02-25-2023 05:11 AM
The password change process is inconveniently muddied up. Since there does not seem to be a direct link to Security without giving out more personal information, I am here...hopefully it will leak back to Security. TO BEGIN - I have been involved with cybersecurity since decades before it was ever called that. I have a thorough understanding of the processes that have to come together to form a good security policy.
I had not been on eBay for quite a while and went through the password change process, which worked reasonably well (except for the fact that the 6 digit PIN was passed in the subject line, which goes through the email system in cleartext). Changed my password and needed to log in again (was verified by the change password module). That is not a bad thing but is a small nuisance.
Supplied user name and my new password - which was rejected as a wrong password - really? If it takes a bit to have your servers update then say so... I backed up to the original login screen and logged in from there - and was told that the login could not continue because my computer was not recognized. I can't speak for others but I have a LOT of computers and may not be using the same one every time. So it is likely that eBay had collected my IP address - other sites do that, but don't say that my password is wrong on login - they say that the issue is a different computer and do a simple email to account address with a confirmation PIN - another minor nuisance but happens often enough. Where things went sideways was when I went to customer support - useless - then Security - useless (no way to directly contact). Finally, I went back to login and flushed the cache, then TURNED OFF MY VPN and logged in without issue. The whole process could have been simplified with a few well placed messages like
- wait a few minutes before logging in,
- are you using a VPN?
Here is my take. Security features were layered up on already existing code, connecting in by reusing old error messages. The security module has to be considered as a single process and any changes tested against the entire process. Collecting IP addresses is old school anyway. Personally, I travel - a lot. It is not reasonable for me to have to turn off my VPN in the very environment (a hotel) where I need it the most.
So...here's the mission. Get the word to security that their processes are a mess of old and new code and need to be periodically reviewed, consolidated and tested.