OT: eBay/Paypal security

Jim Leonard trixter at oldskool.org
Fri Nov 2 15:48:19 CDT 2007

Curt @ Atari Museum wrote:
> The real key to 
> implementing this is that the keyfob code has to be manually entered by 
> requiring mouse over clicks across a number bar on the screen, not 
> typing it into a text box, otherwise a fake site could grab the login 
> info, relay it into paypal via a script and then process and run an 
> automated script once logged in to transfer/remove funds.

(Disclaimer: I used to work in the security industry)

(Disclaimer2: I am not ranting against Curt, just trying to dispel some 
myths and paranoia before they start)

If someone is willing to target you so specifically, I don't think a 
"manual" method of entry is going to make a difference.  Setting up that 
level of phishing is so much work that, I am not making this up, it is 
easier to just visit your house with a gun and extort the cash from you. 
  Seriously.  There were stories in my industry of someone coming up 
with a new protection method for an ATM or something (like a way to 
prevent people from spying on the keypad, or requiring double-entry 
where the second entry had reversed number positions on the screen) and, 
I kid you not, it wasn't worth the mafia's effort to try to crack it -- 
instead, they showed up at the engineer's office with a picture of his 
family and asked him, "nicely", to reveal how it worked.

You'd have to be some millionaire classic computer collector to attract 
that kind of attention.  A keyfob is so much trouble to scammers and 
phishers that they don't even bother, they just move to the millions of 
others who don't use one.

And the "but people steal cars locked with The Club too!" argument 
doesn't work here -- The Club is a placebo.  Any hacksaw can get through 
it in 45 seconds.  The keyfob has a six-digit number seeded specifically 
for you and changes once a minute and the period is something crazy, 
like 2^19337 before it repeats.  Our bones will turn to dust long before 
the number is guessable :-)

Bottom line:  Don't fear the keyfob.  It's a no-brainer for $6.
Jim Leonard (trixter at oldskool.org)            http://www.oldskool.org/
Help our electronic games project:           http://www.mobygames.com/
Or check out some trippy MindCandy at     http://www.mindcandydvd.com/
A child borne of the home computer wars: http://trixter.wordpress.com/

More information about the cctalk mailing list