Paypal's two-factor authentication has a big hole...10:31 AM, August 2nd, 2010
The first iteration of this device looked like this:
The 6-digit code on the display changes every 30 seconds. It works on a very simple and brilliant concept: Basically, the device contains a simple quartz clock, no different from the one in a cheap wristwatch. It also contains a pseudo-random number generator and an ID code.
Every 30 seconds, the device generates a new random number, using its ID code as the seed value. On PayPal's servers, the same number is generated, since it knows both your ID, the time, and the algorithm. These are then matched when you try to log in.
The display stays blank until you press the button, but the button merely shows the current number -- it does not affect the timing of the random number generator.
What this means in simple terms is that, in order for someone to break into your PayPal account, they need:
Since the code changes twice a minute, they'd need to either steal your token from you, or somehow convince you to give them the current code. Both of these are very difficult for someone to do without you noticing. So it's a pretty secure system.
Now, I guess people complained about the somewhat bulky token, because recently PayPal launched a new type of security token: the credit-card form factor. It looks like this:
It's truly as thin as a credit card, and has what looks like an e-paper screen for the number display. It's really quite a remarkable piece of technology. There's a button on the front. When you press this button (quite hard), the currently displayed code disappears, and a new code appears in its place.
But, there's a big hole in this security model.
Unlike the previous token, this one doesn't have a clock. The code doesn't change every 30 seconds. This takes away one of the big security features of the token-style device; simply, that you had to know the code within 30 seconds.
With the new card, the codes are valid indefinitely. If you happened to catch a glance at my card and memorized the code, that code will remain valid until I log in to my PayPal account with it or with a newer code.
So, for example, let's say you know my PayPal username and password. You already know one of my codes, because it is in the photo above, 463267. If I hadn't already used that code to log in to my PayPal account, you could go and log in right now -- or tomorrow, or next week. There's no time limit.
Having the card is still more secure than not having it at all. But it's important to understand that it is not as secure as the older type of security token.
Um... Don't press the button unless you're about to log in? Sounds like it would work to me.
I'm not sure you understand, Jason. The problem is that the codes remain valid for a long period of time.
For example, this scenario is possible with the card, but not possible with the old token:
Your buddy Bob has figured out your PayPal username and password, and for whatever reason he has decided to screw you. At a dinner, as you pull your wallet out to pay, he glances at your PayPal security card and memorizes the six-digit number (which is always displayed -- the token hides the number after several seconds).
Later that evening, or possibly even later that week, he is able to successfully log in to your PayPal account. The only reason he'd be unable to log in is if you'd already logged in with the code (or a newer one) on your card.
If you only log in to your PayPal account infrequently, the code could be valid for weeks... you wouldn't know anyone had logged in to your account.
Sorry, Avator-X, it's you who doesn't understand.
"With the new card, the codes are valid indefinitely. If you happened to catch a glance at my card and memorized the code, that code will remain valid until I log in to my PayPal account with it or with a newer code."
If you press the button to get a new code and immediately use that code, that code is then no longer valid. So, as Jason sez: Don't press the button unless you're about to log in"
Besides, simply keeping the card in an inner pocket, behind another card, or backwards will stop people from seeing it. it's not rocket surgery.
the code changes every 30 seconds... if they see the code and done use it within (i think its 43 seconds) then a new code is required...
at least that is how World of Warcraft does it
If you push the button a bunch of times does it generate a new code each push? If so, how would the server know the code? If not, its the code only valid until you log in, and you have to log in to get a new code? If that is the case, how does the card know to generate a new code?
|Posted by Avbrand Blog Commenter|
Sorry, Avator-X, it's you who doesn't understand.
No, really, it's you. Read my article more closely and you will see.
|If you press the button to get a new code and immediately use that code, that code is then no longer valid.|
Yes. I know. I said exactly that in my article. You even quoted it.
The problem is that the code is valid UNTIL it is used, potentially for weeks.
|the code changes every 30 seconds... if they see the code and done use it within (i think its 43 seconds) then a new code is required...|
Yes, the "old"-style security token works like this (the first one pictured in this article). But the new one does not. The new one does not generate a new node every 30 seconds.
|If you push the button a bunch of times does it generate a new code each push?|
Yes. Every time you push the button, you get a new code, even if you push it 10 times in 10 seconds.
|If so, how would the server know the code?|
It doesn't know exactly which code you have on your screen, but it knows the next 100 codes that your card will generate, and it will allow you to log in with any one of these codes. It might not be 100, it might be 10 or 1000, but that's how it works. It's a matched random number generator that are both seeded with the same seed.
|If not, its the code only valid until you log in, and you have to log in to get a new code?|
Yes, the code can only be used once. Once it has been used to log in, you can't use that code again.
|If that is the case, how does the card know to generate a new code?|
It generates a new code when you push the button. The card doesn't "know" anything... it has no connection to the outside world. It only generates a code when you push the button and that is all.
