Slashdot Mirror


Ebay Asks Users To Downgrade Security (krebsonsecurity.com)

Ebay has started to inform customers who use a hardware key fob when logging into the site to switch to receiving a one-time code sent via text message. The move from the company, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is "a downgrade to a less-secure option," says security reporter Brian Kerbs. He writes: In early 2007, PayPal (then part of the same company as Ebay) began offering its hardware token for a one-time $5 fee, and at the time the company was among very few that were pushing this second-factor (something you have) in addition to passwords for user authentication. I've still got the same hardware token I ordered when writing about that offering, and it's been working well for the past decade. Now, Ebay is asking me to switch from the key fob to text messages, the latter being a form of authentication that security experts say is less secure than other forms of two-factor authentication (2FA). The move by Ebay comes just months after the National Institute for Standards and Technology (NIST) released a draft of new authentication guidelines that appear to be phasing out the use of SMS-based two-factor authentication.

17 of 72 comments

  1. Ironic that... my eBay/PayPal keyfobs just died by ctilsie242 · · Score: 2

    I have had a few rebranded VASCO keyfobs with eBay/PayPal's label on them. They tend to die after 2-3 years due to battery life, and recently, I was unable to find a link to buy a new one and activate it.

    Yes, now we have Google Authenticator, Duo, and other items, but the simplicity of a keyfob which did nothing but display a six digit number made it decently secure, without having to rely on a phone, tablet, or other device.

    1. Re:Ironic that... my eBay/PayPal keyfobs just died by Bodhammer · · Score: 2

      I went through 3 of the credit-card key gens in my wallet before I gave up. I guess I'm just a "hard ass"...

      --
      "I say we take off, nuke the site from orbit. It's the only way to be sure."
    2. Re:Ironic that... my eBay/PayPal keyfobs just died by stephanruby · · Score: 2

      I believe the Google Authenticator was available on a keyfob that displayed 6 digits, but it seems that even that was replaced by the following. https://www.technologyreview.c...

  2. Re:People still use Fleabay? by RightSaidFred99 · · Score: 5, Insightful

    A tremendously huge number of people, that's who. You're also "Windows?! Who still uses Windows!!?!" guy I bet, right?

  3. Re:Brian Kerbs? by TechyImmigrant · · Score: 5, Funny

    I had to double check the article, I couldn't believe an editor would fuck up something as basic as Krebs's name.

    No it's really Brian Kerbs. He's an expert on the interface between road and pavement/sidewalk.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  4. Flaws.. by Bert64 · · Score: 4, Insightful

    Perhaps ebay have become aware of a security flaw in the keyfob, and are thus trying to migrate users away from them?

    Any keyfob that just displays a different code over time depends on the security of the initial seed value... If these values were compromised then so are all the tokens, and it wouldn't be the first time something like this has happened.

    The trouble with saying "less secure" is that it's highly subjective, even if you're in full possession of the facts (which we may not be)...

    A lack of transparency is a problem as always... These companies are a black box, and we the users/customers are expected to just accept what they tell us without having any idea of their internal processes or code etc.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    1. Re:Flaws.. by markus · · Score: 4, Interesting

      Text messages almost always get sent to a cell phone, and in the US there really only are three or four mobile providers. If you have a phone number, you can often look up the provider in public databases, and if that doesn't work, you simply take a guess and call each of the major providers.

      Time and time again, it has been shown that all mobile cell phone providers are easily attackable by social engineering. It takes very little effort to have them either redirect SMS or issue a new SIM card and mail it to a random address. And this isn't even to talk about attacks on SS7, which more well-funded adversaries can pull off.

      So, now, the only real protection is whether the phone number can be found easily, if you already know the rest of the credentials. In most cases, that's unfortunately a really low hurdle.

      In other words, a halfway determined and experienced attacker can subvert SMS authentication, if only they have enough of an incentive to spend the effort. There are countless reports of this attack succeeding. So, it's no wonder the US government (in this case NIST) discourages the use of SMS authentication.

      Fortunately, there is a modern alternative to the old token that EBay used to support. FIDO U2F tokens are cheap, you only need a single token for an arbitrary number of sites, they are provably secure against MitM and phishing attacks (something that EBay's old token didn't do), they are easy to use, they support having multiple backup tokens, and there are plenty of open-source implementations and very good documentation. There really isn't a good excuse not to implement FIDO U2F except for laziness.

    2. Re:Flaws.. by Hylandr · · Score: 3, Informative

      To extend what you started with.

      > Text messages almost always get sent to a cell phone,

      Most cell phones are also logged into the same mail service that the ebay account will be using for the lost password recovery tool.

      Now without the dongle, one lost or stolen phone will offer the keys to the kingdom.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
  5. Re:Brian Kerbs? by FatdogHaiku · · Score: 4, Funny

    > I had to double check the article, I couldn't believe an editor would fuck up something as basic as Krebs's name.

