I think the PayPal security key-fob (RSA) isn't so secure


Apr 8, 2001
I just got one of these:


It works at eBay and PayPal, so far.

For those not in the know, this is a (modified?) RSA SecurID unit. I've previously worked for an online entity that used these, yet were still RSA branded. At any rate, you login with l/p and then it asks you for the security code on your keyfob which changes every 30 seconds.

The thing is, over 80% of the time I use it I get repeating digits which makes me think something is fishy with the Al-Gore-rhythm (algorithm!).

Repeating as in "553835" (extreme case) or "625692"

I dunno about this damn thing. For $5 it's stylish though, it's nice to have one of these again.
It's secure.

The repeating digits is due to probability and having only 10 possible digits to put into 6 spots.

P[repeating digits] = 1 - P[no repeating digits]

=1 - [1 * .9 * .8 * .7 * .6 * .5] = 1 - .1512 = .8488

So there's a 84.88% chance that you'll have at least one pair of numbers being repeated. This is assuming that the numbers are randomly distributed, which they're not because they follow an algorithm instead of being randomly drawn. However, given enough data samples you could determine the randomness of the variables then use that to determine the overall probability of getting repeating numbers. Which involves way more math and time than I have the sanity to get into this late.
Ah! I just never seem to remember when I worked for Company X that it never repeated, but maybe I didn't pay attention that much. Afterall, it was a work device :D