OT: eBay/Paypal security
trixter at oldskool.org
Fri Nov 2 15:48:19 CDT 2007
Curt @ Atari Museum wrote:
> The real key to
> implementing this is that the keyfob code has to be manually entered by
> requiring mouse over clicks across a number bar on the screen, not
> typing it into a text box, otherwise a fake site could grab the login
> info, relay it into paypal via a script and then process and run an
> automated script once logged in to transfer/remove funds.
(Disclaimer: I used to work in the security industry)
(Disclaimer2: I am not ranting against Curt, just trying to dispel some
myths and paranoia before they start)
If someone is willing to target you so specifically, I don't think a
"manual" method of entry is going to make a difference. Setting up that
level of phishing is so much work that, I am not making this up, it is
easier to just visit your house with a gun and extort the cash from you.
Seriously. There were stories in my industry of someone coming up
with a new protection method for an ATM or something (like a way to
prevent people from spying on the keypad, or requiring double-entry
where the second entry had reversed number positions on the screen) and,
I kid you not, it wasn't worth the mafia's effort to try to crack it --
instead, they showed up at the engineer's office with a picture of his
family and asked him, "nicely", to reveal how it worked.
You'd have to be some millionaire classic computer collector to attract
that kind of attention. A keyfob is so much trouble to scammers and
phishers that they don't even bother, they just move to the millions of
others who don't use one.
And the "but people steal cars locked with The Club too!" argument
doesn't work here -- The Club is a placebo. Any hacksaw can get through
it in 45 seconds. The keyfob has a six-digit number seeded specifically
for you and changes once a minute and the period is something crazy,
like 2^19337 before it repeats. Our bones will turn to dust long before
the number is guessable :-)
Bottom line: Don't fear the keyfob. It's a no-brainer for $6.
Jim Leonard (trixter at oldskool.org) http://www.oldskool.org/
Help our electronic games project: http://www.mobygames.com/
Or check out some trippy MindCandy at http://www.mindcandydvd.com/
A child borne of the home computer wars: http://trixter.wordpress.com/