22
Mar 17

eBay Asks Users to Downgrade Security

Last week, KrebsOnSecurity received an email from eBay. The company wanted me to switch from using a hardware key fob when logging into eBay to receiving a one-time code sent via text message. I found it remarkable that eBay, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is now essentially trying to downgrade my login experience to a less-secure option.

ebay2faIn early 2007, PayPal (then part of the same company as eBay) began offering its hardware token for a one-time $5 fee, and at the time the company was among very few that were pushing this second-factor (something you have) in addition to passwords for user authentication. In fact, I wrote about this development back when I was a reporter at The Washington Post:

“Armed with one of these keys, if you were to log on to your account from an unfamiliar computer and some invisible password stealing program were resident on the machine, the bad guys would still be required to know the numbers displayed on your token, which of course changes every 30 seconds. Likewise, if someone were to guess or otherwise finagle your PayPal password.”

The PayPal security key.

The PayPal security key.

I’ve still got the same hardware token I ordered when writing about that offering, and it’s been working well for the past decade. Now, eBay is asking me to switch from the key fob to text messages, the latter being a form of authentication that security experts say is less secure than other forms of two-factor authentication (2FA).

The move by eBay comes just months after the National Institute for Standards and Technology (NIST) released a draft of new authentication guidelines that appear to be phasing out the use of SMS-based two-factor authentication. NIST said one-time codes that are texted to users over a mobile phone are vulnerable to interception, noting that thieves can divert the target’s SMS messages and calls to another device (either by social engineering a customer service person at the phone company, or via more advanced attacks like SS7 hacks).

I asked eBay to explain their rationale for suggesting this switch. I received a response suggesting the change was more about bringing authentication in-house (the security key is made by Verisign) and that eBay hopes to offer additional multi-factor authentication options in the future.

“As a company, eBay is committed to providing a safe and secure marketplace for our millions of customers around the world,” eBay spokesman Ryan Moore wrote. “Our product team is constantly working on establishing new short-term and long-term, eBay-owned factors to address our customer’s security needs. To that end, we’ve launched SMS-based 2FA as a convenient 2FA option for eBay customers who already had hardware tokens issued through PayPal. eBay continues to work on advancing multi-factor authentication options for our users, with the end goal of making every solution more secure and more convenient. We look forward to sharing more as additional solutions are ready to launch.”

I think I’ll keep my key fob and continue using that for two-factor authentication on both PayPal and eBay, thank you very much. It’s not clear whether eBay is also phasing out the use of Symantec’s VIP Security Key App, which has long offered eBay and PayPal users alike more security than a texted one-time code. eBay did not respond to specific questions regarding this change.

Although SMS is not as secure as other forms of 2FA, it is probably better than nothing. Are you taking advantage of two-factor authentication wherever it is offered? The site twofactorauth.org maintains a fairly comprehensive list of companies that offer two-step or two-factor authentication.

Tags: , , , , , , , , ,

105 comments

  1. Great news; I can finally have 2FA on eBay without a silly fob.

    • Andrew Rossetti

      You always could. SMS based was always an option, it’s just that now it’s the ONLY option.

    • How cute. You actually believe that SMS is second factor (posession).

      To answer your question, yes, you can always trade security for convenience.

      • Of course it’s 2fa – it’s the ‘what I have factor’ (phone) with the ‘what I know’ factor (password). Now if want to argue improbable scenarios with the phone getting swiped, I can do the same with the fob but the fob is clearly impractical (not inconvenient), esp. since it’s just for one service of dozens that people might use. So the claim of trading security for convenience is just as false as the claim that it’s not 2fa.

      • Robert Russell

        From a time and cost perspective, it isn’t practical to attempt to mass intercept SMS messages at anything short of the Nation/State actor level and at that level you have a lot of other options to use. So while SMS 2FA isn’t as theoretically as secure as some other options it is a significant jump in difficulty and cost compared to just a password. You combine that with very cheap and easy implementation costs on the website side and it is nearly a no-brainer at this point for an out of the box requirement.

  2. IRS iTunes Card (real)

    Ebay needs to allow buyers and sellers to use Authy or Google Authenticater phone apps for their accounts

    • If you are able to use Symantec VIP app would you disable the SMS method and use VIP for 2FA only?

