PayPal Security Key not as secure as it could be

Earlier this year PayPal introduced a security fob that generates a six-digit code every 30 seconds, meant as an additional layer of protection against online identity thieves. However, one user discovered a bug that makes the key useless in certain situations.

By entering his valid PayPal login and password, answering a security question and entering ANY six-digit number, he can make a purchase. eBay and PayPal have been unable to reproduce the flaw, but Romero stands by his statement, claiming the key doesn't work as advertised. "For someone who's paid money for a Security Key and is thinking their wife or brother can't get into their account because they don't have the key fob ... they're not getting the security that they assume they have."

Out of all the security fobs PP had to choose from, they picked the one with the very LOWEST specs!

http://www.signify.net /uploads/How_RSA_Tokens_Compare_to_Vasco.pdf

Hilarious!!!!

 

The model PP chose is the Vasco Digipass Go3 Token,

which has already had published reports about it's vulnerabilities.

(some of which have curiously "evaporated")

Digipass Go3 Insecure Encryption Vulnerability



-- Edited by budnonymous at 22:50, 2007-11-28