22 Mar 17

eBay Asks Users to Downgrade Security

Last week, KrebsOnSecurity received an email from eBay. The company wanted me to switch from using a hardware key fob when logging into eBay to receiving a one-time code sent via text message. I found it remarkable that eBay, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is now essentially trying to downgrade my login experience to a less-secure option.

In early 2007, PayPal (then part of the same company as eBay) began offering the PayPal Security Key, a hardware token, for a one-time $5 fee. At the time the company was among very few pushing this second factor (something you have) on top of passwords for user authentication. In fact, I wrote about this development back when I was a reporter at The Washington Post:

“Armed with one of these keys, if you were to log on to your account from an unfamiliar computer and some invisible password stealing program were resident on the machine, the bad guys would still be required to know the numbers displayed on your token, which of course changes every 30 seconds. Likewise, if someone were to guess or otherwise finagle your PayPal password.”

The PayPal security key.

I’ve still got the same hardware token I ordered when writing about that offering, and it’s been working well for the past decade. Now, eBay is asking me to switch from the key fob to text messages, the latter being a form of authentication that security experts say is less secure than other forms of two-factor authentication (2FA).

The move by eBay comes just months after the National Institute of Standards and Technology (NIST) released a draft of new authentication guidelines (Special Publication 800-63B) that appears to be phasing out the use of SMS-based two-factor authentication. NIST said one-time codes texted to users over a mobile phone are vulnerable to interception, noting that thieves can divert the target's SMS messages and calls to another device, either by social engineering a customer service representative at the phone company into moving the number to a new SIM, or via more advanced attacks on the SS7 signaling network that carriers use to route calls and messages.

I asked eBay to explain its rationale for suggesting this switch. I received a response suggesting the change was more about bringing authentication in-house (the security key is made by VeriSign, whose authentication business is now part of Symantec) and that eBay hopes to offer additional multi-factor authentication options in the future.

“As a company, eBay is committed to providing a safe and secure marketplace for our millions of customers around the world,” eBay spokesman Ryan Moore wrote. “Our product team is constantly working on establishing new short-term and long-term, eBay-owned factors to address our customer’s security needs. To that end, we’ve launched SMS-based 2FA as a convenient 2FA option for eBay customers who already had hardware tokens issued through PayPal. eBay continues to work on advancing multi-factor authentication options for our users, with the end goal of making every solution more secure and more convenient. We look forward to sharing more as additional solutions are ready to launch.”

I think I’ll keep my key fob and continue using that for two-factor authentication on both PayPal and eBay, thank you very much. It’s not clear whether eBay is also phasing out the use of Symantec’s VIP Access app, the software version of the same token, which has long offered eBay and PayPal users alike more security than a texted one-time code. eBay did not respond to specific questions regarding this change.

Although SMS is not as secure as other forms of 2FA, it is probably better than nothing. Are you taking advantage of two-factor authentication wherever it is offered? The site twofactorauth.org maintains a fairly comprehensive list of companies that offer two-step or two-factor authentication.

105 comments

  1. in the world is sucker born every hour

    • I also ordered the PayPal keyfob when it became available years ago. But one time I didn’t have it with me, and I was able to click on a “forgot my keyfob” link and login with just my password!!! It sent an alert email, but that was it. It didn’t seem worth carrying it around after that. Does it still have that bypass option?

• I work for a large international corporation’s security division and I can confidently say that they checked your login pattern, IP address, purchase history etc. and it did not trigger any security flags; that’s why you were able to log in successfully, even without your token, just using your password. Nothing to worry about. You have buyer protection, seller protection and unauthorized purchase protection there.

  2. Brian,

I remember your Washington Post article about these fobs way back in the day, and it prompted me to order one for $5. Like your fob, mine is still working great, a decade later. I use it for both PayPal and eBay. I too received the email from eBay about the “switch”, and just deleted the email. Like you said, this seems like a security downgrade.

    • Was going to say, I obtained mine thanks to Krebs way back when, and also added it to my Paypal account.

I wonder how much longer they’ll function? No doubt when they stop, we’re SOL and get “downgraded” to Internet-based security instead of something totally out of band and offline.

  3. Crazy Prediction: I can see a strong business model for consumer focused federated identity services where someone could subscribe to a service that 1) verifies (proofing) your identity, 2) issues a PKI token (software or hardware), and 3) negotiates federated trust to web services of all shapes and sizes to allow subscribers to authenticate using their token.
    I have a feeling Google is likely working on that kind of service, along with the folks at Facebook. But I do not think we have yet seen the full package that may come of their efforts.

