
eBay dumps users into insecure authentication mechanism

Dump dongles and move to SMS, says tat bazaar, oblivious to deprecation advice

By Simon Sharwood


Web tat bazaar eBay appears to be steering its users toward a known-to-be-insecure practice when logging on to the service.

eBay has long offered customers the chance to get their hands on a hard token that generates one-time-passwords. But Krebs on Security reports that a reader received an email from eBay telling customers “We're going to make 2 step verification more convenient by texting you a PIN instead of having you use your token.”

On the face of it, that's not the worst idea in the world: it's easy to forget to bring a hard token with you, but who leaves the house without their phone? Hard tokens also cost money, need occasional battery replacements, can break and generate other administrivial chores.

But there's one big problem with eBay's plan: two-factor authentication (2FA) over SMS has been shown to be insecure. So insecure that the United States National Institute of Standards and Technology (NIST) last year deprecated it as an out-of-band authenticator in the draft of its Digital Identity Guidelines (SP 800-63B), warning that it may not be allowed at all in future revisions.

NIST's beef with 2FA-over-SMS is that text messages can be intercepted or redirected, whether by SIM-swapping the victim's number, by abuse of the SS7 signalling network, by malware on the handset, or by the number quietly belonging to a VoIP service rather than a phone, making it possible for bad actors to read incoming one-time passwords. A hardware token, by contrast, keeps its secret inside the device and never sends the code over a network, so there is nothing in transit to sniff.

There's a moderately-happy ending to this story, because eBay told Krebs it's not giving up on other 2FA mechanisms and will shortly have more to say on the topic. ®
