Category Archives: (in)security

Why ebay does not care about security

The Past

I have been on eBay since 1997.

For the past ten years, I have been using two-factor authentication to protect my eBay, Paypal and other accounts.

It started with the Paypal Security Key, also affectionately known as the “Paypal Football” because of its shape.

Introduced in 2007, the football is a $5 hardware device that displays a quasi-random six-digit number when the button is pressed. The code changes every thirty seconds and makes it impossible to get into your Paypal account without the “Football”, which lived on my Key-ring and went everywhere with me. When eBay bought Paypal, the football could be used to protect access to my eBay account as well.

Four years went by. The battery in the football ran down, and the device fell to pieces when I tried to replace it. Alarmingly, eBay no longer offered the “Football”, offering instead a credit-card-sized device that fulfilled the same function at the somewhat higher price of $30. Getting the feeling that eBay was trying to turn a profit out of (in)security, I looked elsewhere… and found the Yubikey VIP.

I had been using a Yubikey in the past to protect, among other things, my Gmail account (the epic hack of the Wired journalist Mat Honan could have been thwarted, by his own admission, had he done the same). Now the good folks at Yubico were offering a Yubikey that also doubled as a Verisign VIP key (the technology that PayPal used in the football). I purchased one and have used it ever since. I am still using it to this day.

The Present

I got the following email from them yesterday.

Let me be clear: This is a really, really bad idea for a whole bunch of reasons. Let me enumerate a few:

  1. Texting is insecure. SMS is not encrypted, and SMS messages can be readily intercepted with the right equipment. Using SMS as a one-off mechanism to sign up for something is not too bad, but sending out a text every time you want to log in is a really bad idea.
  2. Not everybody has a texting plan. I am on Verizon’s ancient (not offered since 2012) un-capped, un-throttled, un-limited data plan. Verizon charges extra for text messages, so I have disabled text messaging.
  3. My phone is not always available. I may be able to take a call. I may be in a meeting. I may be in a basement or out of coverage. I may be overseas.
  4. I purposefully purchased serious security, and now eBay are replacing it with something that is less secure.

In an age where websites are becoming more and more secure, this is a retrograde step. So why did eBay do this astoundingly bone-headed thing?

  1. Money. It is my understanding that eBay have to pay Verisign to use this system, while a text message/voice system would be far cheaper.
  2. Support: Security, it is said, is the enemy of convenience. The previous system had some potential shortcomings that allowed users to easily revert to less secure options (“secret questions”, etc) if they didn’t have their hardware token with them. A properly-designed secure system would make it impossible to turn off two-factor authentication without extended vetting… which means hiring Customer Service people to establish the identity of the customer. Given the choice between “good” security and “CHEAP” security, it is hardly surprising that eBay went with the “less-good-but-dirt-cheap” option.

So what *should* ebay be doing?

  • If it ain’t broke… offer the $5 footballs again, or admit that you don’t know or care about security.
  • Use a known and trusted out-of-band key-generation system: If you don’t want to pay Verisign, use the Google Authenticator system, which runs in software, and is already trusted with Google, WordPress, DropBox and others who apparently care about security more than you do.
  • Roll your own like Blizzard and others. The technology is tried and trusted. Just do it.

But what if the user cannot, for one reason or another, use the second factor? It should also be possible to let users print out a set of recovery codes to use when the second factor is unavailable. Talk to Google about this; they obviously know something you don’t.

Google Goes Googly

I’ve been a “fan” of Google for more than ten years. However, they just did something that made me feel very uncomfortable.

They recently updated their YouTube app, but when I went to the Google Play store (formerly the Android Market) I was confronted with the following horror-show:

That’s a bloody awful lot of permissions!

Why all the new permissions? Why does YouTube need access to my content (which they already own), device info (which they already know) and Contacts (which they already store)?

But wait! There’s more! A few days later they replaced the “Not Now” link (why not a button?) on the nag screen with a thirty-second countdown timer:

Update Or else

This screen comes up every time the app is started, which is extremely annoying. Google are playing hardball in their attempt to get you to upgrade… and sign away a load of your personal information for which they have no clearly explained need.

