you to enter a new password every time you do something related to payments or account changes, but a crafty attacker could still get past it with a little bit of skill and probably a bit of luck.
I actually have two sweet solutions for this little problem, but the whole startup thing just isn't something I can do financially right now. Someone wanna give me a few million to get going? :) It would actually probably be significantly less, but there are some equipment and coding costs involved.
- DoubtfulSalmon, on 10/12/2007, -7/+20
"These keys typically cost around $100 each. PayPal is basically massively subsidizing them "
Crap they do. Sure a single pre-production hand made demo costs $100 each... A million of them ought not cost more than thirty cents, a dollar each if you're a bad negotiator.
I have one of these keys already, one of my banks, HSBC, just automagically mailed them out to all customers in Australia. No need to request, no charge, no fees, it just arrived in the mail one day.
- bonexaw, on 10/12/2007, -0/+13
Because the infrastructure sucks.
Having my own merchant account (which does allow me to accept payments from anyone with a Visa, MasterCard, AMEX, etc), I can definitely say that they live in the dark ages of fax, telephone calls, and "real" paper work. Something like emailing with a digital signature is well beyond the current infrastructure.
While this is a great ideal, it simply is just hard to change a multi billion dollar industry while still supporting the millions of customers with credit card swipe machines that require a dedicated phone line.
- Karyyk, on 10/12/2007, -12/+25
How much do you want to bet that getting this will add about fifty new reasons for PayPal to lock/close your account for no good reason? To hell with PayPal...
- rusty0101, on 10/12/2007, -1/+14
OK, the quick explanation is that there is a clock inside of the fob that is hashed with the serial number for the fob, as well as some other numbers that are stored in the firmware of the fob. The resulting hash has 'mod 1000000' applied to it, and the resulting number is displayed as six digits.
When you 'register' or 'activate' your fob, you will be asked to enter three different sets of 6 numbers that the fob generates. (more or less) This makes sure that the fob and the computer that is doing the authentication are working with the same time reference. As they drift later on the server will adjust an offset for your account to 'adjust' the time on the server when calculating the hash to compare against your fob's hash.
You may also have to confirm the serial number for the fob. You will have to enter a password of some sort, which will probably be different from your existing paypal password (recommended) but which I don't know if it is compared.
In all likelihood you will be asked to provide some information that they can use to confirm you are you in the unlikely event that you need to report that your fob is damaged, destroyed or has disappeared.
When you go to a site that you need to authenticate to paypal at, you will either enter the password you created above, with the number from the fob as a prefix or suffix to your password, or possibly entered into a separate field of the authentication page. The contents are then sent off to paypal in some way, who compares the results of what it calculates, with what you entered (also comparing for 30 seconds forward and backwards of 'now') and either sends a yea or a nay to the system asking if you are 'you'.
The primary 'down' side to this is that in many cases some number of failures to authenticate result in locking the account. There are others, including attacks to reverse calculate the information used by the fob to generate the string of numbers being displayed, etc.
As Darmichar suggests, there are other resources available. But if you want to treat my discourse as authoritative, I've got no problem with that. Not sure that someone else won't have a problem, but then why would either of us be concerned about that?
[edit] You don't get to 'set' anything on the fob. It has a clock that is set via contacts at the factory, and drift is handled within the server you authenticate to.
- spkaine, on 10/12/2007, -4/+17
"PayPal sucks" comments are exactly what I want to read. NOT. Leave a thoughtful comment if you take the time to comment. Here's my 2 cents:
-No one is forcing you to use PayPal, so don't use it if you don't want to.
-I'd gladly pay the $5.00 for this added layer of protection. I pay $3.95 for a ***** latte.
-Phishing is a serious threat. It's easy to make a "mistake" just *once* and log in to a fake PayPal site (like I almost did). Thank god for Firefox's automatic password/username completion. When the boxes weren't completed automatically for me, I really had to work to see that it was a phishing site. (And Firefox and GMail didn't identify the site as suspicious)
-As a business who has thousands of dollars in my PayPal account AND who has employees who aren't as tech savvy as me - this is a godsend.
-Why don't I go somewhere else? Like google checkout? Google checkout uses my bank account, unlike PayPal's Money Market. I get no interest in my business checking account and like 1.2% in my savings account. I average 4% in the PayPal MM.
- jmontes, on 10/12/2007, -13/+24
http://www.paypalsucks.com/
- DoubtfulSalmon, on 10/12/2007, -2/+12
Uh, video or it didn't happen. I know Paypal is *seriously* evil, but even for them this sounds too "conspiracy theory" for my liking
- BESTenemy, on 10/12/2007, -34/+41
What is this? Corporate spam? PayPal taking over Digg? Are they the new sponsor of diggnation or simply trying to screw us over again?
My advice - want to keep your money safe? Keep 'em away from PayPal. No security keys required.
- Jammer, on 10/12/2007, -0/+7
And how do people pay you via your BoA card, moron?
- eliburford, on 10/12/2007, -6/+13
Why would PayPal be taking over digg?
Do sites have to be sponsors of diggnation to get a story on the front page?
- Darmichar, on 10/12/2007, -9/+16
Whatever you do, DO NOT go to https://www.paypal.com and look there.
That would be the last place that would have information about these.
I would avoid Google at all costs, they're useless in cases like this too.
- Ryosen, on 10/12/2007, -0/+6
Because they are thieves, grossly (some would say intentionally) disorganized and torture to have to work with. Especially as a merchant. I know, we've been burned by them in the past. Unfortunately, we have no choice but to accept them as a method of payment. Perhaps one of the best examples, however, of how they work was seen when Something Awful raised over $27,000 in emergency donations, in 24 hours, for the Red Cross to aid in the Hurricane Katrina recovery effort. PayPal seized that money and then tried to get them to redirect the funds to another charity.
PayPal's approach to handling a merchant problem is to freeze their account, often without warning. This has the resultant effect of preventing the merchant from accepting payment. In other words, PayPal puts them out of business. The net is rife with horror stories (http://www.paypalsucks.com) and the number of merchants who have had problems is unacceptably high.
Links:
http://www.somethingawful.com/d/news/paypal-fiasco-summary.php
http://www.somethingawful.com/d/news/further-proof-paypal.php
- Egoist, on 10/12/2007, -9/+15
@klawz: You're complaining about spending $5 on an expensive device. Who exactly is the cheap one?
- Jammer, on 10/12/2007, -3/+9
Beautiful. Paypal tries to help with phishing scams and what have you, and the large douchebag majority that is digg calls it a ripoff, scam, etc.
People: get a ***** clue. A one-time $5.00 fee is insignificant in the scheme of things. Sure, some banks give these things out for free, but Paypal isn't a bank and they do not rake in the fees that banks do.
I've got a solution for all you whiners and know-nothings out here: you don't like Paypal, then don't do business with them. Don't weigh in with opinions on issues you know nothing about, either: it makes you look stupid, and annoys the rest of us.
- Vorex, on 10/12/2007, -6/+12
@ WikiEasy
A real bank makes a lot more volume of money from their fees than paypal, did paypal ever charge you $27 for being in the negative? did paypal spot you half a million to buy a house?
No way, they will cost more to produce than your estimates. Even if your estimates were correct, there's a lot more costs for paypal:
Freight to Warehouse
Warehouse Storage
Payroll for Warehouse workers and security
The cost of integrating this system into their site (many hours of coding, R&D, and QA)
Training all their help desk employees about these new keys
Lastly the postage to you
That's all I can think of atm, but I'm sure there are more costs than that involved. Why whine over $5? It will make PayPal a hell of a whole lot more secure. I ordered one for my personal account and they sent me a free one for my business account.
- DoubtfulSalmon, on 10/12/2007, -1/+7
"Thats how i think it works"
Nah, it's not. The end user can push the button like crazy all the time, and it won't stuff up the authentication. It's time based, with some compensation for drift... The auth system checks back and forth 30 seconds if the 'now' number isn't right, and makes a note of what it found. Over a bunch of subsequent authentications, a picture of how the clock in the token is drifting can be built up, and keep it working fine even if it is on the drift.
"It has a clock that is set via contacts at the factory"
You got me interested, so I peeled the serial number label off the back of my fob just now. There's six little holes - two rows of three - in the plastic body, and if you catch the right light you can see a matching six gold contacts on a board a few millimetres down the holes. That's the contacts alright :-)
- glucoseboy, on 10/12/2007, -3/+8
Paypal charges the nominal fee to make sure that the folks who order them actually use them. This is a beta program and they want to get data. If you're willing to pay $5 for it, then you are more likely to use it than someone who just got it for free.
- nofxjunkee, on 10/12/2007, -0/+5
This is what I've found: for a customer who uses them anywhere from 1-50 times a year for eBay purchases and other small payments of $500 or under, PayPal is just fine. They will charge your credit card or debit your bank account and pay the payee successfully. I have used them for years, paying for things and receiving a few bucks here and there. I have not had problems.
For a merchant who wants to accept payments and may have thousands of dollars in their account at once, using PayPal to accept payments may not be the best decision. Many people have no complaints about them, but they do have problems which have caused sites like www.paypalsucks.com to start operating.
- mfoley, on 10/12/2007, -0/+5
This is not an RSA SecurID(tm) token, it's a VeriSign token.
Disclosure: I work for RSA.
- inactive, on 10/12/2007, -1/+5
No, I can also order it in Germany
- MrSparky, on 10/12/2007, -1/+5
Blah blah blah STFU.
PayPal isn't great but give them a break - $5?! What's the problem with that?!
You cheap bastards.
- Badfysh, on 10/12/2007, -1/+5
Needless to say, you should NEVER enter your username and password after clicking on a link like this. A successful phishing attack only needs one small slip up. This link looks ok, but you never know.
Just because you're paranoid, it doesn't mean nobody's after you.
- turquoisefish, on 10/12/2007, -4/+8
I am interested in getting one of these (i use Paypal and have an interest in security anyway) but couldn't get to the page to order one (it says "The Security Key is currently not available. Please try again later."). Is it only available in the US? (i am in England)
- digjedi, on 10/12/2007, -1/+5
This sounds like a great deal. More online sites should be offering this type of service. I have several online financial accounts and only ETrade offers similar keys and it's $25. For $5 to have extra security is a deal and I hope this catches on and -every- financial online account offers these at a cheap price.
Thank you Paypal.
- smellinator, on 10/12/2007, -0/+3
@rusty0101:
>> Actually, this is not encryption at all. It is a form of a random number generator.
I have to disagree with both of these characterizations. Random number generation is not what you are after, with a device like this. You want it to be very predictable (such that the results can be duplicated at the other end). The numbers are far from random.
One goal is to have them be predictable (i.e. duplicatable by the server). The other is to make it *appear* random - unpredictable - (so that someone with the same information set (like "what time it is") cannot figure out the generation key, even though the RSA algorithm is well documented.
By using encryption techniques, the device generates a 6-digit number which is predictable by someone else who has all the same information that you have (which is: current time, serial number of the device, encryption algorithm).
You said >> The algorithm may be as simple as multiply the timestamp date by the timestamp time, then take that number to the exponent of the serial number of the fob, divide the result by this number, and multiply it by another number, now display the least significant 6 digits.
Yes, encryption is just simple math.
- Remmy, on 10/12/2007, -1/+4
Alternatives are out there, but support by merchants is very low. With Google stepping into the market however, it's likely that PayPal will have a reputable contender. And we all know that competition is good for the consumer.
- Domestiques, on 10/12/2007, -5/+8
keith makes big bucks from his blog
http://www.problogger.net/archives/2007/02/08/how-i-make-money-from-blogs-my-top-earners/
this is perhaps one way in which he makes a little more.
- bcullman, on 10/12/2007, -5/+8
Let me rephrase.. PayPal's site's FAQ provides only the following explanation of how they work:
How does the Security Key work?
The Security Key creates the account access code by using a complex algorithm that’s unique to your device. When you enter that code after you log in with your user ID and password, our secure servers can verify your identity. This helps prevent unauthorized users from logging in to your PayPal account.
Oh, *NOW* I see. a "complex algorithm" is used, and once I type it in, (after also providing both my username and password) their servers can tell it's me (which they could do before with just my username and password) *rolls eyes*
Look, I think I asked a reasonable question here. What search term or terms can I use to read more about how these random number devices (or whatever they are called - see I don't know, that's why I'm asking) work?
In other words, how does the server know the numerical value I am typing in is the correct one?
In other words, what is this type of encryption called?
What happens when the battery dies?
- Eyebee, on 10/12/2007, -0/+3
PayPal's UK and European operations are legally a separate entity (due to the UK being part of all the EU ***** - and having to pay large amount of taxes to the largely unelected corrupt Brussels tax pigs to syphon off to regenerate the EU's new eastern European members, after the fat cats, have gotten a little fatter).
As I understand it, sometimes they might wish to try something out in the US before applying it in the UK or Europe, and sometimes legal issues get in the way.
- slowdive, on 10/12/2007, -0/+3
Yeah same problem here with a Swedish account. Damnit.
- mathew_bug, on 10/12/2007, -2/+5
I second that. Been using it for 4 years now without a problem.
- CoolWind, on 10/12/2007, -0/+3
Ryosen: There's something missing here. Why was PayPal unable to take $2 out of your checking account?
- tileeater, on 10/12/2007, -3/+6
BTW, I don't agree with charging customers for "extra security" that's total BS. that's like if you went to bank of america and they asked you to pay extra to have your money in the vault instead of in their sock drawer like all the other peons.
- rusty0101, on 10/12/2007, -2/+5
Actually, this is not encryption at all. It is a form of a random number generator. Provide some seed information to a random number generator, specifically some number that changes (a timestamp for example) a number that is unique to the device (a serial number) possibly some other numbers to reduce the likelihood that you will give a phisher the serial number for your fob and they figure out what time your fob thinks it is from a few displayed numbers. Use that information as a seed on both the fob and the authentication server, and both should end up generating the same number.
The algorithm may be as simple as multiply the timestamp date by the timestamp time, then take that number to the exponent of the serial number of the fob, divide the result by this number, and multiply it by another number, now display the least significant 6 digits. That sort of an algorithm may seem 'complex' to some people.
When the battery dies the fob doesn't display any further numbers. You call up paypal, let them know the condition of the fob, and they ship you a new one. The battery in the constant display SecurID fobs has an average lifetime of about 3 years. Along with the serial number, the fob should be tagged with an expiration date which should arrive before the battery fails. Something like a credit card, the company handling the authentication for paypal should be shipping you a replacement fob on or before the date.
The button you press on the fob to display the current number provides two things. First it increases the battery life by turning off the display when you don't need a number. It also prevents someone from seeing a long series of sequential results which could reduce the security of the random number generator being used.
If I know your password and your account name, then if you are not using a fob for security, paypal will consider me to be you if I give them that information. If you are using a fob, and have no problem keeping track of it, then it is less likely that paypal will be willing to consider me to be you, if I can't give them the right 6 digit number. If I can give them the right number, and your account name, but not your password, then again they are unlikely to think I am you. However if I compromise your fob, and have your password and account information, I am back to being you as far as paypal is concerned.
If you lose your fob, it's a good idea to report it missing right away. Just as it is a good idea to work with them if you suspect your account information has been compromised. If you have a history of losing things, then this form of authentication may not be for you.
- themoose, on 10/12/2007, -2/+4
Do any of you make any money?
$5 is not a lot of money to keep your account more secure.
Hell, I'd spend way more!
- Ryosen, on 10/12/2007, -3/+5
You're confusing monopoly with popularity.
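Added example, not code from any commenter, PayPal or VeriSign: a Python model of the token mechanism rusty0101 describes in both of his comments above (a clock and a per-device value hashed and reduced mod 1000000, three activation codes to sync the server to the fob's clock, a window of 30 seconds either side of 'now' with the server keeping a drift offset per account), DoubtfulSalmon's note on drift compensation, smellinator's point that the codes are predictable only to someone holding the device's secret, and signal15's observation that a phished code is only usable within that window. Assumptions: HMAC-SHA1 with RFC 4226/6238 truncation stands in for the device's undisclosed "complex algorithm"; the secret, serial number, clock skew, account name and timestamps are constructed.

```python
# Added model of a time-based login token like the one discussed in this thread.
# Constructed example: secret, serial, clock skew and timestamps are made up, and
# HMAC-SHA1 with RFC 4226/6238 truncation is an assumption standing in for the
# device's undisclosed algorithm (clock and serial hashed, result mod 1000000).
import hashlib
import hmac
import struct

STEP = 30        # seconds per code (the thread's "30 seconds")
WINDOW = 1       # verifier accepts one step either side of "now", i.e. +/-30 s
DIGITS = 6
SYNC_RANGE = 20  # activation tolerates +/-20 steps (10 min) of factory clock skew


def token_code(secret: bytes, step_counter: int) -> str:
    """Six-digit code for one step: HMAC-SHA1 over the counter, dynamically
    truncated to 31 bits, reduced mod 10**6 and zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", step_counter), hashlib.sha1).digest()
    o = mac[-1] & 0x0F
    n = struct.unpack(">I", mac[o:o + 4])[0] & 0x7FFFFFFF
    return f"{n % 10 ** DIGITS:0{DIGITS}d}"


class Fob:
    """The hardware token: a secret set at the factory and a free-running clock."""

    def __init__(self, serial: str, secret: bytes, clock_skew: int = 0):
        self.serial, self.secret = serial, secret
        self.clock_skew = clock_skew  # seconds the fob's clock runs ahead of true time

    def show(self, now: int) -> str:
        return token_code(self.secret, (now + self.clock_skew) // STEP)


class AuthServer:
    """Verifier: per account it keeps the password, the fob secret, the learnt clock
    offset (in steps) and the last step accepted, so no code is accepted twice."""

    def __init__(self):
        self.accounts = {}

    def activate(self, user, password, serial, secret, codes, now):
        """Register a fob from three codes read in consecutive steps, the last at
        'now'; finds the step offset that makes all three match."""
        base = now // STEP
        for offset in range(-SYNC_RANGE, SYNC_RANGE + 1):
            if all(hmac.compare_digest(token_code(secret, base + offset - 2 + i), c)
                   for i, c in enumerate(codes)):
                self.accounts[user] = {"password": password, "serial": serial,
                                       "secret": secret, "offset": offset,
                                       "last_counter": base + offset}
                return True
        return False

    def verify(self, user, password, code, now):
        """Two-factor check: password first, then the code within the window.
        Returns (accepted, reason)."""
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(password, acct["password"]):
            return False, "bad password"
        expected = now // STEP + acct["offset"]
        for w in range(-WINDOW, WINDOW + 1):
            counter = expected + w
            if hmac.compare_digest(token_code(acct["secret"], counter), code):
                if counter <= acct["last_counter"]:
                    return False, "code already used"
                acct["offset"] += w            # follow the fob's observed drift
                acct["last_counter"] = counter
                return True, "ok"
        return False, "bad code"


def demo():
    """Activation, a normal login, a replayed code, clock drift, each half of the
    second factor on its own, and a phished code used late vs. at once."""
    now = 1_200_000_000                                   # constructed, step-aligned
    fob = Fob("SN-0000000", b"constructed-secret-not-a-real-key", clock_skew=95)
    server, out = AuthServer(), {}
    codes = [fob.show(now - 60), fob.show(now - 30), fob.show(now)]   # 3 presses
    out["activated"] = server.activate("alice", "pw", fob.serial, fob.secret, codes, now)
    out["offset"] = server.accounts["alice"]["offset"]                # 95 s -> 3 steps
    t = now + 600
    out["login"] = server.verify("alice", "pw", fob.show(t), t)
    out["replay"] = server.verify("alice", "pw", fob.show(t), t + 5)
    fob.clock_skew = 125                    # an hour on, the fob has drifted 30 s more
    t = now + 3600
    out["drifted"] = server.verify("alice", "pw", fob.show(t), t)
    out["offset_after_drift"] = server.accounts["alice"]["offset"]    # now 4
    t = now + 7200
    out["no_code"] = server.verify("alice", "pw", "000000", t)
    out["wrong_pw"] = server.verify("alice", "guess", fob.show(t), t)
    t = now + 9000                          # phished password+code, used 90 s later
    out["relay_stale"] = server.verify("alice", "pw", fob.show(t), t + 90)
    t = now + 9600                          # the same, used 10 s later (signal15's point)
    out["relay_fresh"] = server.verify("alice", "pw", fob.show(t), t + 10)
    return out
```

`demo()` walks through the cases the commenters argue about: activation derives the fob's clock offset from three consecutive codes, the window absorbs a further 30 seconds of drift and the stored offset follows it, a code is accepted at most once, and neither the password nor the code is enough on its own. The last two results show why signal15's caveat stands: a captured code is useless 90 seconds later, but one relayed within the window passes, and the verifier has no way to tell that login from the real one. The standard answer is the one signal15 hints at, binding a fresh code to the specific payment or account change rather than to the session.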
- MaxPayne3476, on 10/12/2007, -1/+3
Really? I bought a used snowboard on Ebay for $100. Two weeks pass - nothing. I email the guy - nothing. I finally filed with PayPal and had my money back in around a week I believe. There was never any response from the guy or any contact. I love their security.
I've also dealt with Discover who has locked my card while I'm at the mall because apparently I made my purchases too quickly. -security that?
Oh, and yes - I do have a receipt of everything I've bought online as a proof of purchase. Just as I save Credit Card receipts from BnM stores. It only takes 5 seconds to print the page out and throw in a nice filing folder that you can just keep in a closet or somewhere.
- MikeyMoose, on 01/30/2009, -0/+2
"The Security Key is currently not available. Please try again later.", but then again, I'm in Canada - sittin' in my igloo - pass the back bacon...
- inactive, on 10/12/2007, -0/+2
PDF Link: http://www.verisign.com/static/028476.pdf
- CoolWind, on 10/12/2007, -1/+3
I don't think of it as spam because there is no other easy way to find out about this program. It's information.
- keiths, on 10/12/2007, -1/+3
What exactly is spam about this? How is PayPal making money off this deal? I really doubt people are going to sign up for PayPal and start using it just because they have a new security key.
Like I said before, this is good information for people to know who already have a PayPal account. All the security you can get to protect yourself is good.