Wednesday, January 10, 2007
Two news items that go together
PayPal passwords get stolen all the time by crooks who set up fake PayPal login screens.
So PayPal, to their credit, is testing a new system, to be rolled out to customers later, in which a customer can set their account to require both a password and a constantly changing number from a small hardware device in order to log in.
The advantage is that even if someone does steal your password, and even if they record the number from your small hardware device, within 30 seconds the number will no longer be valid and the stolen password alone won't let the crook log in.
Sounds great, right?
Unless the crook uses the stolen password and the perishable number immediately. A computer can do that. For crooks who don't know how to program, there's a ready-made kit to let them set up a fake site that passes requests through to the real site while recording credentials and maybe adding some new transactions.
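To make the 30-second window concrete, here is an added example (not code from the original post or from PayPal) of the kind of time-based one-time password scheme such hardware devices use: an RFC 6238 style generator plus a server-side verifier. It shows the three cases the post describes: a captured code relayed within the same time step is accepted, the same code presented a second time is rejected because the verifier refuses to accept a time step twice, and a code held until after the window is rejected. The secret, the clock values and the 30-second step are constructed for the example.

```python
"""Added example, not from the original post: a minimal RFC 6238 style
time-based one-time password (TOTP) generator and verifier.

It demonstrates why a captured code is worthless after its 30-second step,
why the server should also refuse a code whose time step was already
accepted, and why a code relayed within the same step still succeeds.
The secret, the clock values and the step length are constructed here."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the post's "within 30 seconds"
DIGITS = 6


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """HOTP (RFC 4226) applied to the time-step counter now // step (RFC 6238)."""
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** DIGITS):0{DIGITS}d}"


class TotpVerifier:
    """Server side for one account: accept a code only for the current step
    (plus skew_steps of clock drift) and never accept the same step twice."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew_steps: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew_steps
        self.last_accepted_counter = -1          # replay guard, stored per account

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_accepted_counter:
                continue                         # already used (or older): reject
            candidate = totp(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(candidate, code):
                self.last_accepted_counter = counter
                return True
        return False


def demo() -> dict:
    """Walk through the post's scenario with a constructed secret and clock."""
    secret = b"constructed-demo-secret-not-a-real-key"   # constructed
    t0 = 1_168_387_200   # constructed clock: 2007-01-10 00:00:00 UTC, a step boundary
    server = TotpVerifier(secret)
    captured = totp(secret, t0)   # the code a fake login page would see
    return {
        # relayed to the real site 2 seconds later, same step: accepted
        "relayed_immediately": server.verify(captured, t0 + 2),
        # the same code presented again 5 seconds later: rejected as a replay
        "replayed_same_step": server.verify(captured, t0 + 5),
        # a fresh verifier seeing the code 90 seconds later: outside the window
        "used_after_window": TotpVerifier(secret).verify(captured, t0 + 90),
    }


if __name__ == "__main__":
    print(demo())
```

The generator matches the RFC 6238 reference vectors (secret `12345678901234567890`, time 59, SHA-1 gives `287082` at six digits). Note that the replay guard only stops a second use of a code; it does nothing against a relay that forwards the code to the real site the moment it is typed, which is exactly the gap the post is pointing at.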
The arms race between crooks and good guys is fun to watch but what you need to do remains the same: always go to finance sites from your own bookmark.
Secure Computing has an article about the "Universal Phishing Kit".