Rant: Paypal Security Key and Ebay

Gillbot

Lifer
Jan 11, 2001
28,830
17
81
Ok, this is a warning to those who got in on the Paypal Security Key when they had it available. As far as I know this only applies to Ebay but watch your Paypal account as well!

I attached the security key to my ebay account thinking it would help keep my account secure, boy was I mistaken! Yesterday I got an email notifying me of a bid I placed on a pair of underwear. Thinking it was a spoof or joke, I ignored and deleted the email. Today I find that many more pairs of underwear have been bid on using my name. I find it ironic that without the security key, I can't access my ebay account yet somehow someone else has managed to get in and place multiple bids.

After fighting to get contact info for ebay which requires you to log in ironically, I get through to the change password page which works without the key. Ok, I think it will allow me to change the password but I'll need the key to log in... NOPE! It let me right in without the key. What a completely useless "secure" system! For some reason, there are holes in the security that allow logging in without the key. This is just one of them, I'm sure there are more as someone obviously got into my account without the key.

Keep an eye out and don't think your account is secure even if you DO have the key.
 

Q

Lifer
Jul 21, 2005
12,042
4
81
I like your Camaro.

Would be 2x better with a white racing stripe down the middle though.
 

Gillbot

Lifer
Jan 11, 2001
28,830
17
81
No, my key is packed away currently. I find it ironic I am now logged in to my Ebay account and someone else was as well but ebay refuses to accept there is a security hole/flaw with the active security key.
 

Joemonkey

Diamond Member
Mar 3, 2001
8,859
4
0
I have mine linked to paypal and ebay, and every time I log into paypal I need the key and every time I make a bid on ebay I need the key as well
 

Gillbot

Lifer
Jan 11, 2001
28,830
17
81
Interesting read though I know for sure I haven't given out any of my security question answers. I'm just having a hard time understanding HOW they accessed my account without the key yet ebay acts as though it's all my fault and due to a phishing site or malware. Even if this were the case, how did they get the 6 digit number to gain access, log in and bid?
 

Gillbot

Lifer
Jan 11, 2001
28,830
17
81
Originally posted by: Joemonkey
I have mine linked to paypal and ebay, and every time I log into paypal I need the key and every time I make a bid on ebay I need the key as well

You would think but apparently someone bid on 5 items using my account without the key.
 

TheTony

Golden Member
Jun 23, 2005
1,418
1
0
Originally posted by: Gillbot
Interesting read though I know for sure I haven't given out any of my security question answers. I'm just having a hard time understanding HOW they accessed my account without the key yet ebay acts as though it's all my fault and due to a phishing site or malware. Even if this were the case, how did they get the 6 digit number to gain access, log in and bid?

Per the above flaw, they wouldn't need it. They would, however, need one of your other credentials.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: Gillbot
Interesting read though I know for sure I haven't given out any of my security question answers. I'm just having a hard time understanding HOW they accessed my account without the key yet ebay acts as though it's all my fault and due to a phishing site or malware. Even if this were the case, how did they get the 6 digit number to gain access, log in and bid?

According to that article they don't NEED the keyfob number. Just username/pass and a security question answer - easily gained by phishing or malware.

Apparently from what I gleaned of the article all somebody has to do is not present their site key (cookie) and be challenged to prove identity (security question).

Have you ever used ebay on public or unsecure wifi?
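The fallback described in the post above, modeled as an added example (not code from the thread, eBay or PayPal): a login check that lets a security-question answer stand in for the key when the site cookie is absent, next to one that requires an enrolled key on every path. All names and account values are constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    password: str
    security_answer: str
    key_enrolled: bool
    current_code: str  # constructed stand-in for the 6-digit code shown on the key

@dataclass
class Attempt:
    password: str
    code: Optional[str] = None
    security_answer: Optional[str] = None
    has_site_cookie: bool = False

def _eq(supplied, expected):
    # Constant-time comparison; a missing value never matches.
    return supplied is not None and hmac.compare_digest(supplied.encode(), expected.encode())

def login_with_fallback(acct, att):
    """Flow as described in the thread: no cookie means a security question, not the key."""
    if not _eq(att.password, acct.password):
        return False
    if not att.has_site_cookie:
        return _eq(att.security_answer, acct.security_answer)  # key never consulted
    return _eq(att.code, acct.current_code) if acct.key_enrolled else True

def login_key_enforced(acct, att):
    """Hardened: once a key is enrolled, its code is required on every path."""
    if not _eq(att.password, acct.password):
        return False
    if acct.key_enrolled:
        return _eq(att.code, acct.current_code)
    if not att.has_site_cookie:
        return _eq(att.security_answer, acct.security_answer)
    return True

def paths_skipping_key(login, acct):
    """Audit helper: which constructed attempts succeed without the key code?"""
    attempts = {
        "cookie, no code": Attempt(acct.password, has_site_cookie=True),
        "no cookie, security answer": Attempt(acct.password, security_answer=acct.security_answer),
        "no cookie, nothing else": Attempt(acct.password),
    }
    return sorted(name for name, att in attempts.items() if login(acct, att))
```

Running `paths_skipping_key` against each login function shows the difference: the fallback flow admits the "no cookie, security answer" attempt, while the enforced flow admits none of them.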
 

Gillbot

Lifer
Jan 11, 2001
28,830
17
81
I haven't logged into my ebay account in quite a while and I have not even accessed my security questions. I'm still failing to see how they got in.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: Gillbot
I haven't logged into my ebay account in quite a while and I have not even accessed my security questions. I'm still failing to see how they got in.

Obviously they have your username, password and answered a security question correctly - that's all they need.
 

markgm

Diamond Member
Aug 23, 2001
3,291
2
81
Originally posted by: Gillbot
Interesting read though I know for sure I haven't given out any of my security question answers. I'm just having a hard time understanding HOW they accessed my account without the key yet ebay acts as though it's all my fault and due to a phishing site or malware. Even if this were the case, how did they get the 6 digit number to gain access, log in and bid?

I think that from the link above it's obvious that the 'security' key isn't really implemented correctly to prevent unauthorized access. It's a feel good tool that you get to pay for!
 

Gillbot

Lifer
Jan 11, 2001
28,830
17
81
Mine was free, I never paid for it. I'm just trying to understand HOW they got in. My password has been changed so that should keep them out for now but since the key is still active and I packed it away, I can't even get back in to my account to change anything else!
 

markgm

Diamond Member
Aug 23, 2001
3,291
2
81
Originally posted by: Gillbot
Mine was free, I never paid for it. I'm just trying to understand HOW they got in. My password has been changed so that should keep them out for now but since the key is still active and I packed it away, I can't even get back in to my account to change anything else!

What do you need changed in your account? I have a few minutes, I can log in and do it for ya.

:evil:
 

Gillbot

Lifer
Jan 11, 2001
28,830
17
81
Apparently I need to change my security question/answer! Though every time I type in an incorrect number I get this:
Your security code is incorrect. Please try again.
 

Gillbot

Lifer
Jan 11, 2001
28,830
17
81
Originally posted by: markgm
Originally posted by: Gillbot
Mine was free, I never paid for it. I'm just trying to understand HOW they got in. My password has been changed so that should keep them out for now but since the key is still active and I packed it away, I can't even get back in to my account to change anything else!

What do you need changed in your account? I have a few minutes, I can log in and do it for ya.

:evil:

Why were you using my account to bid on underwear?!?!?!?!?!
 

EagleKeeper

Discussion Club Moderator
Elite Member
Staff member
Oct 30, 2000
42,589
5
0
Originally posted by: Gillbot
Originally posted by: markgm
Originally posted by: Gillbot
Mine was free, I never paid for it. I'm just trying to understand HOW they got in. My password has been changed so that should keep them out for now but since the key is still active and I packed it away, I can't even get back in to my account to change anything else!

What do you need changed in your account? I have a few minutes, I can log in and do it for ya.

:evil:

Why were you using my account to bid on underwear?!?!?!?!?!

Because you would not order it for your wife? :D