Author Topic: Ebay SCAMS?  (Read 6373 times)


Online jpanhalt

  • Super Contributor
  • ***
  • Posts: 3457
  • Country: us
Re: Ebay SCAMS?
« Reply #25 on: August 15, 2022, 02:23:32 pm »
I understand the need for safety, but just like face masks, I am skeptical every "enhancement" actually helps much.  I don't mean some predicted advantage, but rather actual data.

Case in point, PayPal (USA) will not let you sign on to your account using either e-mail or landline to one's registered address.  It must be a text capable mobile device.  Any data to support that?
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: Ebay SCAMS?
« Reply #26 on: August 15, 2022, 02:31:24 pm »
Yes. That’s usually a separate physical device.

So the credentials are something YOU know.

The SMS is delivered to something YOU have.

Some dude in North Korea does not have your phone.
 

Offline AVGresponding

  • Super Contributor
  • ***
  • Posts: 4655
  • Country: england
  • Exploring Rabbit Holes Since The 1970s
Re: Ebay SCAMS?
« Reply #27 on: August 15, 2022, 05:53:19 pm »
Yes. That’s usually a separate physical device.

So the credentials are something YOU know.

The SMS is delivered to something YOU have.

Some dude in North Korea does not have your phone.

SIM cloning is a thing. The safest thing is to never assume you are safe, and to keep an eye on your paypal account etc.
nuqDaq yuch Dapol?
Addiction count: Agilent-AVO-BlackStar-Brymen-Chauvin Arnoux-Fluke-GenRad-Hameg-HP-Keithley-IsoTech-Mastech-Megger-Metrix-Micronta-Racal-RFL-Siglent-Solartron-Tektronix-Thurlby-Time Electronics-TTi-UniT
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: Ebay SCAMS?
« Reply #28 on: August 15, 2022, 06:09:48 pm »
Yes. That’s usually a separate physical device.

So the credentials are something YOU know.

The SMS is delivered to something YOU have.

Some dude in North Korea does not have your phone.

SIM cloning is a thing. The safest thing is to never assume you are safe, and to keep an eye on your paypal account etc.

That's very bad security advice.

SIM cloning is not a concern. It requires physical access to the SIM card. The point of this is to prevent remote attacks to your credentials by physically partitioning them. The guy in North Korea can't clone your SIM when your phone is in your pocket but he can rip off your leaked credentials. But they are absolutely no good if you have your SIM in your device.

Also if all of your credentials are exposed then you are 100% compromised already. Your money is gone. And Paypal and eBay have no liability to give it back because you handed the keys over with your bad security posture. And if you just have a username and password then you're already exposed.

This is why 2FA is important and SMS is good enough.

For ref I use a Yubikey authenticator - that's a completely physically isolated factor.
 

Online jpanhalt

  • Super Contributor
  • ***
  • Posts: 3457
  • Country: us
Re: Ebay SCAMS?
« Reply #29 on: August 15, 2022, 06:15:18 pm »
Some dude in North Korea does not have your phone.

Probably not, but some dude in Chicago might.  Cell phones are often stolen or lost.  My home landline is buried up to the house and then screwed to its walls.

What's the difference between sending to a cell phone and sending to my registered PC? 

And finally, you are talking theory, not data.  What is the incidence of fake sign-ins from registered PCs or landlines v. cell phones?
 

Online jpanhalt

  • Super Contributor
  • ***
  • Posts: 3457
  • Country: us
Re: Ebay SCAMS?
« Reply #30 on: August 15, 2022, 06:19:36 pm »
If Yubikey is so good, why doesn't PayPal recognize or use it?
https://www.yubico.com/
 

Offline AVGresponding

  • Super Contributor
  • ***
  • Posts: 4655
  • Country: england
  • Exploring Rabbit Holes Since The 1970s
Re: Ebay SCAMS?
« Reply #31 on: August 15, 2022, 06:25:48 pm »
Yes. That’s usually a separate physical device.

So the credentials are something YOU know.

The SMS is delivered to something YOU have.

Some dude in North Korea does not have your phone.