I can see that some of you are having trouble understanding how this code thing works, so I will try to explain it:
In the computer world, there is no such thing as a truly "random" number. Randomness is something that you cannot create in mathematics -- it must come from an outside source. But, most of the time, you don't really need true randomness, you just need the appearance of randomness. So computers have something called "pseudo-random number generators". These generators produce a series of numbers that are "random enough" for most purposes.
These pseudo-random number generators work from a "seed". The seed is the starting input, and it defines the sequence of numbers that are produced. If you provide two random number generators with the same seed, even if they're on different computers half a planet apart from each other, the same sequence of numbers will be generated.
So, now, let's take a look at these security devices. For the sake of this example, let's say my starting seed is "1234". When given a seed of 1234, the number generator outputs the following numbers:
The chain of possible numbers is infinite, but let's just work with those 7 numbers.
Now, PayPal has embedded the same random number generator algorithm and initial seed value into the card. So the first number it displays is 45.
When you push the button, it simply advances to the next number in the sequence. So lets say I push the button a few times and now it displays "12".
Now, I try to log in to PayPal. It asks me for the code, and I put in "12". PayPal was expecting "45", but it can see that "12" is one of the upcoming possible answers, so it lets me in. PayPal now advances a marker in their database, marking that the next valid code is "65".
If I try to log in again with the code "12", it will fail. 12 is not the "current" code, nor is it one of the next few codes.
The same goes if I try to log in with "45" or "43", as these codes are also not "current".
I hope I've explained how the relationship between the card and PayPal works...
It appears the misunderstanding here is, when you get the card, log in with the number displayed. If once you do that and don't press the button again, the code displayed is no longer valid. When you are ready to log in again, press the button and log in. Again, if you don't press the button after that, the code displayed is no longer valid. If once you log in you are dumb enough to push the button and not log in again, that is your stupidity and if someone hacks your paypal you have no one to blame but yourself. I believe this new device would be much easier to hack than the old device, but is still secure enough for most people.
Does the display blank out after a set time or does it display the last code indefinitely? If the code goes away, it would eliminate the chance of someone peeping. They would have to get their hands on the card to get your code.
Theoretically, my buddy Bob could gain physical access to my wallet at dinner (say I showed him the pictures of my family) and Bob would push the button and get a code (712781.) Bob would memorize that code all the while talking about how cute my children are, and then Bob would click the button again to generate a new code (302899.) We finish dinner, Bob sticks me with the bill, and races home to his computer. He logs onto my account with the 712781 number and he steals all my money.
This is different than the key fob approach where if I left my keys on the table during dinner, he could read a variety of six digit numbers, but none would be of any value to him unless he could get to a computer within 30 seconds after we leave the restaurant.
To add my two cents here… “Know your enemy.”
Using security tokens like these are all about managing your risk. The two token types discussed here differ in that one uses a time based algorithm while the other uses an event driven algorithm. With event driven tokens the code is valid until one logs in with a valid code. The numbers are not random and a successful log in will advance the next expected token code on the backend. Each has their uses and it really depends upon how secure you feel you need to be as to which token is appropriate for you.
As Avatar-X mentioned, there is a scenario where my buddy Bob could log in as me. He would have to know my ID, my password, and manage to see a “fresh” code from the credit card token. Bob would have to use this information and log into PayPal before the next time I log in, which could be months in my case. I think it is fair to say that I would not press the button and leave an unused code on the display, but just in case I do – I can tell you from experience that the code fades from the display after a certain amount of time. And how exactly did Bob get my password?
If I had the old time based token, Bob would only have 30 seconds to log in with the code. So Bob’s chances of getting into my account are severely limited. How do I stop Bob from pickpocketing my token? Maybe he swapped my token with another so I don’t even notice….
So… do you have friends like Bob? I’d like to think I don’t. Therefore the event driven token is a reasonable choice for me. Generally both token types do an excellent job of protecting against strangers since they shouldn’t have access to the token in the first place. If you are looking for protecting against exploitation by your friends, you are going to have a hard time with the kind of friend that is intent on getting into your account – regardless of the protection.
The only “big hole” is being friends with Bob. There are different risks mitigated by the two tokens. Who are you trying to protect yourself from?
A lot of great posts here.
For the record, the code does not fade away or disappear from the card after a delay. It is always visible. The display only blanks for a second or two as a new code is being generated.
I realize that the example I have provided where your friend "bob" is breaking into your account is very unlikely. I merely wished to point out that the card is comparatively much LESS secure than the previous time-based token.
Does the card have a battery inside? And if so, how long does the battery last?
Not that it matters much, but I am curious how long have you let the token code sit to confirm its not fading? I think it may take several days (I just generated a fresh code on mine now so I’ll find out) – but as you said yours may not fade at all.
