Security Key


 
Avatar (SF) JnKr 1 post

Here in Germany, eBay and PayPal are starting to sell a security key device. It is a little gadget, the size of a USB stick, which you can carry on your keychain and generate numeric keys on the go. These keys are then going to be part of your login data to provide for login. On the PayPal site it states that, in addition to your login and your password, you have to specify this key, and it is only valid for 30 seconds after it has been generated. The login onto eBay, IMHO, is supposed to work in the same way. Of course, you can refrain from activating it for eBay, but it sounds like this might make sniping impossible if it ever becomes the standard login procedure. As a safety feature I think this is a good approach and I will activate it for my PayPal account.

Now to the impact on Sniping:
Is there any talk of this device in other countries also?
Any ideas on how sniping would be done in the future?

Greetings
Kruegge

 
Avatar Morgan Schweers Administrator 551 post(s)

Greetings,
A while ago eBay made a deal with a security provider. It involved a lot of different deals, but as I recall one of the deals was glossed over by many… They agreed to buy a Very Large Number of small security devices from that company. I noticed it, and understood what they were trying to do… Handle phishing, once and for all.

It’s called two-factor authentication. Something you know, and something you have.

The ‘something you know’ is your pass phrase. The ‘something you have’ is, in this case, a hardware key which custom-encrypts a given code, which you send back to them as proof that you have it.

Unfortunately, for JBidwatcher and other sniping solutions, it also acts as an effective verification that there is a human on the other end of the browser, interacting with the web site. Automated sniping stops working.

I absolutely presume they’ll be rolling this out in other countries, but I haven’t heard (maybe I haven’t been listening in the right places) of it shipping in the US yet.

I have a few ideas that would reduce the functionality of JBidwatcher a bit. For instance, it might be necessary for you to be AT JBidwatcher to do a login within 6 hours of the end of the auction to enter the number, and JBidwatcher’ll hold the cookie and key that it gets back until the snipe time. This seems fraught with danger, but it might work…

In general, until that gets hashed out, I recommend DEFINITELY turning one of those on for your PayPal account. Money just deserves to be secured. :) For eBay, balance how worried you are about phishing versus how much you want sniping software…

If you’re not afraid of phishing, and feel confident that you can recognize a ‘phish’, then you don’t really need that security feature.

Either eBay will allow sniping software on their API (which they explicitly don’t right now), or perhaps I’ll develop some kind of a workaround like I described above. Unfortunately, I can’t really do that until they’re available in the US…

Best of luck with your auctions!

— Morgan Schweers, CyberFOX!

 
Avatar Peter Altherr 1 post

hi there,

i am living in germany and got my security key recently. of course due to the excitement :-) i have activated it not only for paypal but for ebay too. and now i have the scenario you have described. no more auction watching/sniping. jbidwatcher says something like “logged in” but in fact it gets stuck on the second step, waiting for the 6-digit security code. for me i have taken the decision to disable this feature for ebay and use it only for paypal.

by the way, morgan, your idea sounds not too bad. maybe this new security “feature” can be handled somehow.

keep up the good work (on jbidwatcher)

peter

 
Avatar Spinnaker 1 post

My wife and I both received solicitations from PayPal to buy the keys (we’re US eBayers). I think the one-time fee was $5.00(USD). We are both eBay sellers, and she maintains an eBay store—don’t know if that had anything to do with it. We haven’t taken them up on it yet, so I can’t confirm they are actually shipping them in the US yet. Part of the reason I have not bought one for my PayPal account was to prevent the possibility that they might subsequently propagate it to my eBay account also (and prevent me from sniping). An obvious drawback is that I couldn’t leave JBW running (and signed in) at home and also log in to my eBay account from an office or customer’s site at the same time, as I frequently do now.

The 6-hour expiration on the sign-in cookie suggested above would kill me. I am often away from my computer (that runs JBW) for several days at a time. Maybe there will be some kind of activity that JBW could simulate periodically that would renew the expiration time for the sign-in cookie. If they do expire the sign-in cookie, surely eBay will have some way to prevent logging out a user while he is in the middle of entering a last minute bid (manual snipe) as the session times out. Maybe JbidWatcher could go through the same motions to renew the expiration time.

Morgan, keep up the great work on JBidwatcher! We do appreciate all your effort. So far, JBidWatcher v1.0.2pre5 has been problem-free for me.

Regards,
Doug

 
Avatar vastator 2 post(s)

I recently got this PayPal key as well and connected it to eBay as well. But I wish I had not done it to the email one as it now has broken my jbidwatcher. It thinks it is logged in but I am not able to bid or even get the items off of My eBay. So heads up to anyone who gets that key.

 
Avatar vastator 2 post(s)

What I tried was rm the .jbidwatcher dir and then restarting. I login with my id and pass+security code, try to do a search for my watches and I get this in the error.log:
Thu Mar 27 18:22:42 EST 2008: Loading page 0 of My eBay for user vasy
Thu Mar 27 18:22:42 EST 2008: URL: http://my.ebay.com/ws/eBayISAPI.dll?MyeBay&LogU…:ME:PAGE&FolderId=&GotoPage=1
Thu Mar 27 18:22:42 EST 2008: No items on page!
Thu Mar 27 18:22:42 EST 2008: Loading page: http://my.ebay.com/ws/eBayISAPI.dll?MyeBay&Curr…
Thu Mar 27 18:22:42 EST 2008: No items on page!
Thu Mar 27 18:23:57 EST 2008: Saving to: /home/harri267/.jbidwatcher/JBidWatch.cfg

Not sure if it is related or not but bidding has stopped working as well.