PayPal's New Authentication Scheme

EBay's payment arm test-drives random-number generator

2:55 PM -- When I'm not working on stories about IT security (only a few minutes each day, I promise), I have a side business buying and selling sports trading cards on eBay. So you can imagine my consternation as I'm bombarded each day by reports of spam and phishing attacks on eBay and its online payment subsidiary, PayPal.

EBay and PayPal are, in fact, the number one targets of phishers. In fact, any bozo can now buy a kit that provides the logos and information needed to disguise oneself as one of those entities. Researchers at Trend Micro reported last month that a PayPal ID and password can now be purchased on the black market for just seven bucks. (See How Much Is That Exploit in the Window?)

But it looks like PayPal -- finally -- is fighting back. According to a report today on, PayPal is beta testing a new random number generator that will add an additional factor of authentication to its arsenal.

For five bucks, PayPal users can now buy a keychain fob that generates an additional passcode every 30 seconds, which must be entered before a user can access a PayPal account. This means attackers must now not only have a password, but also the token, before they can penetrate a user's account.
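To show what a 30-second passcode token and its server-side check actually involve, here is an added example that is not part of the original column and is not PayPal's code. It assumes the fob follows the standard time-based one-time password scheme (RFC 6238, HMAC-SHA1 over a 30-second counter, as in RFC 4226); the column does not say which algorithm PayPal's fob uses, so that is an assumption. The secret and timestamps below are the public RFC test vectors, used only so the results can be checked.

```python
"""
Time-based one-time passcode (TOTP) generation and verification.
Added illustration; assumes RFC 6238 / RFC 4226 semantics, not PayPal's
actual fob. Constructed sample secret and timestamps are RFC test vectors.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # the 30-second rotation the column describes (assumption: RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> N digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the counter is simply the number of 30-second steps since the epoch."""
    return hotp(secret, int(unix_time) // step, digits)


class TokenVerifier:
    """
    Server-side check of a submitted passcode. Two defensive details matter:
      * a small clock-drift window (+/- one step) so a slightly slow fob still works;
      * a high-water mark on the accepted counter so a code captured by a
        phisher cannot be replayed inside that window.
    """

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_counter = -1  # highest counter already accepted for this user

    def verify(self, submitted: str, now: float = None) -> bool:
        if now is None:
            now = time.time()
        current = int(now) // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_counter:
                continue  # already consumed (or older): reject replay
            expected = hotp(self.secret, candidate)
            # constant-time comparison so response timing leaks nothing about the digits
            if hmac.compare_digest(expected, submitted):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test secret (ASCII "12345678901234567890").
    demo_secret = b"12345678901234567890"
    print("code at t=59:", totp(demo_secret, 59))  # 287082
    v = TokenVerifier(demo_secret)
    print("first use accepted:", v.verify("287082", now=59))   # True
    print("replay accepted:   ", v.verify("287082", now=59))   # False
```

The point for a defender is the last two lines: a phisher who captures one passcode along with the password gets at most one login attempt within the drift window, and none at all if the legitimate user has already consumed that code. The underlying HMAC secret, not the six digits, is what must stay on the fob and on the server.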

You could certainly argue PayPal's choice of technologies. Random number generators have been infamously cracked in the past, and they probably will be again in this case. There's also the question of whether PayPal users -- many of whom are a few cards short of a set -- will be able to hold onto a token, or remember how to use it properly.

Whatever you think of PayPal's approach, though, you have to give the company credit for doing something to stem the rising tide of phishing going on at its site. Most banks and financial institutions have already moved to two-factor authentication as part of the mandated FFIEC guidelines. PayPal should have made this move long ago.

Like a locked car door or a home alarm system, PayPal's random number generator won't stop determined identity thieves, but it may just discourage some of the bozos. And as somebody who does business on the site, I definitely won't miss them.

— Tim Wilson, Site Editor, Dark Reading