In a curious move, eBay has emailed users who hold Two-Factor Authentication (2FA) hardware devices to tell them it is doing away with the devices and asking them to switch to the less secure SMS-based 2FA.
Previously, eBay received praise for offering a strong hardware token to its users. The company was ahead of much of the industry in security.
Most major eBay sellers have probably seen how much successful hacking of accounts happens on eBay. So a downgrade in security, even of a feature that most users never adopted, is still a bit perplexing at this time.
The timing of this announcement is even more curious, as the National Institute of Standards and Technology (NIST) has released a new draft guideline that appears to phase out SMS-based 2FA.
NIST said one-time codes texted to users over a mobile phone are vulnerable to interception: thieves can divert the target's SMS messages and calls to another device, either by social engineering a customer service person at the phone company or via more advanced attacks such as SS7 hacks.
WHAT IS EBAY THINKING BY DOWNGRADING SECURITY?
Krebs on Security, the site that first reported this downgrade in security, reached out to eBay for comment.
“As a company, eBay is committed to providing a safe and secure marketplace for our millions of customers around the world,” eBay spokesman Ryan Moore wrote. “Our product team is constantly working on establishing new short-term and long-term, eBay-owned factors to address our customer’s security needs. To that end, we’ve launched SMS-based 2FA as a convenient 2FA option for eBay customers who already had hardware tokens issued through PayPal. eBay continues to work on advancing multi-factor authentication options for our users, with the end goal of making every solution more secure and more convenient. We look forward to sharing more as additional solutions are ready to launch.”
It appears that eBay is trying to move away from a PayPal / eBay product developed by Verisign and bring security in-house.
However, we wonder whether eBay could have handled this a little better by having a more robust 2FA product ready to go, especially in light of NIST's draft removing SMS-based 2FA from its recommended methods.
Of course, any 2FA product is better than none, so we do recommend that you use SMS-based 2FA whenever possible.
On the topic of security, we are wondering: do you use Two-Factor Authentication when it is offered as an option? Or do you consider it a pain and opt for simpler, weaker security, accepting the higher risk?