Saturday, July 21, 2012

Is eBay taking a Facebook approach to changes now?

Facebook has a long and inglorious history of making changes that people hate, and implementing them in a way that makes it hard to avoid being subjected to them. But since Facebook is a free service which (with only very limited exceptions) provides no real opportunity for costly misuse, such changes primarily just elicit grumbles and little more. It's not like you spend money there, after all. The same is not true for eBay and PayPal, however, and there's a fresh new misfeature over at eBay that's a humdinger of an example of a designed-in security breach.

Until recently, when you won an auction or selected a Buy It Now item, the process of paying for the purchase required logging into your PayPal account for each and every transaction. That's as it should be; it guards against a number of things that one should rightly be paranoid about, the most important being an accidental security breach that allows someone to get your eBay password and use your eBay account to get access to your money. Now, however, what pops up in place of the PayPal login page is a "helpful" box extolling the virtues of linking your eBay and PayPal accounts together so that you don't have to enter your PayPal password to complete the transaction. This dialog box has two selections: "Yes, link them together now" and "Not now." There is no selection for "Not just no, but HELL NO!"

Whatever passes for a brain in their marketing department must have been on vacation in Bermuda - and had the entire security division off getting drunk in a bar somewhere while it was gone. This is perhaps the most egregious example of blatant idiocy that I have seen from these folks so far, bar none.

Did it occur to any of them that this allows a one-password breach to permit emptying a bank account entirely? Apparently not, but here's just one way that it could work: Assume, for a moment, that by whatever means, your eBay password has been phished (or grabbed by a virus, or some such) and is now in the possession of someone who wants your funds. Anticipating that they would have this opportunity, they've set up half a dozen eBay accounts and PayPal accounts as well. With your eBay password in hand, they set up several listings in their eBay account for things that have a Buy-It-Now price of three or four hundred dollars each, and then using your password from a system that's on a different connection, they proceed to buy the spurious item and pay for it from your account.

Yes, you'll get an email congratulating you on winning the auction - but if they're smart, the item they will list is going to be *identical* to the last one you actually bought (except for the price) so that you'll look at the notice and think "That's odd" instead of "Holy shit, my account's been hacked!" Some people probably wouldn't notice at all - and if you're an active eBay user, they can time it so that it superficially just looks like the same notice accidentally got sent twice.

As long as the payment can't happen without also having your PayPal password, this kind of approach gets them nothing unless they have both logins. But with the accounts linked, they need only the eBay login, and they can swiftly empty your bank account. If you're not paying close attention, that money can be cleanly gone and unrecoverable in a very short time. I should point out that if I can see the potential for this kind of exploit, you can bet that the phishers can, too - and they've probably figured out a dozen more ways to use it, probably with less work and faster results.

eBay has had problems with account security breaches in the past, with varying exploits involved. Some compromised accounts were used to list hundreds of nonexistent items, and the account information was changed so that the email went to the invader instead of the account owner. Various other breaches have had other goals. With the eBay and PayPal accounts linked, however, the possibilities for ill-gotten gain by phishers have just been multiplied. And although I do not know if they have provided a way to undo the linking, it would not surprise me if this change was next to impossible to undo. At the very least, if they had that option available, they ought to say so - being able to temporarily link the accounts might be a useful choice in certain limited circumstances. It would still not be a hazard-free choice, but it would be at least potentially safe in careful hands.