January 18, 2007

Add to del.icio.us     Digg this

Hoping to significantly increase consumer confidence in its online payment gateway, and wishing to reduce phishing attacks aimed at some of its users, PayPal is to begin offering users the option of utilizing a password-generating device to better protect them.

PayPal's newly proposed payment application will use a new secure key, known as the PayPal Security Key, an electronic key that can be clipped onto a key chain and can generate a random six-digit security code every 30 seconds.

In order to log onto their PayPal accounts, users will have to enter the code with their ID and password.

Business users will be given the key, made for eBay/Paypal by VeriSign free of charge. Non-business users will pay a one-time charge of US$5.

Although the actual security improvements will be minimal, PayPal's new two-factor authentication system could enhance security considerably for PayPal users. Overall, PayPal customers are a favorite target of potential hackers and phishing scams, in which fraudulent emails claiming to be from PayPal encourage users to enter their IDs, passwords and other data into a fake or spoofed website that has nothing to do with eBay and/or PayPal.

Even if a phishing attack tricked a user into turning over all three forms of identification, the new random passcode would expire by the time the phisher attempted to access the user's PayPal account.

The use of random password generators has found a niche in some corporate and government settings as a much more secure alternative to more advanced technology, such as fingerprint readers or retina scanners.

Despite all these new measures, there will still be some high-profile security breaches and consumers are not yet clamoring for more security.

Overall, banks and other financial institutions are among those that must lead the way toward more robust online security solutions. Some banks currently require a second password or ask customers to designate a specific computer as a single access point for online banking, said Gartner analyst Avivah Litan.

"As a whole, banks are recognizing that they must move beyond simple passwords," Litan said. While still viable for less sensitive Web sites and transactions, passwords alone are "no longer adequate for Internet banking." she added.

While all of this is happening, the growing occurence of phishing attacks has become troubling for many in the eCommerce community, in which identity theft is seen as a potential drag on the growth of online business, especially in convincing reluctant consumers to shop online for the first time.

Statistics show that more than 50 percent of the millions of malicious emails intercepted each month are now phishing-related, according to security firm MessageLabs.

PayPal regularly ranks at or near the top of all companies that have their email addresses spoofed by phishers and online fraud artits. Banks are also a favorite target because they offer attackers the opportunity to gain direct access to a user's financial information if the attack is successful.

The number of phishing attacks has more than doubled in the past 2 1/2 years. Whereas most such attacks fail to hit their mark, the successful ones can result in significant losses of more than $1,200 for every single attack.

According to Gartner, in 2006 alone, banks racked up more than $2.7 billion worth of direct losses, such as fraudulent credit card payments that are written off the books.

"There is also the risk of additional losses due to lower confidence in the security of the online world," Litan added.

eBay says its new PayPal Security Key is now in beta testing, primarily by eBay employees, but should be widely available in the U.S. and other select countries within two months.

Overall, industry reaction in the eCommerce sector on eBay message boards has been largely positive, though some commented that eBay should give the new secure key away for free, as they are likely to boost sales by increasing the buyer's sense of overall security.

Add to del.icio.us     Digg this

Source: eCommerce Times

Advertise on E-Commerce News