PayPal Key Fobs - Gone Phishing


I've just verified my Premier account with PayPal. I had all sorts of problems trying to confirm my location over the telephone, so eventually we reverted to confirming it by snail mail instead. I've always been very happy with the responsiveness and high level of service offered by PayPal.

Phishing, whereby fraudsters imitate a trustworthy business or individual in an attempt to acquire sensitive information online, is a huge problem for PayPal. Google estimate that 50% of all phishing sites target PayPal and eBay users. I have received several phishing emails apparently from PayPal but luckily I've been sharp enough to spot them and report them.

PayPal offer good advice on how to spot phishing emails. I'll summarise the key points here:
  • A genuine PayPal email will never ask you for your bank account details, identification documents, email addresses, passwords or name.
  • A genuine PayPal email will always start with your name (because they know what it is!)
  • A fake email normally has a generic greeting such as 'Dear PayPal User'.
  • A fake email may appear to come from a bona fide PayPal email address. Do not accept the 'From' email address as confirmation of the sender's identity.
  • A fake email sometimes has a false sense of urgency - for example, it may say 'if you don't provide these details within X hrs your account will be terminated'. This is a ploy to make you act in haste.
  • Watch for fake links. As with the 'From' email address the appearance of links can be very easily changed. Check the destination (right click > link properties) before clicking on the link.
  • If in any doubt report it to PayPal. Forward the entire suspect email to: spoof@paypal.com. You will get a reply within a few minutes confirming whether it is genuine or not.

The main purpose of this post was to tell you that PayPal have a new weapon in their arsenal against the phishers - an electronic key fob. The fob displays a six-figure security code, which is updated by radio signal every 30 seconds or so. The security code will have to be entered to successfully log in to your PayPal account. Two-factor authentication is useful because the PayPal account is still secure, even when one of the factors (e.g. password) is compromised. Although the system won't stop every smooth-talking scamster from hacking into PayPal, it certainly makes it more difficult. The system will be trialled by business customers in the US, Australia and Germany but should go global by mid 2007. The fob will be provided free of charge to business account holders and will cost USD $5 for everyone else.

It's reassuring to know that PayPal want their system to be as safe and secure as possible for their account holders.
