PayPal users to get pass-code device

eBay is getting ready to offer its PayPal users a password-generating key fob that promises to increase the security of the online payment service.

The device displays a new one-time password in the form of a six-digit code about every 30 seconds. PayPal clients who opt to use the device will enter this password along with their regular credentials when signing into the service. The key fob is meant as another weapon in the battle against data-thieving phishing scams.

A PayPal spokeswoman said: "If a fraudulent party somehow got hold of a person's username and password, they still wouldn't be able to get into the account because they don't have the six-digit code. This by no means is a silver bullet that is going to stop fraud. This is just another layer of protection."

The "PayPal Security Key" will cost $5 for personal PayPal accounts but will be free for business accounts, the spokeswoman said. PayPal has been testing the device with employees for a couple of months and plans to start trials with customers in the next month or so, she added. As of 30 September, there were nearly 123 million PayPal accounts, according to eBay.

PayPal users in Australia, Germany and the US will be able to sign up for the trial through a special website, the spokeswoman said. "Based on the response, we look forward to eventually rolling it out in other countries," she added.

The password-generating device is based on technology from VeriSign, with which eBay entered into a security partnership in 2005. Such key fobs are also used for added security by large corporations for access to corporate resources, and some banks and brokerage companies offer them to clients with a high net worth. Other companies that supply the password gadgets include RSA and Vasco.

eBay and PayPal are common phishing targets. These prevalent scams typically use fraudulent websites made to look like legitimate sites and spam email to trick people into giving up their personal information such as login names and passwords.

In a recent survey of Google's public blacklist of phishing sites, security researcher Michael Sutton found that nearly half of all the active phishing sites targeted either eBay or PayPal. The Google blacklist is used in Google's Toolbar for Firefox and the Firefox 2.0 browser.

Joris Evers writes for CNET News.com