Slashdot Mirror
Ebay Asks Users To Downgrade Security (krebsonsecurity.com)
Ebay has started to inform customers who use a hardware key fob when logging into the site to switch to receiving a one-time code sent via text message. The move from the company, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is "a downgrade to a less-secure option," say security reporter Brian Kerbs. He writes: In early 2007, PayPal (then part of the same company as Ebay) began offering its hardware token for a one-time $5 fee, and at the time the company was among very few that were pushing this second-factor (something you have) in addition to passwords for user authentication. I've still got the same hardware token I ordered when writing about that offering, and it's been working well for the past decade. Now, Ebay is asking me to switch from the key fob to text messages, the latter being a form of authentication that security experts say is less secure than other forms of two-factor authentication (2FA). The move by Ebay comes just months after the National Institute for Standards and Technology (NIST) released a draft of new authentication guidelines that appear to be phasing out the use of SMS-based two-factor authentication.
I have had a few rebranded VASCO keyfob with eBay/PayPal's label on it. They tend to die after 2-3 years due to battery life, and recently, I was unable to find a link to buy a new one and activate it.
Yes, now we have Google Authenticator, Duo, and other items, but the simplicity of a keyfob which did nothing but display a six digit number made it decently secure, without having to reply on a phone, tablet, or other device.
In had to double check the article, I couldn't believe an editor would fuck up something as basic as Krebs's name.
Where do you suggest I shop for my gray market crap?
A tremendously huge number of people, that's who. You're also "Windows?! Who still uses Windows!!?!" guy I bet, right?
No cell for me at home and obly half the time at work, so at least SMS is falling off the preferred list.
Perhaps ebay have become aware of a security flaw in the keyfob, and are thus trying to migrate users away from them?
Any keyfob that just displays a different code over time depends on the security of the initial seed value... If these values were compromised then so are all the tokens, and it wouldn't be the first time something like this has happened.
The trouble with saying "less secure" is that it's highly subjective, even if you're in full possession of the facts (which we may not be)...
A lack of transparency is a problem as always... These companies are a black box, and we the users/customers are expected to just accept what they tell us without having any idea of their internal processes or code etc.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
And the AP doesn't like their headline anymore. http://archive.is/zBZRx#select...
Free hat!
Not only a longtime callback joke, but one that vastly improves on the troll-y original to be used *against* trolls. I heartily approve, Anonymous Sir.
I remember sigs. Oh, a simpler time!
Since nobody ever actually reads the linked articles, here is what "Brian Kerbs" has to say:
I asked eBay to explain their rationale for suggesting this switch. I received a response suggesting the change was more about bringing authentication in-house (the security key is made by Verisign) and that eBay hopes to offer additional multi-factor authentication options in the future.
“As a company, eBay is committed to providing a safe and secure marketplace for our millions of customers around the world,” eBay spokesman Ryan Moore wrote. “Our product team is constantly working on establishing new short-term and long-term, eBay-owned factors to address our customer’s security needs.
Although that doesn't fully explain why they felt the need to take things in-house. Possibilities that occur to me: 1. The backend they need to use for the old fobs is hellish to maintain. 2. Verisign charges them a lot of money and so some manager decided they should ditch the external methods for the sake of profit. Or some other sort of falling out between eBay and Verisign, but isn't it always about hope for higher profits? Speaking of... 3. It doesn't actually cost them much, but they want to develop their own in-house methods to then re-sell because upper management is still regretting spinning off PayPal and they want to create another such more universal middleman. Consider this the "??? Profit" possibility.
I remember sigs. Oh, a simpler time!
You still have a TV???
I got it for free way back when they first offered them.
Yes they do you fucking elitist bellend
What with all the "it's broken" scammers, and the gray market crap being peddled. Who still uses the former auction site?
Perhaps you're right.
After all, there's nothing but honest reviews at Amazon, with ethics ensuring no chance of grey-market product being sold there...
The rampant shill bidding was a deal killer for me. The place is a sick, pathetic joke.
