eBay — “We Don’t do 2 Factor Round ‘ere…”
The dust is settling on the recent reports of those digital scallywags making off with eBay’s user data. No doubt you have read the amusing and conflicting stories of eBay’s poor advice for making a secure password just in case yours was compromised.
This incident again brings into sharp focus the questions around ‘how secure is secure’? This applies both to the security and encryption/hashing used by the hosting database that stores your personal data and of course your own ability to secure your account using security measures provided.
Consider 2 factor authentication. This is not a new concept and requires two things from you, something you have and something you know. ATM Bank Machines have used this approach to secure your account for decades. An ATM requires your bank card and your PIN, something you have and something you know.
2 factor authentication is readily used for accessing your online banking site, often using a Smart Card reader or similar App on your phone to generate a secure code. So the question is simply this… does eBay use this tried and tested approach? The answer? Well, yes and no.
PayPal (an eBay company) has used 2 factor authentication for a while now, albeit as an optional function to be enabled by the user if they wish. In this instance PayPal will text a random code to a phone you have pre-registered to confirm the ‘Something you have’ part of the authentication model. This approach makes it almost impossible for a hacker who has managed to un-encrypt your password to gain access to your sensitive data via the front door, so to speak.
eBay has been around since 1995, and that’s some tenure in the technology world to say the least, and should suggest a very mature security approach. It’s fair to say I don’t actually know anyone who does not have an eBay account. So given recent security blunders, has eBay done anything to improve their security model, such as allowing 2 factor authentication to protect my family and friends from hacking attempts?
Well, having spoken recently to eBay’s online support team it is apparent they are also unsure why this mature and tested security model is unavailable when their own sister company PayPal have it in use already.
Fear not though, I was given reassurance by eBay’s support person that the padlock next to the URL ensures my security… of course without 2 factor authentication the same padlock (SSL Encryption) will also ensure the security of my hacker friend who is now logged on to my account using my compromised password…
So it seems eBay is not really concerned about providing the right tools to secure customers’ accounts after all, but then again if they can’t prevent hackers making off with our personal data from right under their noses then perhaps I am expecting too much…
Gareth Baxendale FBCS CITP
Head of Technology NIHR Clinical Research Network.
Vice Chair BCS Health and Care Executive