I think the “Bob” example is a good one. And if you are worried about him, then you are correct in saying that the new token is less secure. However, “more” or “less” secure is relative to the risk you are trying to prevent and it is possible for both tokens to be equally secure in relation to certain risk factors. It’s fair to assume that one can always come up with risk factors that a solution can’t prevent against. Does that make it “less secure” overall? The probability of that risk factor occurring is just as relevant. Think of it kind of like trying to prevent yourself from randomly being struck by lightning. There are definitely some things you can do to reduce that chance. If you’re walking around in an open field during a thunderstorm, then you probably want to consider some preventative measures. Then again, if you are walking around on a cloudless summer day, I’d venture to say you could walk the same field dressed as the “Tin Man” and not have a concern (for the lightning that is but the heat will get ya instead).
Let’s take the example of a bad guy attempting to use a phishing attack to get into your PayPal account. Let’s also make this bad guy a stranger – meaning he doesn’t know you and doesn’t have physical access to you or your possessions. In this case, I don’t believe that either token is notably less secure than the other. Do you agree?
I believe that in current times, the majority of attacks on personal accounts are done by strangers, similar to this example, and not “friends”. That’s not to say that there aren’t ways for bad guys to still get into your account when you use either token – it’s just that the level of difficulty has been raised considerably and therefore the risk is lessened.
Just to continue the discussion a bit - if a person does not have access to your physical token, are there any other cases where the time token is notably more secure than the event driven one?
Rick, there is some form of very thin battery in there.
InCard Technologies offers a little bit of background on their cards which have a striking resemblance to the PayPal cards: http://www.incard.com/products.html
I used to work where these cards (prototypes) were made back in... 2007 now? There is a very very paper thin square lithium battery which powers the circuitry.
I have a few old prototypes in various stages of "completion" somewhere at my home, I will forward some images to Av when I have found them. The innards are quite impressive.
Nice and an alarming article. The author is right about the lesser security in this type of card.
Just pressing the button(even my kid can do it when it plays with it when I dont notice) and not using the code, ofcourse renders the code usable for a longer period of time. It is indeed a risk and insecure than the one which refreshes the code every 30 seconds.
It's very true that both this card and the older-style token will protect you from "random" attacks from people who don't know you.
My article was really to highlight the relative insecurity of the new card vs. the old one, since it seems like we're going to start seeing this technology in more places. The Incard website linked above shows a bank card with this technology.
I would love to see some photos of the prototypes -- I am still very impressed by these devices and what they pack into such a small package.
|Not that it matters much, but I am curious how long have you let the token code sit to confirm its not fading? I think it may take several days (I just generated a fresh code on mine now so I’ll find out) – but as you said yours may not fade at all.|
No, it doesn't fade -- it's not an LCD display and thus doesn't require power to maintain the display. It can display indefinitely.
Just an update nn the fading note - the cards I have are not LCD but the do fade. After 48 hours, the numbers are barely readable - but I can still make them out. I should have said before, but I do not have a PayPal card but a similar one that has the InCard logo on it, so it could be a difference in the tech. The fading could also be related to the age of the cards in my possesion - I've had them around 8 months or so.
Bob need'nt be a 'friend' he could in fact be a wily coworker. If the fob is on a keyring, it could easily sit on a desk at work, where there are several nearby... computers.
The bottom line is, don't let Bob near the Fob on the Job!
I just received the newest Paypal security key cards. The screen is blank at all times until you press hard on the "press" button. It totally dissappears after a very short time. Pretty safe in my opinion. Whenever I push it again, a new code number appeared.
Awesome. It sounds like they have made some improvements.
Am I still able to get the old version of the security token instead of the card? I would definitely prefer the old version token to the card.
I compared ebay's two-factor authentication to paypals.. and ebay's seems to be stronger?
The first reason is if you're unable to enter a code for whatever reason, ebay forces you to enter a code they tell you by phoning your home phone number.
Paypal offers no such feature, and allows you to bypass entering the code using your "secret" questions (which all family/friends know!)
Secondly, paypal leaks the serial number of the device when it asks you to enter the code, ebay doesn't. Isn't this a flaw? Isn't this the seed??? Couldn't this help somebody who knows/reverse engineers the algorithm of this device better guess the codes?
If so, they should replace most of the serial number with X's.. while still allowing multiple device holders to use the correct device.
If you setup to use SMS messaging, it also leaks your mobile telephone number! This makes it really easy for friends/family etc to target the correct phone to steal! The hacker just has to call the number and voila! If they're nearby, they know who to steal from.
Once again, this could be fixed by X'ing out most of the phone digits.
There's also the flaw of when using your serial number/credential ID on multiple websites, the owner of one of those websites could have malicious intent.. and share this value (which seeds the number generator) with hackers who already know your password.. or this person may be the hacker themselves.
Hello, I would like to buy 2 yellow and white security tokens like the one in the picture. I tried to buy them directly from PayPal, but they don't have this model anymore. If someone have 2 for me and they are in good condition, please let me know, I am willing to buy them. Thank you! Alex.
This is a blog, these tokens are not for sale here. Please contact PayPal.