    • Totally agree. Only place I use Symantec VIP is Paypal used to use it for eBay but I stupidly removed it and now eBay does not respond to how to add it back in. Nor can I see how to do that on eBay.

      eBay needs to get their heads out of you know where. My god that place has had enough security issues over the years you would think that security is higher up on their list.

  3. wtf, they should move to s/ware 2FA , h/ware tokes are not the best solution just because you need to carry more that one when you use multiple services, so s/ware 2FA like google’s is fine and even can be run on non-smartphones that support java (j2me).

  4. Thanks Brian. Funny as I was thinking about this very thing this morning. I’ve enabled the confirmation pin on any sites that are sensitive (and that offer it). But would prefer to use a hard token.

    Do you recommend any hard token if we were to pick something up now?

  5. Just recently got a similar mail from ebay (Germany). My first thought was … ok, time to cancel my Paypal account if they downgrade security. Lets see whether they force me to switch over to that scheme. Interesting is also that they mentioned their app … lots of new business opportunities for the usual trouble makers.

  6. Even though I used the “football” for 2FA, I was hacked on PayPal. The case was bad enough that PayPal made security changes. My recollection is the last time I phoned PayPal, I had to prove a token from the football, leading me to suspect a little verbal social engineering was part of my hack. Obviously these firms tell you virtually nothing.

    Now to be fair, what aided the hack was an exploit in Roundcube. My email was totally pwned. So the hacker had access to my email which helped in resetting passwords. I always felt browser access to email was a security risk and never used Roundcube.

    One of the most interesting things I learned about PayPal security was at the time and might still be the case today is that you could use a credit card number known to PayPal to be stolen, and yet their software would accept it. How do I know this? Well it was my credit card number that was stolen.

    So I had the trifecta of being hacked. Stolen credit card, pwned email, and basically no security at PayPal.

    Other than intense aggravation, I suffered no financial harm because I received notifications from PayPal’s bot that my PayPal password was changed. However this was only because the hacker apparently could only read my email but not change the password.

    Following up on the ability of a hacker to be able to use a known stolen credit card number, it turns out at the time and perhaps true today is all PayPal did was run the number against whatever hash is used to verify the number COULD be one used. Because there was no 2FA on the phone to PayPal, the social engineer just gave the Pay0=” CSR my stolen credit card number.

    You can’t exist on ebay without PayPal. Thus I could drop them. I got the sysadmin of the hosting company to turn on logging and the IP of the hacker was logged and then blocked. Not exactly much security, but better than nothing. Roundcube was patched.

    Presently I run my own email server on a VPS. No browser access. Not to read or send email, or even to add accounts or change passwords. I do everything old school through SSH with a PKI login rather than a password and sshguard watching port 23. I also have a geographic block on my emails ports other than 25. The hacker was from Morocco. On a typical day I block about 30 IPs from email access.

  7. I agree with the other comment about linked with Google authenticator. I never did 2FA with eBay personally, so mobile text might be a step up security-wise. Also, I’d not considered the security ramifications of mobile text… is it that someone could man in middle your mobile number?

    • I too use Google Authenticator. Always thought it was silly to have the second factor running on the same device in which I type my password. If I’ve been powned, what’s to stop the bad guy. What I’ve done is put authenticator on an old Samsung Android phone. That phone is in airplane mode all the time except when I connect to my home network to sync the clock. I recharge it once a week.

    • Yes, or have your number ported to their phone.

      • Robert Russell

        Provided that you aren’t using a prepaid phone they would also need your account number and the last four of your SSN/port out password your account has. From the perspective of mass automation honestly intercepting Authy or Google Authenticator with on-device malware has a much better payoff for the effort required, or you could just hack the entire database of the hardware tokens.

  8. They should use yubikey?

  9. I suspect this was done as a money saving effort. Since they get the service from Verisign they have to pay for it and its use. By going to this method they save a money while putting the customer at more risk. If that is not the case, the move really shines a bad light on eBay security staff. If their security staff has been keeping up with what’s happening with two factor authentication using text messaging, then they would never have implemented this at this time; that’s if the really care about customer security!

    • “eBay-owned factors” sure smells of a business person looking at the bottom line and saying we could save x dollars here by phasing this out and just using something we own.

  10. I do 2F wherever possible as i’ve been hacked a number of times (CC’s, Paypal, Ebay, etc.)

    Heck, I have the 2F app for when I play Star Wars The Old Republic.

