2 Nov
2007
2 Nov
'07
1:32 a.m.
This isn't even close to on-topic, but maybe it's of general interest.
Paypal is offering a SecureID fob, the "Paypal Security Key", for
authentication to your Paypal account. I haven't seen it mentioned on
the Paypal descriptions, but the coworker who showed me his tells me
that it works with eBay too. Worth mention, I suppose, is that it's *in
addition to* your email/password login info, not instead of.
Also, it's $5 USD shipped. :)
Doc
2 Nov
2 Nov
3:30 a.m.
Doc Shipley wrote:
Paypal is offering a SecureID fob, the "Paypal
Security Key", for
authentication to your Paypal account. I haven't seen it mentioned on
the Paypal descriptions, but the coworker who showed me his tells me
that it works with eBay too. Worth mention, I suppose, is that it's *in
addition to* your email/password login info, not instead of.
Also, it's $5 USD shipped. :)
Yep, it's a rebadged RSA SecureID token. While it won't prevent
cross-site scripting holes (the most common way a fraudster gets into
your ebay account to post in your name), it will most likely make it
impossible to take fraud to the final stop (ie. actually posting and/or
actually screwing around with your money). I highly recommend it.
--
Jim Leonard (trixter at oldskool.org) http://www.oldskool.org/
Help our electronic games project: http://www.mobygames.com/
Or check out some trippy MindCandy at http://www.mindcandydvd.com/
A child borne of the home computer wars: http://trixter.wordpress.com/
4:41 a.m.
New subject: OT: eBay/Paypal security
Of corse people in Canada can't buy it :(
Chris
On 11/2/07, Jim Leonard <trixter at oldskool.org> wrote:
Doc Shipley wrote:
Paypal is offering a SecureID fob, the
"Paypal Security Key", for
authentication to your Paypal account. I haven't seen it mentioned on
the Paypal descriptions, but the coworker who showed me his tells me
that it works with eBay too. Worth mention, I suppose, is that it's *in
addition to* your email/password login info, not instead of.
Also, it's $5 USD shipped. :)
Yep, it's a rebadged RSA SecureID token. While it won't prevent
cross-site scripting holes (the most common way a fraudster gets into
your ebay account to post in your name), it will most likely make it
impossible to take fraud to the final stop (ie. actually posting and/or
actually screwing around with your money). I highly recommend it.
--
Jim Leonard (trixter at oldskool.org) http://www.oldskool.org/
Help our electronic games project: http://www.mobygames.com/
Or check out some trippy MindCandy at http://www.mindcandydvd.com/
A child borne of the home computer wars: http://trixter.wordpress.com/
4:48 a.m.
On 2 Nov 2007 at 2:30, Jim Leonard wrote:
Yep, it's a rebadged RSA SecureID token. While it
won't prevent
cross-site scripting holes (the most common way a fraudster gets into
your ebay account to post in your name), it will most likely make it
impossible to take fraud to the final stop (ie. actually posting and/or
actually screwing around with your money). I highly recommend it.
I don't know--it looks like another d*mned thing to lose, step on or
have the dog eat. The difference between it and an old sock is that
when the dog eats your old sock, you can still use PayPal.
Cheers,
Chuck
12:18 p.m.
With all of the rampant phishing and other crap going on around the net
from people trying to steal ebay and paypal accounts, I
think this is
well past due, especially for paypal since it deals with money.
Having a keyfob as a 3rd line entry to access your account (I have this
with my Citibusiness account - ID, password, keyfob entry) so this would
virtually eliminate all of the stolen account attempts, phoney login
screens and fake phishing sites at long last. The real key to
implementing this is that the keyfob code has to be manually entered by
requiring mouse over clicks across a number bar on the screen, not
typing it into a text box, otherwise a fake site could grab the login
info, relay it into paypal via a script and then process and run an
automated script once logged in to transfer/remove funds.
Having the mouse over and click to a graphic bar (which could be shown
in multiple ways and arrangements which could vary with each session)
the keyfob code could not be simply cut & pasted from a fake to real
site. Having the keyfob code rotating every 30 seconds really cuts
down on the damage someone can do, they'll literally have to be sitting
at the keyboard 24/7 hoping to grab a keyfob code and use it fast enough
to log in.
Its not perfect, nothing ever is, but its a HUGE leap in the right
direction of responsibility on Paypals part... Now if they would just
do a charge verification and processing check BEFORE allowing payments
to go through instead of subjecting people to a 6 month window of
"Oppps, that $500 you got 2 months ago, well the charge card was a
fraud, so we'll just take that money back and you now owe us $500,
please pay now before we sic our collections agents on you, have a nice
day...."
Google Checkout does a full security and verification check BEFORE the
charge is completed for each transaction, this is why I now use them
over paypal. Ebay is being hit with a major anti-trust suit because
its blocking Google and other payment services in lieu of forcing people
to choose paypal for payment (since ebay owns paypal) so that is looking
like ebay has no leg to stand on and once the door opens for google,
paypal is going to have to be far more competitive and really going to
be forced to clean up its act.
We you read the horror stories over at paypalsucks.com and see the
stealing of funds from people's bank accounts, the instantly frozen
accounts with $1,000's of dollars in them that have to wait 6 months
while paypal performs its own internal investigation, leaving people
without their money, its just disgusting to see how paypal - which was
in its infancy - supposed to be this great new era of electronic funding
perverted into a Racketeering and Extortion Enterprise.
