I went to sell some stuff on eBay today, for the first time in almost a year. Curiously my attempts to create a listing were intercepted by a page explaining that "eBay doesn't recognise your computer". As a techie I presume this means I didn't have a cookie they were expecting, even though I had just logged in.
To get the right credentials you're required to enter a PIN which will be sent to you via an automated voice message. This can be sent to the phone number already in your eBay account profile, or to a new number. Entering a new number requires the correct answer to your secret question. It wouldn't accept my mobile number.
An automated process then calls the nominated number and it was quite strange as it does not say anything until you say something. I sat there in silence for a few seconds before attempting a "hello?", as I had expected it to just blurt out the required PIN. It asks if you had expected to receive the call. I pressed 1 (yes), and it goes into an endless loop of "Your PIN is xxxx".
I'm not really sure whether this adds much in the way of security. It's a barrier presented only to sellers - I could apparently bid on items without the same credentials. I guess it aims to mitigate the risk of stolen accounts being used to perpetrate fraudulent sales of high-value items like laptops.
The situation would be that either your username & password have been compromised, in which case I'd hazard a guess that your secret question & answer have probably also been stolen (via phishing, and maybe re-used answers from other sites). Or, someone's driving your PC, maybe through malware, or maybe you left yourself logged in at an internet cafe or other shared PC.
Now, given that the act of listing an item results in an email being sent to your account, I question what the phone check adds. You can buy a VoIP number online easily, so a phone number doesn't provide any link to a real person (either financially or physically). So a fraudster can, with your secret answer, change your profile phone number and sell stuff as you.
So it boils down to whether your secret question & answer have been compromised, in which case why not just ask for the secret answer and save the phone hassle?
This is a genuine question; I think I must be missing something in this process.