|
|
|
UER Store
|
|
sweet UER decals:
|
|
|
|
Activity
|
|
752 online
Server Time:
2024-05-07 14:37:21
|
|
|
| Paypal's two-factor authentication has a big hole... entry by Avatar-X 8/2/2010 3:31 PM
| A few years ago, PayPal started offering an option to their users. For $5, you could buy a "security token". The token shows a random 6-digit number and requires you to provide this number when you sign in to PayPal, along with your username and password. The first iteration of this device looked like this: The 6-digit code on the display changes every 30 seconds. It works on a very simple and brilliant concept: Basically, the device contains a simple quartz clock, no different from the one in a cheap wristwatch. It also contains a pseudo-random number generator and an ID code. Every 30 seconds, the device generates a new random number, using its ID code as the seed value. On PayPal's servers, the same number is generated, since it knows both your ID, the time, and the algorithm. These are then matched when you try to log in. The display stays blank until you press the button, but the button merely shows the current number -- it does not affect the timing of the random number generator. What this means in simple terms is that, in order for someone to break into your PayPal account, they need: Your username Your password The six-digit code from your Security Token Since the code changes twice a minute, they'd need to either steal your token from you, or somehow convince you to give them the current code. Both of these are very difficult for someone to do without you noticing. So it's a pretty secure system. Now, I guess people complained about the somewhat bulky token, because recently PayPal launched a new type of security token: the credit-card form factor. It looks like this: It's truly as thin as a credit card, and has what looks like an e-paper screen for the number display. It's really quite a remarkable piece of technology. There's a button on the front. When you press this button (quite hard), the currently displayed code disappears, and a new code appears in its place. But, there's a big hole in this security model. Unlike the previous token, this one doesn't have a clock. The code doesn't change every 30 seconds. This takes away one of the big security features of the token-style device; simply, that you had to know the code within 30 seconds. With the new card, the codes are valid indefinitely. If you happened to catch a glance at my card and memorized the code, that code will remain valid until I log in to my PayPal account with it or with a newer code. So, for example, let's say you know my PayPal username and password. You already know one of my codes, because it is in the photo above, 463267. If I hadn't already used that code to log in to my PayPal account, you could go and log in right now -- or tomorrow, or next week. There's no time limit. Having the card is still more secure than not having it at all. But it's important to understand that it is not as secure as the older type of security token.
[last edit 8/2/2010 5:35 PM by Avatar-X - edited 1 times] Modify Entry |
|
Comments: (use Reply to add a comment) Avatar-X Alpha Husky
Location: West Coast Gender: Male Total Likes: 765 likes
yay!
| | | | Re: Paypal's two-factor authentication has a big hole... < Reply # 6 on 8/3/2010 1:22 PM > | Reply with Quote
| | | Posted by Avbrand Blog Commenter Sorry, Avator-X, it's you who doesn't understand.
