Is Paypal more secure than your bank?

Posted by Deliverator on August 10th, 2007

Paypal recently started offering RSA based security tokens for the low low price of $5. For this price, you get a small plastic keyfob with a tiny LCD screen and a single button. Inside is a highly accurate digital clock and a crypto chip. When you press the button, the keyfob feeds the present time and a unique number specific to the particular keyfob issued to you into the crypto chip and out pops a six-digit number. Every 30 seconds or so the number changes. On a server at Paypal the same algorithm is running and generating the exact same six-digit number. You type the number on your keyfob in along with your usual login information to get access to Paypal (or eBay). If you aren’t in possession of the keyfob as well as having the username and password, it is mighty hard to get access to your accounts. The server also keeps track of recently generated numbers and numbers for the immediate future, so if the clock in your keyfob is off by a bit, the server will still accept the number. If your number was off by a few cycles, the server will note it, figure out whether your clock is drifting in one direction or the other, and create a fudge factor to keep its internal accounting and your keyfob in lock step.
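The time window and drift "fudge factor" described above, as an added Python example that is not PayPal's or RSA's code: RSA SecurID's real algorithm is proprietary, so this uses an HMAC-based, TOTP-style derivation (RFC 6238 shape), a 30-second step, and a constructed seed and timestamps. It also refuses to accept the same code twice, which is the usual defence against a captured code being replayed.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code, as in the post
DIGITS = 6     # six-digit display
WINDOW = 2     # accept codes this many steps before/after the server's expectation


def code_for(secret: bytes, counter: int) -> str:
    """Derive a six-digit code from the per-token secret and a time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation, as in HOTP/TOTP
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** DIGITS).zfill(DIGITS)


def token_code(secret: bytes, token_clock: int) -> str:
    """What the keyfob shows at its own (possibly drifting) clock time, in seconds."""
    return code_for(secret, token_clock // STEP)


class Server:
    """Server-side state for one token: the shared secret, the learned drift, and
    the last accepted step (so a code cannot be used twice)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.drift = 0          # in steps; the post's "fudge factor"
        self.last_step = None   # step of the last accepted code

    def verify(self, submitted: str, server_clock: int) -> bool:
        expected = server_clock // STEP + self.drift
        for delta in range(-WINDOW, WINDOW + 1):
            candidate = expected + delta
            if self.last_step is not None and candidate <= self.last_step:
                continue        # replay: this step (or an older one) was already consumed
            if hmac.compare_digest(code_for(self.secret, candidate), submitted):
                self.drift += delta      # remember how far the fob's clock has wandered
                self.last_step = candidate
                return True
        return False
```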

This combination of something you know (username and password) with something you have is one form of two factor authentication and is one of the better mechanisms for assuring identity imo. Another common type of two factor authentication is biometrics (something you are). You see this type of authentication used a lot in action movies, usually accompanied by stolen fingers and eyeballs impaled on ballpoint pens. I’ll take a plastic keyfob, and happily give it up to anyone who asks at knifepoint, over “can you spare a finger?” any day.

While RSA security tokens aren’t perfect, they are a fair sight better than the means most major banks are using to provide the appearance of security. Federal regulators recently started requiring banks to provide two factor authentication for online banking. So, did major banks like Bank of America go out and hire the best security experts in the world to implement robust two factor security? No, they went and implemented deeply flawed systems like Sitekey, which provide the appearance of security to the average clueless user, yet rely on that same uncomprehending user’s limited understanding of the system to make the system even somewhat effective. One study conducted by MIT and Harvard revealed that 92% of computer users did not understand the system well enough to make it effective. Another site shows that even if a user understands how the system is supposed to work, it is still possible to create a fully automated man-in-the-middle attack against the technology itself.

While RSA security fobs are also subject to man-in-the-middle attacks, at least it isn’t difficult to understand how to use the system. You press the button and enter the number. It is important that users of an online banking system understand mutual authentication to avoid man-in-the-middle attacks, and banks are presently doing a miserable job on the whole “educating users” thing. IMO, basic security tips like “check to make sure you see a lock in your browser” and “don’t click on a link to a website if it arrives in your email inbox, as it could be a pretender” are a lot easier for the average user to understand. Whether the average computer user will ever grok checking SSL certificates and certificate authorities is another thing, but banks need to provide better, more robust and user-proof systems, while simultaneously making a better effort to educate end users. As it stands, Paypal is doing a far better job at this than my bank (and no, I am not using Bank of America).