Skip to content

March 17, 2007

7

Inside the PayPal Security Key

This week I received my PayPal Security Key. Curious about the internal workings and origins of this device got the better of me, so I thought I’d share my findings with anyone interested while I ripped it apart and found out what made it tick. And then I went on to see just how secure this method actually is.

Background

A few months ago I was perusing the news sites and ran across an article that described how PayPal and eBay were going to offer a new authentication method that was immune to phishing scams, brute force attacks, and general end user gullibility tactics. They were going to start offering a security fob that generates six digit codes that you use as part of your password to log into the websites.

Delivery

Envelope
After asking PayPal when they’d be offering, they said that they would make them available to customers with business accounts by the end of January for a one time fee of $5 (US). When it became available, I used my paypal account to order one.
Contents
This week my fob arrived via USPS First Class mail in a cardboard envelope that was slightly bulging in the middle. The exterior of the envelope had the PayPal logo on both sides and a sticker which I later found contained my fob’s part number and serial number in both bar code and alphanumeric characters.

The envelope contained an instruction manual, a list of ten security tips, a printed packing list, a wallet card with instructions (not shown), and a white cardboard box which contained the fob.

After removing the fob from the box, I was able to get an idea of initial quality of the design. I wasn’t overly impressed and don’t think this device would hold up attached to my keychain. But I wanted to get a better look inside before I made my final decision on that.
Key Front
The second thing I found that was odd was that the display was blank and only activated when you press the rubberized gray triangle button on the left side of the display. My only other experiences with token based security devices has been with RSA’s SecurID product that is always showing a code and a time bar that shows how soon before the code changes.




No Disassemble!

I used a small jeweler’s screwdriver to open up the device. The front of the fob is securely snapped into the back in six locations around the perimeter of the case. It’s a tad tricky to crack it, but nothing compared to RSA’s devices which are ultrasonically welded together.

The inside of the device contains a small circuit board with a standard CR2025 battery. The CPU of this device is contained under the blob of black plastic. Typically this is how a inexpensive or simple chips are mounted to circuit boards, take a look at any calculator or LCD clock.

There are six interface points that match up with six holes on the back of the device. These are covered up by the identification sticker on the back, but are most likely used to program the device with its initial numbers and calculation method. Here’s a better view.

Starting at the first point under the main CPU, these ports are labeled:

  • SDAT
  • SCLK
  • REF
  • OUTIN
  • GND
  • RST
  • Key Front
    After removing four extremely small Phillips screws from the circuit board, the front case was removed and I could see the front of the board. And this is where I could finally get see how poorly protected the weakest part of the device – the LCD display. There is nothing between the LCD display and the outside environment to protect it from puncture, crushing, or scratches.

    Who Made Who?

    Where did the Verisign logo come from, and who is Vasco?
    Vasco is a multinational company with financial headquarters in Oakbrook Terrace, Illinois and an operational headquarters in Belgium. In 2005 Verisign chose Vasco as the provider of their one time password (OTP) authentication solution.
    The OTP device (the PayPal key) has been designed by Vasco and manufactured in China. The Vasco product name for this device is the Digipass Go 3.

    Now, enough of the guts – how do I use this thing?




    Registering The Key

    Before you can use the key, you have to register it on PayPal and optionally on eBay. A better way to describe it to synchronize your key with the authentication server. You see, the server needs to learn what pattern of numbers your key will be displaying at any time, so when you use it it’ll be able to validate your password. When you register the key, you enter the code that is displayed and then wait for 30 seconds and enter the next code. This is enough information for the server to know what algorithm and step your key is on. In the future, it’ll be able to calculate what your key is going to be displaying +/- a few seconds.

    Registering it is a four step process:

    1. Log into your existing PayPal account
    2. Enter the serial number of the key
    3. Enter the 1st code from the display
    4. Wait until the code changes and enter the new code.

    Once confirmation from PayPal is received, your key is ready to use. Paypal is owned by eBay, so you can visit eBay and do the same thing if you wish to also use your key to protect your eBay account.

    Using the Key

    Using the key doesn’t add much of a hassle. You enter your username and password, but then include the key code right after your password. If you forget to enter your key code before you press login, the next page will prompt you for your key code.

    If you don’t have your key with you, you can click on the link that says “I don’t have my PayPal Security Key”.