| No, really, it's you. Read my article more closely and you will see. If you press the button to get a new code and immediately use that code, that code is then no longer valid. | Yes. I know. I said exactly that in my article. You even quoted it. The problem is that the code is valid UNTIL it is used, potentially for weeks. the code changes every 30 seconds... if they see the code and done use it within (i think its 43 seconds) then a new code is required... | Yes, the "old"-style security token works like this (the first one pictured in this article). But the new one does not. The new one does not generate a new node every 30 seconds. If you push the button a bunch of times does it generate a new code each push? | Yes. Every time you push the button, you get a new code, even if you push it 10 times in 10 seconds. If so, how would the server know the code? | It doesn't know exactly which code you have on your screen, but it knows the next 100 codes that your card will generate, and it will allow you to log in with any one of these codes. It might not be 100, it might be 10 or 1000, but that's how it works. It's a matched random number generator that are both seeded with the same seed. If not, its the code only valid until you log in, and you have to log in to get a new code? | Yes, the code can only be used once. Once it has been used to log in, you can't use that code again. If that is the case, how does the card know to generate a new code? | It generates a new code when you push the button. The card doesn't "know" anything... it has no connection to the outside world. It only generates a code when you push the button and that is all. I can see that some of you are having trouble understanding how this code thing works, so I will try to explain it: In the computer world, there is no such thing as a truly "random" number. Randomness is something that you cannot create in mathematics -- it must come from an outside source. But, most of the time, you don't really need true randomness, you just need the appearance of randomness. So computers have something called "pseudo-random number generators". These generators produce a series of numbers that are "random enough" for most purposes. These pseudo-random number generators work from a "seed". The seed is the starting input, and it defines the sequence of numbers that are produced. If you provide two random number generators with the same seed, even if they're on different computers half a planet apart from each other, the same sequence of numbers will be generated. So, now, let's take a look at these security devices. For the sake of this example, let's say my starting seed is "1234". When given a seed of 1234, the number generator outputs the following numbers:
The chain of possible numbers is infinite, but let's just work with those 7 numbers. Now, PayPal has embedded the same random number generator algorithm and initial seed value into the card. So the first number it displays is 45. When you push the button, it simply advances to the next number in the sequence. So lets say I push the button a few times and now it displays "12". Now, I try to log in to PayPal. It asks me for the code, and I put in "12". PayPal was expecting "45", but it can see that "12" is one of the upcoming possible answers, so it lets me in. PayPal now advances a marker in their database, marking that the next valid code is "65". If I try to log in again with the code "12", it will fail. 12 is not the "current" code, nor is it one of the next few codes. The same goes if I try to log in with "45" or "43", as these codes are also not "current". I hope I've explained how the relationship between the card and PayPal works...
| huskies - such fluff. |
| Avbrand Blog Commenter Comments from the AvBrand Blog
Total Likes: 3 likes
| | | AvBrand Blog Comment: Jim < Reply # 13 on 8/4/2010 5:09 PM > | Reply with Quote
| | | Not that it matters much, but I am curious how long have you let the token code sit to confirm its not fading? I think it may take several days (I just generated a fresh code on mine now so I’ll find out) – but as you said yours may not fade at all. I think the “Bob” example is a good one. And if you are worried about him, then you are correct in saying that the new token is less secure. However, “more” or “less” secure is relative to the risk you are trying to prevent and it is possible for both tokens to be equally secure in relation to certain risk factors. It’s fair to assume that one can always come up with risk factors that a solution can’t prevent against. Does that make it “less secure” overall? The probability of that risk factor occurring is just as relevant. Think of it kind of like trying to prevent yourself from randomly being struck by lightning. There are definitely some things you can do to reduce that chance. If you’re walking around in an open field during a thunderstorm, then you probably want to consider some preventative measures. Then again, if you are walking around on a cloudless summer day, I’d venture to say you could walk the same field dressed as the “Tin Man” and not have a concern (for the lightning that is but the heat will get ya instead). Let’s take the example of a bad guy attempting to use a phishing attack to get into your PayPal account. Let’s also make this bad guy a stranger – meaning he doesn’t know you and doesn’t have physical access to you or your possessions. In this case, I don’t believe that either token is notably less secure than the other. Do you agree? I believe that in current times, the majority of attacks on personal accounts are done by strangers, similar to this example, and not “friends”. That’s not to say that there aren’t ways for bad guys to still get into your account when you use either token – it’s just that the level of difficulty has been raised considerably and therefore the risk is lessened. Just to continue the discussion a bit - if a person does not have access to your physical token, are there any other cases where the time token is notably more secure than the event driven one?
| |
|
This thread is in a public category, and can't be made private. |
|
All content and images copyright © 2002-2024 UER.CA and respective creators. Graphical Design by Crossfire.
To contact webmaster, or click to email with problems or other questions about this site:
UER CONTACT
View Terms of Service |
View Privacy Policy |
Server colocation provided by Beanfield
This page was generated for you in 140 milliseconds. Since June 23, 2002, a total of 740930136 pages have been generated.
|
|