Did you just make that up?
Web tat bazaar eBay appears to be suggesting its readers adopt known-to-be-insecure practices when logging on to the service. eBay has long offered customers the chance to get their hands on a hard token that generates one-time-passwords. But Krebs on Security reports that a reader received an email from eBay telling customers …
SMS Authentication is useless anyway if you live in an area with poor/no mobile reception.
Last time I had to use it at home the code had to be entered within 10 minutes but texts can take up to 24 hours to arrive. So it was click the button, run upstairs, restart the phone, rinse and repeat until the SMS message arrived in time to run back down and complete the transaction.
I'll stick to hardware 2FA.
h/ware 2FA ? sorry NO, I will stick to s/ware 2FA , unless you want to have a bucket full of h/ware fobs.
Even then those h/ware tokens are not password/PIN protected (with the exception of some of them with a tiny numeric pad). As for the SMS auth, they are fine if some people wake up and put a SIM PIN instead of the 0000; also I really hate some services (e.g. Post Office) that send them as Flash SMS!!
(1) what's so bad about having a bucket full of old fobs?
(2) and anyway, you should be able to just hand it back in (to employer) or post back to supplier, under the hated WEEE Directive; or just chuck it in your recycling with your other bits and pieces of waste electronics.
SMS two-factor is a joke. Almost as bad as SSL "VPNs"... (and don't get me started on SSL VPNs that use SMS 2fa!)
It would be, if it was a legacy way of doing it, but they are moving users from a safe (but expensive for eBay*) method of 2FA to a "new" method, which was deprecated before they tried to move people to it!
* The eBay "football", I believe, uses a Verisign service and eBay has to pay for each verification of a token. They want to therefore move to a cheaper solution, SMS is cheap, QED.
That SMS was superseded years ago by better methods, such as an authenticator app on a smartphone, seems to have escaped FleaBay in their timewarped dimension. I suppose we should be grateful that they use HTTPS...
Although 2FA over a phone only works as long as you don't use the service on the same phone that the authentication is running over! E.g. running on a desktop, with authenticator app is fine, using the eBay app on the same phone as the authenticator (or where the SMS lands) negates having 2FA.
SMS is worse, because you can easily subvert SMS.
An attacker capable of intercepting the specific SMS with your PIN is very likely to be capable of pwning your phone and intercepting the token generated by whatever pseudo-random authenticator app you use. In fact it's probably easier to pwn the phone to intercept the SMS than it is to physically travel to within a few hundred yards of your location, set up an IMSI catcher, and wait for your phone to connect (they have to know your phone's code or number to do that, too). Or I suppose they could pwn the telco... but if your threat model includes GCHQ or the FSB, you won't be getting your security advice from El Reg in the first place.
not sure why they just don't use 2FA via the authenticator app
I would recommend the MS authenticator app, assuming you have a MS email account, as that enables Yes/No login like on the Yahoo mail app, and Google 2FA is baked into the phone itself.
I wish Google would fix the recovery options, as account recovery is still 1FA (email or SMS). Yes, you can remove it, but then you have to prove that you own the account (Google used to have a master code like MS do, where you have a master code to get back into the account).
For the last two or so years eBay has been pushing me to fill in three of those 'security' questions, like 'what is your surname'. Choice from ten similarly dumb and inherently insecure questions, with no given possibility to override either a particular question or the requirement itself. Yet a very simple trick is enough to circumvent the requirement (or at least to defer it to a later time, only to be deferred again). The combination of these two does tell much about how eBay does security.
Yeah, but you've got to remember all your lies. I've got an official birthday I use for websites that ask for it but don't need it (that's pretty much all the ones that ask for it, except HMRC, DVLA etc), and that's easy enough to remember, but adding up all the unique "security questions" various sites ask for... that's a lot of gibberish to remember.
Perhaps someone should write a BullshitSafe application...
SMS 2FA insecure? Someone needs to tell HMRC that.
Since a couple of months back it's now impossible to login to the personal tax portal without setting up SMS-based 2FA.
As someone who changes SIM cards a few times a year depending on which provider offers enough ooodlebytes of data for the least money, this is a no-go. TOTP FTW.
You install your 2FA app, and if you want to 2FA with a new service they give you something you can install into it to provide the 'seed'; then, when you want to log in to e.g. eBay, you pull up the 2FA app, click on the icon for eBay, and it spits out the code for you to input on the web site. If you are logging in to eBay on your phone it could put the code in your clipboard automatically so you can simply paste it in.
The company I'm consulting for now has several possible methods to access their VPN. One, using a smart card built into your laptop or USB attached, where the card is your username and your PIN is your password. Two, using a smart card on an external PIN-based reader you have to carry with you, where the same PIN is your password and you enter your login. And they recently added number three: texting you an SMS code and entering that along with your login and password.
Guess they didn't listen to NIST, and because it is more convenient than pulling out the external PIN based reader they gave me, I'm using the SMS option myself. If they had an app I could use that, but if it is their own app I probably can't install it on my iPhone without making it part of their MDM which I would not want and they probably wouldn't do. If there was a standard app they could provide a little blob to me to install in it, that would be the preferred option.
The VeriSign VIP tokens are technically regular OATH-TOTP; I've successfully used someone's script (vipaccess) to "sign up" and get a regular QR code.
Except of course that's when I found out that neither eBay nor PayPal offer the 2FA feature in my country. Why the *bloody hell* is such a service USA-only? The SMS method might very well be, but there aren't any excuses for doing the same with tokens.
Dunno about anyone else here, but all the hardware tokens I've had required a pin *in addition* to the number on the hardware token. Usually 4, in one case 6 digits, randomly generated or from a previous numeric string.
1) something you know
2) something you have
3) something unique
-> know password, -> have token (in some cases certificate) -> unique pin
On a phone? ick.