SIM cloning is a thing. The safest thing is to never assume you are safe, and to keep an eye on your paypal account etc.

That's very bad security advice.

SIM cloning is not a concern. It requires physical access to the SIM card. The point of this is to prevent remote attacks to your credentials by physically partitioning them. The guy in North Korea can't clone your SIM when your phone is in your pocket but he can rip off your leaked credentials. But they are absolutely no good if you have your SIM in your device.

Also if all of your credentials are exposed then you are 100% compromised already. Your money is gone. And Paypal and eBay have no liability to give it back because you handed the keys over with your bad security posture. And if you just have a username and password then you're already exposed.

This is why 2FA is important and SMS is good enough.

For ref I use a Yubikey authenticator - that's a completely physically isolated factor.

Your SIM might be safe from some NK rando, but how about the person in the shop you bought the phone from? Or when you have it repaired? It might be rare but it's not unknown. Being a pauper and buying the cheapest phone in the range probably protects me from such, but I certainly never take it for granted.
Also ISTR you have a low opinion of the security on Android phones in general (not related to SIM cloning I know, but still a possible route to overconfidence re 2FA?)...
nuqDaq yuch Dapol?
Addiction count: Agilent-AVO-BlackStar-Brymen-Chauvin Arnoux-Fluke-GenRad-Hameg-HP-Keithley-IsoTech-Mastech-Megger-Metrix-Micronta-Racal-RFL-Siglent-Solartron-Tektronix-Thurlby-Time Electronics-TTi-UniT
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: Ebay SCAMS?
« Reply #32 on: August 15, 2022, 06:29:28 pm »
Probably not, but some dude in Chicago might.  Cell phones are often stolen or lost.  My home landline is buried up to the house and then screwed to its walls.

Oh an "expert". Here we go.

If your cell phone is lost / stolen, then one factor is lost. The other two are completely useless without it. Thus the security model is intact.

Your land line can be unburied. I used to be a phone phreaker and have tapped a few phone lines in my time. All you require is a linesman's set on copper pairs and you can make and receive calls outside the premises. If it's like the UK, you can even crack the box open down the road and tap there or just dig the lines up.

A land line is NOT secure at all. In fact it's 10x worse than a mobile phone because if your phone isn't a piece of crap you can destroy it remotely and the PIN is tarpitted so you can't get through it (caveat: don't buy an Android phone).

What's the difference between sending to a cell phone and sending to my registered PC? 

1. You access your paypal account from your registered PC. That means there's not a second factor thus 2FA is pointless. You have all your credentials in one place. The point of 2FA is to separate them.
2. Pushing notifications to PCs is somewhat more difficult than mobile devices.

And finally, you are talking theory, not data.  What is the incidence of fake sign-ins from registered PCs or landlines v. cell phones?

No this is not theory at all. It is a security practice REQUIRED by every financial company in the EU as an example. The reason it exists is because there is data. Lots of it.

See: https://ec.europa.eu/info/law/payment-services-psd-2-directive-eu-2015-2366_en

If you know better, that's up to you...

Edit: to note if you think you know better, when you get ripped off your bank will laugh and put the phone down on you because it's your fault not theirs so the liability is shifted (always think in terms of who is liable in financial transactions).
« Last Edit: August 15, 2022, 06:37:11 pm by bd139 »
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: Ebay SCAMS?
« Reply #33 on: August 15, 2022, 06:30:59 pm »
If Yubikey is so good, why doesn't PayPal recognize or use it?
https://www.yubico.com/

It does. Paypal uses TOTP as a standard so you need an authenticator app. In that case I use Yubico Authenticator with my phone: https://www.yubico.com/products/yubico-authenticator/ ... this integrates with the yubikey.


 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: Ebay SCAMS?
« Reply #34 on: August 15, 2022, 06:35:50 pm »

Your SIM might be safe from some NK rando, but how about the person in the shop you bought the phone from? Or when you have it repaired? It might be rare but it's not unknown. Being a pauper and buying the cheapest phone in the range probably protects me from such, but I certainly never take it for granted.
Also ISTR you have a low opinion of the security on Android phones in general (not related to SIM cloning I know, but still a possible route to overconfidence re 2FA?)...