PayPal and eBay shared the same keyfobs for a long time, but sometime about two years ago, PayPal logins stopped working for me and nobody from their side could figure out why. Long story short, the only fix was to turn off the keyfob and use PIN codes sent by SMS.
I am not sure if this really impacts security as PayPal was trivially easy to social engineer and have the keyfob taken off a target account, so having a keyfob on your account really didn't mean that much.
Now eBay is doing the same thing. Oh well.
Sig for hire.
Information is coming from a NSA whistle blower, not from FBI,CIA,NSA policiatial mouthpieces. Good job Democrats you turned the your Russian Unicorn into your own Watergate. https://www.c-span.org/video/?...
Yep, Amazon has a book I want - typically ships in 1 or 2 weeks.
Ebay has it for the same exact price and I ordered it last night and it's on the way. Ebay also had a better selection of Jeep Roofs, and my new one is at home waiting for a warm day for me to replace my old one.
As to the key fob versus text? they can't spam your keyfob.
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
Hardly anyone ever tries to crack an eBay account. Why would they? What is there to gain? Hardly anything. So nobody would waste their time trying different passwords. A look at web server logs shows that this is indeed the case. And anybody who can steal a password can also probably steal a key fob.
We need to instigate a higher level of trust in society. Otherwise we will end up with the kind of society we have right now. We should be able to do a lot better. A good password should always be perfectly adequate.
>"Now, Ebay is asking me to switch from the key fob to text messages, the latter being a form of authentication that security experts say is less secure than other forms of two-factor authentication (2FA)."
It is not just that it is less secure... it is AN INVASION OF PRIVACY. There is absolutely NO WAY I am going to give my cell phone number to Ebay, Microsoft, Amazon, Bank of America, or any other company. It is a marketing wet-dream for them to get that information such that they can spam you with impunity in the most egregious and annoying way I can think of, and sell that information to others.
This is not a move to increase security or improve convenience for the end user. It is to lower THEIR cost and to increase THEIR knowledge about their users. And it is so common now it is shocking... and people just give it up!
True story- a group of us went to TGIFriday's for dinner last week. We approached the hostess and told her 4 people. We expected to get a pager/fob. Nope, she asked us for our phone number! Every one of us in the group said "you have to be kidding" not over our dead bodies! We asked her "seriously? People will give you their private cell number for this?" She said almost nobody bats an eye." Of course we declined and they had to physically come look for us when the table was ready.
Imagine in the future, that you have collected hundreds of fobs, just to get access to things.
Phone numbers are the new SSN. Particularly since telcos have been given immunity for handing your metadata over to every TLA and creditor that asks for it. Just try doing business with anyone and, when they ask for your phone number, just tell them you don't have one. Watch them shit themselves.
Have gnu, will travel.
This is not about security
Who the fuck still uses eBay?
It was the unevidenced assertions that did it for me.
What? Just a couple days ago, Nunes, Gowdy, et all were making sure the world knew that anyone leaking information should be going to jail. Suddenly Nunes is A-OK with a leaker from NSA? Republicans are a bunch of hypocrites as usual.
I've been a member since 1997. I have plenty of evidence.
Prove it.
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
Anybody with a low level access to a phone network can steal anybody's phone number with ease. Russians used the fake roaming requests to force British Telecom into routing MPs phone numbers to a Russia. All you need to know is victims IMEI.
Well, this is the company that is still serving up malware injected ads.
The way 2FA is compromised, is when idiot users install apps on their phones bypassing recommended settings.
SMS proxy functionality is the issue, not the channel of 2FA itself.
to compromise 2FA sms - sms proxy trojan apps are in play. simple don't install CRAP.
so that said, this is a typical article that overstates the actual understanding of channel security vs PEBCAK (or in this case, between carrier and device).
flame on as much as you want, bottom line - the definition of insecure"implied here is typical of FUD BS rife in the industry .
I've discovered that anyone who uses a "cutsey" derogatory version of any name/person/thing is almost always worth completely ignoring. "Fleabay, Micro$oft, TeaBaggers, Republitards, Dumbocrats, MAFIAA" ... any of that equals a 1-way ticket to "your contribution is worthless"-ville.
