PayPal, eBay Offer Security Key to U.S. Customers

PayPal unveiled a new security key on Friday that will add another layer of security to user accounts and help prevent online criminals from gaining access to them. The PayPal Security Key is a small electronic token that generates a unique code that can be used in addition to a user name and password when users sign in to their PayPal account.

The company announced the news as part of eBay’s weeklong Developer Conference in Boston. It provides PayPal customers with so-called “two factor” authentication that makes it harder for online criminals to raid accounts, even if they do trick users into giving up their user name and password using online “phishing” scams, according to Michael Barrett, chief information security officer at PayPal.

“This is something that will help the community to be more secure,” Barrett told InfoWorld.

PayPal and parent company eBay are top targets for online scam artists, who use dummy websites in so-called “phishing” attacks that attempt to trick users into revealing their user name and password. Those accounts can then be raided or used to fraudulently purchase goods.

The security key isn’t a silver bullet for phishing attacks, but just one part of a multi-pronged defense by PayPal and eBay, Barrett said.

In recent months, the company has begun digitally signing all outbound e-mail messages and putting pressure on ISPs to take action on fraudulent mail that claims to come from both eBay and PayPal.

More recently, the companies have been working with two leading ISPs in a beta program to automatically block all non-signed e-mail that claims to come from eBay or PayPal, according to Barrett and eBay CTO Scott Thompson.

PayPal has been testing a beta version of the Security Key program in Germany and has already issued tens of thousands of the password tokens to its users. Already, the favorable response from users has been strong. “We never advertised this. It was all by word of mouth, but it’s still been extremely popular,” Barrett said.

Starting Friday, PayPal will begin making the Security Key, which is part of the VeriSign Identity Protection Network, available to its U.S. customers for a one-time fee of $5. PayPal users in Germany and Australia will also have the option to receive a security key, and PayPal plans to add other countries in the near future, according to a PayPal statement. PayPal and eBay began working closely with VeriSign after a deal to buy VeriSign’s payment gateway business in October 2005.

PayPal has no plans to charge its customers for the token beyond the initial $5, which covers shipping and handling. Nor will the company levy a subscription fee for the two-factor authentication service.

“This isn’t something we’re making money on,” Barrett said.

That said, PayPal will be paying attention to the number of users who adopt the password token and to the company’s rate of fraud in an effort to figure out whether the tokens are worth the cost of the program, he said.

Currently, fraudulent transactions amount to about $35.2 million a year, or one-third of 1 percent of PayPal’s total global payment volume of $11 billion, Barrett said. Lowering that fraud rate even a little could offset the cost of the program.

PayPal is also taking cues from other online financial services firms like eTrade, which launched a program in 2005 to allow all its U.S. account holders to use an RSA SecurID token for two-factor authentication, Barrett said.

“eTrade has been pretty bullish about this,” he said. “One thing that they noticed is that the customers who have [the token] use their account more because they feel safer,” he said.

Even before the news was announced, PayPal and VeriSign were promoting the new program on the floor of eBay Live at the Boston Convention Center, and VeriSign employees were handing out free PayPal tokens to attendees and signing them up for the new program.

Charles Hu, an eBay Live attendee who sells concert tickets under the name “SummerComets” on the online auction website, said that he liked the idea of having an additional layer of security for his eBay account.

“I’m always worried that someone will steal my password,” Hu said. “I’ve seen [the password tokens] used in other industries, too.”

However, Hu wasn’t ready to sign up for the program because he was worried that doing so would lock his wife out of their eBay account.

“She’s back at the hotel, so if I sign up now and they change our account, she’s not going to be able to log in,” he said.

Barrett said that PayPal was prepared for the increased support calls that will come after the secure tokens are in widespread use but says that his company has a duty to protect customers from scams, even if it adds to the cost of doing business for PayPal and eBay.

“Customers have been telling us they want this, so we’re going to give it to them,” he said.

—Paul F. Roberts, InfoWorld (US)