Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Businesses Technology

Ebay Asks Users To Downgrade Security (krebsonsecurity.com) 72

Ebay has started to inform customers who use a hardware key fob when logging into the site to switch to receiving a one-time code sent via text message. The move from the company, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is "a downgrade to a less-secure option," say security reporter Brian Kerbs. He writes: In early 2007, PayPal (then part of the same company as Ebay) began offering its hardware token for a one-time $5 fee, and at the time the company was among very few that were pushing this second-factor (something you have) in addition to passwords for user authentication. I've still got the same hardware token I ordered when writing about that offering, and it's been working well for the past decade. Now, Ebay is asking me to switch from the key fob to text messages, the latter being a form of authentication that security experts say is less secure than other forms of two-factor authentication (2FA). The move by Ebay comes just months after the National Institute for Standards and Technology (NIST) released a draft of new authentication guidelines that appear to be phasing out the use of SMS-based two-factor authentication.
This discussion has been archived. No new comments can be posted.

Ebay Asks Users To Downgrade Security

Comments Filter:
  • by ctilsie242 ( 4841247 ) on Wednesday March 22, 2017 @02:26PM (#54090495)

    I have had a few rebranded VASCO keyfob with eBay/PayPal's label on it. They tend to die after 2-3 years due to battery life, and recently, I was unable to find a link to buy a new one and activate it.

    Yes, now we have Google Authenticator, Duo, and other items, but the simplicity of a keyfob which did nothing but display a six digit number made it decently secure, without having to reply on a phone, tablet, or other device.

  • Flaws.. (Score:5, Insightful)

    by Bert64 ( 520050 ) <.moc.eeznerif.todhsals. .ta. .treb.> on Wednesday March 22, 2017 @02:42PM (#54090649) Homepage

    Perhaps ebay have become aware of a security flaw in the keyfob, and are thus trying to migrate users away from them?

    Any keyfob that just displays a different code over time depends on the security of the initial seed value... If these values were compromised then so are all the tokens, and it wouldn't be the first time something like this has happened.

    The trouble with saying "less secure" is that it's highly subjective, even if you're in full possession of the facts (which we may not be)...

    A lack of transparency is a problem as always... These companies are a black box, and we the users/customers are expected to just accept what they tell us without having any idea of their internal processes or code etc.

    • More Control (Score:5, Informative)

      by rudy_wayne ( 414635 ) on Wednesday March 22, 2017 @03:01PM (#54090793)

      Since nobody ever actually reads the linked articles, here is what "Brian Kerbs" has to say:

      I asked eBay to explain their rationale for suggesting this switch. I received a response suggesting the change was more about bringing authentication in-house (the security key is made by Verisign) and that eBay hopes to offer additional multi-factor authentication options in the future.

      “As a company, eBay is committed to providing a safe and secure marketplace for our millions of customers around the world,” eBay spokesman Ryan Moore wrote. “Our product team is constantly working on establishing new short-term and long-term, eBay-owned factors to address our customer’s security needs.

    • Re:Flaws.. (Score:5, Interesting)

      by markus ( 2264 ) on Wednesday March 22, 2017 @03:09PM (#54090853) Homepage

      Text messages almost always get sent to a cell phone, and in the US there really only are three or four mobile providers. If you have a phone number, you can often look up the provider in public databases, and if that doesn't work, you simply take a guess and call each of the major providers.

      Time and time again, it has been shown that all mobile cell phone providers are easily attackable by social engineering. It takes very little effort to have them either redirect SMS or issue a new SIM card and mail it to a random address. And this isn't even to talk about attacks on SS7, which more well-funded adversaries can pull off.

      So, now, the only real protection is whether the phone number can be found easily, if you already know the rest of the credentials. In most cases, that's unfortunately a really low hurdle.

      In other words, a half way determined and experienced attacker can subvert SMS authentication, if only they have enough of an incentive to spend the effort. There are countless reports of this attack succeeding. So, it's no wonder the US government (in this case NIST) discourages the use of SMS authentication.

      Fortunately, there is a modern alternative to the old token that EBay used to support. FIDO U2F tokens are cheap, you only need a single token for an arbitrary number of sites, they are provably secure against MitM and phishing attacks (something that EBay's old token didn't do), they are easy to use, they support having multiple backup tokens, and there are plenty of opensource implementations and very good documentation. There really isn't a good excuse not to implement FIDO U2F except for laziness.

