PayPal to offer password key fobs to users

Passwords generated for one-time use are designed to increase security for PayPal and its account holders.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
2 min read
eBay is getting ready to offer its PayPal users a password-generating key fob that promises to increase the security of the online payment service.

The device displays a new one-time password in the form of a six-digit code about every 30 seconds. PayPal clients who opt to use the device will enter this password along with their regular credentials when signing into the service. The key fob is meant as another weapon in the battle on data-thieving phishing scams.

"If a fraudulent party somehow got hold of a person's username and password, they still wouldn't be able to get into the account because they don't have the six-digit code," Sara Bettencourt, a PayPal spokeswoman, said by phone Thursday. "This by no means is a silver bullet that is going to stop fraud. This is just another layer of protection."

PayPal Security Key
PayPal Security Key

The "PayPal Security Key" will cost $5 for personal PayPal accounts, but will be free for business accounts, Bettencourt said. PayPal has been testing the device with employees for a couple of months and plans to start trials with customers in the next month or so, she said. As of September 30, there were nearly 123 million PayPal accounts, eBay has said.

PayPal users in the U.S., Germany and Australia will be able to sign up for the trial through a special Web site, Bettencourt said. "Based on the response, we look forward to eventually rolling it out in other countries," she said.

The password-generating device is based on technology from VeriSign, with which eBay entered into a security partnership in 2005. Such key fobs are also used for added security by large corporations for access to corporate resources, and some banks and brokerage firms offer them to clients with a high net worth. Other companies that supply the password gadgets include RSA and Vasco.

eBay and PayPal are common phishing targets. These prevalent scams typically use fraudulent Web sites made to look like legitimate sites and spam e-mail to trick people into giving up their personal information such as login names and passwords.

In a recent survey of Google's public blacklist of phishing sites, security researcher Michael Sutton found that nearly half of all the active phishing sites targeted either eBay or PayPal. The Google blacklist is used in Google's Toolbar for Firefox and the Firefox 2.0 browser.