PayPal's New Authentication Scheme - InformationWeek

EBay's payment arm test-drives random-number generator

2:55 PM -- When I'm not working on stories about IT security (only a few minutes each day, I promise), I have a side business buying and selling sports trading cards on eBay. So you can imagine my consternation as I'm bombarded each day by reports of spam and phishing attacks on eBay and its online payment subsidiary, PayPal.

EBay and PayPal are, in fact, the number one targets of phishers, and any bozo can now buy a kit that provides the logos and information needed to impersonate either of them. Researchers at Trend Micro reported last month that a PayPal ID and password can now be purchased on the black market for just seven bucks. (See How Much Is That Exploit in the Window?)

But it looks like PayPal -- finally -- is fighting back. According to a report today on, PayPal is beta testing a new random number generator that will add an additional factor of authentication to its arsenal.

For five bucks, PayPal users can now buy a keychain fob that displays a new passcode every 30 seconds, which must be entered along with the password before a user can access a PayPal account. Strictly speaking the fob is not a random number generator: like other one-time-password tokens, it computes each code with a keyed one-way function from a secret stored in the device and the current time, and PayPal, which holds a copy of that secret, computes the same code to check it. An attacker who has phished only the password can no longer log in; he also needs the code the token is showing right now.

You could certainly argue PayPal's choice of technologies. The code generator itself isn't where a determined attacker will push, though: nobody needs to crack it when a code is good for a short window and a fake login page can simply collect the victim's password and current passcode and relay both to PayPal before that window closes. The server also has to reject a code once it has been used, or a captured one can be replayed until the window expires. There's also the question of whether PayPal users -- many of whom are a few cards short of a set -- will be able to hold onto a token, or remember how to use it properly.

Whatever you think of PayPal's approach, though, you have to give the company credit for doing something to stem the rising tide of phishing aimed at its users. Most banks and financial institutions have already moved beyond single-factor authentication under the FFIEC's 2005 guidance on authentication in an Internet banking environment, which expected them to comply by the end of 2006. PayPal should have made this move long ago.

Like a locked car door or a home alarm system, PayPal's random number generator won't stop determined identity thieves, but it may just discourage some of the bozos. And as somebody who does business on the site, I definitely won't miss them.

— Tim Wilson, Site Editor, Dark Reading