Awareness of two-factor authentication (AKA “2FA”) is growing among the increasingly security-conscious public. Many companies including Google, Facebook, Microsoft, Twitter, and many others have been implementing 2FA support lately. Interestingly, eBay and PayPal were actually on the forefront of this trend and started supporting 2FA in 2007 with the introduction of a physical security token. Today, besides a physical Symantec VIP Security token or card, PayPal supports 2FA using SMS as well as the Symantec VIP Access soft token app available on smart phones (iOS, Android, Windows Phone, BlackBerry), feature phones, and even desktop PCs.
For PayPal, the physical token is perhaps the most secure option, but it currently costs $30 (the original key fob was a more reasonable $5). The SMS option is only free if you have an unlimited text plan (though it might work with VoIP services offering free text-to-email, like Google Voice), and it has the downside of requiring phone reception to use. I found very little information about using the VIP Access soft token with PayPal, even on the PayPal web site. This is unfortunate, since this option is free and simple to use, and offers functionality and security similar to the physical token.
When it comes to PayPal scams, most crooks focus on low-hanging fruit: accounts that can be easily compromised, especially en masse using automated tools or scripts. Enabling 2FA on an account won’t guarantee it will be completely safe. A determined attacker specifically targeting a particular account might be able to break in, as Forbes recently reported. However, it does add another layer of security to break. It makes an account more difficult to compromise, or at least different from compromising most accounts, so most crooks will simply ignore accounts with 2FA enabled and move on to the next.
In any case, setting up your PayPal account with VIP Access is very simple. First, install the free VIP Access app on your phone. For smart phones, find it by searching the app store or by browsing to m.vip.symantec.com. For desktops or feature phones, check the VeriSign ID Protection web site for instructions. Once it is installed, log on to PayPal, navigate to Settings, More Settings, and under Security key click Get started. Under Order or activate a security key, click Get security key. On the next screen, shown below, click Activate your Security Key.
On the final screen, under Serial number input the Credential ID from VIP Access, input two sequential 6-digit numbers from VIP Access, and click Activate.
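The activation step above works because the app and the server share a per-credential secret and both derive the same 6-digit code from the current time; asking for two sequential codes lets the server confirm it has the right credential and measure the app's clock offset before trusting it. The following is an added example, not code from PayPal, Symantec, or the original post: it uses a standard RFC 6238 TOTP generator as a stand-in for the VIP credential (how VIP Access actually derives its codes is not documented on this page, so that is an assumption), a constructed demo secret, and shows the server-side checks for both activation and later logins, including refusing a code that has already been used.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret for illustration only; NOT a real VIP credential.
DEMO_SECRET = b"constructed-demo-secret-0123"
STEP_SECONDS = 30   # one code per 30-second time step
DIGITS = 6          # 6-digit codes, as on the PayPal activation screen


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step)


def verify_activation(secret: bytes, code1: str, code2: str, now: int,
                      skew_steps: int = 2) -> bool:
    """Activation check: the two submitted codes must come from consecutive
    time steps close to the server's clock. A small skew window tolerates
    the app's clock being slightly off or the user typing slowly."""
    now_step = now // STEP_SECONDS
    for offset in range(-skew_steps, skew_steps + 1):
        step = now_step + offset
        first_ok = hmac.compare_digest(hotp(secret, step), code1)
        second_ok = hmac.compare_digest(hotp(secret, step + 1), code2)
        if first_ok and second_ok:
            return True
    return False


def verify_login(secret: bytes, code: str, now: int, last_used_step: int,
                 skew_steps: int = 1):
    """Login check: accept one code within +/- skew_steps of the current step,
    but never a step at or before the last one already consumed, so a code
    captured once cannot be replayed. Returns (ok, new_last_used_step)."""
    now_step = now // STEP_SECONDS
    for offset in range(-skew_steps, skew_steps + 1):
        step = now_step + offset
        if step <= last_used_step:
            continue  # already consumed: refuse replay
        if hmac.compare_digest(hotp(secret, step), code):
            return True, step
    return False, last_used_step


if __name__ == "__main__":
    now = int(time.time())
    # The "app" shows two consecutive codes; the "server" activates the key.
    code_a, code_b = totp(DEMO_SECRET, now), totp(DEMO_SECRET, now + STEP_SECONDS)
    print("activation accepted:", verify_activation(DEMO_SECRET, code_a, code_b, now))
    ok, used = verify_login(DEMO_SECRET, code_a, now, last_used_step=-1)
    print("first login:", ok, "replay of same code:", verify_login(DEMO_SECRET, code_a, now, used)[0])
```

The replay guard in `verify_login` is the piece that matters most in practice: a time-based code is only as good as the server's refusal to accept it twice, so the last accepted step must be stored alongside the credential.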
That’s it! Logging in to your PayPal account will now require both the password and the 6-digit code generated by VIP Access. PayPal supports multiple security keys, so VIP Access can be installed on multiple devices. But don’t stop with your PayPal account. Many web sites support VIP Access, including eBay, and many others support other forms of two-factor authentication. With minimal effort you can add this layer of security to many of your accounts.
A very strange thing about the VIP implementation at PayPal: they leak out the serial number after the password has been entered. So not only do they provide no additional security, they compromise the very VIP I use with other sites.