    You’ll then be given two options:

    1. I don’t have my PayPal Security Key. The key isn’t lost, but I don’t have it right now.
    2. My PayPal Security Key is lost or broken. I would like to log in and deactivate my Security Key.

    Obviously, if you key is lost or stolen – you should deactivate it. But if you just don’t have your key with you and you want to log in, you do have a few options.

    You can continue to log in by providing one of the following pieces of information:

  • bank account
  • debit card
  • credit card numbers
  • Or answer one of the security questions, like last 4 digits of your SS number.
  • Yes, the very same information a phishing scam will likely obtain from a victim – will allow them to bypass the Security Key authentication, rendering the entire system worthless to the victim.




    Conclusion

    Save your $5, follow a few basic security tips and you’ll maintain your account security.
    1. Don’t follow any links to any paypal or other financial sites from email you get… even if it looks legit. Open a browser and type in the url you lazy bum.
    2. Use a strong password. If you don’t know what that means – you probably have a very weak password. Visit pctools.com‘s password generator for some examples.

    But the real problem I have is with this device and its implementation.

    1. The device itself isn’t hardened like many other token based authentication systems. RSA’s keys are encased in epoxy resin to prevent a cracker from reverse engineering the circuitry or programing of their system.

    2. The authentication system has been weakened drastically to account for users who don’t carry the device with them… so as not to inconvenience them too much. The secondary security questions can be answered very easily by an unauthorized person simply by using a phishing scam to obtain it – the very scams this type of authentication system is supposed to prevent.

    Recommendations to eBay

    If you want to make your user accounts phishing proof – eliminate the secondary questions and require the device for all access privileges. Otherwise, why even bother?

    Also, eBay – opt for a more hardened device that can provide me with some confidence in the security of the technology – and allow it to survive on my keychain. Check out RSA’s offerings if you want to see a decent quality OTP device.

    Read more from Security
    7 Comments
    1. Mar 18 2007

      Thanks for an interesting post.

      Another problem that I can see with allowing people to enter other details when logging in without their key is that people are basically lazy. If they don’t have to use the fob, then they won’t. Users will get used to entering personal details on the site which in turn could make them even more vulnerable to phishing attacks

    2. Mar 19 2007

      Great analysis.

      Fancy running more tests on the token? 🙂 See: http://www.signify.net/uploads/How_RSA_Tokens_Compare_to_Vasco.pdf

      Would also be interesting to actually follow through with a “token-not-present” login as Paypal seem to claim to call the user after the initial security questions.

    3. DrJeckle
      Mar 19 2007

      I think the intent of this device is to provide a low-cost, added level of security. It costs $5 and it does provide additional security, so I feel it is a success. I have the device on my keychain, and while I do not regularly throw my keys across the room, I find the device to be sturdy enough. Maybe Paypal was afraid if the device cost $10 no one would purchase it? It’s cool that you
      took the thing apart to see how it works, but the fear of reverse engineering seems a little far-fetched. I agree that the real problem is Paypal allowing people into their account when they don’t ‘have’ the key; defeats the purpose.

    4. Mar 19 2007

      Perhaps the threat of reverse engineering the fob is a low risk, but the idea of the key is to run a secret algorithm to generate access codes… if that algorithm is compromised, all keys are compromised unless they went to the trouble of installing a different seed for each key.

    5. bilbow
      Mar 26 2007

      Each key has a unique algorithm, so if one is compromised, the rest are still secure. Unfortunately, we do not know how robust the algorithm is and I could not find anything stating what is used. It could be anything from a pseudo-random number generator to strong encryption similar to that used by the US government.

      Still, I think the key is worthwhile. I don’t fear phishing attacks, but I do worry about keyloggers or other malware obtaining information that I must enter to log onto one of my accounts. Fortunately, that is only ID and password – plus the key on ebay and Paypal. I would prefer that other accounts would allow using this key as well, but such a step is likely to be years in the future.

      I don’t worry about scammers getting my credit card numbers or similar information, as I never type them on my computer. The answers to my security questions are NOT true, but pass phrases having nothing to do with the question.

      I have not tried the “don’t have key with me” process. I may try it one of these days. I am not in any rush to do so.

    6. Mar 27 2007

      You bring up a good point bilbow – the key is still effective in an environment where your password is entered into an untrusted or compromised machine.

      Thanks for the comment.

    Trackbacks & Pingbacks

    1. Advanced User PayPal Techniques « PayPal Security

    Comments are closed.

    %d bloggers like this: