eBay dumps users into insecure authentication mechanism

Dump dongles and move to SMS, says tat bazaar, oblivious to deprecation advice

By Simon Sharwood


Web tat bazaar eBay appears to be suggesting its users adopt known-to-be-insecure practices when logging on to the service.

eBay has long offered customers the chance to get their hands on a hard token that generates one-time-passwords. But Krebs on Security reports that a reader received an email from eBay telling customers “We're going to make 2 step verification more convenient by texting you a PIN instead of having you use your token.”

On the face of it, that's not the worst idea in the world: it's easy to forget to bring a hard token with you, but who leaves the house without their phone? Hard tokens also cost money, need occasional battery replacements, can break and generate other administrivial chores.

But there's one big problem with eBay's plan, namely that two-factor authentication (2FA) over SMS messages has been shown to be insecure. So insecure that the United States National Institute of Standards and Technology (NIST) last year recommended it be abandoned as an authentication technique.

NIST's beef with 2FA-over-SMS is that TXT messages can be intercepted, making it possible for bad actors to sniff incoming one-time-passwords.

There's a moderately-happy ending to this story, because eBay told Krebs it's not giving up on other 2FA mechanisms and will shortly have more to say on the topic. ®


