To be fair they're pretty good now. They could easily force 2FA on PayPal and eBay accounts though. That would kill all the hacked accounts dead.
Er, no. It would make it more difficult, though.
"Identity" is a known "hard problem". See the government's repeated attempts to introduce identity management - when you look at the details the "how it fails" use cases multiply and the "can be used for" cases diminish. It reminds me of the old adage, "If you think encryption will solve your problem, you don't understand encryption and you don't understand your problem".
The credit card industry doesn't even try to authenticate identity - it, very sensibly, authenticates transactions.
If they forced 2FA (I should say MFA) and reauthentication before listing, it covers both scenarios in this case. As long as one factor is physical, i.e. a security token, then that stops non-possessors using intangible secrets which have been obtained or are shared. This leaves the rubber hose as the only remaining vector, which you can’t defend against.
Credit cards are completely different. And also wonky as fuck in the authentication side of things. On front office / POS, identity is number one. It’s very difficult which is why there’s a lot of assurance cycles burned up front followed by risk management followed by protection of identity when you have managed to develop a comprehensive profile. Do I want to sell a plan to Bob. Is Bob actually Bob? Is it the same Bob as the other 76 Bobs we have? Identity management is my bread and butter for ref.
There’s no encryption used at a conceptual level here; only in typical token auth scenarios.
Tl;dr: if they have a physical TOTP/HMAC token or, less good, an app, then it forces them to provide one more bit of information before doing something potentially fraudulent, using something an attacker doesn’t have possession of.
To be fair they're pretty good now. They could easily force 2FA on PayPal and eBay accounts though. That would kill all the hacked accounts dead.
Er, no. It would make it more difficult, though.
...
I see the trend of many commercial and govt entities using 2FA, though. It would be more of a PITA for the user base, but requiring an authenticator app/code challenge should certainly lower the number of stupid user password hacks, shouldn't it?
It does. It’s good enough to kill nearly all of this class of attacks dead in the water.
Edit: also it’s good enough to shift liability away from the technology provider. “Well you entered the token value. Were you in possession of the token? Oh no? We can’t help you then”