Image taken from “http://www.askdavetaylor.com/8-blog-pics/paypal-security-key-3.png”

PayPal is a company deeply rooted in security measures, as it should be, since it handles a large share of the e-commerce transactions that occur in the world today. Although it has had some minuscule issues in the past, it has made significant strides to improve security and to relieve its users of at least a small portion of the stress in their hectic lives.

PayPal has two security features available to users that seem to be relatively little used, or little known: the PayPal security key and email identification.

The PayPal security key is essentially a random code that is generated and then entered along with your login credentials. The key itself is a small device that you carry with you and use to generate a fresh code whenever you want to log in to the service. The device costs around 30 dollars, but that is a small price to pay in a world where it feels as though everyone is out to get you. PayPal also offers a mobile security key option, which sends users their randomly generated codes by text message so they can use them to log in.

However, along with “randomly” generated keys comes an algorithm that determines how those keys are generated. It isn’t far-fetched to imagine that an attacker could get his hands on the algorithm and thereby render the security key useless. This led us to dig deeper online to see what we could find out about the security key. We stumbled upon a website where the key was taken apart and analyzed. The first thing noticed was that the key was not ultrasonically welded together, as almost every other key-based authentication device is. Most of these other devices are also encased in epoxy resin to prevent attackers from accessing the circuit board. Once the PayPal key is opened, however, the circuit board is sitting right there, and a hacker could reverse engineer the circuitry and gain unauthorized access to someone’s account. There is also a secondary authentication method in place for when the user does not have the key with them. It involves answering a series of questions to prove who you are. This method of authentication has long been a problem, because the answers can easily be obtained through a phishing scheme, which is exactly what the security key is trying to prevent.
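To make the point about “the algorithm” concrete, here is an added example (not from the original post, and not a description of PayPal’s device) of a generic HMAC-based one-time-password token in the style of RFC 4226: the algorithm is public, so what actually protects an account is the per-device secret seed stored on the token, which is why tamper resistance of the board matters. Device names, seeds and the server’s look-ahead window are constructed values.

```python
import hashlib
import hmac
import struct
from typing import Dict

# Constructed illustration of an RFC 4226-style HOTP token and its verifier;
# not a description of PayPal's device, whose internals the post does not give.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One OTP from a per-device secret seed and an event counter."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()  # 20-byte HMAC-SHA1
    offset = digest[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TokenServer:
    """Holds each device's seed and the last counter it accepted."""
    def __init__(self, seeds: Dict[str, bytes], window: int = 5):
        self.seeds = seeds
        self.counters = {device: 0 for device in seeds}
        self.window = window

    def verify(self, device_id: str, code: str) -> bool:
        seed = self.seeds.get(device_id)
        if seed is None:
            return False
        last = self.counters[device_id]
        # Look ahead a few counters so unused button presses do not lock the
        # user out; never accept a counter <= last, which rejects replayed codes.
        for candidate in range(last + 1, last + 1 + self.window):
            if hmac.compare_digest(hotp(seed, candidate), code):
                self.counters[device_id] = candidate
                return True
        return False

# Two tokens running the identical public algorithm with different seeds.
SEED_A = b"constructed-seed-for-device-A"  # constructed value
SEED_B = b"constructed-seed-for-device-B"  # constructed value

def demo() -> Dict[str, bool]:
    """Knowing the algorithm is not enough; the seed decides which codes are valid."""
    server = TokenServer({"A": SEED_A, "B": SEED_B})
    code_a = hotp(SEED_A, 1)
    return {
        "same_algorithm_different_codes": hotp(SEED_A, 1) != hotp(SEED_B, 1),
        "valid_code_accepted": server.verify("A", code_a),
        "replay_rejected": not server.verify("A", code_a),
        "seed_a_code_rejected_for_b": not server.verify("B", hotp(SEED_A, 2)),
    }
```

The `hotp` function reproduces the RFC 4226 test vectors (secret `12345678901234567890`, counter 0 gives `755224`), and `demo()` returns all-true: a code is accepted once, a replay is refused, and a code from one seed is worthless against another device.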

PayPal’s email identification is a tool that attempts to reduce phishing scams by verifying whether an email actually came from PayPal. Email providers such as Gmail have incorporated an authentication icon that is shown on emails from authorized senders. This removes the time spent wondering whether an email is from a credible vendor or whether someone is trying to take you for all that you own! It also raises a concern: an attacker could spoof a verified email address, making the end user believe the email was credible and fall victim to a phishing scam.