    > No it's really Brian Kerbs. He's an expert on the interface between road and pavement/sidewalk.

    Get your mind OUT of the gutter!

    --
    You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  6. Re: Trump team intercepted, without foreigners in by Phil+Urich · · Score: 2

    Not only a longtime callback joke, but one that vastly improves on the troll-y original to be used *against* trolls. I heartily approve, Anonymous Sir.

    --
    I remember sigs. Oh, a simpler time!
  7. More Control by rudy_wayne · · Score: 5, Informative

    Since nobody ever actually reads the linked articles, here is what "Brian Kerbs" has to say:

    I asked eBay to explain their rationale for suggesting this switch. I received a response suggesting the change was more about bringing authentication in-house (the security key is made by Verisign) and that eBay hopes to offer additional multi-factor authentication options in the future.

    “As a company, eBay is committed to providing a safe and secure marketplace for our millions of customers around the world,” eBay spokesman Ryan Moore wrote. “Our product team is constantly working on establishing new short-term and long-term, eBay-owned factors to address our customer’s security needs.

  8. So, why? by Phil+Urich · · Score: 3

    From TFA:

    I asked eBay to explain their rationale for suggesting this switch. I received a response suggesting the change was more about bringing authentication in-house (the security key is made by Verisign) and that eBay hopes to offer additional multi-factor authentication options in the future. “As a company, eBay is committed to providing a safe and secure marketplace for our millions of customers around the world,” eBay spokesman Ryan Moore wrote. “Our product team is constantly working on establishing new short-term and long-term, eBay-owned factors to address our customer’s security needs. To that end, we’ve launched SMS-based 2FA as a convenient 2FA option for eBay customers who already had hardware tokens issued through PayPal. eBay continues to work on advancing multi-factor authentication options for our users, with the end goal of making every solution more secure and more convenient. We look forward to sharing more as additional solutions are ready to launch.”

    Although that doesn't fully explain why they felt the need to take things in-house. Possibilities that occur to me: 1. The backend they need to use for the old fobs is hellish to maintain. 2. Verisign charges them a lot of money and so some manager decided they should ditch the external methods for the sake of profit. Or some other sort of falling out between eBay and Verisign, but isn't it always about hope for higher profits? Speaking of... 3. It doesn't actually cost them much, but they want to develop their own in-house methods to then re-sell because upper management is still regretting spinning off PayPal and they want to create another such more universal middleman. Consider this the "??? Profit" possibility.

    --
    I remember sigs. Oh, a simpler time!
  9. Re: People still use Fleabay? by cyber-vandal · · Score: 2

    Yes they do you fucking elitist bellend

  10. Re:Brian Kerbs? by bobdehnhardt · · Score: 4, Funny

    No, that's Brian Curbs. I'm looking for "A Sale Of Two Titties" by Brian Kerbs, the well-known Dutch author.

  11. Paypal too by RubberDogBone · · Score: 2

    PayPal and eBay shared the same keyfobs for a long time, but sometime about two years ago, PayPal logins stopped working for me and nobody from their side could figure out why. Long story short, the only fix was to turn off the keyfob and use PIN codes sent by SMS.

    I am not sure if this really impacts security as PayPal was trivially easy to social engineer and have the keyfob taken off a target account, so having a keyfob on your account really didn't mean that much.

    Now eBay is doing the same thing. Oh well.

    --
    Sig for hire.
  12. Re: People still use Fleabay? by the_Bionic_lemming · · Score: 2

    Yep, Amazon has a book I want - typically ships in 1 or 2 weeks.

    Ebay has it for the same exact price and I ordered it last night and it's on the way. Ebay also had a better selection of Jeep Roofs, and my new one is at home waiting for a warm day for me to replace my old one.

    As to the key fob versus text? they can't spam your keyfob.

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
  13. Major privacy invasion by markdavis · · Score: 2

    >"Now, Ebay is asking me to switch from the key fob to text messages, the latter being a form of authentication that security experts say is less secure than other forms of two-factor authentication (2FA)."

    It is not just that it is less secure... it is AN INVASION OF PRIVACY. There is absolutely NO WAY I am going to give my cell phone number to Ebay, Microsoft, Amazon, Bank of America, or any other company. It is a marketing wet-dream for them to get that information such that they can spam you with impunity in the most egregious and annoying way I can think of, and sell that information to others.

    This is not a move to increase security or improve convenience for the end user. It is to lower THEIR cost and to increase THEIR knowledge about their users. And it is so common now it is shocking... and people just give it up!

    True story: a group of us went to TGIFriday's for dinner last week. We approached the hostess and told her 4 people. We expected to get a pager/fob. Nope, she asked us for our phone number! Every one of us in the group said "you have to be kidding," not over our dead bodies! We asked her "seriously? People will give you their private cell number for this?" She said "almost nobody bats an eye." Of course we declined and they had to physically come look for us when the table was ready.