Tequipment.net bleh.


How does it work? Is it a rolling code like a garage door opener? How does PP know what the new code number is? If it is just random and you have to tell PP what it is ahead of time, how is that different from a password, just a better password (more random rather than 123abc)?

Rick

Reply to
rickman

I usually try to avoid security discussion. Looks like I screwed up again.

More than you probably wanted to know or read:

No. The garage door and car door locks change code each time the user pushes the button. The Verisign OTP changes every 60 seconds whether it's used or not. The algorithm conglomerates the date, time, device ID code, position of the moon, Verisign stock price, some random numbers, and produces an OTP (one time password), which the user is expected to type into the web page within 60 seconds.

Paypal doesn't know the OTP code. Its servers simply run the Verisign server side software for generating the OTP code. Nothing is saved by Paypal, which would be futile anyway, because the same code is not reused. Sniffing is also futile because the actual OTP is not sent over the internet. Instead a hash of the OTP and a bunch of other junk is sent to the server.

I am NOT a security expert, and therefore would have difficulties explaining the relative merits of the various authentication schemes. However, this one is easy. Let's pretend that I send you my Paypal login and password. You login to Paypal and try to empty my bank account. One problem. You don't have an OTP key generator. No matter what you do, you're not going to get past the challenge unless you have the correct 6 digit response. In effect, I have in my possession a physical device (hardware security) which is required to access the account.

On to passwords. Passwords suck. Passwords that people can remember are usually easy to guess or compromise with a brute force attack (rainbow tables). Passwords that are fairly secure are also long and difficult to remember. So, users write them down, save them on USB drives, save them in their smartphone address book, or hide a Post-it note with the password under their keyboard. The important point is not that it can be stolen, but that a password can be used more than once. Once the password has leaked out of your control (such as via a phishing site), it's gone and almost certain to be abused.

Incidentally, if you must save your passwords, encrypt them:

The combination of a re-usable password and an OTP has many advantages. If you lose your football or card, you can simply login and deactivate it (using the lost card procedure and the usual security questions). If you accidentally leak your password, the OTP device will still protect your account. There are problems with OTP systems, but nothing as bad as problems with just a password.

--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 
Santa Cruz CA 95060 http://802.11junk.com 
Skype: JeffLiebermann     AE6KS    831-336-2558
Reply to
Jeff Liebermann

Ok, the same thing, it just changes with time rather than a button push. But the question is, does the server know what number to expect or do you send the number to the server first, then use it in the transaction. That wouldn't make sense to me.

Ok, so their computers DO know the code. It is a function of stuff known by both sides. I wonder how the football keeps track of the time accurately enough... or maybe the server is smart enough to work with a window and get a read on the time from the football based on which code is sent. Accepting three codes (minute that is expected, +/-1) shouldn't compromise security significantly.

This is not related to my question. I think I understand now how the server and the football stay in sync, it is time based and the server must have a way of syncing, much like a rolling code.

Yeah, this is better than nothing. I heard a show on radio talking about the lack of security with PIN numbers. Of course the most common one is 1234. Someone got their hands on a bunch of them that I think someone else had compromised and analyzed them. There were some few dozen that were used maybe 50% of the time (don't hold me to the exact numbers) but you get the idea. I take the advice of good people and have more complex passwords and PIN numbers. I just had to change a bunch of mine.

Rick

Reply to
rickman


Whenever I do any transactions that involve my employer, I have been instructed to use the company network only and company purchasing policies, and only veer when absolutely necessary with lots of approvals from overhead.

As for my extra curricular jobs (moonlighting), I go for the cheapest route. I made suggestions many times to the purchasing dept at work for alternative sources for materials and components but get shot down in favor of their suppliers, which usually screw them very good! The only time they go outside that is when they have to.

I see more money wasted and distributors that sell us stuff making a fortune on the place I work at. Either the people that write the checks are blind sided, ignorant or got their hands in some one's pockets to benefit their own, could be the only explanation I can come up with.

Jamie

Reply to
Jamie


Hi Evan, First I appreciate your response here. It was I who mentioned the Rigol 'scopes. The details were taken care of by someone else in my company. (So I don't have access to them... and don't want to bother the person.) The 'scopes eventually arrived and everything is now fine... but at the time I remember thinking we might have to order them from someone else.


That's reassuring, thanks,

George H.


Reply to
George Herold

Good point. I gotta read the fine print. However, I'm fairly sure that time is involved somehow.

Ok, I tried it, except that I only waited about 5 minutes, and used my Paypal account instead of eBay. After I logged into Paypal, instead of greeting me with the usual challenge, it declared: "We weren't able to validate the security code you entered. To log in, please reactivate your security key. It just takes a minute." Unfortunately, I didn't enter a code that it couldn't activate. When I tried to reactivate the card, it bombed and proclaimed that there was a "system error". I think I'll need to wait a while before I try this experiment again. I hate Mondays.

15 minutes later... Ok, time to try again. I entered the code generated about 20 minutes ago, and it worked. Y'er right. So much for my clock sync guess. I'll try it with a 1 hr delay later. This is not good. If I demo the card, someone remembers the number, and then goes home an hour later and uses it to login to my account, I've got a big problem. No more demos at coffee shops and meetings.

The Verisign price was about $75 a year ago. My guess(tm) the price cut was to find a working price point at which people and companies would pay. The card and football probably cost about $2 to produce, so the bulk of the price is royalties, IP, distribution, and service charges. That could be almost any price.

I did it once when I left the card at home. I don't recall anything that said it could only be bypassed once. If so, it's still a problem because it only takes one successful hack to empty the bank account.

Good point. The bank account to which my Paypal account is tied has a maximum of $500 in it. My other accounts at the same bank make the bank charges for this account quite small. The credit card that's attached has a $1500 maximum, with which I have incredible difficulties preventing the company from raising my spending limit. So far, no problems with either.

Reply to
Jeff Liebermann

I generated a series of codes on the card and wrote them down. I then tried each one in turn with various delays on my Paypal account login:

5 min: worked
14 min: worked
33 min: failed
46 min: failed
91 min: failed

So, there's a time window, where it will accept any code produced in that window. That's much like the automobile wireless key fob system, which generates 256 usable codes in advance, and will allow any of the 256 to be used each time. Since the code changes on the card approximately every 30 seconds, a 15 minute window will allow about 30 codes (minus time necessary to punch the button and wait for the display to clear), all of which will work for about 15 minutes. This sucks but is probably necessary to make the system work without time sync.

I'll dig more into this after I separate some customers from their money.

Reply to
Jeff Liebermann

Ok, that nullifies everything. How does the server know what code to expect? It has to be a rolling code. What happens if you push the button twice and use the second code? Then try using the first code...

I would NEVER give PP my bank account info. They can put money into the account, they can take money out of the account. You then have to deal with them to get it back! With the credit card the company deals with PP and they have a lot more weight!

Rick

Reply to
rickman

I just tried that test and it works. So, you're correct. It's a rolling code system: It's similar to the automotive keyless entry system, except that the door lock code is sent via RF, while the user has to type in the code from the LCD display. The server creates a small number of codes that will work. For the automotive keyless entry system, it's 256 codes, but probably fewer for the card key. When the user sends a successful code, the code generator resynchronizes the "clock" on the server so that the generated codes do not drift out of the window caused by a drifting clock in the card key.

That's why I keep the bank balance and credit card limit small. I find the Paypal convenience well worth the risk, but I do not believe it is necessary to risk my entire bank account. While not totally risk free, it does minimize the exposure and reduce the damage in case of a problem.

Reply to
Jeff Liebermann
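The two models discussed in this thread (Rick's suggestion of accepting the expected minute plus or minus one for a time-based token, and Jeff's observation that the card behaves like a rolling code whose server-side counter resynchronises on a successful login) can be shown side by side with a small verifier. The code below is an added illustration, not code from this thread, from PayPal or from Verisign; it assumes the token and server share a secret and derive codes with an HMAC-based one-time password (the HOTP construction of RFC 4226), which is a stand-in for whatever proprietary algorithm the real card uses. The secret and the window sizes are constructed for the demo.

```python
import hmac
import hashlib
import struct

# Constructed demo secret; a real token's seed is provisioned at manufacture.
SECRET = b"constructed-shared-secret-for-demo"
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """The card/football: every button press advances its own counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class RollingCodeVerifier:
    """Server side of an event-based (button-press) token.

    The server keeps the next counter it expects, accepts any code from the
    next `look_ahead` counter values (the 'window' Jeff measured), and on a
    match moves its counter past the matched value, so the matched code and
    every earlier code are burned and cannot be replayed.
    """

    def __init__(self, secret: bytes, look_ahead: int = 30):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, candidate: str) -> bool:
        for step in range(self.look_ahead):
            c = self.counter + step
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1          # resynchronise to the token
                return True
        return False                          # outside the window: reactivate


def totp_verify(secret: bytes, candidate: str, now: float,
                step_seconds: int = 60, skew: int = 1) -> bool:
    """Time-based variant: counter = floor(now / step). Accepting the expected
    step and +/- `skew` neighbours tolerates a slightly drifted token clock."""
    base = int(now // step_seconds)
    return any(hmac.compare_digest(hotp(secret, base + d), candidate)
               for d in range(-skew, skew + 1))


def guess_success_probability(window: int, attempts: int, digits: int = DIGITS) -> float:
    """Chance that `attempts` random guesses hit one of `window` codes that are
    valid at the same time; shows why a 30-code window costs a factor of 30."""
    return 1 - (1 - window / 10 ** digits) ** attempts


def demo() -> dict:
    """Rick's experiment: press twice, use the second code, then try the first."""
    token = Token(SECRET)
    server = RollingCodeVerifier(SECRET, look_ahead=30)
    first, second = token.press(), token.press()
    results = {
        "second_accepted": server.verify(second),      # inside the window
        "first_after_second": server.verify(first),    # burned by the resync
        "replay_second": server.verify(second),        # already consumed
    }
    for _ in range(40):                                # button mashed without logging in
        token.press()
    results["beyond_window"] = server.verify(token.press())  # token drifted too far
    return results


if __name__ == "__main__":
    print(demo())
    print("p(1 guess hits one of 30 live codes) =", guess_success_probability(30, 1))
```

Running `demo()` reproduces the thread's observations: the second code logs in, the first code is then rejected, the second cannot be replayed, and a token pressed far beyond the look-ahead falls out of sync and would need the "reactivate your security key" path. The time-based `totp_verify` shows Rick's alternative, where the window is measured in clock steps rather than button presses.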

You have protections on the Credit Card, you have few, if any with the bank. They can take money out of your account that you don't have in there. I suppose your bank will only honor a small overdraft though. Still, you get hit with fees and it's a mess.

Why bother with the bank account? I am verified without it.

Rick

Reply to
rickman

Good question. I was under the impression that I couldn't get a "verified" PayPal account based solely on a credit card. At least that was the case when I originally signed up many years ago.

Incidentally, when I pay for something with Paypal, I seem to have a choice of paying for it with an automatic bank draw, or with the saved credit card. I usually use the bank draw, but will try the credit card on my next purchase to see if that works.

Reply to
Jeff Liebermann

I've used both with no problem.

Reply to
Michael A. Terrell


Really? Just doing what is profitable is older than the industrial revolution. Did you learn nothing in your history courses?

Some variation between short term profits (or most currently stock appreciation due to a lower tax rate) and long term corporate survival is driven by legislation and regulation.

?-)

Reply to
josephkk


I bought a Rigol DSO from Saelig. The Rigol went out of stock before they could ship my order (big run due to the price drop), they were honest and up front about the situation from the get go. They offered me an in stock Owon that out-spec'd the Rigol, I chose to wait for the Rigol. Maybe I chose right maybe I chose wrong. I am still a satisfied customer.

YMMV

?-)

Reply to
josephkk

I've heard many good things about Saelig, but have not personally used them.

Best regards, Spehro Pefhany

--
"it's the network..."                          "The Journey is the reward" 
speff@interlog.com             Info for manufacturers: http://www.trexon.com 
Embedded software/hardware/analog  Info for designers:  http://www.speff.com
Reply to
Spehro Pefhany

I mean the things that are profitable now are not the same things that were profitable 30 years ago. Stuff happens...

Rick

Reply to
rickman

Yeah, I've bought stuff from them, never had any issues to speak of.

Jamie

Reply to
Jamie
