Businesses urged to adopt 2FA after eBay breach

News by Doug Drinkwater

As news emerges that eBay's data breach - affecting some 145 million users worldwide - was caused by hackers stealing employee credentials, the industry rallies businesses to adopt two-factor authentication.

On Wednesday eBay confirmed in a press release that it had been compromised by hackers who had - by obtaining a “small number of employee log in credentials”- gained access to user details including names, home and email addresses, phone numbers and dates of births.

The firm also lost “encrypted” passwords (these were seemingly not hashed or salted) but stressed that financial records had not been taken.

“There is no evidence that any financial information was accessed or compromised; however we are taking every precaution to protect our customers,” eBay spokesperson Kari Ramirez told at the time.

And while the company has called for all 145 million eBay users to change their passwords instantly, some in the information security field believe that two-factor authentication should be adopted to guard employees and businesses against poor passwords and advanced phishing attacks.

Phishing attacks aren't at this time thought to have caused the credentials theft, although they are an increasingly common method of attack via email and social media. In addition, experts believe that they could be used by opportunistic hackers seeking to take advantage of eBay account holders waiting to receive eBay's security advice by email.

Just this week, fraudsters exploited a redirection vulnerability in a PayPal website in an attempt to steal Apple IDs. They sent out phishing emails disguised as receipts from iTunes for expensive items, enticing victims to try and cancel the fake orders.

Lucas Zaichkowsky, enterprise defence architect at digital forensics and incident resolution technology vendor AccessData, believes that two-factor authentication will guard business employees, and customer users, from these kinds of attacks.

“Long term users and organisations should turn on two-factor authentication on any accounts that support it and use a password management tool to generate and manage strong, unique passwords for every account,” he said via email.

Independent security researcher Brian Krebs also urged users to use the PayPal and eBay's inbuilt 2FA tool and said that they should be extra vigilant against opportunistic phishing emails – especially with the ecommerce firm still to send out its security advisory by email.

"Be extra wary of phishing emails that spoof eBay and PayPal and ask you to click on some link or download some security tool; attackers are likely to capitalise on this incident to spread malware and to hijack accounts,” he said on his blog.

“eBay and PayPal users who haven't already done so should consider using the PayPal Security Key, a two-factor authentication solution that can be used to add for additional security on both sites.” 

Despite this, two-factor authentication remains a rare optional extra in many companies with SafeNet data showing that less than 15 percent of companies have implemented multi-factor authentication for all employees. 

“Multi-factor authentication eliminates the inherent insecurity of static passwords by requiring an additional level of user authentication, such as passcode sent to a mobile phone,” Jason Hart, VP of cloud solutions at SafeNet, told SC in an email.

“Given the increasing number of data breaches we are seeing, a combination of strong authentication and data encryption will play an increasingly central role in any organisation's security strategy.” 

In related news, Skyhigh Networks' research indicates that eBay hack affects 99 percent of companies, with the average Fortune 2000 company having approximately 15,800 employees using eBay.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews