
Monday, November 24, 2008

PayPal Introduces Text Authentication

Finextra: PayPal introduces SMS-based authentication


Person-to-person online payments outfit PayPal has introduced an optional SMS text message-based two-factor authentication system for customers logging into their accounts.

The PayPal SMS Security Key sends a six-digit code to users' mobile phones before they log in to their accounts. The customer then uses the code, along with their username and password, to sign in.

The system uses the same infrastructure as PayPal's Security Key offering. Developed by VeriSign and rolled out in the US last year, this provides customers with a small authentication token which displays a new one-time six-digit password every 30 seconds.

(Editor's Note: I believe these are classified as "short-codes"... here's some more info on "short codes")

Public Knowledge are "confusing text messaging and provision of common short codes," Verizon said in its filing. Short codes are not a transmission-based service, and are not subject to the Communications Act, Verizon said. Short codes are six-digit numbers used for text messaging. Ever voted for American Idol on your cell phone, texted Google for directory assistance, or signed up for one of those monthly horoscope, ringtone or joke services advertised on TV? Chances are you typed in a short code instead of a full-length phone number. There are two different types of short codes – standard and premium rates.

Michael Barrett, chief information security officer, PayPal, says: "PayPal was built from the ground up with security in mind, and we've always been committed to using cutting-edge technology to protect our customers' accounts. Now, we're taking the additional protection provided by two-factor authentication and delivering it to something most people don't leave home without - their mobile phones."

Both the SMS code and security token systems are available to PayPal customers in the US, Australia, Austria, Canada and Germany.

PayPal says it does not charge for delivery of security codes to handsets but the mobile provider's standard text messaging charges will apply.

Editor's Note: Technically, PayPal can say they're not charging for delivery, but there's a revenue sharing plan I'm sure they are set up for, so don't believe that they aren't making anything. AT&T's standard rate is .20 cents per message, so if you buy something for $10.00 on PayPal, you're paying a 2% fee. I'd like to learn more to see if they charge premium short code rates. Anyway... the Finextra article continues:

The firm has been a popular target for cybercriminals. Back in 2006 IT security firm Sophos reported that over 75% of all phishing e-mails were aimed at users of PayPal or its parent company eBay.