Ebay Asks Users To Downgrade Security

Ebay has started to inform customers who use a hardware key fob when logging into the site to switch to receiving a one-time code sent via text message. The move from the company, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is "a downgrade to a less-secure option," say security reporter Brian Kerbs. He writes: In early 2007, PayPal (then part of the same company as Ebay) began offering its hardware token for a one-time $5 fee, and at the time the company was among very few that were pushing this second-factor (something you have) in addition to passwords for user authentication. I've still got the same hardware token I ordered when writing about that offering, and it's been working well for the past decade. Now, Ebay is asking me to switch from the key fob to text messages, the latter being a form of authentication that security experts say is less secure than other forms of two-factor authentication (2FA). The move by Ebay comes just months after the National Institute for Standards and Technology (NIST) released a draft of new authentication guidelines that appear to be phasing out the use of SMS-based two-factor authentication.

Re:People still use Fleabay?

[RightSaidFred99]

A tremendously huge number of people, that's who. You're also "Windows?! Who still uses Windows!!?!" guy I bet, right?

Re:Brian Kerbs?

[TechyImmigrant]

In had to double check the article, I couldn't believe an editor would fuck up something as basic as Krebs's name.

No it's really Brian Kerbs. He's an expert on the interface between road and pavement/sidewalk.

Flaws..

[Bert64]

Perhaps ebay have become aware of a security flaw in the keyfob, and are thus trying to migrate users away from them?

Any keyfob that just displays a different code over time depends on the security of the initial seed value... If these values were compromised then so are all the tokens, and it wouldn't be the first time something like this has happened.

The trouble with saying "less secure" is that it's highly subjective, even if you're in full possession of the facts (which we may not be)...

A lack of transparency is a problem as always... These companies are a black box, and we the users/customers are expected to just accept what they tell us without having any idea of their internal processes or code etc.

Re:Flaws..

[markus]

Text messages almost always get sent to a cell phone, and in the US there really only are three or four mobile providers. If you have a phone number, you can often look up the provider in public databases, and if that doesn't work, you simply take a guess and call each of the major providers.

Time and time again, it has been shown that all mobile cell phone providers are easily attackable by social engineering. It takes very little effort to have them either redirect SMS or issue a new SIM card and mail it to a random address. And this isn't even to talk about attacks on SS7, which more well-funded adversaries can pull off.

So, now, the only real protection is whether the phone number can be found easily, if you already know the rest of the credentials. In most cases, that's unfortunately a really low hurdle.

In other words, a half way determined and experienced attacker can subvert SMS authentication, if only they have enough of an incentive to spend the effort. There are countless reports of this attack succeeding. So, it's no wonder the US government (in this case NIST) discourages the use of SMS authentication.

Fortunately, there is a modern alternative to the old token that EBay used to support. FIDO U2F tokens are cheap, you only need a single token for an arbitrary number of sites, they are provably secure against MitM and phishing attacks (something that EBay's old token didn't do), they are easy to use, they support having multiple backup tokens, and there are plenty of opensource implementations and very good documentation. There really isn't a good excuse not to implement FIDO U2F except for laziness.

Re:Flaws..

[Hylandr]

To extend what you started with.

Text messages almost always get sent to a cell phone,

Most cell phones are also logged into the same mail service that the ebay account will be using for the lost password recovery tool.

Now without the dongle, one lost or stolen phone will offer the keys to the kingdom.

Re:Brian Kerbs?

[FatdogHaiku]

In had to double check the article, I couldn't believe an editor would fuck up something as basic as Krebs's name.

No it's really Brian Kerbs. He's an expert on the interface between road and pavement/sidewalk.

Get your mind OUT of the gutter!

More Control

[rudy_wayne]

Since nobody ever actually reads the linked articles, here is what "Brian Kerbs" has to say:

I asked eBay to explain their rationale for suggesting this switch. I received a response suggesting the change was more about bringing authentication in-house (the security key is made by Verisign) and that eBay hopes to offer additional multi-factor authentication options in the future.

“As a company, eBay is committed to providing a safe and secure marketplace for our millions of customers around the world,” eBay spokesman Ryan Moore wrote. “Our product team is constantly working on establishing new short-term and long-term, eBay-owned factors to address our customer’s security needs.

So, why?

[Phil+Urich]

From TFA:

I asked eBay to explain their rationale for suggesting this switch. I received a response suggesting the change was more about bringing authentication in-house (the security key is made by Verisign) and that eBay hopes to offer additional multi-factor authentication options in the future. âoeAs a company, eBay is committed to providing a safe and secure marketplace for our millions of customers around the world,â eBay spokesman Ryan Moore wrote. âoeOur product team is constantly working on establishing new short-term and long-term, eBay-owned factors to address our customerâ(TM)s security needs. To that end, weâ(TM)ve launched SMS-based 2FA as a convenient 2FA option for eBay customers who already had hardware tokens issued through PayPal. eBay continues to work on advancing multi-factor authentication options for our users, with the end goal of making every solution more secure and more convenient. We look forward to sharing more as additional solutions are ready to launch.â

Although that doesn't fully explain why they felt the need to take things in-house. Possibilities that occur to me: 1. The backend they need to use for the old fobs is hellish to maintain. 2. Verisign charges them a lot of money and so some manager decided they should ditch the external methods for the sake of profit. Or some other sort of falling out between eBay and Verisign, but isn't it always about hope for higher profits? Speaking of... 3. It doesn't actually cost them much, but they want to develop their own in-house methods to then re-sell because upper management is still regretting spinning off PayPal and they want to create another such more universal middleman. Consider this the "??? Profit" possibility.

Re:Brian Kerbs?

[bobdehnhardt]

No, that's Brian Curbs. I'm looking for "A Sale Of Two Titties" by Brian Kerbs, the well-known Dutch author.