[Dave Petch] It’s not often the case that eBay users find cause to congratulate
the internet giant, in fact quite the opposite is usually the case.
Whether it’s seller rebellion against fee hikes, anger at seller policy changes, lawsuits against the selling of counterfeit goods or password vulnerabilities in the developer program, eBay are never far away from controversy of some kind.
So I was therefore pleasantly surprised to discover that eBay (in the UK at least) have implemented location-based login checks,
something which would surely assist in the ongoing fight against phishing
attacks were it implemented more widely at other online merchants /
communities. It was also another great but simple example of the utility of the
mobile phone as an authentication channel.
I discovered this through the somewhat suspect process of
using my friend’s eBay login details to help him sort out an item listing issue
that he had. He’s one of those illiterate computer users who doesn’t know
one end of the web from the other, so he didn’t hesitate in telling me his
login and password over the phone.
My friend lives 20 miles away from me. When I tried to
log in using his valid credentials, eBay took me to a page stating it had been
noticed I was logging in from a “location” that was not my usual one. I
presume this was detected using my IP address, although whether it was able to
trace me to a spot in Guildford or just to the location of my ISP is not clear
(a whois of my IP address at
home tells me that I live in Hull, East Yorkshire, which is at least 230 miles
from my house but unsurprisingly not very far from my ISP). However, for
the security mechanism in question, this was more than enough information for eBay to detect the disparity from my friend’s usual network access data.
I was then asked if I wished to be authenticated using
either a phone call (instant) or an email (short delay). I selected
authentication by phone call (it uses the existing registered number and does
not allow you to enter a different one), my friend’s mobile rang almost
instantly, after which an electronic voice announced, “Hello, this is eBay, are
you expecting this call? If so, press #”. My friend pressed # and
an access code was read out to him. He reported the code to me, I entered
it at the website and in I went.
The specifics of the situation were obviously beyond that
for which the protection mechanism was strictly designed, but the process
worked very smoothly and was close to real time, it presented the user with
alternative options for added convenience and, above all, it was simple.
Sure, it slowed me down for a minute, but my initial thought was that such a
simple mechanism would surely assist in the fight against the use of phished
credentials. If you cannot stop the consumer from continuing to fall for
what is fast becoming one of the oldest tricks in the book, then stopping the
use of those captured credentials using simple location checking seems to be a
worthwhile next step, at least until such time that the highly
flawed method of user authentication that we call “passwords” is replaced.
There was a flaw in the process, however. Having completed my login to the
website using my friend’s credentials, I then asked him to log in at the same
time so that he could see the effect of the changes I was making to his item
listing. eBay allowed him straight in, although it should have been clear
at this point that it was not possible for him to be in two different locations
at the same time, at least not without considerable mind power.
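The two checks described in this post, the location check eBay performed and the concurrent-session check it did not, sketched as an added Python example (this is illustrative code, not eBay's). The IP-to-ISP table and the TEST-NET addresses are constructed stand-ins for a real whois or geolocation lookup.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
import hmac

# Constructed stand-in for an IP -> ISP/city lookup (a real system would query whois or a geo database).
GEO_TABLE = [("198.51.100.0/24", "isp-north"), ("203.0.113.0/24", "isp-south")]

@dataclass
class Account:
    usual_networks: list                                  # CIDRs the owner is normally seen from
    active_sessions: dict = field(default_factory=dict)   # session_id -> coarse location label

@dataclass
class Decision:
    allow: bool
    step_up: bool   # True: require the one-time code delivered to the registered phone/email
    reason: str

def coarse_location(ip: str) -> str:
    addr = ip_address(ip)
    for cidr, label in GEO_TABLE:
        if addr in ip_network(cidr):
            return label
    return "unknown"

def evaluate_login(account: Account, ip: str) -> Decision:
    """Risk check run after the password verifies and before any session is issued."""
    here = coarse_location(ip)
    # Check 1 (what eBay did): is this a network the account is usually seen from?
    familiar = any(ip_address(ip) in ip_network(n) for n in account.usual_networks)
    # Check 2 (what the post says was missing): is a live session already active elsewhere?
    elsewhere = sorted({loc for loc in account.active_sessions.values() if loc != here})
    if elsewhere:
        return Decision(False, True, f"concurrent session from {elsewhere}")
    if not familiar:
        return Decision(False, True, f"unfamiliar location {here}")
    return Decision(True, False, "familiar location, no conflicting session")

def grant_session(account: Account, session_id: str, ip: str) -> None:
    account.active_sessions[session_id] = coarse_location(ip)

def finish_step_up(account: Account, session_id: str, ip: str,
                   code_read_out: str, code_entered: str) -> bool:
    """Issue the session only if the code read out over the phone matches what was typed (constant-time)."""
    if not hmac.compare_digest(code_read_out, code_entered):
        return False
    grant_session(account, session_id, ip)
    return True
```

In the scenario from the post, the second login from the owner's own network is familiar but conflicts with the live session from the other ISP, so it is stepped up rather than let straight in.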