    Note: I am partial to PKI based tokens because such an implementation could also be leveraged to provide digital identity and data encryption/decryption capabilities.

    Imagine a token that allows you to
    1) authenticate to many different resources in a fairly secure manner
    2) digitally sign anything
    3) encrypt an email that only the receiver(s) could decrypt

    I would pay for that kind of service.

    • That doesn’t sound crazy. Make the government the CA and store the token on NFC-enabled government ID cards (e.g. your driver’s license).

• I think there was resistance to government-level identity management in the past. Even the “Real ID” initiative at the state level has had its opponents and resistance. Nobody trusts the government.
        What I think could happen is that a new industry will arise around maintaining trusted identities for personal commerce, communications, and other independent activities.
        Certainly, governments could establish standards for which they accept identities maintained by these independent service providers (FIPS 201-2 style PIV-I standards).
        Time will tell… but I think the pressure for such services is rising fast.

        • There is already a government-level identity management process in place, it’s just not digitized in a way that’s usable in a PKI (yet?). An RA managing certificate creation for a person would require some form of government-issued ID to prove who that person is anyway, most likely. I would certainly hope they don’t just require a Facebook or Google profile, which presents a host of other problems (e.g. fake profiles, requiring PII on social networks, etc.).

          “Trust” is a whole other discussion. You say nobody trusts the government, but most people trust a driver’s license as a form of ID, which is government-issued. It would be just as easy to say nobody trusts a corporation, which of course is what Google and Facebook are.

          • I agree and know very well that the US government has the proven model. However, Joe public may not want that at the electronic level.
            Case in point, the Real ID initiative had original intentions to create digital identities as part of the model. Resistance to that aspect was vehement.
            Have a read on this section in Wikipedia for the various angles that opponents have to a national ID system:
            https://en.wikipedia.org/wiki/REAL_ID_Act#Controversy_and_opposition
            And that is just in the US. The EU privacy world is even more difficult to navigate.

From a different, business-focused angle – if a business model is developed to provide digital identity proofing, lifecycle management, and federated trust support services that has no borders (or at least fewer borders), then the digital identity can have a greater extensibility than if a specific government issued the digital identity. Although politics could still become an issue for such a model, from a commerce standpoint that is less likely than if a business manages the identity.

            As for trusting businesses versus the government, look no further than our credit card industry. Credit card companies and services track all our transactions and sell that data to other businesses for profit… with our permission!
            But if the government tracks our activities, even inadvertently while looking for criminals, lawyers start coming out of the woodwork.

It would be an interesting experiment to have a government service and a similar commercial service stand up registration booths next to each other and see where the customers go.
            Hard to say which would win. I put my money on most people applying for both, each for different reasons.

      • Anderer Gregor

        The German “Personalausweis” (ID card, basically compulsory for each German to have) has this function for several years now:
        https://en.wikipedia.org/wiki/German_identity_card#Chip
        (Sorry, the German page has a lot more information, esp. about using Pseudonyms, a PIN code, the “Ausweis App”, etc. )
I have never heard of anyone using it — neither major companies, nor citizens. People don’t trust it, companies don’t think it’s worth the effort.

4. I’d like to see laptops (& desktops) get built-in fingerprint scanners, like iPhones have. You could then use your finger to log in wherever without all this nonsense. Perhaps have a password as backup in case your finger isn’t available.

    • How about both? Fingerprints are easy to hack. I like that my Android will require a swipe password after it has been fully drained or gone below a certain power threshold, and not just a fingerprint.

    • Most major laptop manufacturers have had that functionality available for selection for years. Though I would perhaps argue that it is not the best form of authentication…

    • AmericaWhereAreYou

      Biometrics are evil. How does one change them when they get compromised?

      • This. Well, maybe not ‘evil’ but still pretty stupid – why gamble so much technology and infrastructure and UE redesign against someone’s ability to hack what is effectively a static password?

      • Use another finger :)

      • For the fingerprint readers (at least the ones I’m familiar with), if the fingerprint isn’t recognized, it moves on to Windows password credentials. So, you still have a way to login to the machine if the fingerprint fails. Once you’re back in, you can edit/recreate the fingerprint if required. But in my experience, a simple reboot and “retry” of the fingerprint will get it working again.

  5. It’s not about security, it’s about Marketing.
    They would then have your cell phone number, which can be added to a great telemarketing database.

  6. @BB my 6 year old HP laptop has a finger print scanner……..