Unlike most users, I do not use my main account to watch YouTube, so it doesn’t affect me. Instead, I use a secondary account with no Contacts for them to scarf, so updating is no big deal for me. I advise other users to do the same. But it is enough to make one wonder…

Google, what on Earth are you playing at?

Hobson’s Choice

An oldie but a goodie: I no longer have the phone but I found this screenshot:

Screenshot_2014-01-07-07-39-47

So where’s the “Cancel” Button?

Imperfect Ten

I have written before about Microsoft pushing the Windows 10 upgrade on users of Windows 7 and 8.1. I also showed how to uninstall and hide the “Security Updates” that try to shoehorn Microsoft’s latest offering on not-always-willing users.

I have nothing personal against Windows 10, I just don’t want it. However, this unwanted upgrade has brought me much additional income as a computer-fixer-person from folks who upgraded (or, more accurately, were upgraded) and then found that peripherals such as printers no longer worked. I do, however, question the need to upgrade an operating system that is still supported and works well. I also find the determination of Microsoft to upgrade users almost against their will quite disturbing.

The Bad News: Microsoft won’t take no for an answer. On at least three occasions I have “hidden” the update that pushes Windows 10 onto the machine, and each time Microsoft “accidentally” un-hides it, and it reappears, pre-selected, on the next Patch Tuesday. These folks won’t take no for an answer.

The Good News: To keep the Corporate and business customers happy, Microsoft has implemented a workaround that disables the upgrade. However, they do not make it easy for the uninformed user to implement this, as it involves changes to the Windows Registry. If you don’t know what that is, you *definitely* don’t want to monkey with it.

The Great News: Steve Gibson has written a tiny little program called “Never10” that makes the task trivial. Get it here.

Open letter to Verizon: It’s *my* phone

Dear Verizon

I have had a love-hate relationship with you for well over a decade. In that time I have gone through several varieties of flip phones and two smart phones — and am about to move to my third. I have found your service to be first-rate — I can drive from my house to Florida, a journey of nearly a thousand miles — without losing voice or data connectivity. Bravo.

When I started with you many years ago, I found you to be both reasonable and proactive. Your Customer Service was matchless; when you made a billing error in your favor, you refunded me twice the difference. I have not seen that before or since. Bravo.

However, my recent experiences with you have left me wondering if you are suffering from some form of corporate megalomania.

My first smartphone was a Motorola Droid X2. I had opted for an Android-powered phone as I knew that Android was an “open” system. Unlike most others, which are shrouded in secrecy, the Android operating system is “open-source”, which means that the source code for the operating system is freely available for download, which in turn means that members of the public can access the source code and “roll their own” operating systems — and before long, communities of folks appeared on the internet who love to do just that. As a tinkerer, this appealed to me. As a consumer, I saw that this made it possible to extend the life of a phone beyond the date at which the manufacturer will support it.

This was particularly important in the case of the Droid X2: while on paper this was an excellent piece of kit (it was one of the earliest phones to have a dual-core processor), it suffered from reliability/heat problems. One of its favorite party pieces was to freeze/lock-up/reboot while on the road while I was using it for navigation. Being the adventurous type, I looked around for the solution to this problem, and I found it in the form of “rooting”. I have already written on the subject of rooting, so I will not bore you with the details. Any road up, with a little research, a lot of reading and a bit of work, I was able to “root” the phone and disable or remove unnecessary software. This made the phone run faster, more reliably and with less overheating and fewer freezes.

But time marches on, and so does Android; the phone went through several updates, from Android version 2.2 (“Froyo”) to 2.3.5 (“Gingerbread”). Like all Android updates, these changes originated from Google, but went through you before they got to my phone. And you could not resist the temptation to add little “gifts” in the form of “security enhancements” — and it seems that the removal of root access was always at the top of your list. As a result, every time an Over-The-Air update (“OTA”) became available, I had to avoid, delay or turn off the update mechanism until some bright spark could figure out whether this update broke root, and how to get the useful Android updates that I wanted without losing the control of the phone that I had worked so hard to obtain.