  11. 777 vor mir 5555

  12. Interesting you’re fob hasn’t expired after a decade. RSA SecurID fobs are good for ~ 3 years then need to be replaced.

    • Sorry … meant “your” not “you’re” … ha … RSA SecurID fobs have an expiry date on the back BTW. Also receiving a “too many requests” notice on your site so apologies if multiple posts appear

    • Probably why they used symantec/verisign fobs, not RSA. No expiration date, and mine lasted almost 10 years.

  13. My Paypal fob died earlier this year and it was rather challenging to attempt their “I-don’t-have-my-fob-with-me” authentication. I never got any text message with the 6-digit pin. I had to call into a human to answer questions regarding the account to get the 2FA removed

    • And the fact that you were able to do that over the phone while presenting no identification at all calls out the weakest link in all of these security systems: Humans

  14. Interesting your fob is still valid at 10 years of use. RSA SecurID fobs are good for ~ 3 years then need to be replaced (expiry date on back).

  15. Andrew Rossetti

    Thanks for covering this, Brian. I, too, was quite dismayed when I received the email. I’ve been using the VIP app for years now (I use it for my PayPal and online Banking account as well) and couldn’t believe, as you stated, that only months after NIST came down hard on SMS based solutions that eBay would make it the ONLY solution. Hopefully they’ll support my VIP app until they get around to offering some other OATH solution.

  16. I think the issue may be one of cost and ease of administration separate authentication devices get lost, broken, stolen or fail and each time that happens there is a significant cost to the network owner to give access to the network again. Authenticator apps are a good alternative but many people fail to record their access number so again if their device is lost, stolen, broken or fails the same issue applies and the problems are magnified each time this occurrs as more and more sites are using this method. Also authenticator apps will often reside on the same device the user is using to access the network these day so that also undermines the security as BK has highlighted. The ideal approach is to have authentication that is independent of devices to eliminate these costs but still having routines that will test the validity of the user to be authorised to access the network resources. This approach also reduces the need to issue new credentials. Some networks are moving to not allowing credentials changes but they fail to recognise the fact that devices fail, get broken, lost or stolen so without a method of authentication independent of the device the costs to network owners remain considerable to manage these issues. Of course all of this also conveniently ignores the issues of device compatibility & upgrade costs with changing network technologies which exacerbates the issues if the network has to rely on client side devices as part of their authentication processes and all the associated risks of malware, keylogging, session hijacking, credentials phishing etc.

  17. As far as I’m concerned paypal has had a horrible security record lately as well. For the longest time all you had to do was to add a few lines to the URL to bypass 2 factor. Also if you don’t have their fob, you’re forced to use text message authentication. They don’t even support Google authenticator.

  18. Will SMS-based auth be available for users outside the US as well? Their token-based auth was never available outside the US, something that they tried very hard to cover up until you actually tried to get a token to use and found, after multiple escalations, that you couldn’t.

    • @Dave

      You don’t need a hardware token. Although perhaps too late now for eBay users, one could always use the soft token equivalent app on a smartphone, as has been discussed herein. eBay uses/used Symantec/Verisign VIP as does PayPal. Follow the instructions here: https://vipmobile.verisign.com/home.v

      The new Symantec soft token includes some newer features (at least on iPhone) that make it comparable to those in LastPass’s Google authenticator.

      Note: When I just tried to log into my eBay account, after entering my password it still forwards to a 2nd screen requiring my 2FA PIN from Symantec VIP token/app.

  19. You know, I am a senior in a “senior living complex”. I haven’t a chance in Hades of ever understanding what you young folks are talking about here, but it sounds very serious!

    Perhaps, it’s best for those of us who use PayPal and eBay only on rare occasions, is to cancel our accounts and avoid what apparently is becoming epidemic…

    • Its generally a good idea for everybody to close any account they don’t need or use.

  20. They should go to U2F. They can support bring your own tokens like Google and Facebook do or sell a branded one at a premium. The server side infrastructure needed to support U2F is inexpensive and is brain dead simple. to setup. A database and a little Javascript/Python all of which is open source.

    • Agreed. I have a U2F (yubikey) and have played with it some. Not many places support it however, which is disappointing.

      The core issue that 2FA makes it too hard or inconvenient for people. So they don’t want to bother. The result is that crooks get their credit card info, and the Russians read their email.