      • Re:Flaws.. (Score:4, Informative)

        by Hylandr ( 813770 ) on Wednesday March 22, 2017 @05:44PM (#54091899)

        To extend what you started with.

        Text messages almost always get sent to a cell phone,

        Most cell phones are also logged into the same mail service that the ebay account will be using for the lost password recovery tool.

        Now without the dongle, one lost or stolen phone will offer the keys to the kingdom.

      • True. Anybody with a low level access to a phone network can steal anybody's phone number with ease. Russians used the fake roaming requests to force British Telecom into routing MPs phone numbers to Russia. All you need to know is victims IMEI.

    • Perhaps ebay have become aware of a security flaw in the keyfob, and are thus trying to migrate users away from them?

      Let's stop bullshitting here. eBay knows few users give a shit enough to even want to deal with MFA, so they're doing this as a cost-saving measure, and nothing more.

      Any keyfob that just displays a different code over time depends on the security of the initial seed value... If these values were compromised then so are all the tokens, and it wouldn't be the first time something like this has happened.

      If this in fact is the case, we could probably find evidence of an attack elsewhere. An void of evidence would tend to point at my initial statement above.

      The trouble with saying "less secure" is that it's highly subjective, even if you're in full possession of the facts (which we may not be)...

      Fact: 99.999% of the devices that will provide the SMS authentication to support MFA are smartphones, and smartphones have a fucking horrible security record. They are constantly getting ha

    • Perhaps ebay have become aware of a security flaw in the keyfob, and are thus trying to migrate users away from them?

      Their flaw is that they are literally unbreakable, so they are moving to something entirely trivial for most big interested parties to intercept and decrypt. I wonder why?

    • On the contrary, there is no flaw. This is frustrating the NSA, which has asked eBay to be more Patriotic. Would be a shame if something were to happen to their nice website.

      Does eBay/PayPay have a warrant canary?

      • On the contrary, there is no flaw. This is frustrating the NSA, which has asked eBay to be more Patriotic. Would be a shame if something were to happen to their nice website.

        Does eBay/PayPay have a warrant canary?

        The NSA doesn't need your login credentials for eBay to see what you are buying. I cross the border from the US to Canada for summer vacation and on occasion I bring eBay items back for family members. Canada charges tax on goods crossing the border into Canada that are going to be left there. The tax amount is based on the value. I always declare anything I bring with me but they sometimes double-check to make sure. I've seen them access account details based on eBay member ID. If the Canadian border

    • I think they just want your cell phone number.
      • by ptaff ( 165113 )

        I think they just want your cell phone number.

        It's the obvious primary key that can directly link to most of your interesting accounts online (all of those online services who in the name of "security" force you to reveal your phone number) and offline (credit cards, public services accounts); remember the real name policy that Google+ had? so pointless now thanks to "security".

  • by Phil Urich ( 841393 ) on Wednesday March 22, 2017 @03:01PM (#54090795) Journal
    From TFA:

    I asked eBay to explain their rationale for suggesting this switch. I received a response suggesting the change was more about bringing authentication in-house (the security key is made by Verisign) and that eBay hopes to offer additional multi-factor authentication options in the future. âoeAs a company, eBay is committed to providing a safe and secure marketplace for our millions of customers around the world,â eBay spokesman Ryan Moore wrote. âoeOur product team is constantly working on establishing new short-term and long-term, eBay-owned factors to address our customerâ(TM)s security needs. To that end, weâ(TM)ve launched SMS-based 2FA as a convenient 2FA option for eBay customers who already had hardware tokens issued through PayPal. eBay continues to work on advancing multi-factor authentication options for our users, with the end goal of making every solution more secure and more convenient. We look forward to sharing more as additional solutions are ready to launch.â

    Although that doesn't fully explain why they felt the need to take things in-house. Possibilities that occur to me: 1. The backend they need to use for the old fobs is hellish to maintain. 2. Verisign charges them a lot of money and so some manager decided they should ditch the external methods for the sake of profit. Or some other sort of falling out between eBay and Verisign, but isn't it always about hope for higher profits? Speaking of... 3. It doesn't actually cost them much, but they want to develop their own in-house methods to then re-sell because upper management is still regretting spinning off PayPal and they want to create another such more universal middleman. Consider this the "??? Profit" possibility.

