eBay: Let's wait and see on tighter security

The auction giant has ruled out two-factor authentication for the time being, says an eBay exec.

Andrew Donoghue Special to CNET News.com
3 min read
WASHINGTON--eBay and its customers must accept that fraud goes with the territory of online transactions, a top executive at the auction giant said.

Paul Kilmartin, director of performance engineering and availability at eBay, said the company could introduce security technology such as two-factor authentication, but the sure way to eradicate all fraud from its business would be to stop trading. "The one easy way to stop all the fraud would be to turn off the site tomorrow, and there would be no more illegal activity," he said.

Kilmartin, a 10-year eBay veteran, made the comments at Sun Microsystems' quarterly release event here on Tuesday following questions about whether eBay has any plans to introduce two-factor authentication technology to combat fraud among its users.

Two-factor authentication means requiring a second security device, such as a smart card or fingerprint, in addition to a password, to verify the identity of an IT user.

Kilmartin said that eBay has no plans to alter its authentication process for now. "We have no specific plans in this area yet, unless we start to see real demand for it," he said.

Kilmartin's remarks are at odds with comments made earlier this year by Howard Schmidt, the chief security officer for eBay and former White House cybersecurity advisor, who has called for greater use of two-factor authentication.

Speaking at a press briefing in Barcelona last November, Schmidt said that businesses had clearly improved their security practices, but that the technology is now available for them to use two-factor authentication.

"We're doing better security now, but we still depend on usernames and passwords as a way of getting online. We now have the technology for the end-user to have two-factor authentication. We expect to see security grow and be federated," said Schmidt, adding that people had to accept the need to supply more credentials.

Microsoft's chief security strategist, Scott Charney, recently said that companies had failed to adopt two-factor authentication as fast as he would have liked.

"We haven't had as much adoption as you would hope for," Charney said. "A lot of solutions for two-factor authentication are for enterprise spaces. If you get two-factor authentication to the consumer level, you reduce the phishing threat."

eBay was criticized by a U.K. judge late last year for not doing enough to protect its users from the dangers of fraud. Judge Richard Bray said it was "hardly surprising" that eBay was targeted by criminals, given the measures it has put in place to protect users.

The judge was presiding over the trial of a woman convicted of taking $5,700 (3,000 pounds) from five separate eBay customers for nonexistent tickets to the Glastonbury music festival.

And on Wednesday, a teenager who used eBay to defraud more than 100 people of a total of $85,000 (45,000 pounds) was sentenced to 12 months detention and training.

eBay insists that its systems are safe and secure. "Fewer than 0.01 percent of all listings on eBay result in a confirmed case of fraud, and when used properly the site is a safe and secure place to buy and sell," an eBay spokesperson said in response to Judge Bray's comments.

eBay has been using Sun's server technology for the past eight years and says the technology has been fundamental to ensuring that the online trader has maintained consistent availability during that time.

According to Kilmartin, eBay has some 147 million registered users worldwide and trades more than $1,344 in goods on the site every second. He explained that maintaining that kind of availability meant staying vigilant against online fraudsters and attacks against the auction site's network security defenses.

Andrew Donoghue of London-based ZDNet UK reported from Washington.