7. What is also troubling is that Twitter accounts have been hijacked in the past. Twitter supposedly supports using 2FA via Google / Microsoft Authenticator. Problem is that it does not work. Their system continues to use SMS to send the codes rather than relying on the rolling token from the Authenticator app.

Repeated attempts to contact support at Twitter regarding this resulted in zero responses. It’s not just my experience; others have had the same result after supposedly setting up Google/Microsoft Authenticator on Twitter accounts.

  8. But is SMS 2FA really much less secure? I just have a hard time buying that. The other hardware device is equally susceptible to social engineering, realistically, what is the chance of someone intercepting my 2-factor SMS?

    With less effort they could steal more money buying a batch of stolen cards. And I mean waaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaay less effort. Like the coordination required for this attack is ridiculous. I would speculate that the security community is being incredibly unrealistic in saying SMS 2FA is an issue. If I took a bunch of potential hacks and ranked them by their cost-benefit it would obviously be very near the bottom of all financial fraud hacks.

    I could see it being a problem in the future but I doubt there is currently economic incentive for an attacker to pursue that. My perception is that the majority of ‘hackers’ have no real software engineering skills so until someone comes along and builds them a toolkit to execute such an attack I doubt it is really much of a risk, at least relative to other options.

    • “SMS 2FA is an issue” – for normal consumers at least. If you’re a high profile target logging into a government service, OK, then I would agree there is some real risk there.

      But the cyber criminals engaging in financial fraud, I can’t see them going down this road unless the current landscape changes dramatically.

    • You’re 100% right. It’s impossible to see SMS in transit unless you’re on the operator’s network already with the decryption keys. At that point, you can decode any wireless traffic to the device. At which point, a 2FA compromise is probably the smallest thing to worry about.

      I haven’t heard one person give an actual argument, backed up by evidence, that 2FA over SMS is less effective than fob-based.

    • Andrew Rossetti

      It’s trivial for a criminal to social engineer a carrier into “upgrading” your line, send a new SIM with your number, and once the criminal has that and activates it, your old device stops working and the new one gets the two factor codes.

      With token or authenticator app, the second factor is immune to this type of trivial attack.

      • At which point it’s no longer an interception of your 2FA, it’s a phishing attack, and one you can at least attempt to defend from. Someone stealing the serial of your fob, or phishing eBay and having them add in a second or replace your fob with their own would be a better analogy in that case.

      • Robert Russell

That form of social engineering attack is getting significantly more difficult, as at least one major US carrier, T-Mobile, now requires you either to verify an SMS one-time PIN sent to the phone or, as I had to do because my phone was lost, to go to a physical store to update the SIM card to the one I got with the insurance phone.

  9. I use Authy, 2FA app that mimics Google’s Authenticator. While it is an occasional PITA, I really appreciate the protection. What bugs me are that more and more sites are pushing their own 2FA apps and not accepting others. I don’t want to have 50 2FA apps on my phone!

    • That is basically the problem that U2F was designed to solve. But it only solves the problem if there is universal adoption of the standard.

      There are too many rookies out there trying to roll their own, and too many 3rd party vendors pushing proprietary solutions. And the vast majority of the users just don’t want to be bothered.

• That can be said for the payment side too: too many people pushing for different formats instead of the standard NFC.

    • This is why I use SMS rather than App based 2FA – I would not be able to stand having a different app for every website. (not to mention, forever being short of space on my phone!) As I am certainly not a high-profile target, I think the level of protection it gives is more than adequate.

  10. Show me the update that I can rely on for protection here.

    Show me a truly secure eBay….with or without a fob….with or without a finger print scanner….with or without SMS.

  11. Scott Buchanan

    I wonder if this is related to lingering separation processes from PayPal. If these tokens were initially offered by PayPal, then eBay likely had an agreement to retain access for a time, but that may be coming to an end. Krebs interprets their statement about bringing security in house in contrast to being tied to Verisign, but it may be in contrast to being tied to PayPal.

    Full disclosure: I worked for eBay at the time of the separation from PayPal, but I no longer do, I never had access to any information regarding this.

  12. On PayPal, the Symantec VIP app is not supported anymore, at least for setup (existing settings may still work)
I found this out the hard way: On Android, the VIP app is tied to the device id. After a device factory reset, the device id changes on Android, which requires reinstalling the VIP app, which in turn requires setting up 2FA again with eBay and PayPal.
    For PayPal, that errors out, since about the beginning of the year. Their customer support people have no clue about it and were most unhelpful.