You're not wrong. This is why I use a physical hardware key. Also because my risk profile is huge and may result in court if I fuck up :)

The main thing we have here is not to have perfect security but a defence against common problems. If it's 99.9% effective, which basic SMS 2FA is, that reduces the risk for the majority of users and the risk to the business and the costs of handling claims etc.

As for Android, the problem is that you can root an Android intentionally or otherwise without too much of an issue. At that point the hardware and software integrity is gone which means anything on the device could read or generate 2FA tokens or data from messages.

Edit: On iOS there's a physically separate device in the hardware that contains keys which cannot be arbitrarily extracted. Worth reading: https://support.apple.com/en-gb/guide/security/sec59b0b31ff/web

Edit 2: my objections to Android are mostly due to the absolute lax update cycle, attention from vendors and cheap ass SoC implementations, the play store being chock full of malware including fake 2FA apps that steal your bank details (google it) and general user arrogance that it's fine. It's not.
« Last Edit: August 15, 2022, 06:41:40 pm by bd139 »
 

Offline AVGresponding

  • Super Contributor
  • ***
  • Posts: 4655
  • Country: england
  • Exploring Rabbit Holes Since The 1970s
Re: Ebay SCAMS?
« Reply #35 on: August 15, 2022, 06:43:10 pm »

Your SIM might be safe from some NK rando, but how about the person in the shop you bought the phone from? Or when you have it repaired? It might be rare but it's not unknown. Being a pauper and buying the cheapest phone in the range probably protects me from such, but I certainly never take it for granted.
Also ISTR you have a low opinion of the security on Android phones in general (not related to SIM cloning I know, but still a possible route to overconfidence re 2FA?)...


You're not wrong. This is why I use a physical hardware key. Also because my risk profile is huge and may result in court if I fuck up :)

The main thing we have here is not to have perfect security but a defence against common problems. If it's 99.9% effective, which basic SMS 2FA is, that reduces the risk for the majority of users and the risk to the business and the costs of handling claims etc.

As for Android, the problem is that you can root an Android intentionally or otherwise without too much of an issue. At that point the hardware assurance is gone which means anything on the device could read or generate 2FA tokens.

Yes! I certainly don't lose any sleep over it though. And I believe my particular flavour of Android phone has the ability to shred its contents either remotely or by failure to input the correct PIN x number of times.
I do miss the simplicity of the UI on the older Samsung phones though.
nuqDaq yuch Dapol?
Addiction count: Agilent-AVO-BlackStar-Brymen-Chauvin Arnoux-Fluke-GenRad-Hameg-HP-Keithley-IsoTech-Mastech-Megger-Metrix-Micronta-Racal-RFL-Siglent-Solartron-Tektronix-Thurlby-Time Electronics-TTi-UniT
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: Ebay SCAMS?
« Reply #36 on: August 15, 2022, 06:49:58 pm »
Yes! I certainly don't lose any sleep over it though. And I believe my particular flavour of Android phone has the ability to shred its contents either remotely or by failure to input the correct PIN x number of times.
I do miss the simplicity of the UI on the older Samsung phones though.


Yeah that's a reasonable configuration to set up.

To note my ex-father-in-law was ripped off for £10k because Halifax didn't have 2FA on their online banking and he accidentally got a keylogger malware downloading porn. They gave it back but realistically all customers pay for that outcome. 2FA would have saved him.
 

Online jpanhalt

  • Super Contributor
  • ***
  • Posts: 3457
  • Country: us
Re: Ebay SCAMS?
« Reply #37 on: August 15, 2022, 08:37:27 pm »
@bd139
Re: Second factor

This is the EU regulation I found here: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L2366&from=EN
Paragraph 96 includes the following:
Quote
Those measures typically include encryption systems based on personal devices of the payer, including card readers or mobile phones, or provided to the payer by its account servicing payment service provider via a different channel, such as by SMS or email.

