Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ebay Asks Users To Downgrade Security (krebsonsecurity.com)

Posted by msmash on from the security-woes dept.

Ebay has started to inform customers who use a hardware key fob when logging into the site to switch to receiving a one-time code sent via text message. The move from the company, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is "a downgrade to a less-secure option," say security reporter Brian Kerbs. He writes: In early 2007, PayPal (then part of the same company as Ebay) began offering its hardware token for a one-time $5 fee, and at the time the company was among very few that were pushing this second-factor (something you have) in addition to passwords for user authentication. I've still got the same hardware token I ordered when writing about that offering, and it's been working well for the past decade. Now, Ebay is asking me to switch from the key fob to text messages, the latter being a form of authentication that security experts say is less secure than other forms of two-factor authentication (2FA). The move by Ebay comes just months after the National Institute for Standards and Technology (NIST) released a draft of new authentication guidelines that appear to be phasing out the use of SMS-based two-factor authentication.

2 of 72 comments (clear)

  1. Re:People still use Fleabay? by RightSaidFred99 · · Score: 5, Insightful

    A tremendously huge number of people, that's who. You're also "Windows?! Who still uses Windows!!?!" guy I bet, right?

  2. Flaws.. by Bert64 · · Score: 4, Insightful

    Perhaps ebay have become aware of a security flaw in the keyfob, and are thus trying to migrate users away from them?

    Any keyfob that just displays a different code over time depends on the security of the initial seed value... If these values were compromised then so are all the tokens, and it wouldn't be the first time something like this has happened.

    The trouble with saying "less secure" is that it's highly subjective, even if you're in full possession of the facts (which we may not be)...

    A lack of transparency is a problem as always... These companies are a black box, and we the users/customers are expected to just accept what they tell us without having any idea of their internal processes or code etc.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!