eBay dumps users into insecure authentication mechanism

Dump dongles and move to SMS, says tat bazaar, oblivious to deprecation advice

By Simon Sharwood, APAC Editor


Web tat bazaar eBay appears to be steering its users towards a known-to-be-insecure practice when logging on to the service.

eBay has long offered customers the chance to get their hands on a hard token that generates one-time passwords. But Krebs on Security reports that a reader received an email from eBay telling customers: “We're going to make 2 step verification more convenient by texting you a PIN instead of having you use your token.”

On the face of it, that's not the worst idea in the world: it's easy to forget to bring a hard token with you, but who leaves the house without their phone? Hard tokens also cost money, need occasional battery replacements, can break and generate other administrivial chores.

But there's one big problem with eBay's plan, namely that two-factor authentication (2FA) over SMS messages has been shown to be insecure. So insecure that the United States National Institute of Standards and Technology (NIST) last year deprecated it as an out-of-band authentication technique in the draft of its digital identity guidelines (SP 800-63B), advising that it not be used in new deployments.

NIST's beef with 2FA-over-SMS is that text messages can be intercepted or redirected (through SIM-swap fraud, carrier signalling weaknesses or malware on the handset), making it possible for bad actors to read incoming one-time passwords before the legitimate user does. A hard token avoids that channel entirely: it computes the code locally from a shared secret and a counter or clock, so there is nothing in transit to grab.
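To make the difference concrete, here is an added example (not eBay's or Krebs's code, and not a description of eBay's actual token) of how a hardware token and its server each derive the same one-time password from a shared secret, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The test vectors are the published ones from those RFCs; the shared secret, time step and verification window are the RFC defaults and are assumptions for illustration. The server-side check also refuses to accept a counter it has already honoured, which is the replay defence that an SMS-delivered PIN cannot get from the channel itself.

```python
"""
HOTP / TOTP as used by OTP hard tokens (RFC 4226 / RFC 6238).

Both sides hold the same secret; the token and the server each compute
HMAC(secret, counter) and truncate it. No code ever crosses a network,
which is exactly what an SMS-delivered PIN does not get to claim.
"""
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "1234...0").
# In a real deployment this is provisioned once into the token and the server.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP where the counter is the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """
    Server-side check. Returns the accepted time-step counter, or None.

    - Tolerates clock drift of +/- `window` steps.
    - Rejects any counter <= last_counter so a captured code cannot be replayed
      once the user has already used that time slot.
    - Uses a constant-time comparison so the check leaks nothing via timing.
    """
    current = unix_time // step
    for c in range(current - window, current + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c
    return None


if __name__ == "__main__":
    # What a token and a server would each show right now for the test secret.
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("token displays:", code)
    print("server accepts at step:", verify_totp(RFC_TEST_SECRET, code, now))
```

The RFC 4226 vector for counter 0 is 755224 and the RFC 6238 vector for time 59 with eight digits is 94287082, so a correct implementation of either side can be checked against the standards without talking to the other side at all. The `last_counter` argument is what the server persists per user after each successful login.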

There's a moderately happy ending to this story, because eBay told Krebs it's not giving up on other 2FA mechanisms and will shortly have more to say on the topic. ®
