Millions of people have a PayPal™ account. Most everyone on eBay uses PayPal™, and with good reason... unparalleled security. However, there IS a vulnerability with this system, and at the risk of educating potential criminals, I am going to expose that weakness and tell you how you can protect yourself against it.
By far, the best way I have found to prevent thieves from accessing your eBay / PayPal™ account or eBay store is to get a PayPal™ security key. This small, football-shaped key fob looks like a small car door opener remote. The device generates a six-digit random number which has to be used in conjunction with your password in order to access your PayPal™ and / or eBay™ accounts. Anyone who has a PayPal™ account should also get this electronic "key". Also see: Password Rules
When you set up a PayPal™ account, it is wise to request a security key. Once activated, your account will require three pieces of information in order to gain access: 1) your email address, 2) your PayPal password, and 3) the six random digits generated by your security key. If you activate your key for use on eBay, your eBay login will require use of the key as well. All well and good. A thief would find it all but impossible to "guess" a six-digit number (a million combinations from 000000 to 999999), especially since a failed attempt to "guess" the number will result in the number changing.
Online thieves have learned to gain access to PayPal™ accounts - even when they are secured with a security key. The most common method is to send you an email telling you that "your account has been suspended", or has had "unusual activity", or any number of legitimate-looking emails complete with the trademarked PayPal™ logo and the "look and feel" of PayPal's Web site.

Most often the tip-off that you are dealing with a phishing email is that it will NOT address you by your registered PayPal™ user name; it will start off with "Dear PayPal Member" or "Dear PayPal user". If you are using Microsoft Outlook, right-click on the email and select "Junk email" / "Add sender to blocked senders list". If you are using SpamFighter, click the toolbar box titled "Block".
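The tip-offs described above (a generic "Dear PayPal Member" greeting, and links that lead to a look-alike site rather than to PayPal or eBay) can be turned into a simple filter. The Python script below is an added example written for this article; it is not a tool from PayPal, eBay, Outlook or SpamFighter. The two messages it checks are constructed samples, and the ".example" host names in them are placeholders.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Greetings a phishing mail falls back on because the sender does not know your name.
GENERIC_GREETINGS = ("dear paypal member", "dear paypal user",
                     "dear ebay member", "dear ebay user", "dear customer")
# Domains a genuine PayPal or eBay link should point at.
LEGIT_DOMAINS = ("paypal.com", "ebay.com")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def is_legit_host(host: str) -> bool:
    """True only for paypal.com / ebay.com themselves and their subdomains.
    A look-alike such as 'paypal.com.login-secure.example' fails this test."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def phishing_indicators(raw_message: str) -> list:
    """Return the tip-offs found in a plain-text email (empty list = none found)."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()          # single-part, plain-text message assumed
    indicators = []

    # Tip-off 1: the first line of the body is a generic greeting.
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    first_line = lines[0].lower() if lines else ""
    if first_line.startswith(GENERIC_GREETINGS):
        indicators.append("generic greeting")

    # Tip-off 2: a link whose host is not PayPal or eBay (a look-alike site).
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    suspect_hosts = sorted(h for h in hosts if not is_legit_host(h))
    if suspect_hosts:
        indicators.append("link to non-PayPal/eBay host: " + ", ".join(suspect_hosts))

    # Tip-off 3: sender domain.  The From: header is trivially forged, so a
    # legitimate-looking sender proves nothing; an odd one is still worth flagging.
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if m and not is_legit_host(m.group(1)):
        indicators.append("sender domain " + m.group(1).lower())
    return indicators


# Constructed sample messages (the .example hosts are placeholders).
PHISH_SAMPLE = """From: PayPal Service <service@paypal-verify.example>
Subject: Your account has been suspended

Dear PayPal Member,

We detected unusual activity on your account. To restore access, confirm
your details at http://paypal.com.login-secure.example/verify within 24 hours.
"""

LEGIT_SAMPLE = """From: PayPal <service@paypal.com>
Subject: Receipt for your payment

Dear Jane Doe,

You sent a payment of $12.00. You can view the details of this transaction
at https://www.paypal.com/ by logging in as usual.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, "->", phishing_indicators(sample) or "no indicators")
```

The host check is deliberately strict about where the real domain sits in the name: "paypal.com" must be the last two labels, so a host that merely starts with "paypal.com" is treated as a look-alike, which is exactly the trick the dead-ringer sites rely on.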
If you respond to the message by clicking on a link in the email, you've opened yourself up not only for theft of your money, but for possible identity theft as well. Some of these sites are dead-ringer look-alikes for the genuine PayPal™ site. When you attempt to log on, the "phisher" will have your email (which he already had), your log-on password, and the next six-digit random sequence from your security key. This information will only be useful to him IF he uses your six-digit log-on code IMMEDIATELY - or at least BEFORE you attempt to log on to PayPal™ or eBay™ using your key. Since you are "logging on" to a phishing site - believing you are logging into PayPal™ or eBay™ - by the time you realize (if you ever do) that you've logged onto a phishing site, the scam artist will have already accessed your account using the information you provided.
The security key is NOT tied to your computer in any way. It simply contains a LIST of numbers that are pre-generated and written to an EPROM in the key. When you press the button, the key simply reads and displays the next number in the list. When PayPal™ or eBay™ asks you for this number, it compares what you enter with the next number in a copy of the list, which is saved under your account name on their server. If the numbers match, the log-in succeeds; if not, you will be asked to enter the information again. The fact that the key doesn't actually GENERATE the number at random can be intuited from the fact that PayPal™ or eBay™ could not possibly know the next random number without some connection between your PC and the key - and there isn't any.

This fact can be demonstrated by giving the key to a small child to play with for 5 minutes. After pressing the button - even ONCE - and NOT using that code to log in to either PayPal™ or eBay™, the list in the key and the copy of the list on the secure server are now out of sync. When you try to log on the NEXT time, you will get an "invalid security code" message and be asked to re-enter it. After two or more failed attempts, the PayPal™ system (which also provides the secure log-on for eBay) will ask you to re-synchronize your key. This is done by entering two six-digit codes in a row, which will cause the number list in the key EPROM to be synchronized with the copy of the list on the server.
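The model of the key described above (a shared, pre-generated list; a server pointer to the next expected entry; failures when the two fall out of step; and a re-sync by entering two consecutive codes) can be simulated in a few dozen lines. The Python below is an added illustration of that model written for this article, not PayPal's or the key manufacturer's actual code: the code list is derived from a constructed secret with HMAC so the example runs offline, and the 20-entry re-sync look-ahead is an assumed value. It also plays out the phishing case from the earlier paragraph: a code typed into a look-alike site is accepted only if it is used before the account owner uses it, and a code that has already been accepted once is rejected when it is entered again.

```python
import hashlib
import hmac

RESYNC_WINDOW = 20  # assumed: how far ahead of its pointer the server will search


def make_code_list(secret: bytes, length: int = 50) -> list:
    """Derive a fixed list of six-digit codes from a token secret.
    Constructed for this example: a real fob ships with its list already
    programmed, and the server holds an identical copy under the account."""
    codes = []
    for i in range(length):
        digest = hmac.new(secret, i.to_bytes(4, "big"), hashlib.sha256).digest()
        codes.append("%06d" % (int.from_bytes(digest[:4], "big") % 1_000_000))
    return codes


class SecurityKey:
    """The fob: each button press reveals the next entry in the list."""

    def __init__(self, codes):
        self.codes = codes
        self.pos = 0

    def press(self) -> str:
        code = self.codes[self.pos]
        self.pos += 1
        return code


class AuthServer:
    """Server-side copy of the same list plus a pointer to the expected entry."""

    def __init__(self, codes):
        self.codes = codes
        self.expected = 0
        self.failures = 0

    def login(self, code: str) -> bool:
        """Accept only the entry at the pointer; a match advances the pointer,
        so the same code can never be accepted twice."""
        if self.expected < len(self.codes) and self.codes[self.expected] == code:
            self.expected += 1
            self.failures = 0
            return True
        self.failures += 1
        return False

    def needs_resync(self) -> bool:
        """After two or more failures the user is asked to re-synchronize."""
        return self.failures >= 2

    def resync(self, first: str, second: str) -> bool:
        """Find two consecutive entries ahead of the pointer and jump past them."""
        last = min(len(self.codes) - 1, self.expected + RESYNC_WINDOW)
        for i in range(self.expected, last):
            if self.codes[i] == first and self.codes[i + 1] == second:
                self.expected = i + 2
                self.failures = 0
                return True
        return False


def scenario_unused_presses() -> dict:
    """The 'child plays with the key' case: presses that are never used to log in
    desynchronize the fob; two failures trigger a resync with two consecutive codes."""
    codes = make_code_list(b"constructed-demo-secret")
    key, server = SecurityKey(codes), AuthServer(codes)
    for _ in range(3):
        key.press()                                   # displayed, never entered
    first = server.login(key.press())                 # list entry 3 vs expected 0
    second = server.login(key.press())                # entry 4, second failure
    prompted = server.needs_resync()                  # server now asks to resync
    resynced = server.resync(key.press(), key.press())  # entries 5 and 6 in a row
    after = server.login(key.press())                 # entry 7 now matches
    return {"first": first, "second": second, "prompted": prompted,
            "resynced": resynced, "after": after}


def scenario_phished_code() -> dict:
    """A code typed into a look-alike site: whoever enters it at the real site
    first wins, and the other party's attempt with the same code fails."""
    codes = make_code_list(b"constructed-demo-secret")
    # Order A: the phisher uses the captured code before the owner does.
    key, server = SecurityKey(codes), AuthServer(codes)
    captured = key.press()                            # typed into the fake site
    phisher_first = server.login(captured)
    owner_after_phisher = server.login(captured)      # owner's own code now rejected
    # Order B: the owner logs in with the displayed code first.
    key, server = SecurityKey(codes), AuthServer(codes)
    captured = key.press()
    owner_first = server.login(captured)
    phisher_after_owner = server.login(captured)      # stale code, rejected
    return {"phisher_first_accepted": phisher_first,
            "owner_after_phisher": owner_after_phisher,
            "owner_first_accepted": owner_first,
            "phisher_after_owner": phisher_after_owner}


if __name__ == "__main__":
    print(scenario_unused_presses())
    print(scenario_phished_code())
```

The second scenario is the reason the article's advice to log in IMMEDIATELY after a suspicious click matters: whichever party enters the captured code first advances the server's pointer, and the code is worthless to the other one afterwards. A rejected code or an unexpected re-sync prompt at your next genuine login is therefore the signal the article tells you to watch for.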
Simple rule to protect yourself: NEVER respond to a PayPal email by clicking on a link in the email. If you get a message concerning some difficulty with your account, forward the email to spoof@paypal.com or spoof@ebay.com, then DELETE THE EMAIL IMMEDIATELY. If you clicked on any links in such an email, exit your browser immediately and clear your Prefetch directory. This can be done easily by using a simple DOS command: del C:\windows\prefetch\*.* or by navigating to C:\windows\prefetch and deleting all the files. This prevents your browser from fetching the look-alike page from the disk cache on your computer instead of requesting a fresh copy of the legitimate page from the server.
IMMEDIATELY log on to your PayPal™ account and eBay account (if you have one). If your log-in is successful, chances are that the phisher has not attempted to log on to your account.... YET! You should now change your log-in password. However, if you attempt to log in to your PayPal™ or eBay™ accounts and your six-digit code is NOT accepted, and / or you are asked to re-synchronize your key, this could mean trouble. Go ahead and re-synchronize your key, then proceed and change your log-in password (see my password rules article). As a precaution, you should now CALL PayPal™ Customer Service at (402) 935-2017 and tell them what happened.
Create a shortcut on your desktop to https://PayPal.com or https://eBay.com and use ONLY those shortcuts to log on to PayPal™ or eBay™. Notice the "s" in https - using it ensures you are logged onto a secure server.