Inside the PayPal Security Key
This week I received my PayPal Security Key. Curious about the internal workings and origins of this device got the better of me, so I thought I’d share my findings with anyone interested while I ripped it apart and found out what made it tick. And then I went on to see just how secure this method actually is.
A few months ago I was perusing the news sites and ran across an article that described how PayPal and eBay were going to offer a new authentication method that was immune to phishing scams, brute force attacks, and general end user gullibility tactics. They were going to start offering a security fob that generates six digit codes that you use as part of your password to log into the websites.
After asking PayPal when they’d be offering, they said that they would make them available to customers with business accounts by the end of January for a one time fee of $5 (US). When it became available, I used my paypal account to order one.
This week my fob arrived via USPS First Class mail in a cardboard envelope that was slightly bulging in the middle. The exterior of the envelope had the PayPal logo on both sides and a sticker which I later found contained my fob’s part number and serial number in both bar code and alphanumeric characters.
The envelope contained an instruction manual, a list of ten security tips, a printed packing list, a wallet card with instructions (not shown), and a white cardboard box which contained the fob.
After removing the fob from the box, I was able to get an idea of initial quality of the design. I wasn’t overly impressed and don’t think this device would hold up attached to my keychain. But I wanted to get a better look inside before I made my final decision on that.
The second thing I found that was odd was that the display was blank and only activated when you press the rubberized gray triangle button on the left side of the display. My only other experiences with token based security devices has been with RSA’s SecurID product that is always showing a code and a time bar that shows how soon before the code changes.
I used a small jeweler’s screwdriver to open up the device. The front of the fob is securely snapped into the back in six locations around the perimeter of the case. It’s a tad tricky to crack it, but nothing compared to RSA’s devices which are ultrasonically welded together.
The inside of the device contains a small circuit board with a standard CR2025 battery. The CPU of this device is contained under the blob of black plastic. Typically this is how a inexpensive or simple chips are mounted to circuit boards, take a look at any calculator or LCD clock.
There are six interface points that match up with six holes on the back of the device. These are covered up by the identification sticker on the back, but are most likely used to program the device with its initial numbers and calculation method. Here’s a better view.
Starting at the first point under the main CPU, these ports are labeled:
SDAT SCLK REF OUTIN GND RST
After removing four extremely small Phillips screws from the circuit board, the front case was removed and I could see the front of the board. And this is where I could finally get see how poorly protected the weakest part of the device – the LCD display. There is nothing between the LCD display and the outside environment to protect it from puncture, crushing, or scratches.
Who Made Who?
Where did the Verisign logo come from, and who is Vasco?
Vasco is a multinational company with financial headquarters in Oakbrook Terrace, Illinois and an operational headquarters in Belgium. In 2005 Verisign chose Vasco as the provider of their one time password (OTP) authentication solution.
The OTP device (the PayPal key) has been designed by Vasco and manufactured in China. The Vasco product name for this device is the Digipass Go 3.
Now, enough of the guts – how do I use this thing?
Registering The Key
Before you can use the key, you have to register it on PayPal and optionally on eBay. A better way to describe it to synchronize your key with the authentication server. You see, the server needs to learn what pattern of numbers your key will be displaying at any time, so when you use it it’ll be able to validate your password. When you register the key, you enter the code that is displayed and then wait for 30 seconds and enter the next code. This is enough information for the server to know what algorithm and step your key is on. In the future, it’ll be able to calculate what your key is going to be displaying +/- a few seconds.
Registering it is a four step process:
1. Log into your existing PayPal account
2. Enter the serial number of the key
3. Enter the 1st code from the display
4. Wait until the code changes and enter the new code.
Once confirmation from PayPal is received, your key is ready to use. Paypal is owned by eBay, so you can visit eBay and do the same thing if you wish to also use your key to protect your eBay account.
Using the Key
Using the key doesn’t add much of a hassle. You enter your username and password, but then include the key code right after your password. If you forget to enter your key code before you press login, the next page will prompt you for your key code.
If you don’t have your key with you, you can click on the link that says “I don’t have my PayPal Security Key”.
You’ll then be given two options:
1. I don’t have my PayPal Security Key. The key isn’t lost, but I don’t have it right now.
2. My PayPal Security Key is lost or broken. I would like to log in and deactivate my Security Key.
Obviously, if you key is lost or stolen – you should deactivate it. But if you just don’t have your key with you and you want to log in, you do have a few options.
You can continue to log in by providing one of the following pieces of information:
bank account debit card credit card numbers Or answer one of the security questions, like last 4 digits of your SS number.
Yes, the very same information a phishing scam will likely obtain from a victim – will allow them to bypass the Security Key authentication, rendering the entire system worthless to the victim.
Save your $5, follow a few basic security tips and you’ll maintain your account security.
1. Don’t follow any links to any paypal or other financial sites from email you get… even if it looks legit. Open a browser and type in the url you lazy bum.
2. Use a strong password. If you don’t know what that means – you probably have a very weak password. Visit pctools.com‘s password generator for some examples.
But the real problem I have is with this device and its implementation.
1. The device itself isn’t hardened like many other token based authentication systems. RSA’s keys are encased in epoxy resin to prevent a cracker from reverse engineering the circuitry or programing of their system.
2. The authentication system has been weakened drastically to account for users who don’t carry the device with them… so as not to inconvenience them too much. The secondary security questions can be answered very easily by an unauthorized person simply by using a phishing scam to obtain it – the very scams this type of authentication system is supposed to prevent.
Recommendations to eBay
If you want to make your user accounts phishing proof – eliminate the secondary questions and require the device for all access privileges. Otherwise, why even bother?
Also, eBay – opt for a more hardened device that can provide me with some confidence in the security of the technology – and allow it to survive on my keychain. Check out RSA’s offerings if you want to see a decent quality OTP device.