PayPal, eBay offer Security Key to U.S. customers

PayPal unveiled a new Security Key on Friday that will add an additional layer of security to user accounts and help prevent online criminals from gaining access to them. The PayPal Security Key is a small electronic token that generates a unique code that can be used in addition to a user name and password when users sign in to their PayPal account.

The company announced the news as part of eBay's week-long Developer Conference in Boston. It provides PayPal customers with so-called "two factor" authentication that makes it harder for online criminals to raid accounts, even if they do trick users into giving up their user name and password using online "phishing" scams, according to Michael Barrett, chief information security officer at PayPal.

"This is something that will help the community to be more secure," Barrett told InfoWorld.

PayPal and parent company eBay are top targets for online scam artists, who use dummy Web sites in so-called "phishing" attacks that attempt to trick users into revealing their user name and password. Those accounts can then be raided or used to fraudulently purchase goods.

The Security Key isn't a silver bullet for phishing attacks, but just one part of a multi-pronged defense by PayPal and eBay, Barrett said.

In recent months, the company has begun digitally signing all outbound e-mail messages and putting pressure on ISPs to take action on fraudulent mail that claims to come from both eBay and PayPal.

More recently, the companies have been working with two leading ISPs in a beta program to automatically block all non-signed e-mail that claims to come from eBay or PayPal, according to Barrett and eBay CTO Scott Thompson.

PayPal has been testing a beta version of the Security Key program in Germany and has already issued tens of thousand of the password tokens to its users. Already, the favorable response from users has been strong. "We never advertised this. It was all by word of mouth, but it's still been extremely popular," Barrett said.

Starting Friday, PayPal will begin making the Security Key, which is part of the VIP (VeriSign Identity Protection) Network, available to its U.S. customers for a one-time fee of $5.00. PayPal users in Germany and Australia will also have the option to receive a Security Key, and PayPal plans to add other countries in the near future, according to a PayPal statement. PayPal and eBay began working closely with VeriSign after a deal to buy VeriSign's payment gateway business in October, 2005.

PayPal has no plans to charge its customers for the token beyond the initial $5.00, which covers shipping and handling. Nor will the company levy a subscription fee for the two-factor authentication service.

"This isn't something we're making money on," Barrett said.