eBay have announced that they have detected a leak of personal information. They have reassured users that the information obtained consisted of encrypted passwords and non-financial information.
Am I reassured?
It appears that the leak occurred between late February and early March and has only just been publicised. The information was obtained through the theft (I assume) of “a small number of employee log-in credentials”. How this intrusion was detected has not been released, nor whether it was noticed by activity pattern detection. It appears that the credentials protecting access to this sensitive information were static, otherwise key generation methods would also have been needed.
So do I take the advice just to change my password?
It might protect me for an undefined period into the future. eBay appears to have checked their sites for any abnormal activity that may have been carried out using the information obtained and has found no evidence of it. But the information obtained would have more value for other identity-related activities, which eBay has no ability to monitor. At best, my privacy remains compromised.
So where is the link between eBay and PayPal?
In most markets PayPal remains the payment method of choice for most eBay users. Its “pay as you go” model and convenience are attractive to small users and help to outweigh its higher transaction cost. In common with all online services, eBay have paid attention to the user journey to minimise any disruption in the checkout experience. PayPal likewise are making considerable investments in making the PayPal experience ubiquitous, whatever purchase journey the consumer undertakes.
FirstPartner has undertaken a number of studies to examine how this user journey impacts the security methods used and how this balance is being managed. In these studies, the linking of an individual’s eBay account with their PayPal account has been examined. This linking makes PayPal the minimum-click checkout option, providing an experience similar to Amazon’s.
To achieve this linking, eBay must “transparently” log in to PayPal so that the step is removed for the user. This pushes the authentication step back to the eBay login. Some security is provided at this point by the ability to designate trusted devices, the only devices from which the automatic login step will be performed. Does this provide the level of security necessary to avoid exploitation of the payment link?
PayPal, in common with most online payment services, has implemented the extra security feature of 2 factor authentication. Some sites refer to this as 2 step verification to try to make it appear more user friendly, but it remains a user option. All major consumer services appear to be struggling with how to make 2 factor authentication a reliable and user friendly experience. In our experience, Google has tried hardest to make it user friendly with their 4 step enablement process. It fails by presenting, immediately after the user has enabled it, every way in which mobile-based verification could fail and the different methods of countering each. Result – panic and find out how to turn it off!
Will the consumer link eBay and PayPal?
eBay will be rushing to limit the damage to their reputation. The lasting damage could come if the consumer links the reputation of eBay with that of PayPal and questions the integrity of the security measures of both organisations.
The ongoing issue for the industry is how the federated and linked identity management between these services can be secured, so that the consequences of breaches like this do not keep growing once the breach itself has been managed. The balance becomes increasingly difficult when the user experience journey and abandonment are factored into the criteria.