Time went by, and I outgrew the DX2; it was no longer man enough for some of the tasks that it was being called upon to perform. So I upgraded to a Samsung Galaxy S3. This one started at Android 4.0.4 (“Ice Cream Sandwich”), and this time you saw fit to “lock” the bootloader in an attempt to prevent S3 owners like me from actually doing what they wanted with their phones. But thanks to some innovative hackery, the bootloader was speedily unlocked, and the phone was liberated from your shackles. Naturally, I rooted it right out of the box. Further updates came — Android 4.3 (“Jelly Bean”) and 4.4 (“KitKat”) — and at every turn you kept finding new and innovative ways to lock down my phone and make it ever more unhackable — all in the name of “security”.

Eventually I tired of fighting with your destructive updates and installed a Custom ROM. Yes, you don’t approve. I get that. Yes, that means that you won’t support it; I guess that’s the price of freedom.

The Samsung Galaxy S3 is now three years old, and one of the best-selling Android phones in history. But time marches on, and newer, faster phones have become available. I just purchased a used S4, and this will be my third smartphone. It will be placed into service in a few weeks, as soon as:

  1. I have a case for it, and
  2. I have found a way to root it and remove all of your shovelware.

I am not your typical user. I understand that 99% of your user base neither need nor want rooted phones; I get that. For the majority of users, rooting is giving them more power than they need. And I understand that your Customer Support folks do not want to deal with a thousand hacked variants of every phone on the market. It is not unrealistic to insist that these phones be tamper-proofed while under warranty, and it is not unreasonable to deny support for tampered phones if the tampering is the cause of the problem. I get that. But this is a problem that can be solved to everyone’s satisfaction.

This is not without precedent. Until recently, you, like all cell phone carriers, locked your phones to prevent them from being connected to other carriers; nobody wanted to be the first to find their phones being connected to competing services. But Congress has recently ruled that all cell phone companies should unlock phones on demand. This has the effect of making phones more useful and extending their lives, rather than letting them become expensive doorstops.

Yours is the only major cellphone company in the world that goes to such extraordinary lengths to lock down your phones. For the vast majority of your users, this is understandable, but for the 1% of technically competent users who wish to exercise control of their phones at the expense of warranty support, you should allow unlocking of bootloaders and allow those of us who wish to tinker with our phones the freedom to do so.

After all. It’s my phone.

Microsoft as Chicken Little

I just got this notification from Microsoft on one of my Windows XP machines:

Microsoft Evil

Naturally I installed it, only to find out that now Microsoft Security Essentials (MSE) never goes green. It goes orange – the color that it uses to alert the user of a problem. What’s worse, on every boot, it nags me about XP going out of support on April 8th – even though MSE will be supported until July 2015.

Given that Microsoft last month released an “urgent-but-pointless” update to XP to remind users that Windows XP is about to be “End-Of-Lifed”, this update is completely unnecessary. To make matters worse, they made this “update” impossible to install by itself.

Sickening

The only good news is that it is fairly simple to uninstall and reinstall MSE, which does not (yet) include this update.

As the go-to guy for my friends and family, I am sick and tired of having to deal with Microsoft’s fearmongering. While Windows 7 is reputedly more secure than XP (though most exploits are common to all versions of Windows), the fact is that most ten-year-old computers are not man enough to run Windows, and until users can afford a machine that is, my advice is simple:

  • Keep your system patched
  • Don’t install anything you didn’t go looking for.
  • Don’t go surfing for porn, warez, illicit MP3s or stuff like that.
  • Keep good backups and fear no evil.

Now I have to add “Don’t install KB2949787” to the list.

Microsoft, you have crossed the line with this one. You have scared users without needing to – and worse, you have pissed me off.

I view this as a mean-spirited, cynical, dishonest and borderline evil move by Microsoft to scare people into upgrading to Windows 7 or 8. Apparently I am not the only person who feels this way.

Just Say No.

The Second Factor

Or: How to prevent your online accounts from getting hacked.

Every now and then I get an e-mail from someone I know, with no message but a cryptic link. That’s right, someone’s e-mail account has been hacked, hijacked or compromised in some way. It is almost always a Yahoo address.

For those of us who just use e-mail to circulate gossip and cat pictures, this is not a big deal. However, if you do your banking online, a hacked e-mail account is a quick way to have your accounts drained.

The problem is that the standard method for resetting your password is an “e-mail loop”. It works like this: you go to your bank’s website, click the “forgot your password” link, and a reset e-mail is sent to… your e-mail address… which has been compromised. Now they have the ability to change your password and lock you out of your account. Next thing you know, your hard-earned money is winging its way off to parts unknown, never to return.

It’s not just banking. Some years ago, my brother found a bunch of bogus auctions on his eBay account, and he had to get in touch with eBay to have them stopped. A few days earlier, while on a business trip, he had used a hotel’s computer to access his eBay account. Evidently the computer had been compromised with a keylogger, which enabled bad actors (villains, that is – not William Shatner!) to get his username and password, and once in his account they could post bogus auctions on his account. If they can succeed in changing eBay’s email address for his account then they could also make off with the money.

So how to stop this? The banks came up with the idea of “secret questions”. We’ve all seen this at some time or other; they ask you to answer questions such as “What was your mother’s maiden name?”, etc. But when you think about it, this is just another “something you know”. In other words, it is effectively another password. And since the “secret questions” and answers are stored in the bank’s databases, they too are vulnerable to the kind of “exfiltration” (a posh word for theft of data) that seems to be happening on a monthly, if not weekly, basis.

The banks love this approach for one simple reason — it’s cheap. With security, as with so many other things, there is “Good” security, and there is “Cheap” security. Guess which one corporations prefer. Guess which one works best.

Remember when Bank of America came up with credit cards with your picture on them? Ever wonder why they don’t do that anymore? Because they found out that 1) putting the pictures on the cards cost more than the losses due to fraud, and 2) most cashiers don’t look at the picture anyway. Which made it 1) expensive and 2) not very effective.

The good news is that many big players on the Internet are finally adopting good security. One approach is to use a code transmitted to a cellphone by voice call or text message. The good news is that this approach requires that you have your phone. The bad news is that… this approach requires that you have your phone. If you lose or misplace it, you are stuck until you have jumped through several hoops. And if your phone is stolen and is not protected by a PIN lock, they may be able to crack a whole bunch of accounts at once – the holy grail of identity theft.

Another approach is to use a code generator; a device that generates a unique code each time it is used. This can be done using a hardware device (like the PayPal “Football” code generator) or a software-based code generator like Google’s Authenticator, which generates a new code every thirty seconds. The cool thing about this is that if a bad guy steals your password, they still can’t get in. And even if they steal the code as well, it is invalid thirty seconds later. I am not even sure if a code can be re-used, but if you are paranoid about re-use (which I am not), you can just wait until it is just about to expire before you use it. Google uses this to secure their e-mail accounts; I use this. If Mat Honan, senior writer with Wired Magazine, had used this approach, the epic hacking of his Apple account could have been easily avoided.

The best security of all requires the use of a dedicated hardware token, such as a swipe card or a cryptographic key. My weapon of choice is a YubiKey – I’ve been using it for some years and it guards access to my PayPal account and my password manager.

So there you have it: If you don’t want to get hacked, Get a YubiKey or some other form of hardware-based second-factor authentication. It’s that simple.

Rumbled!

A few days ago I received an email from eBay.

Apparently someone had clicked the “forgot my password” link, which triggered an email. Since I knew that I had not clicked on that link, I was somewhat concerned. What was noteworthy, however, was the IP address from which the request originated.

That’s right, this was being done by someone in China. Suddenly my antennae were up and quivering.

Most websites’ “forgot my password” links work by sending an e-mail to your account’s “registered e-mail address”. If the hacker can break into your e-mail address and access that e-mail message, all is lost. They can change your e-mail password (locking you out of your account) change the website’s password, log into the site (in this case eBay) and hijack your account. Mat Honan found this out the hard way last year. Takeaway quote: “Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened”

Fortunately, my e-mail login is protected by two-factor authentication, so I have little to worry about on that front. eBay, however, is another matter. What if they are able to successfully guess the password? The solution was easy enough; I simply logged onto eBay, and turned on two-factor authentication there.

So, my little yellow friend, you are out of luck. Please go away and bother somebody else. Thanks!

Going Dark

Or: I have nothing to hide, but I’m hiding it anyway

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” – The 4th amendment of the U.S. Constitution.

The recent revelations that the US Government has been spying on its citizens has come as no surprise to me. As a technologist, I am familiar with what is possible and what is not. And the Snowden revelations have not only proven that the tinfoil-hat mob were right all along, but the extent to which they were correct surpassed even their wildest ravings.