  • by RubberDogBone ( 851604 ) on Wednesday March 22, 2017 @03:54PM (#54091189)

    PayPal and eBay shared the same keyfobs for a long time, but sometime about two years ago, PayPal logins stopped working for me and nobody from their side could figure out why. Long story short, the only fix was to turn off the keyfob and use PIN codes sent by SMS.

    I am not sure if this really impacts security as PayPal was trivially easy to social engineer and have the keyfob taken off a target account, so having a keyfob on your account really didn't mean that much.

    Now eBay is doing the same thing. Oh well.

    • by mhkohne ( 3854 )

      PayPal and eBay shared the same keyfobs for a long time, but sometime about two years ago, PayPal logins stopped working for me and nobody from their side could figure out why. Long story short, the only fix was to turn off the keyfob and use PIN codes sent by SMS.

      I am not sure if this really impacts security as PayPal was trivially easy to social engineer and have the keyfob taken off a target account, so having a keyfob on your account really didn't mean that much.

      Now eBay is doing the same thing. Oh well.

      Interesting - my fob never stopped working. I changed over to using the android app instead of the physical fob (because my old fob looked like it had been through the wash too many times), but I've never had a problem with it.

      My guess is that Paypal/Ebay don't actually know enough to debug subtle problems with the system, so you got screwed.

      Annoying, and now we all get to be annoyed.

      Note that so far my sign-in still works with the app - they haven't actually started forcing people off of the fob yet.

    • I'm still using the same keyfob that I got when they were first offered. eBay still asks for the code but a year or two ago Paypal changed their setup. Now when I log in to them I have to type in my password with the code tacked onto the end. (example: password123456) Perhaps your email client ate the memo?
    • by sidetrack ( 4550 )

      I had the same problem with paypal tokens stopping working. Paypal and ebay tech support were clueless...

      I eventually stumbled on the fix by clearing all paypal / ebay cookies from my browser.

      It'd be nice if they took up Fido U2F, since they're part of the bloody standards group for Fs sake... https://www.paypal-engineering.com/tag/fido/

  • by markdavis ( 642305 ) on Wednesday March 22, 2017 @05:06PM (#54091675)

    >"Now, Ebay is asking me to switch from the key fob to text messages, the latter being a form of authentication that security experts say is less secure than other forms of two-factor authentication (2FA)."

    It is not just that it is less secure... it is AN INVASION OF PRIVACY. There is absolutely NO WAY I am going to give my cell phone number to Ebay, Microsoft, Amazon, Bank of America, or any other company. It is a marketing wet-dream for them to get that information such that they can spam you with impunity in the most egregious and annoying way I can think of, and sell that information to others.

    This is not a move to increase security or improve convenience for the end user. It is to lower THEIR cost and to increase THEIR knowledge about their users. And it is so common now it is shocking... and people just give it up!

    True story- a group of us went to TGIFriday's for dinner last week. We approached the hostess and told her 4 people. We expected to get a pager/fob. Nope, she asked us for our phone number! Every one of us in the group said "you have to be kidding" not over our dead bodies! We asked her "seriously? People will give you their private cell number for this?" She said almost nobody bats an eye." Of course we declined and they had to physically come look for us when the table was ready.

    • Yuuup. And it's not the first time, either. Try sending a GPG-signed email via ebay. You'll get a response back telling you that your email has been blocked "for security reasons".

    • But of course they get a phone number from me. Same way they get an email address. Every single one gets a different one. And when a telemarkedroid calls, you know exactly which company is insecure enough to hand it over, and who not to trust with any actually critical information.

  • Imagine in the future, that you have collected hundreds of fobs, just to get access to things.
    • by markus ( 2264 )

      That's why you don't implement some random proprietary protocol, but instead go with a standard like Fido U2F. You only need a single token for an arbitrary number of sites

  • ... this means they'll need your phone number.

    Phone numbers are the new SSN. Particularly since telcos have been given immunity for handing your metadata over to every TLA and creditor that asks for it. Just try doing business with anyone and, when they ask for your phone number, just tell them you don't have one. Watch them shit themselves.

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...