eBay sends out mixed messages on security

The online auctioneer has ruled out introducing two-factor authentication for the time being, despite public calls for the widespread introduction of the technology by its own chief security officer

The director of performance engineering and availability at eBay has admitted that the company and its customers must accept that fraudulent activity goes with the territory when it comes to transacting online.

eBay veteran Paul Kilmartin said that despite the possibility of introducing security technology such as two-factor authentication, the only way the company could hope to eradicate all fraud from its business would be to stop trading. "The one easy way to stop all the fraud would be to turn off the site tomorrow and there would be no more illegal activity," he said.

Kilmartin made the comments at Sun's quarterly release event in Washington DC on Tuesday following questions on whether eBay has any plans to introduce two-factor authentication technology to combat fraud amongst its user base.

Two-factor authentication means using something the user physically possesses — such as a smart card, or fingerprint — in addition to a password to verify the identity of an IT user.

Kilmartin claimed that the company has no plans to alter its authentication process for now, unless customers begin asking for such technology to be introduced. "We have no specific plans in this area yet unless we start to see real demand for it," he said.

Kilmartin’s reluctance to push the technology is at odds with comments made earlier this year by Howard Schmidt, the chief security officer for eBay and former White House cybersecurity adviser who called for greater use of two-factor authentication.

Speaking at a press briefing in Barcelona last November, Schmidt said that businesses had clearly improved their security practices, but that the technology is now available for them to use two-factor authentication.

"We're doing better security now, but we still depend on usernames and passwords as a way of getting online. We now have the technology for the end-user to have two-factor authentication. We expect to see security grow and be federated," said Schmidt, adding that people had to accept the need to supply more credentials.

Microsoft's chief security strategist, Scott Charney, recently said that companies had failed to adopt two-factor authentication as fast as he would have liked.

"We haven't had as much adoption as you would hope for," said Charney. "A lot of solutions for two-factor authentication are for enterprise spaces. If you get two-factor authentication to the consumer level, you reduce the phishing threat."

eBay was criticised by a UK judge late last year for not doing enough to protect its users from the dangers of fraud. Judge Richard Bray said it was "hardly surprising" that eBay was targeted by criminals, given the measures it has put in place to protect users.

The Judge was presiding over the trial of a woman convicted of taking £3,000 from five separate eBay customers for non-existent tickets to the Glastonbury music festival.

And on Wednesday, a teenager who used eBay to defraud over one hundred people of a total of £45,000 was sentenced to twelve months detention and training.

eBay insists that its systems are safe and secure. "Fewer than 0.01 percent of all listings on eBay result in a confirmed case of fraud, and when used properly the site is a safe and secure place to buy and sell," said an eBay spokesperson in response to Judge Bray's comments.

eBay has been using Sun's server technology for the past eight years and claims the technology has been fundamental in ensuring the online trader has maintained consistent availability during that time.

According to Kilmartin, eBay has some 147 million registered users worldwide and trades more than $1344 (£711) worth of goods on the site every second. He explained that maintaining that kind of availability meant staying extremely vigilant against online fraudsters and security attacks against the site's network defences.