So I've been waiting for this for a while now, PayPal's new PIN system. You pretty much pay $5 USD and they ship you a nice pretty number generator by Verisign. So now instead of just typing in your user name and password you now also have to type in a 6 digit number that is generated by your little LCD screen you got for five dollars.
Now my question is, what are the attack vectors here? I can't see many since the number is changing every 30 seconds or so. The only thing I could see is to somehow solve the algorithm that's producing the 6 "random" numbers. Any ideas?
btw, I purchased one today so I'll prob have it by the end of the week, I'll post pics when I get them!
Cheers.
LINKS:
https://www.paypal.c...rityKey-outside
https://www.paypalob...ritykey_us.html (demo)
Welcome to Binary Revolution Forums
Paypal Pin system
#2
Posted 16 October 2007 - 09:43 AM
phyburn, on Oct 16 2007, 03:38 AM, said:
Now my question is, what are the attack vectors here? I can't see many since the number is changing every 30 seconds or so. The only thing I could see is to somehow solve the algorithm that's producing the 6 "random" numbers. Any ideas?
I'm pretty sure these are rebranded SecurIDs: http://en.wikipedia.org/wiki/SecurID
You can check the links from there for technical information on how it works, and a few papers on cryptanalysis of them. I haven't read any of the papers, but I presume it'd be a matter of figuring out a unique "seed" number or password that is used to set off the number generator along its way. I guess the idea would be to find it based on a set of generated numbers and times. It must be pretty difficult to do so, or the attacks must be very impractical, though, as I haven't heard of anyone successfully breaking it, or any discussion of why they should not be used because of insecurities.
#3
Posted 16 October 2007 - 12:21 PM
I've got one for my paypal account.
Quote
So now instead of just typing in your user name and password you now also have to type in a 6 digit number that is generated by your little LCD screen you got for five dollars.
You need to provide your username AND password AND PIN number from the device. Not just the PIN number.
It is just a rebranded Verisign Secure ID thing. Verisign has EXCELLENT documentation on how this thing works. Even how the generation of the PIN number is done.
#4
Posted 16 October 2007 - 05:11 PM
riscphree, on Oct 16 2007, 10:21 AM, said:
I've got one for my paypal account.
Quote
So now instead of just typing in your user name and password you now also have to type in a 6 digit number that is generated by your little LCD screen you got for five dollars.
You need to provide your username AND password AND PIN number from the device. Not just the PIN number.
It is just a rebranded Verisign Secure ID thing. Verisign has EXCELLENT documentation on how this thing works. Even how the generation of the PIN number is done.
I said you ALSO have to type in the PIN =p
Do you have links to any of these documents?
#5
Posted 16 October 2007 - 08:32 PM
#6
Posted 16 October 2007 - 09:38 PM
You can find docs on the system here:
http://www.verisign....entication.html
Quote
I said you ALSO have to type in the PIN =p
Sorry, I read your post too fast.