Gartner has estimated that phishing attacks cost the US something in the region of $2.8 billion last year, a problem that is growing fast, as shown by the statistic that the average individual loss per attack rose from $256 in 2005 to a staggering $1,244 in 2006. Banks are taking these kinds of figures very seriously indeed, as you might imagine, and one of the security solutions attracting their interest is the so-called ‘two-factor authentication’ device.

This takes the form of the usual username and password login, together with a second layer of user authentication. Some banks have chosen the ‘random digits from a long PIN’ approach, whereby you choose an 8-digit number and, after the first login stage, are asked to input, say, the 2nd, 4th and 7th digits in order to gain access to your account. Even if your username and password were compromised, the attacker would also have to know your ‘long PIN’ to get all the way into your account. Strictly speaking, though, this is still ‘something you know’ rather than a genuinely different factor, which is exactly its weakness.

Of course, if the attacker has phished the username and password out of his victim, the chances are pretty high that he could have got the PIN data as well (a spoof site can simply ask for all eight digits). Which is why the banks with a better understanding of risk tend to look towards hardware tokens when it comes to the second authentication factor.

And so it is that PayPal, one of the biggest targets of phishing attacks along with parent company eBay, is opting to roll out hardware-based security keys to users who choose to pay $5 for the device (free to business account holders) in return for increased security. And oh boy do they need it. Take a cursory look at the Google anti-phishing blacklist logs and you will see that between them they account for pretty much half of all phishing scams.

Based upon the VeriSign One-Time Password token, and looking for all intents and purposes like a new take on the old Tamagotchi craze, this small key-fob device simply calculates a new six-digit numeric password every 30 seconds, using an algorithm seeded with a secret that is unique to your device. You can see a demo of it in action here.

The device is due to be rolled out to US PayPal and eBay customers shortly, making eBay transactions a whole lot safer. Of course, such hardware token based key fobs are no cast-iron guarantee against phishing attack, as Citibank has already discovered.

Last year a Russian phishing gang used a spoof site that asked for the authentication token code along with the usual login details, and relayed them to Citibank within the code's validity window: a ‘man in the middle’ attack on the Citibank accounts. The one-time code stops a phisher reusing captured credentials later, but it does nothing against a phisher who forwards them to the real site straight away; for that, the second factor would need to be bound to the genuine site or to the transaction being authorised. As usual, this relies upon the gullibility of the victim in the first place, but it also goes to show that any kind of security that requires stupid user input is only ever as clever as that stupid user. Not that I am knocking PayPal here, far from it: I applaud them for taking the phishing issue seriously enough to invest in current technology such as this in order to add a layer of protection that will do just that for the vast majority of its users.
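To make the two points above concrete (the fob computing a fresh six-digit code every 30 seconds from a device-unique secret, and the Citibank-style relay beating it within the timeout), here is an added worked example. It is not code from the page, from PayPal or from VeriSign: the fob's actual algorithm is not described here, so a standard OATH TOTP construction (RFC 6238: HMAC-SHA1 over a 30-second time step, truncated to six digits) stands in for it, the seed is the RFC 4226/6238 test seed rather than a real device secret, the timestamps are small constructed values, and the bank-side verifier and the attack scenario are my own modelling.

```python
"""Time-based one-time password token, and why a relayed code still verifies.

Added illustration, not the page's or VeriSign's code. A standard OATH TOTP
(RFC 6238) stands in for the fob's undocumented algorithm; the seed is the
RFC 4226/6238 test seed and the timestamps are constructed for the example.
"""
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as for the PayPal key fob
DIGITS = 6   # digits shown on the fob

# RFC 4226 / RFC 6238 test seed "12345678901234567890". On a real token the
# seed is programmed at manufacture and is the only thing that makes it unique;
# the algorithm itself is public.
SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter) -> dynamic truncation -> digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """What the fob displays at Unix time `now`: HOTP over the time step."""
    return hotp(secret, now // step)


class BankVerifier:
    """Server side (my modelling): accept the current step plus +/-window
    steps for clock drift, and never accept the same step twice, so a code
    that has been used cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window
        self.consumed = set()   # time steps whose code has already been used

    def check(self, code: str, now: int) -> bool:
        base = now // STEP
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter in self.consumed:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.consumed.add(counter)
                return True
        return False


def citibank_style_relay(phish_time: int, relay_delay: int,
                         replay_delay: int, late_delay: int):
    """Model the attack in the text: the victim types the fob's code into a
    spoof site at `phish_time`; the phisher forwards it to the real bank.

    Returns (relayed_accepted, replay_accepted, late_relay_accepted).
    """
    bank = BankVerifier(SEED)
    code = totp(SEED, phish_time)                           # read off the fob
    relayed = bank.check(code, phish_time + relay_delay)    # forwarded at once
    replayed = bank.check(code, phish_time + replay_delay)  # same code again
    late = bank.check(code, phish_time + late_delay)        # slow phisher
    return relayed, replayed, late


if __name__ == "__main__":
    print("RFC 6238 check, T=59:", totp(SEED, 59))          # 287082
    print("relay, replay, late:", citibank_style_relay(95, 10, 20, 120))
```

The scenario shows the boundary the text describes: a code forwarded within the window is accepted by the bank, because the bank has no way to tell a relayed code from one typed on the genuine site; the same code submitted a second time is rejected (the step has been consumed), and a code forwarded two minutes later is rejected (outside the window). The one-time property defends against replay, not against a live man in the middle.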

I am just mindful that if you are of the ilk who believes you have won a fortune on a lottery with a ticket you never bought in a country you have never visited, then a clever key-fob is not going to save you from yourself…

About the Author

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

The only reason PP gets the biggest share of phishing victims is because they target the big fat underbelly of the internet: the gullible, computer-illiterate masses who are the preferred victims of phishing attacks (as anyone with more common sense doesn't fall for them).