PayPal have had this issue forever where the checkout page is unaware of 2FA and goes into a stall displaying a "waiting" rotating icon. PayPal support are really incompetent when this issue is brought up.
Maybe this is their "fix" for this issue.
This is an account of something that is really happening in Brazil, and so widespread that it was actually aired on prime national TV by the largest network in the country (Globo). It targets whatsup, but it would work on anything that uses SMS or voice calls as a 2FA, as the sole auth factor (whatsup before its 2FA feature), or as a password recovery option (facebook, google, and others when you provide them with your cellphone number and allow them to use it to help password recovery).
This episode in Brazil is likely one of the key drivers for why WhatsUp deployed 2FA *worldwide* out of the blue: they *knew* it was necessary *yesterday*, because it was being actively exploited by common criminals. And in fact, it really isn't everyday in Brazil that you get large TV networks *teaching* you to enable whatsup 2FA on prime time... there were a lot of victims.
The attack is exactly the scenario every security researcher has always warned about SMS-based auth: the risk of attackers being able to re-route (or otherwise read) the SMS contents (and often, voice calls) is both typically unknown, and likely to be medium or high. The current recommendation is to *disable* and remove any phone-based (SMS, voice, etc) auth or password recovery options on any service *and* use random, nonsense alphanumeric strings (such as piping 512 bytes of random data into a sha256 checksummer) as the replies for any "security questions".
And, it turns out, at least in Brazil, that risk of a cellphone line being easily rerouted was not medium, or even high, it was *extremely high* (and for all I know, it still is).
Unfortunately, the TV broadcast lost the opportunity to warn people away from any sort of SMS-based or cellphone voice-call based auth, likely because lots of shitcrap banks and internet services do it for many different reasons. Even Google and other supposedly-to-know-better services do some sort of phone callback-based auth. In Brazil, enabling SMS-based auth or phone-verification auth/password recovery on *anything worth of value* is actually putting your cellphone line at extreme risk of being temporarily stolen, i.e. it can actually decrease your overall security a lot...
Here's how (and why) it worked: turns out that *temporarily* stealing your cellphone number (and thus receiving all of your voice calls and SMS!) is actually safer and easier than stealing (and maybe unlocking) your cellphone. All you need is to bribe a lowly-paid employee of a cellphone operator's retail outlets (who can exchange SIM cards and enable new SIM cards). Really. And they won't charge much, either, US$ 50 or less would be expected.
In whatsup case, it was even easier to do because it was not yet SMS-based 2FA, it was SMS-based auth. So, you would activate an "illegal SIM" tied to the victim's phone number with the help of the bribed cellphone company employee (this causes service to get weird and eventually entirely disabled on the victim's phone), install whatsup and do the "new phone" procedure, download all previous whatsup data from the victim and store it, then destroy the illegal SIM and revert the SIMphone number binding. Wait enough time to break the time-casuality relationship in the victim's mind, and perform the second stage of the attack on the victim.
The scammers would use the stolen whatsup history to either blackmail the victims (not many reports of these, for the obvious reasons), or to learn enough background to help them tick the victims into sending them money. If you are going to go that target-specific for simple scams that will not net much more than US$ 5k, and often a lot less, you are also going to do it when you get spyware-sourced account information.
So, do yourself a favor, and ensure stealing authentication information from you is actually 2FA, which will *not be true* if all one needs is to reroute your phone number, and either directily or through the use of password recovery, get into your email or DNS accounts (typically to bypass further 2FA/password recovery on high-valued twitter/email/corporate accounts), etc.
Hey, the "Music And Film Industry Association of America" is a valid acronym!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's not that it's being blocked, it's more that nobody really gives a shit.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Only ever 'Buy it now'. Just about given up on buying anything even remotely electrical from China or Malaysia. Don't know who's selling factory rejects among other issues.
Oh look, a comedian.
FBI, CIA, and NSA aren't political mouthpieces.
Comey hurt Clinton by blabbing about the email investigation right before the election, and he hurt Trump recently by denying agency involvement in "wiretapping". Fucking over both sides = not playing politics.
CIA and NSA keep to themselves. Not exactly a surprise there.