date 2017-03-22
Ebay Asks Users To Downgrade Security (krebsonsecurity.com)
eBay has started telling customers who log in to the site with a hardware key fob to switch to a one-time code sent via text message. The move by the company, which was at one time well ahead of most e-commerce companies in offering more robust online authentication options, is "a downgrade to a less-secure option," says security reporter Brian Krebs. He writes: In early 2007, PayPal (then part of the same company as eBay) began offering its hardware token for a one-time $5 fee, and at the time the company was among very few that were pushing this second factor (something you have) in addition to passwords for user authentication. I've still got the same hardware token I ordered when writing about that offering, and it's been working well for the past decade. Now, eBay is asking me to switch from the key fob to text messages, the latter being a form of authentication that security experts say is less secure than other forms of two-factor authentication (2FA). The move by eBay comes just months after the National Institute of Standards and Technology (NIST) released a draft of new authentication guidelines that appear to be phasing out the use of SMS-based two-factor authentication.
Where do you suggest I shop for my gray market crap?
Yes they do, you fucking elitist bellend.
What with all the "it's broken" scammers, and the gray market crap being peddled. Who still uses the former auction site?
Perhaps you're right.
After all, there's nothing but honest reviews at Amazon, with ethics ensuring no chance of grey-market product being sold there...
Ironic that... my eBay/PayPal keyfobs just died (Score:2)
I have had a few rebranded VASCO keyfobs with eBay/PayPal's label on them. They tend to die after 2-3 years due to battery life, and recently I was unable to find a link to buy a new one and activate it.
Yes, now we have Google Authenticator, Duo, and other items, but the simplicity of a keyfob which did nothing but display a six-digit number made it decently secure, without having to rely on a phone, tablet, or other device.
Correction. My keyfobs didn't "just" die. It took them a few years to run out of battery life. However, it would be nice if they were still offered.
I had to double-check the article; I couldn't believe an editor would fuck up something as basic as Krebs's name.
No it's really Brian Kerbs. He's an expert on the interface between road and pavement/sidewalk.
Get your mind OUT of the gutter!
No, that's Brian Curbs. I'm looking for "A Sale Of Two Titties" by Brian Kerbs, the well-known Dutch author.
Dey took our kerbs!
And the AP doesn't like their headline anymore. http://archive.is/zBZRx#select... [archive.is]
Flaws.. (Score:3)
Perhaps ebay have become aware of a security flaw in the keyfob, and are thus trying to migrate users away from them?
Any keyfob that just displays a different code over time depends on the security of the initial seed value... If these values were compromised then so are all the tokens, and it wouldn't be the first time something like this has happened.
The trouble with saying "less secure" is that it's highly subjective, even if you're in full possession of the facts (which we may not be)...
A lack of transparency is a problem as always... These companies are a black box, and we the users/customers are expected to just accept what they tell us without having any idea of their internal processes or code etc.
More Control (Score:2)
Since nobody ever actually reads the linked articles, here is what "Brian Kerbs" has to say:
I asked eBay to explain their rationale for suggesting this switch. I received a response suggesting the change was more about bringing authentication in-house (the security key is made by Verisign) and that eBay hopes to offer additional multi-factor authentication options in the future.
“As a company, eBay is committed to providing a safe and secure marketplace for our millions of customers around the world,” eBay spokesman Ryan Moore wrote. “Our product team is constantly working on establishing new short-term and long-term, eBay-owned factors to address our customer’s security needs.
Text messages almost always get sent to a cell phone, and in the US there really only are three or four mobile providers. If you have a phone number, you can often look up the provider in public databases, and if that doesn't work, you simply take a guess and call each of the major providers.
Time and time again, it has been shown that all mobile cell phone providers are easily attackable by social engineering. It takes very little effort to have them either redirect SMS or issue a new SIM card and mail it t
Let's stop bullshitting here. eBay knows few users give a shit enough to even want to deal with MFA, so they're doing this as a cost-saving measure, and nothing more.
If this in fact is the case, we could probably find evidence of an attack elsewhere. A void of evidence would tend to point at my initial statement above.
Fact: 99.999% of the devices that will provide the SMS authentication to support MFA are smartphones, and smartphones have a fucking horrible security record. They are constantly getting ha
Their flaw is that they are literally unbreakable, so they are moving to something entirely trivial for most big interested parties to intercept and decrypt. I wonder why?
