Why ebay does not care about security

The Past

I have been on eBay since 1997.

For the past ten years, I have been using two-factor authentication to protect my eBay, Paypal and other accounts.

It started with the Paypal Security Key, also affectionately known as the “Paypal Football” because of its shape.

Introduced in 2007, the football is a $5 hardware device that displays a quasi-random six-digit number when the button is pressed. The code changes every thirty seconds and makes it impossible to get into your Paypal account without the “Football”, which lived on my Key-ring and went everywhere with me. When eBay bought Paypal, the football could be used to protect access to my eBay account as well.

Four years went by. The battery in the football ran down, and the device fell to pieces when I tried to replace it. Alarmingly, eBay no longer offered the “Football”, offering instead A Credit-Card device that fulfilled the same function at the somewhat higher price of $30.Getting the feeling that eBay was trying to turn a profit out of (in)security, I looked elsewhere… and found the Yubikey VIP.

I had been using a Yubikey in the past to protect, among other things, my Gmail account (The epic Hack of the famous Wired Journalist Mat Honen, could have been thwarted, by his own admission, had he done the same). Now the good folks at Yubico were offing a Yubikey that also doubled as a Verisign VIP key (the technology that PayPal used in the football). I purchased one and have used it ever since. I am still using it to this day.

The Present

I got the following email from them yesterday.

Let me be clear: This is a really, really bad idea for a whole bunch of reasons. Let me enumerate a few:

  1. Texting is insecure. SMS is not encrypted, and SMS messages can be readily intercepted with the right equipment. Using SMS as a one-off mechanism to sign up for something is not too bad, but sending out a text every time you want to log in is a really bad idea.
  2. Not everybody has a texting plan. I am on Verizon’s ancient (not offered since 2012) un-capped, un-throttled, un-limited data plan. Verizon charges extra for text messages, so I have disabled text messaging.
  3. My phone is not always available. I may be able to take a call. I may be in a meeting. I may be in a basement or out of coverage. I may be overseas.
  4. I purposefully purchased serious securityand now eBay are replacing it with something that is less secure.

In an age where websites are becoming more and more secure, this is a retrograde step. So why did eBay do this astoundingly bone-headed thing?

  1. Money. It is my understanding that eBay have to pay Verisign to use this system, while a text message/voice system would be far cheaper.
  2. Support: Security, it is said, is the enemy of convenience. The previous system had some potential shortcomings that allowed users to easily revert to less secure options (“secret questions”, etc) if they didn’t have their hardware token with them. A properly-designed secure system would make it impossible to turn off two-factor authentication without extended vetting… which means hiring Customer Service people to establish the identity of the customer. Given the choice between “good” security and “CHEAP” security, it is hardly surprising that eBay went with the “less-good-but-dirt-cheap” option.

So what *should* ebay be doing?

  • If it ain’t broke… offer the $5 footballs again, or admit that you don’t know or care about security.
  • Use a known and trusted out-of-band key-generation system: If you don’t want to pay Verisign, use the Google Authenticator system, which runs in software, and is already trusted with Google, WordPress, DropBox and others who apparently care about security more than you do.
  • Roll your own like Blizzard and others. The technology is tried and trusted. Just do it.

But what if…What if the user cannot, for one reason or another, use the second factor? In addition, it should be possible to allow the users print out a set of recovery codes to use when the second factor is unavailable. Talk to Google about this; they obviously know something you don’t.

Advertisements
Post a comment or leave a trackback: Trackback URL.

Comments

  • Wizard Prang  On May 23, 2018 at 2:07 PM

    Additional: eBay’s “experts” told me that it is “spam”… right before they sent me another one.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: