Why PayPal Security Tokens = FAIL

I had a bit of trouble last night trying to purchase something on eBay and despite much frustration and hours chatting with eBay reps, I’m still unable to login to my eBay account due to a mishap involving my PayPal security token, a 1-year-old and a glass of water.

It is pretty obvious to me that none of the 6 representatives I spoke to even knew WTF a PayPal Security Key was. In fact the typical conversation went something like this:

  • Rep: Can I help you?
  • Me: I can’t login to my eBay account, my PayPal Security Key is broken.
  • Rep: So do you need to talk to PayPal account support?
  • Me: No… I can login to PayPal just fine, I can’t login to eBay.
  • Rep: Ok, let me transfer you.
  • Me: EFF!

So rinse and repeat that about 6-7 times over two hours and you get the idea.

What’s really messed up about the whole process is that I was able to easily recover my PayPal account because of their insecure recovery process that just requires evilbadguy to phish a couple of secret questions from me, making the whole security thing kind of comical.

(Un)Fortunately eBay’s recovery method is a bit more secure. They call the contact phone number you have listed on your account and read off a security code for you to use to access your account. This would be great if I hadn’t fat-fingered my phone number and it was off by 1 digit. Unfortunately explaining that to a support rep just results in them guiding you to your account page and asking you to log in…

So apparently I am perma-screwed as far as eBay is concerned. Which I suppose is fine, I’m not sure I’m really interested in doing business with someone who can’t provide adequate tools and training to their support people.

PayPal really doesn’t have their shit together any more than eBay does, they just obviously understand people typically care more about convenience over security, which is true for the kind of people who don’t purchase a SECURITY token.

In addition, security tokens are a huge pain in the ass. PayPal/eBay only allows you to have one per account, which meant my wife sending me a message every time she wanted to bid on some item that was under a dollar with 7 days left. I’m definitely biased toward easy multi-factor security and for good reason, having experienced the alternatives.

I dream of the day when I truly control my own account information, so that when I can’t login to an OpenID powered auction site I just reboot my damn server instead of talking on the phone to customer support for two hours.