PayPal takes security seriously
Wednesday, February 14th, 2007
I have to admit I wasn’t expecting PayPal to be the first company that realised phishing was a real problem, but having just read a BBC News article reporting that PayPal is introducing a security token, I am very pleased to see this happen.
How do they work?
These Verisign tokens are devices that generate one-time passwords every 30 seconds using a cryptographic key known only to the token and the server. PayPal will be selling these for $5 (USD), which is frankly a ridiculously cheap price for these tokens. The suggestion on BBC’s site that PayPal should be providing them for free is interesting, but I would pay a lot more if I managed to persuade my banks to provide these. Separating the authentication from the computer by requiring the user to type the tokencode into the system will vastly improve security, although it doesn’t solve the problem outright.
The article does acknowledge a problem with man-in-the-middle attacks, which are still possible as long as the malicious party is ready to use the tokencode as soon as it becomes available to them. This means that someone engaged in phishing would need to run a site which persuaded you to give them the tokencode, which they then used to log in to PayPal straight away. This does decrease the window of opportunity significantly, however. One-time passwords in general have always suffered from race conditions, and this is not too different.
The keyring problem
These tokens have already been used in the corporate market for many years, with RSA SecurID being one of the leaders. Similarly, banks have used them for specific applications like corporate banking, stock brokerage, etc. When they wake up, realise the benefits of cutting fraud and introduce them for all customers, we are all going to have fun carrying around one of these tokens for each of our bank accounts, workplace login systems, etc. They may be getting smaller, but they aren’t that small.
Sooner or later, some kind of hybrid solution needs to be found. Sharing the token ‘secret key’ (the encryption key located on the token and the server) is clearly not an option unless it’s a full private-public key infrastructure. Even then, with codes as short as six digits (or, in RSA SecurID special applications, I believe up to eight), I’m not sure how feasible that would be whilst maintaining security, seeing as you don’t want your employer having the keys to your bank account, etc.
Another option is a trusted third party verification system, something that is already being tried on the Internet in general for unified logins. However, it then comes down to the question of whether you trust the third party. Is it wise to put all your eggs in one basket?
What I suspect will happen, certainly for devices which show digits on the front, is that hybrid devices will come in which can securely store multiple secret keys, each in turn working for different functionality. In the long run, it’s also quite possible that smart cards will take over, in which case a full PKI infrastructure will manage the problem with a single key. The reason why these ‘tokencode’ devices are so useful is that they require no hardware interface to a PC (although some have USB interfaces), which means they can be rolled out at minimal cost. To an extent this already happens, with RSA having soft tokens for PDAs and mobile phones.
Open standards & low quantities
The one change I would like to see this industry make is for the standards to become open and for individual keys to be sold without the need to buy a huge infrastructure to go with them, as this would encourage even smaller companies to adopt these devices, which are currently priced for the corporate market. RSA has launched a SecurID appliance, but the cost per user is still very large and the licensing overly complex. Charge £10-20 per token and £10 per order to deliver the keys, and allow open development of the server applications. Of course, I doubt RSA will go that way as they would fear for their corporate business, but sooner or later this cash cow will mature into a competitive industry. It is worth adding that some platforms are more open than others, some of which are linked below.
I have also just seen the Initiative for Open Authentication which is trying to unify authentication architectures and looks promising.
Links