The intelligence community have a hard job; to keep America safe from enemies foreign and domestic. Giving them the resources to store and search through Internet communications is not unreasonable. What is unreasonable is the lack of due accountability.

What pushed me to this point, however, was the saga of Ladar Levison of LavaBit, a Texas-based company that supplied secure e-mail to its clients. Over the years, the FBI have presented warrants to obtain data on individual clients, and LavaBit has always complied. This is right and reasonable. But earlier this year, they demanded that LavaBit hand over their SSL keys – the same technology that banks use to safeguard our transactions online. This allows them to eavesdrop on all of LavaBit’s clients, whether under active investigation or not. After being compelled by a secret court to turn over the keys, and legally bound not to tell anyone that he had done so, Ladar found himself in a dilemma; the service that he was selling to his clients was secrecy, but with the SSL keys in the hands of the government, he could no longer deliver on this promise. So he closed down the company – an act that has gotten him into even more trouble.

I have no problem with targeted surveillance; I appreciate that we need this for national security. What I have a problem with, however, is blanket surveillance – the collection of all information in case it is needed some day. There are three reasons for this:

  1. “It’s impossible to build an Internet where the good guys can eavesdrop, and the bad guys cannot.” (Bruce Schneier)
  2. It is obvious to me that “Search and seizure” occurs when the data (in this case) is collected – not when it is subsequently inspected. So collecting information and then requiring a warrant to query it is clearly wrong by this test.
  3. Since the average person commits three felonies a day, the collection of pervasive data is a boon to prosecutors, who can go back through our online histories and find evidence to charge us with any of a number of crimes and use that to pressure a person into “copping a plea” on a lesser charge.

The only check on “infinite surveillance” is the time-honored search warrant, issued by an independent court that requires a burden of proof or reasonable suspicion. In response, recent laws have established secret courts that issue warrants to search records. But the security community seem to think that this is too much to ask for. That they should have the right to search what they want, where they want, without limitation — and without having to ask a judge for a warrant.

I have no problem with wiretapping. But I have a big problem with warrantless wiretapping.

The final straw was when the Director of National Intelligence told Congress that they were not spying on the American people. When the Snowden revelations put the lie to this, his excuse was “I forgot about section 215 of the Patriot Act”. To add insult to injury, he got to keep his job. I doubt that such an excuse would serve to keep any of the rest of us out of jail.

It has become clear to me that the intelligence community has no respect for the same Constitution that the President and I – along with all of our men and women in uniform – swore to uphold and defend.

And so I have made the reluctant decision to encrypt my communications as a matter of policy wherever possible. Not because I have anything to hide, but because I believe that the too many of our rights have already been taken from us, and peaceful protest is the only course of action left open to me.

“But what do you have to hide?” some of you may ask with a sneer. That’s not the point. But I will answer that with a question of my own: “Do you want a surveillance webcam installed in your bathroom/shower/bedroom?” I don’t think so. Contrary to popular belief — and a wrong-headed and stupid Supreme Court ruling — we *do* have a right to privacy; the only point of argument is where we choose to draw the line. My answer is simple: “I have nothing to hide from those whom I trust”.

I am not your enemy. And I shall prove this to you – just bring me a warrant.

The Ten Commandments of Computer Security

  1. Never install anything that you did not go looking for.
  2. If you don’t use it and you don’t know what it’s for, remove it.
  3. Never “Blind-install” – always go the “custom” route and un-check any “hitch-hikers” that you see.
  4. Remove trialware, shovelware and ad-ware with extreme prejudice.
  5. Never click a link in an e-mail from someone that you were not expecting.
  6. Patch your Operating system.
  7. Patch common sources of vulnerability, such as Adobe Reader (or remove and replace with Foxit) and Adobe Flash.
  8. Do not patch Java – remove and replace it, as “upgrading” auto-installs sneaky hitch-hikers.
  9. Friends don’t let friends use Internet Explorer – use Firefox (with NoScript) or Chrome (with NotScript)
  10. Don’t let children run as Administrator (also known as “Kiddie see/kiddie click/computer borked/no-one knows how it happened”)