So, it appears email is accepted.  My gripe is the requirement of a mobile phone per se, not the need for a different channel.  A landline should also suffice and satisfy the need for a second channel.
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: Ebay SCAMS?
« Reply #38 on: August 15, 2022, 08:46:46 pm »
Email is a weak and stupid idea. I'm not sure why they included that. Don't use it.

Think of these vectors:

1. Your email credentials are compromised. You reused the same credentials for your online banking. Owned.
2. Your email credentials are compromised. You did not reuse the same credentials but the hijacker resets your online banking password and confirms via email. Owned.
3. Your computer has a keylogger installed on it. They now have access to all of your factors.

You need a separate physical device. The mobile phone is the best one we have out there.

I'm not sure what your objection is with respect to a mobile phone.

A landline is possible. eBay and Amazon AWS both can use land lines for validation. But it's less secure than a physical device.

Edit: point though on usability... some security is better than none or too much:

« Last Edit: August 15, 2022, 08:51:02 pm by bd139 »
 
The following users thanked this post: AVGresponding

Online jpanhalt

  • Super Contributor
  • ***
  • Posts: 3457
  • Country: us
Re: Ebay SCAMS?
« Reply #39 on: August 15, 2022, 09:17:45 pm »
I'm not sure what your objection is with respect to a mobile phone.

I don't have one and don't intend to get one.  It would be a waste of money.  I refuse to use one while driving or in any public place.  I don't want to be tracked like an animal.

As for the landline, yes, that is my preferred method.  Maybe I was unclear on that.  Every other financial institution with which I deal (including at least 7 very large ones) uses landline authentication.  PayPal is the sole exception I know of to date.
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: Ebay SCAMS?
« Reply #40 on: August 15, 2022, 09:40:45 pm »
Ok so you're a self-inflicted outlier. That's fine.
 

Offline thm_w

  • Super Contributor
  • ***
  • Posts: 6337
  • Country: ca
  • Non-expert
Re: Ebay SCAMS?
« Reply #41 on: August 15, 2022, 09:55:47 pm »
Yes, accounts get hacked to place fraudulent listings. That is always the case with these kind of scam listings that have been going on for at least a decade. A tell-tale sign is that suddenly the seller starts selling completely different items. Nothing new here really.

Yeah easily 10+ years same thing.
And they are so strict with new sellers, ban legitimate sellers and freeze their accounts. So it's not like they are loose with the rules. They just don't care to do it right.

Once you add the newly required taxes and fees, it's about 25%. Better to not sell on eBay unless you absolutely have to.
Profile -> Modify profile -> Look and Layout ->  Don't show users' signatures
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: Ebay SCAMS?
« Reply #42 on: August 15, 2022, 10:02:48 pm »
Nah you just have to know how to play it. I've sold 700 items on eBay with no problems at all. If you list on certain days and stick around for the offers you hardly pay anything. I don't have access to another market I can get a return on that is as good including all the appropriate charges.

Typical example is I sell something for £500, I pay £20 on charges and charge the buyer for the courier. Problem? Add £20 to the asking price!
 

Offline thm_w

  • Super Contributor
  • ***
  • Posts: 6337
  • Country: ca
  • Non-expert
Re: Ebay SCAMS?
« Reply #43 on: August 15, 2022, 10:36:25 pm »
Nah you just have to know how to play it. I've sold 700 items on eBay with no problems at all. If you list on certain days and stick around for the offers you hardly pay anything. I don't have access to another market I can get a return on that is as good including all the appropriate charges.

Typical example is I sell something for £500, I pay £20 on charges and charge the buyer for the courier. Problem? Add £20 to the asking price!

Yeah my mistake, YOU don't pay taxes but the buyer has to. So they are actually paying £600 for your item right (20% tax)?
Profile -> Modify profile -> Look and Layout ->  Don't show users' signatures
 

Offline bd139

  • Super Contributor
  • ***
  • Posts: 23018
  • Country: gb
Re: Ebay SCAMS?
« Reply #44 on: August 15, 2022, 10:38:33 pm »
No. There's no taxes on private sales at least here. Unless you exceed your capital gains limit and that's up to you to declare.
 
