eBay dumps users into insecure authentication mechanism

Web tat bazaar eBay appears to be suggesting its users adopt known-to-be-insecure practices when logging on to the service. eBay has long offered customers the chance to get their hands on a hard token that generates one-time passwords. But Krebs on Security reports that a reader received an email from eBay telling customers …

  1. Anonymous Coward

    administrivial..??

    Did you just make that up?

    1. Anonymous Coward

      Re: administrivial..??

      yes, but going forward expect it to be used when you touch base in your next collaboration huddle.

    2. Z80

      Re: administrivial..??

      Mailing list manager Majordomo has used the term "administrivia" for one of its list configuration options since the 1990s.

  2. GlenP Silver badge

    But...

    SMS Authentication is useless anyway if you live in an area with poor/no mobile reception.

    Last time I had to use it at home the code had to be entered within 10 minutes but texts can take up to 24 hours to arrive. So it was click the button, run upstairs, restart the phone, rinse and repeat until the SMS message arrived in time to run back down and complete the transaction.

    I'll stick to hardware 2FA.

    1. Anonymous Coward

      Re: But...

      h/ware 2FA? Sorry, NO, I will stick to s/ware 2FA, unless you want to have a bucket full of h/ware fobs.

      Even then those h/ware tokens are not password/PIN protected (with the exception of some of them with a tiny numeric pad). As for SMS auth, they are fine if some people wake up and put a SIM PIN instead of the 0000; also I really hate some services (eg. Post Office) that send them as Flash SMS!!

      1. Tom Paine
        Facepalm

        Re: But...

        (1) what's so bad about having a bucket full of old fobs?

        (2) and anyway, you should be able to just hand it back in (to employer) or post back to supplier, under the hated WEEE Directive; or just chuck it in your recycling with your other bits and pieces of waste electronics.

        SMS two-factor is a joke. Almost as bad as SSL "VPNs"... (and don't get me started on SSL VPNs that use SMS 2fa!)

  3. Anonymous Coward
    Stop

    Sorry...

    ..but 2FA using SMS is still better than a single password, depreciated or not.

    1. Anonymous Coward Silver badge
      Headmaster

      Re: Sorry...

      Or even deprecated

    2. big_D Silver badge
      Holmes

      Re: Sorry...

      It would be, if it was a legacy way of doing it, but they are moving users from a safe (but expensive for eBay*) method of 2FA to a "new" method, which was deprecated before they tried to move people to it!

      * The eBay "football", I believe, uses a Verisign service and eBay has to pay for each verification of a token. They want to therefore move to a cheaper solution, SMS is cheap, QED.

      That SMS was superseded years ago by better methods, such as an authenticator app on a smartphone, seems to have escaped FleaBay in their timewarped dimension. I suppose we should be grateful that they use HTTPS...

      Although 2FA over a phone only works as long as you don't use the service on the same phone that the authentication is running over! E.g. running on a desktop, with authenticator app is fine, using the eBay app on the same phone as the authenticator (or where the SMS lands) negates having 2FA.

      SMS is worse, because you can easily subvert SMS.

      1. Tom Paine

        Re: Sorry...

        An attacker capable of intercepting the specific SMS with your PIN is very likely to be capable of pwning your phone and intercepting the token generated by whatever pseudo-random authenticator app you use. In fact it's probably easier to pwn the phone to intercept the SMS than it is to physically travel to within a few hundred yards of your location, set up an IMSI catcher, and wait for your phone to connect (they have to know your phone's code or number to do that, too.) Or I suppose they could pwn the telco... but if your threat model includes GCHQ or the FSB, you won't be getting your security advice from El Reg in the first place.

        1. Orv Silver badge

          IIRC, one concern (besides interception) is that many phones now display SMS messages on the lock screen. So someone who has access to your phone can get the token, without having to unlock it.

          1. leexgx

            you can turn that feature off (display messages on lock screen)

      2. leexgx

        Re: Sorry...

        not sure why they just don't use 2FA via the authenticator app

        I would recommend the MS authenticator app, assuming you have a MS email account, as that enables Yes/No login like on the Yahoo mail app and Google 2FA baked into the phone itself

        I wish Google would fix the recovery options on Google, as the account recovery is still 1FA (email or SMS). Yes you can remove it, but then you have to prove that you own the account (Google used to have a master code like MS do, where you have a master code to get back into the account)

  4. Mage Silver badge

    Maybe not about 2FA?

    Perhaps they just want to know your number? Though normally they have that anyway.

    Certainly Facebook and Google just want your number.

    1. creepy gecko

      Re: Maybe not about 2FA?

      I use a cheap 2G phone on a PAYG tariff purely for two factor authentication texts. Inexpensive, and it avoids Google or Amazon or whoever from having my personal cell number.

