[geeks] Interesting: hardware security token for PayPal
wa2egp at att.net
Sun Apr 1 14:08:46 CDT 2007
-------------- Original message ----------------------
From: Phil Stracchino <phil.stracchino at speakeasy.net>
>
> This is an interesting-looking gadget from PayPal:
>
> https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/general/PayPalSecurityKey
>
> If the device generates a six-digit code "about every 30 seconds", then
> it takes it "about a year" to exhaust all possible codes and start over.
>
> However, the algorithm must necessarily be deterministic, or it wouldn't
> work. And if it's deterministic, and someone can learn (disassemble,
> reverse-engineer, whatever) the algorithm, and can get any single code
> that you used and when it was used, they may possibly (depending on the
> algorithm) be able to determine what code your token will generate at
> any specified time in the future, unless each token has some kind of
> unique-per-token salt.
My wife had a similar device when she signed in at work from home. The
system had a similar code which also changed every 30 seconds. It was
like having a new password every half minute. Too bad if you typed
slowly or were trying to use a PDA. :)
Bob
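
Added example (not part of the original thread, and not PayPal's code): a sketch of a deterministic 30-second, six-digit code keyed by a per-token secret, plus a server-side check that tolerates slow typing. It uses the public RFC 4226/6238 HOTP/TOTP construction as a stand-in, since the thread does not say which algorithm the device uses; the secrets, the acceptance window and all function names are assumptions for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code, as described in the thread
DIGITS = 6     # six-digit codes, as described in the thread


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238: the counter is the number of whole 30-second steps since the epoch."""
    return hotp(secret, unix_time // STEP)


def verify(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side (slow typing, clock drift)."""
    step = unix_time // STEP
    return any(
        hmac.compare_digest(hotp(secret, step + d).encode(), code.encode())
        for d in range(-window, window + 1)
        if step + d >= 0
    )


def code_space_days() -> float:
    """Days needed to step through 10**6 codes at one code per 30 seconds."""
    return 10 ** DIGITS * STEP / 86400


# Constructed sample secrets: TOKEN_A is the RFC 4226 test key, TOKEN_B is made up.
TOKEN_A = b"12345678901234567890"
TOKEN_B = b"another-token-secret"

if __name__ == "__main__":
    t = 59  # constructed timestamp, falls in step 1
    print("token A:", totp(TOKEN_A, t), "token B:", totp(TOKEN_B, t))
    print("typed 30 s late, accepted:", verify(TOKEN_A, totp(TOKEN_A, t), t + 30))
    print("code space lasts %.0f days" % code_space_days())
```

Because the code is an HMAC of the time step under the token's secret, knowing the algorithm and an observed (time, code) pair is not enough to compute later codes without that secret.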