Ebay Inc Identity Security Check Default PIN in 2021

New Ebay Inc Identity Security Check Default PIN in 2021

In the last weeks we have reviewed several identity security check mechanisms of large coporates. Due to that we figured out a funny case with ebay inc. Ebay inc owns a new security identity check function that uses a algorithm to calculate pins for the logins.

Lets start on the beginning of the story were ebay used to implement last year the full security check mechanic (multi factor auth) to approve identities of accounts. The method is used and implemented by ebay to ensure that in case an attacker stole an account a second factor is used to ensure the user is really the user that is allowed to login the account not the attacker. An attacker would need control about the second device to compromise the ebay account which is delivered by phone call or by sms. Attackers can not know the pin when hacking into the ebay account to compromise were the most attacks stop. So the pin must be a value, that is not known by the attacker that tries to compromise manually or automated by a pin bruteforce.

After changing the phone number of one of our long time used ebay accounts, we tested the ebay main login to access with the activated security check. Shortly after that a pin was delivered, that showed us a default pin of "1234".

To complete the action, we gave the current username and password to one of our employees who was not involved in the testing. He should simulate the hacker that compromised our account. He was then able to proceed to the point of identity verification after using the login credentials. The first PIN he used was of course "1234" and thus he only needed "1" try to identify the correct PIN that was valid for a few minutes to fully login.

At that point we would like to mention to modify the calculation with the algorithm for the pin to exclude default insecure pairs like 0000, 1111, 1234, 4321.

Watching banks or other companies in europe or the usa, you will never receive today a paypal or bank pin with "1234" default values. Otherwise you are still with a company that does not understand how to generate secure pins for identify verification process. Problems like that can only be identified by an audit that is processed for any new identity intergations and inbound security functions.

Ebay mostly cares really about customer security which we still know from earlier security related come togethers. Our report about the short incident should make visible that those pins doesn't ensure nobody can login with the actual configurations. In thus case it wasn't a best practise example by ebay inc and in future modification should take place to disallow this insecure pins. Therefore the algorithm needs to be modified that generates the pin for the identify check via phone or sms.

If you have concerns in the future because your ebay account has been stolen and compromised despite Multi Factor Auth, while ebay employees are trying to tell you that the fault lies with yourself, simply respond with these facts. The security issue has been reported to ebay. With this article we send some new year's greetings to ebay and hope for a soon improvement in the handling of pins for the identification of identities.