Tokens' Big Flaw

EBay's new password keyfob is a nice concept, if not particularly well thought out

5:25 PM -- Experts on the Web are pointing out a flaw in eBay/PayPal's new authentication scheme that might just apply to your token-based security plan.

PayPal last month began shipping a keyfob that synchronizes with eBay and PayPal, serving as a second factor of authentication to these much-phished sites. It's a good idea -- the device generates a new code every 30 seconds, and you can't log in to your account unless the code on your device matches the code in the eBay system. Without having both your keyfob and your ID and password, phishers can't log in to your account.

The problem is in plan B. You see, PayPal doesn't want to inconvenience users who forget their keyfobs. So if you don't have yours, you simply choose the option that says "I have my keyfob, but I don't have it with me right now." PayPal then presents you with some secondary questions, asking you for additional information, such as your bank account or Social Security number.

The problem is that these are the very questions that phishers likely have already answered through their illicit efforts. There's a good chance that a phisher will already have enough data to answer these questions -- and access your account.

Hopefully, PayPal will address this flaw soon, either by requiring the user to have the keyfob or by adding more difficult questions. But it raises an important issue: What does your organization do if a user forgets a smart card or token?

If your plan B is too oriented toward user convenience -- and easy to circumvent -- then the whole cost and effort of plan A, the token, is basically a big waste. Don't lock the door with a token and then leave a window open.

— Tim Wilson, Site Editor, Dark Reading
