Slashdot Mirror


Ebay Asks Users To Downgrade Security (krebsonsecurity.com)

Ebay has started to inform customers who use a hardware key fob when logging into the site to switch to receiving a one-time code sent via text message. The move from the company, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is "a downgrade to a less-secure option," says security reporter Brian Krebs. He writes: In early 2007, PayPal (then part of the same company as Ebay) began offering its hardware token for a one-time $5 fee, and at the time the company was among very few that were pushing this second-factor (something you have) in addition to passwords for user authentication. I've still got the same hardware token I ordered when writing about that offering, and it's been working well for the past decade. Now, Ebay is asking me to switch from the key fob to text messages, the latter being a form of authentication that security experts say is less secure than other forms of two-factor authentication (2FA). The move by Ebay comes just months after the National Institute for Standards and Technology (NIST) released a draft of new authentication guidelines that appear to be phasing out the use of SMS-based two-factor authentication.

2 of 72 comments

  1. More Control by rudy_wayne · Score: 5, Informative

    Since nobody ever actually reads the linked articles, here is what "Brian Kerbs" has to say:

    I asked eBay to explain their rationale for suggesting this switch. I received a response suggesting the change was more about bringing authentication in-house (the security key is made by Verisign) and that eBay hopes to offer additional multi-factor authentication options in the future.

    “As a company, eBay is committed to providing a safe and secure marketplace for our millions of customers around the world,” eBay spokesman Ryan Moore wrote. “Our product team is constantly working on establishing new short-term and long-term, eBay-owned factors to address our customer’s security needs.

  2. Re:Flaws.. by Hylandr · Score: 3, Informative

    To extend what you started with.

    Text messages almost always get sent to a cell phone,

    Most cell phones are also logged into the same mail service that the ebay account will be using for the lost password recovery tool.

    Now without the dongle, one lost or stolen phone will offer the keys to the kingdom.

    --
    ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.