eBay Account Hacked -> Case in Point for OpenID
I logged into my email today to 50+ emails from eBay. My initial reaction was:
Great! Google's email SPAM filter has finally broken down.
Unfortunately, it was not a simple case of spoofed eBay emails making it through the trusty SPAM filter. My eBay account had been hacked. Someone had gained access to my account and posted about 50 listings for "eBay Listing Confirmed: brand new CLH LRG DEAD SERIOUS HOODIE size XXXL" of different sizes. The final two emails from eBay were "TKO NOTICE: eBay Registration Suspension - Possible Unauthorized Account Use" and "TKO NOTICE: eBay Listing(s) Removed", indicating that eBay had disabled my account and removed the unauthorized listings. Good job eBay!
Why did this happen?
I'm not a frequent eBay user by any stretch of the imagination. In fact, I probably haven't used my account in about two years.
Was my password strong and frequently changed?
No, of course not! If I used eBay on a daily basis, perhaps I would use a more difficult (and harder to remember) password and frequently generate new ones. However, like most users, even tech-savvy ones, I have other things to do with my time besides come up with, memorize and deploy new passwords. However, this problem of users having too many site credentials to remember and protect could be avoided if eBay and other sites adopted a decentralized authentication system such as OpenID in the future.
OpenID works by giving each user a URL or an i-name that the user uses to identify herself to a website instead of creating a login and password for each site. After entering her OpenID (Step 1), the user is redirected to her OpenID provider to verify she is the owner of the OpenID provided (Step 2).
For those new to OpenID, I have taken screenshots of a hypothetical AOL user with screen name "YourSN" and OpenID "http://openid.aol.com/YourSN" trying to log on to ipv6links.net, my testbed for IPv6, OpenID, and other next-generation web technologies.
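The two steps above, written out as the messages the site and the provider exchange and the checks the site must make before trusting the answer. This is an added example, not code from the original post; it assumes OpenID 2.0 message names, an HMAC-SHA256 key already shared between site and provider, and hypothetical endpoint and return URLs supplied by the caller.

```python
import base64, hashlib, hmac
from urllib.parse import urlencode

NS = "http://specs.openid.net/auth/2.0"
# Fields the provider's signature must cover before the site trusts them.
MUST_SIGN = {"op_endpoint", "return_to", "response_nonce",
             "assoc_handle", "claimed_id", "identity"}

def auth_request_url(op_endpoint, claimed_id, return_to, realm, assoc_handle):
    """Redirect target the site builds after the user submits her OpenID."""
    return op_endpoint + "?" + urlencode({
        "openid.ns": NS, "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
        "openid.return_to": return_to, "openid.realm": realm,
        "openid.assoc_handle": assoc_handle})

def sign(fields, signed, mac_key):
    """Base64 HMAC-SHA256 over the "key:value\\n" form of the signed fields."""
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed)
    mac = hmac.new(mac_key, kv.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def verify_assertion(fields, mac_key, expected, seen_nonces):
    """Site-side checks on the provider's answer; returns the verified OpenID."""
    if fields.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    signed = fields.get("openid.signed", "").split(",")
    if not MUST_SIGN <= set(signed) or any("openid." + k not in fields for k in signed):
        raise ValueError("required fields missing from signature")
    good = sign(fields, signed, mac_key).encode()
    if not hmac.compare_digest(good, fields.get("openid.sig", "").encode()):
        raise ValueError("bad signature")
    # Simplification: the claimed OpenID is compared to what the user typed.
    for key in ("op_endpoint", "return_to", "claimed_id", "assoc_handle"):
        if fields["openid." + key] != expected[key]:
            raise ValueError(key + " mismatch")
    nonce = fields["openid.response_nonce"]
    if nonce in seen_nonces:  # each assertion may be accepted only once
        raise ValueError("replayed assertion")
    seen_nonces.add(nonce)
    return fields["openid.claimed_id"]

def sample_assertion(expected, mac_key, nonce):
    """Constructed provider response, as it would arrive on return_to."""
    fields = {"openid.ns": NS, "openid.mode": "id_res",
              "openid.identity": expected["claimed_id"],
              "openid.response_nonce": nonce,
              "openid.signed": ",".join(sorted(MUST_SIGN))}
    fields.update({"openid." + k: v for k, v in expected.items()})
    fields["openid.sig"] = sign(fields, fields["openid.signed"].split(","), mac_key)
    return fields
```

The site never sees the user's password in this exchange: it only checks that the provider signed the identifier, the return address and a one-time nonce.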
Using OpenID, each person would only need to have one OpenID and could use the same OpenID to log on to any number of sites. The benefit is that abstracting the verification of a user's identity away from the site she is logging in to, and reducing the number of identities for which she must remember credentials, allows advanced security techniques to be used to protect her identity.
Her OpenID would be better protected by simply selecting a stronger password and changing it frequently. It is much easier to frequently change a password if one must only change it in one place instead of on every site on the Internet. Two-factor authentication techniques such as SecurID or having the user answer a series of predefined questions could be used.
All of your eggs in one basket?
Some would argue that OpenID or other such web-based single sign-on systems are akin to putting all of your eggs in one basket. There is some truth to this, in that if your OpenID is compromised, criminals can potentially access all of the sites where you use that identifier. However, the nice thing about having all of your eggs in one basket is that it is much more feasible to fiercely guard one or two baskets, making it much harder for any Internet fox to get to your eggs, than it is to guard the dozens of baskets that exist when users are forced to maintain a user name and password for each website.
Choose the most secure basket for your eggs
With the status quo, users are forced to store information regarding their identity using whatever method a website offers. Identity storage and protection are usually not the core competencies of most websites, including places like eBay. OpenID's decentralization allows users in the free market to choose to put their proverbial eggs in the basket of an OpenID provider whose core competency and raison d'être is identity management and that has a reputation for the most secure basket.