    • @Joe,
      Same thing here – last year my Physical VIP card stopped working on both ebay and paypal. I was able to download the VIP app and re-enable it with Ebay, but PayPal errors out and SMS is the only 2FA that still works.

      Google authenticator or Authy would be better – SMS messages cost me money.

• I had a similar experience with the Symantec VIP app. Initially when I set up 2FA on PayPal with the Symantec VIP app, its usage also applied to eBay.

      Then one day I attempted to login to my PayPal account. Repeatedly entering the VIP token ID did not work. I deactivated the app and deleted it after finally getting into my account via secret security questions. I set up SMS verification and only after that did I get a notification from eBay about reverting to the less secure SMS 2FA.

      I contacted PayPal and they provided me instructions on how to setup VIP again on PayPal which I did. I just checked and the VIP token still works.

I then contacted eBay via Twitter. Was told that SMS 2FA is the only one they support and that I cannot go back to VIP tokens. They then proceeded to DM me a boilerplate reply:

      “eBay is committed to providing a safe and secure marketplace for our millions of customers around the world…”

Sigh, guess they did some risk management analysis and came to the conclusion that SMS is good enough for the information that they are protecting.

  13. I recently attended a conference where one of the speakers decried, “the password is dead!” His inference is that passwords are not an adequate form of authentication and do not add any value.

He further went on to say that we only use 2FA because the first authentication factor is known to be bad. 2FA is simply a quick-fix solution for something that was rubbish to begin with.

    Why not just use a single secure authentication factor that can’t be compromised or stolen? If you have that, then 2FA is redundant.

  14. Biggest problems with SMS are:-

    – if you live in a Mobile Phone reception black zone (totally useless)
– in Australia it’s way too easy for someone to port your phone illegally
    – I’ve had SMS messages arrive hours or even days late, especially a problem if you’re overseas at the time!!!

    +1 on Google Authenticator, at least they can’t port that with the phone

  15. U2F can’t become mainstream fast enough!

16. My question is: what’s the trend nowadays?
    I remember back in the day it was bank transfers.
    What is it now? Is it dumps? Transfers? PayPal? Dating jobs?
    So what kind of jobs are there nowadays???

  17. One of the issues with many 2FA systems is what do you do to regain control when you lose the token. With the decentralized nature of the web there isn’t a place you go – they have to resort to using knowledge based questions, but even that process can be hijacked with social engineering.

    Using the cellphone has one advantage. If you lose your phone, you have to physically go to your carrier, prove who you are, and you can regain control over your phone number.

    Now piggybacking 2FA on top of SMS is far from ideal, but it has the advantage that websites like eBay don’t need to deal with procedures for what happens when you lose your token.

  18. I feel like I’m always missing something here. How exactly does the key fob work? I know that you press the button and get a random code, but how does the computer/website know that you’re typing what is displayed? I’ve read that key fobs aren’t usually connected to the computer via bluetooth or anything like that, so I’m confused how that code is validated upon typing it in.

    • Typically the tokens are time-synced to the authentication server so they generate the same set of passwords every minute based on a shared algorithm and key. The trick is they need to keep the same time over a span of years – this often requires the occasional resync.
      https://en.wikipedia.org/wiki/Security_token

  19. I tried to figure out how to add 2FA to my eBay account, and could not find even a hint. Then I came across this article. It clearly demonstrates how eBay has made it extremely unlikely that anyone will use 2FA without a huge struggle. Sad.

    https://nakedsecurity.sophos.com/2016/07/15/setting-up-two-factor-authentication-on-ebay-harder-than-it-should-be/

  20. You’re going to trust VeriSign / Symantec?

    Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs | Ars Technica
    https://arstechnica.com/security/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs

  21. It would be nice if they were moving away from the VIP tokens to U2F, but I don’t think that is what they are doing.

22. RSA tokens are the best … eBay trying to reduce the costs of distributing these useful tools by switching to an SMS code? The make-money-at-all-costs mentality has no bounds…

  23. yeah true..Ebay has started to inform customers who use a hardware key fob when logging into the site to switch to receiving a one-time code sent via text

  24. Wouldn’t a software-based token be a viable middle-ground? Hardware based tokens have a shelf-life; the battery will only last so long. I use a couple different authentication applications (lastpass authenticator, google authenticator) and, as far as I can tell, they provide the same protection (2nd factor, “something you have”) as a hardware-based token. To me, the software-based token, on a phone, provides even more protection assuming your phone auto-locks and has a good password. A hardware-based token, if lost, provides no such protection.