Ebay Asks Users To Downgrade Security (krebsonsecurity.com)
Ebay has started to inform customers who use a hardware key fob when logging into the site to switch to receiving a one-time code sent via text message. The move from the company, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is "a downgrade to a less-secure option," says security reporter Brian Krebs. He writes: In early 2007, PayPal (then part of the same company as Ebay) began offering its hardware token for a one-time $5 fee, and at the time the company was among very few that were pushing this second factor (something you have) in addition to passwords for user authentication. I've still got the same hardware token I ordered when writing about that offering, and it's been working well for the past decade. Now, Ebay is asking me to switch from the key fob to text messages, the latter being a form of authentication that security experts say is less secure than other forms of two-factor authentication (2FA). The move by Ebay comes just months after the National Institute of Standards and Technology (NIST) released a draft of new authentication guidelines that appear to be phasing out the use of SMS-based two-factor authentication.
Text messages almost always get sent to a cell phone, and in the US there really are only three or four mobile providers. If you have a phone number, you can often look up the provider in public databases, and if that doesn't work, you simply take a guess and call each of the major providers.
Time and time again, it has been shown that all mobile cell phone providers are easily attackable by social engineering. It takes very little effort to have them either redirect SMS or issue a new SIM card and mail it to a random address. And this isn't even to talk about attacks on SS7, which more well-funded adversaries can pull off.
So, now, the only real protection is whether the phone number can be found easily, if you already know the rest of the credentials. In most cases, that's unfortunately a really low hurdle.
In other words, a halfway determined and experienced attacker can subvert SMS authentication, if only they have enough of an incentive to spend the effort. There are countless reports of this attack succeeding. So, it's no wonder the US government (in this case NIST) discourages the use of SMS authentication.
Fortunately, there is a modern alternative to the old token that EBay used to support. FIDO U2F tokens are cheap, you only need a single token for an arbitrary number of sites, they are provably secure against MitM and phishing attacks (something that EBay's old token didn't do), they are easy to use, they support having multiple backup tokens, and there are plenty of open-source implementations and very good documentation. There really isn't a good excuse not to implement FIDO U2F except for laziness.
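The comment above says U2F resists phishing but not why. The reason is that the token's signature covers both the hash of the application id and the hash of the browser-supplied client data, which carries the origin the user is actually on; a relying party then checks that origin and the signature together. The Go program below is an added illustration of that verification logic and is not code from the original post, from eBay, or from any FIDO library; the domain names, challenge strings and the in-memory "token" are constructed for the example, and a real deployment would use a key handle lookup and a persisted counter instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is what the browser (not the web page) assembles for a U2F
// authentication request; the browser fills in the real page origin.
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

var (
	errOrigin    = errors.New("client data origin does not match relying party")
	errSignature = errors.New("signature does not verify")
	errCounter   = errors.New("counter did not increase (possible cloned token)")
)

// signedPayload is the byte string a U2F token signs during authentication:
// SHA-256(appId) || userPresence || counter (4 bytes BE) || SHA-256(clientDataJSON).
func signedPayload(appID string, userPresence byte, counter uint32, clientDataJSON []byte) []byte {
	appParam := sha256.Sum256([]byte(appID))
	challengeParam := sha256.Sum256(clientDataJSON)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf := append([]byte{}, appParam[:]...)
	buf = append(buf, userPresence)
	buf = append(buf, ctr[:]...)
	return append(buf, challengeParam[:]...)
}

// token models the authenticator: a P-256 key and a monotonically increasing counter.
type token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// sign returns the U2F signature data: userPresence || counter || DER ECDSA signature.
func (t *token) sign(appID string, clientDataJSON []byte) ([]byte, error) {
	t.counter++
	digest := sha256.Sum256(signedPayload(appID, 1, t.counter, clientDataJSON))
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
	if err != nil {
		return nil, err
	}
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], t.counter)
	out := append([]byte{1}, ctr[:]...)
	return append(out, sig...), nil
}

// relyingParty holds what the server knows: its own appId/origin, the
// public key registered for this user, and the last counter it accepted.
type relyingParty struct {
	appID, origin string
	pub           *ecdsa.PublicKey
	lastCounter   uint32
}

// verify performs the checks a server must run on an authentication response.
func (rp *relyingParty) verify(clientDataJSON, sigData []byte, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Typ != "navigator.id.getAssertion" || cd.Challenge != expectedChallenge {
		return errors.New("unexpected typ or challenge")
	}
	if cd.Origin != rp.origin { // this is the phishing check
		return fmt.Errorf("%w: got %q, want %q", errOrigin, cd.Origin, rp.origin)
	}
	if len(sigData) < 5 || sigData[0]&1 == 0 {
		return errors.New("malformed response or user presence not asserted")
	}
	counter := binary.BigEndian.Uint32(sigData[1:5])
	if counter <= rp.lastCounter {
		return errCounter
	}
	digest := sha256.Sum256(signedPayload(rp.appID, sigData[0], counter, clientDataJSON))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], sigData[5:]) {
		return errSignature
	}
	rp.lastCounter = counter
	return nil
}

// demo runs three logins with one token: a legitimate one, one where the
// browser on a lookalike site reports its own origin, and one where the
// relayed client data is rewritten to the real origin after signing.
func demo() (legit, phish, rewritten error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tok := &token{priv: priv}
	rp := &relyingParty{appID: "https://example.com", origin: "https://example.com", pub: &priv.PublicKey}

	cd1, _ := json.Marshal(clientData{"navigator.id.getAssertion", "constructed-challenge-1", "https://example.com"})
	sig1, _ := tok.sign(rp.appID, cd1)
	legit = rp.verify(cd1, sig1, "constructed-challenge-1")

	cd2, _ := json.Marshal(clientData{"navigator.id.getAssertion", "constructed-challenge-2", "https://examp1e.com"})
	sig2, _ := tok.sign(rp.appID, cd2)
	phish = rp.verify(cd2, sig2, "constructed-challenge-2") // origin mismatch

	cd3, _ := json.Marshal(clientData{"navigator.id.getAssertion", "constructed-challenge-2", "https://example.com"})
	rewritten = rp.verify(cd3, sig2, "constructed-challenge-2") // hash no longer matches what was signed
	return
}

func main() {
	legit, phish, rewritten := demo()
	fmt.Println("legitimate:", legit)
	fmt.Println("lookalike origin:", phish)
	fmt.Println("rewritten client data:", rewritten)
}
```

Both failure paths matter: if the attacker relays the response untouched, the origin check rejects it; if the attacker patches the origin back to the real one, the signed hash no longer matches. The counter check is a separate defence, flagging a cloned token rather than phishing.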