

Aaaah, very tricky phisher!

13 posts in this topic

The key to this one is that once one clicks on the link for the transaction, you must then enter your login and password.

 

1744822-paypalfraud.jpg



EZ, I get these all the time and I report them to spoof@paypal.com

 

I doubt that much can be done about it. If these crooks are suspended or banned from eBay & PayPal, they just open another account under a new user name. If PayPal & eBay would require all users to provide their SSN, maybe they could counteract this problem. Of course, that would mean that they would have to check the SSN to verify the information. NOT!!

 

Chris


This is a good technique for a scammer. One sees the email, is pi$$ed and is not thinking properly and.....BAM!...he's given out all info necessary to be scammed.

 

Thanks for the forwarding address. I was wondering what it was.

 

Good morning, Chris.


For those that missed it the first time we talked about it last week, make sure you check out PayPal's new Security Key program.

 

If you screw up and somehow give a phisher or scammer your PayPal login and password, it won't do them any good without the Number Generator... costs $5 and adds an extra hassle step to the login process, but isn't peace of mind worth it?

 

Click Here for Details: PayPal Security Key (BETA)


************************************************************************

Remember, PayPal will never ask you for your password in an e-mail.

There are no exceptions to this policy.


For those that missed it the first time we talked about it last week, make sure you check out PayPal's new Security Key program.

 

If you screw up and somehow give a phisher or scammer your PayPal login and password, it won't do them any good without the Number Generator... costs $5 and adds an extra hassle step to the login process, but isn't peace of mind worth it?

 

Click Here for Details: PayPal Security Key (BETA)

COOL! PayPal now has SecurID! SecurID is a brand name of RSA Security. Although there are others who make this type of device, RSA is the most known and used. My company has been using SecurID to allow us to remotely access corporate resources for many years. My government clients use them, too (I carry two because of that).

 

For those of you not in the information security industry (and I think that's everyone here except me), it's a very simple concept to create strong authentication to ensure the user is who he/she claims. To create strong authentication, users can be identified by what they know, what they have, and who they are. These factors can be a PIN or password (what they know), a token generator (the generic name for the device we're talking about), or biometrics (who they are). You need at least two of those factors for strong authentication, thus the name "two-factor authentication."

 

For PayPal, what you know will be your password. You identify who you are by entering your user name. To verify (authenticate) that identity, you enter your password. But that's only one factor. How do I know it is really you? Well, I gave you this device called a token generator. Its purpose is to be pre-programmed to display a random number (between 000000-999999) every minute. I know the sequence of the token generator and the token generator knows its sequence. So after the user enters their name and password, the user looks on the device and types in the six digits that are on the little screen. If the information is entered correctly, you have authenticated yourself by proving you know something (sometimes called a shared secret) and proved you had something the system knows you have.

 

The device changes the number every minute to one of 1 million possible numbers. The numbers never repeat. Thus the device will last only about 5 years. If the user is phished, the phisher has until the end of the minute to use the number or the number will change and no longer be valid. The information that is programmed into the token generator is not disclosed. It is nearly impossible to reproduce.

 

I love this concept. It is easy to implement and nearly foolproof--although a friend told me about an employee at his company who taped his PIN to the bottom of the SecurID and lost the device. He wasn't pleased but we had a good laugh from that one!!

 

I would highly recommend that anyone who sells on eBay, especially those that take payments through PayPal, spend the $5 to be part of this program. It will be $5 of peace of mind! I ordered mine.

 

Scott


One question on this, I presume it uses a battery? Will it last the 5 yrs or is it easily replaced with a watch battery or such like it?


One question on this, I presume it uses a battery? Will it last the 5 yrs or is it easily replaced with a watch battery or such like it?

It's a sealed case. The device stops working if you open the case. Since it is a very low power device, it uses high capacity alkaline batteries that never run out--or at least not while the device is active.

 

In over 15 years of using these devices, I have never had a battery run out. In fact, I've washed them after leaving them in my pocket, and they continue to work. While I do not recommend running these things through the washer, it's nice to know that they can survive!

 

I have an old one at home (it expired). Maybe I will take it apart and take pictures.

 

Scott


This device is pretty good protection but it's not complete protection because a man-in-the-middle attack would still allow an attacker to use your account every time you log into a phishing site for that session but they cannot log in again once the session has expired.

 

Instead of harvesting passwords for later use, the phisher can just execute a financial transaction immediately after you enter your one time password into their site.

 

Better but it's still best to just not fall for the phishing site in the first place.


This device is pretty good protection but it's not complete protection because a man-in-the-middle attack would still allow an attacker to use your account every time you log into a phishing site for that session but they cannot log in again once the session has expired.

Umm... maybe. It depends on how the site is implemented. If you disable the use of the token number after use, then you mitigate the risk of the man-in-the-middle attack. Also, if the token number is entered over an encrypted session (e.g., over SSL), you also mitigate this risk. TLS and SSLv3 are resistant to man-in-the-middle attacks.

 

Instead of harvesting passwords for later use, the phisher can just execute a financial transaction immediately after you enter your one time password into their site.

This risk is very low if implemented over an encrypted session. I verified with PayPal that the authentication is over SSL/TLS.

 

Better but it's still best to just not fall for the phishing site in the first place.

That would be the scenario in a perfect world. In a perfect world, sellers wouldn't trade 1871 Trade Dollars as real!

 

Scott

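An added example, not code from any poster in this thread and not the SecurID algorithm itself, showing the mechanism Scott explains in his earlier post (a shared secret, a six-digit code that changes every minute, the server checking it against its own copy of the sequence) together with the mitigation from the reply just above: once a code has been accepted for a given minute, it is refused again. It uses the standard HMAC-based construction from RFC 4226/6238 with a 60-second step in place of RSA's proprietary one; the secret and the timestamps are constructed values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the displayed number changes once a minute, as in the thread
DIGITS = 6          # six digits, 000000-999999


def token_code(secret: bytes, counter: int) -> str:
    """Code shown on the token for one time window.

    HOTP-style construction (RFC 4226): HMAC-SHA1 over the window counter,
    dynamically truncated to a 31-bit integer, then reduced to six digits.
    Both the token and the server can compute this because both hold `secret`.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def window(now: float) -> int:
    """Time window counter: which minute `now` (Unix seconds) falls in."""
    return int(now // STEP_SECONDS)


class Token:
    """The device side: displays the code for the current minute."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def display(self, now: float) -> str:
        return token_code(self.secret, window(now))


class TokenVerifier:
    """The server side: checks a submitted code against the same secret.

    A code is accepted only for the current window, and a window can be used
    once: after an accepted login the window counter is remembered and any
    code for that window (or an earlier one) is refused, so a code captured
    once cannot be replayed, and it expires anyway when the minute rolls over.
    """

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_accepted = -1

    def verify(self, submitted: str, now: float) -> str:
        current = window(now)
        if current <= self.last_accepted:
            return "rejected: code for this minute already used"
        expected = token_code(self.secret, current)
        # Constant-time comparison so response timing reveals nothing about the code
        if not hmac.compare_digest(submitted, expected):
            return "rejected: wrong or expired code"
        self.last_accepted = current
        return "accepted"


def demo() -> list:
    """Walk through the scenarios discussed in the thread with constructed values."""
    secret = b"constructed-shared-secret-not-a-real-one"   # constructed, not a real seed
    t0 = 1_700_000_000.0                                   # constructed timestamp, 20 s into its minute
    token, server = Token(secret), TokenVerifier(secret)

    code = token.display(t0)
    return [
        server.verify(code, t0),                          # legitimate login
        server.verify(code, t0 + 10),                     # same code again within the minute
        server.verify(code, t0 + 60),                     # same code after the minute rolled over
        server.verify(token.display(t0 + 60), t0 + 60),   # fresh code, next minute
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running it prints an accepted login, two refusals (one because the minute was already used, one because the code has expired) and then an accepted login with the next minute's code. The single-use rule is the one the reply above proposes; as the posts that follow point out, it only helps when the attacker submits the code after the user does, so it is a replay defence, not a defence against a site that forwards the code while the minute is still valid.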

This device is pretty good protection but it's not complete protection because a man-in-the-middle attack would still allow an attacker to use your account every time you log into a phishing site for that session but they cannot log in again once the session has expired.

Umm... maybe. It depends on how the site is implemented. If you disable the use of the token number after use, then you mitigate the risk of the man-in-the-middle attack. Also, if the token number is entered over an encrypted session (e.g., over SSL), you also mitigate this risk. TLS and SSLv3 are resistant to man-in-the-middle attacks.

Disabling the token number after use won't work if the phishing server is implemented to log in using the number the very first time you submit it to the phishing server. It can simply give you a "bad code" error so you never get to log in. SSL/TLS doesn't really help because if the user is already falling for a bad domain name, the bad server can also get an SSL/TLS cert for their spoof domain. The SSL cert issuers don't really verify all that much.

Instead of harvesting passwords for later use, the phisher can just execute a financial transaction immediately after you enter your one time password into their site.

This risk is very low if implemented over an encrypted session. I verified with PayPal that the authentication is over SSL/TLS.

That's true if your SSL/TLS session is connecting to the PayPal server. It's not true if the user is connected to a phishing site because that server may either have its own SSL/TLS cert or not use SSL/TLS to communicate with the user but use SSL/TLS when it connects to PayPal behind the scenes. As mentioned, if the user is already fooled into accepting a bad domain name, they probably won't check for a bad SSL/TLS cert because the cert is tied to the domain name. In fact, if they are fooled by the domain name, checking the SSL/TLS cert won't work because it will be a legitimate cert for that domain.

Better but it's still best to just not fall for the phishing site in the first place.

That would be the scenario in a perfect world. In a perfect world, sellers wouldn't trade 1871 Trade Dollars as real!

True. All I'm saying is don't expect more protection than this really provides.