The following users thanked this post: thm_w

Offline tautech

  • Super Contributor
  • ***
  • Posts: 28303
  • Country: nz
  • Taupaki Technologies Ltd. Siglent Distributor NZ.
    • Taupaki Technologies Ltd.
Re: Ebay SCAMS?
« Reply #45 on: August 15, 2022, 11:08:15 pm »
Nah you just have to know how to play it. I've sold 700 items on eBay with no problems at all. If you list on certain days and stick around for the offers you hardly pay anything. I don't have access to another market I can get a return on that is as good including all the appropriate charges.

Typical example is I sell something for £500, I pay £20 on charges and charge the buyer for the courier. Problem? Add £20 to the asking price!
Yep, just what we do here with NZ Trademe, as there is no eBay here; Trademe headed them off at the pass by getting a good following in the early days. However, their fees are on the steep side, so they get tacked onto the asking price!

To add some credence to our listings we add our company name for prospective buyers to find us elsewhere and maybe get a better price.  ;)
Avid Rabid Hobbyist
Siglent Youtube channel: https://www.youtube.com/@SiglentVideo/videos
 
The following users thanked this post: thm_w

Online EEVblog (Topic starter)

  • Administrator
  • *****
  • Posts: 37717
  • Country: au
    • EEVblog
Re: Ebay SCAMS?
« Reply #46 on: August 15, 2022, 11:27:02 pm »
For ref I use a Yubikey authenticator - that's a completely physically isolated factor.

I also use Yubikey for accounts where possible. Haven't actually looked into if eBay supports it though.
 
The following users thanked this post: bd139

Offline thm_w

  • Super Contributor
  • ***
  • Posts: 6337
  • Country: ca
  • Non-expert
Re: Ebay SCAMS?
« Reply #47 on: August 15, 2022, 11:40:35 pm »
For ref I use a Yubikey authenticator - that's a completely physically isolated factor.

I also use Yubikey for accounts where possible. Haven't actually looked into if eBay supports it though.

Looks like they offer 2FA via email, the eBay app, or a security key. But they definitely do not push using them.

Quote
At the top left of the eBay site, where you see your name, click the arrow to bring up a drop-down menu and click Account settings.
Under Personal Info, click Sign in and security.
Find the Security key sign in row near the bottom and click Turn on.
Profile -> Modify profile -> Look and Layout ->  Don't show users' signatures
 

Offline manicdoc

  • Supporter
  • ****
  • Posts: 164
  • Country: au
    • Aykira Internet Solutions
Re: Ebay SCAMS?
« Reply #48 on: August 16, 2022, 04:14:54 am »
The problem with smartphones is that you have to be disciplined to use them as a distinct separate factor. In that, you actually use it as an additional factor and do not use eBay on that device.

Email can be used as an authentication vector but this needs to be proportional to what it is protecting. Also, behind the scenes, there might be other secondary checks done that are not obvious to the end user. For instance, the geo region you are signing in matches whoever clicked the link. Your time of action is consistent with past behavior etc...
 
The following users thanked this post: bd139

Offline RolandK

  • Regular Contributor
  • *
  • Posts: 102
  • Country: de
Re: Ebay SCAMS?
« Reply #49 on: August 16, 2022, 07:56:17 pm »
Whenever you use the same device for both parts of 2FA it is per se vulnerable. This is the scenario which hijackers try to get control of: keylogger plus remote control plus the right exploit. Your encryption HW won't help. They just use it.

Only different hardware is safe. E.g. use an old phone for the key SMS where you have no other apps. Use a different email account, only on a non-surf, non-work device without stored passwords, for all financial account reset possibilities, e.g. on an old PC.

There is just too much illegal money for those who succeed. It is not a question of if, but when. The system only has to be very common to be a lucrative target. If you believe the propaganda that this can't happen, that is your first mistake.
Why do old shaffner filters blow? - because there are rifas inside.
Why do rifas blow? Only time shows if the best new thing is really best. Here it is not.
 
The following users thanked this post: bd139