Curt
Doc Shipley wrote:
This isn't even close to on-topic, but maybe
it's of general interest.
Paypal is offering a SecureID fob, the "Paypal Security Key", for
authentication to your Paypal account. I haven't seen it mentioned on
the Paypal descriptions, but the coworker who showed me his tells me
that it works with eBay too. Worth mention, I suppose, is that it's
*in addition to* your email/password login info, not instead of.
Also, it's $5 USD shipped. :)
Doc
4:48 p.m.
Curt @ Atari Museum wrote:
The real key to
implementing this is that the keyfob code has to be manually entered by
requiring mouse over clicks across a number bar on the screen, not
typing it into a text box, otherwise a fake site could grab the login
info, relay it into paypal via a script and then process and run an
automated script once logged in to transfer/remove funds.
(Disclaimer: I used to work in the security industry)
(Disclaimer2: I am not ranting against Curt, just trying to dispel some
myths and paranoia before they start)
If someone is willing to target you so specifically, I don't think a
"manual" method of entry is going to make a difference. Setting up that
level of phishing is so much work that, I am not making this up, it is
easier to just visit your house with a gun and extort the cash from you.
Seriously. There were stories in my industry of someone coming up
with a new protection method for an ATM or something (like a way to
prevent people from spying on the keypad, or requiring double-entry
where the second entry had reversed number positions on the screen) and,
I kid you not, it wasn't worth the mafia's effort to try to crack it --
instead, they showed up at the engineer's office with a picture of his
family and asked him, "nicely", to reveal how it worked.
You'd have to be some millionaire classic computer collector to attract
that kind of attention. A keyfob is so much trouble to scammers and
phishers that they don't even bother, they just move to the millions of
others who don't use one.
And the "but people steal cars locked with The Club too!" argument
doesn't work here -- The Club is a placebo. Any hacksaw can get through
it in 45 seconds. The keyfob has a six-digit number seeded specifically
for you and changes once a minute and the period is something crazy,
like 2^19337 before it repeats. Our bones will turn to dust long before
the number is guessable :-)
Bottom line: Don't fear the keyfob. It's a no-brainer for $6.
--
Jim Leonard (trixter at oldskool.org) http://www.oldskool.org/
Help our electronic games project: http://www.mobygames.com/
Or check out some trippy MindCandy at http://www.mindcandydvd.com/
A child borne of the home computer wars: http://trixter.wordpress.com/
5:10 p.m.
Hi Jim,
I used to do residential and vehicle security installations for a few
years around 20 years back... as for the Club... they are pretty much
unbreakable, except for the cheapo knock-offs... the car thieves cut
through the steering wheel, no the Club and then slid the club off of
the steering wheels to either steal the car or just steal the airbags
which were usually worth more then the car itself many times... New
thing these days, thieves are stealing the krypton headlights out of
cars as they are worth a pretty penny...
Curt
Jim Leonard wrote:
Curt @ Atari Museum wrote:
The real key to implementing this is that the
keyfob code has to be
manually entered by requiring mouse over clicks across a number bar
on the screen, not typing it into a text box, otherwise a fake site
could grab the login info, relay it into paypal via a script and then
process and run an automated script once logged in to transfer/remove
funds.
(Disclaimer: I used to work in the security industry)
(Disclaimer2: I am not ranting against Curt, just trying to dispel
some myths and paranoia before they start)
If someone is willing to target you so specifically, I don't think a
"manual" method of entry is going to make a difference. Setting up
that level of phishing is so much work that, I am not making this up,
it is easier to just visit your house with a gun and extort the cash
from you. Seriously. There were stories in my industry of someone
coming up with a new protection method for an ATM or something (like a
way to prevent people from spying on the keypad, or requiring
double-entry where the second entry had reversed number positions on
the screen) and, I kid you not, it wasn't worth the mafia's effort to
try to crack it -- instead, they showed up at the engineer's office
with a picture of his family and asked him, "nicely", to reveal how it
worked.
You'd have to be some millionaire classic computer collector to
attract that kind of attention. A keyfob is so much trouble to
scammers and phishers that they don't even bother, they just move to
the millions of others who don't use one.
And the "but people steal cars locked with The Club too!" argument
doesn't work here -- The Club is a placebo. Any hacksaw can get
through it in 45 seconds. The keyfob has a six-digit number seeded
specifically for you and changes once a minute and the period is
something crazy, like 2^19337 before it repeats. Our bones will turn
to dust long before the number is guessable :-)
Bottom line: Don't fear the keyfob. It's a no-brainer for $6. 
5 Nov
5 Nov
1:54 p.m.
Rumor has it that Curt @ Atari Museum may have mentioned these words:
New thing these days, thieves are stealing the krypton
headlights out of
cars...
Is this so when they get caught by Superman they have a chance of getting
away???
Sorry, just had to. Grabbing coat, calling taxi... ;-)
Laterz,
Roger "Merch" Merchberger
--
Roger "Merch" Merchberger -- SysAdmin, Iceberg Computers
zmerch at 30below.com
What do you do when Life gives you lemons,
and you don't *like* lemonade?????????????
6085
days inactive
6088
days old
7 comments
6 participants
participants (6)
-
cclist@sydex.com -
curt@atarimuseum.com -
doc@mdrconsult.com -
halarewich@gmail.com -
trixter@oldskool.org -
zmerch@30below.com