      1. petef

        Re: Maybe not about 2FA?

        SMS is generally 1½FA. If your smartphone is compromised then its new pwner will get access to your eBay app and SMS. That applies to email too.

  5. pavel.petrman

    One laugh of a security measure

    For the last two or so years eBay has been pushing me to fill in three of those 'security' questions, like 'what is your surname'. Choice from ten similarly dumb and inherently insecure questions, with no given possibility to override either a particular question or the requirement itself. Yet a very simple trick is enough to circumvent the requirement (or at least to defer it to a later time, only to be deferred again). The combination of these two does tell much about how eBay does security.

    1. Anonymous Coward

      Re: One laugh of a security measure

      Just have a list of fictitious but easy to remember answers. Indeed a whole alternative background history:

      Q: What is your mother's maiden name? A = Budgie-Mangler

      Q: What is your pet's name? A = Victor the Vulture

      You get the idea

      1. Alister

        Re: One laugh of a security measure

        Hang on, your mother's maiden name was Budgie-Mangler?

        We must be related...

        1. Anonymous Coward

          Re: One laugh of a security measure

          My mother's maiden name was hunter1

          1. Anonymous Coward

            Re: One laugh of a security measure

            They allow asterisks on birth certificates?

      2. Tom Paine

        Re: One laugh of a security measure

        Yeah, but you've got to remember all your lies. I've got an official birthday I use for websites that ask for it but don't need it (that's pretty much all the ones that ask for it, except HMRC, DVLA etc), and that's easy enough to remember, but adding up all the unique "security questions" various sites ask for... that's a lot of gibberish to remember.

        Perhaps someone should write a BullshitSafe application...

        1. ma1010

          Re: One laugh of a security measure

          I like the idea of "BullshitSafe"! I do something like that with keepass. It has a "comment" field where you can store those little fictions, and I've used it for that.

  6. imanidiot Silver badge

    Or.. You know.

    You could NOT store your payment information in your ebay account. Then what are they going to do with it? Good luck with the knowledge I ordered a 10 pack of NRF24L01+ knockoffs yesterday. And a batch of cheapo illuminated momentary push buttons last week.

  7. batfastad

    SMS 2FA insecure?

    SMS 2FA insecure? Someone needs to tell HMRC that.

    Since a couple of months back it's now impossible to log in to the personal tax portal without setting up SMS-based 2FA.

    As someone who changes SIM cards a few times a year depending on which provider offers enough ooodlebytes of data for the least money, this is a no-go. TOTP FTW.

    1. leexgx

      Re: SMS 2FA insecure?

      poor excuse

      PAC code ? keep your number

      lots of data = 3 AYCE

  8. Anonymous Coward

    Wish there was a way to use a standard 2FA app

    You install your 2FA app, and if you want to 2FA with a new service they give you something you can install into it to provide the 'seed' then when you want to login to e.g. eBay you pull up the 2FA app, click on the icon for eBay, and it spits out the code for you to input on the web site. If you are logging in to eBay on your phone it could put the code in your clipboard automatically so you can simply paste it in.

    The company I'm consulting for now has several possible methods to access their VPN. One, using a smart card built into your laptop or USB attached, where the card is your username and your PIN is your password. Two, using a smart card on an external PIN based reader you have to carry with you, with the same PIN as your password, and you enter your login. And they recently added number three: texting you a SMS code and entering that along with your login and password.

    Guess they didn't listen to NIST, and because it is more convenient than pulling out the external PIN based reader they gave me, I'm using the SMS option myself. If they had an app I could use that, but if it is their own app I probably can't install it on my iPhone without making it part of their MDM which I would not want and they probably wouldn't do. If there was a standard app they could provide a little blob to me to install in it, that would be the preferred option.

    1. Anonymous Coward

      Re: Wish there was a way to use a standard 2FA app

      The VeriSign VIP tokens are technically regular OATH-TOTP; I've successfully used someone's script (vipaccess) to "sign up" and get a regular QR code.

      Except of course that's when I found out that neither eBay nor PayPal offer the 2FA feature in my country. Why the *bloody hell* is such a service USA-only? The SMS method might very well be, but there aren't any excuses for doing the same with tokens.

  9. EnviableOne
    FAIL

    It's not hard

    Come on ebay get with the times, everyone is using OAUTH-TOTP

  10. Alistair
    Windows

    Dunno about anyone else here, but all the hardware tokens I've had required a pin *in addition* to the number on the hardware token. Usually 4, in one case 6 digits, randomly generated or from a previous numeric string.

    1) something you know

    2) something you have

    3) something unique

    -> know password, -> have token (in some cases certificate) -> unique pin

    On a phone? ick.