  21. Interesting banner ad on this page “The future of MFA is tokenless”. Maybe eBay is ahead of the curve? Not!!

  22. About “secret” questions a user chooses and provides answers to while setting up an account–I choose the questions and I provide the answers. However, the answers I provide never has anything to do with the question I selected.

    Providing an unrelated answer to a question gives me a huge number of possibilities to select from.

    And, oh yes, I save the account’s login information the good, old-fashioned way. I use paper and pencil.

    • I do the same thing. There was something I signed up for recently (United Airlines) where they had a specific set f questions, and for each potential question there was a pulldown list of “answers” that you had to choose from. So you could not provide a total random and nonsequitor answer – the best you could do is provide an answer that someone who knows you would consider to be unlikely.

  23. Peter B in Florida

    I too have had the Paypal fob for at least a decade, and it’s worked well, despite one or two minor hiccups when Paypal “improved” their login page and broke 2FA.

    I don’t have a cell (landline is VoIP through the cable company and fine for my purposes, but isn’t text capable – no screen) so using an app is probably not going to work for me (as I keep telling CVS when they send me interminable emails telling me I can get benefits if I would only download their app).

    I really don’t need to be connected 24/7 – and my entire life since my 30s has been IT-oriented and ‘Net-based, and I’m 64 now, so it’s not like I’m a Luddite.

    I received what looked like a phish recently supposedly from eBay (who sends their warnings from an address that begins “no.reply”???) and although I reported it to their spoof address there’s been no response, leaving me in the dark. The email also contained links – isn’t Rule #1 that customers shouldn’t click on links in emails like this???

    Many firms like Paypal and eBay seem to be becoming dumber at security as time goes by, rather than smarter – or is it just me?

    • FWIW, you should be able to get a Google Voice number (they’re free, they can direct SMS to your gmail box, and they can direct inbound calls to your landline).

      • Peter B in Florida

        I do have a Google phone account (two, in fact – one of which I’ve had for several years now and use primarily for recruiters to leave messages for me) and originally they were required to be connected to a “real” phone number, but at some point there was a hiccup and one of them became separated from its (now dead) real number, but still functions. I don’t know how long that situation will last.

        I’ve used them for communications via texting to contacts (allowing me to get the best of both worlds – a pseudo-phone that I don’t have to answer, and a web front end for texting so my thumbs don’t get worn down :)) and lately I’ve been exploring using a dead cellphone that still has wifi capability, to try and make voice calls via Hangouts (with the help of an app). It’s had mixed results – my landline (in reality VoIP through our cable provider) refuses to accept the connection initially but then allows voicemail to be left, which is a little weird.

        Of course that only works if I’m connected to my router, but it’s possible it might work for public hotspots – my next avenue to explore.

        It’s allowing me to use 2FA (foblessly, if that’s a word) after a fashion, in that I can give out a pseudo-phone number for sites to send a token either as text or as voicemail, but I have to get into email via computer in order to pick up the token, and occasionally network bottlenecks stymie that process.

        The slightly bizarre problem occasionally arises when a site refuses to accept the Google phone number for 2FA, saying it cannot accept VoIP connections – but then happily takes the VoIP number that’s provided by our cable company.

        Yahoo! is a particular offender in that regard (no surprises there, then).

  24. Sounds to me like the cost of the Verisign HW might be the motivating factor

  25. Andrew Jamieson

    This is probably not coincidental: https://fidoalliance.org/ebay-joins-fido-alliance-and-announces-fido-certified-open-source-authentication-server-and-android-client/

    A FIDO compliant solution would be neater anyway, IMHO. Yubikeys FTW.

  26. What ebay needs to do, is provide security for their sellers. The people who pay their bills, put food in their mouths, pay for their vacations etc….. They need to bring back, that sellers can leave negative feedback for those scrub buyers. Buyers have it so easy to leave a negative on a broken, or even a used item these days. So quick to leave negatives thanks to the smartphone. Seller can’t do nothing but leave them a positive? How secure is that?

  27. A bank did this to me – made me do SMS 2FA instead of a using a temporal key fob. Not only is it less secure, now I get tons of SMS Spam from the bank.

  28. What really makes me disappointed is that in 2017, Paypal/ebay doesn’t offer a real 2FA login. Outside US the text token is even not available

  29. PrivacyParanoid

    This allows them to sell better information about your buying habits because it correlates your network use/location with your cell phone number