eBay just announced the addition of the Account Guard feature to the eBay Toolbar. [via Payments News] While the announcement doesn't go into much detail, there is some interesting information in the Account Guard section of the Toolbar FAQ.
These are its features:
- Site Indicator – Verified Site and Potential Spoof Site: Located prominently on the toolbar, this feature displays a distinct visual indication when you are on a verified eBay or PayPal Web site, and alerts you when you are on a potential spoof Web site. The Site Indicator turns GREEN if you are on a verified eBay or PayPal Web site; RED if you are on a potential spoof site; and GREY if you are visiting an unidentified Web site. Note: this will be the most frequent indication when you are not on eBay or PayPal.
- eBay Password Protection: This feature warns you when you are entering your eBay password into an unverified site even if it looks like an eBay or PayPal site. The eBay Password Protection function will block the password from being submitted to the Web site – displaying an educational message about password protection – unless you affirm that you want to proceed in entering the password into the site.
- Report a Spoof Site. If you suspect that you are on a fake eBay or PayPal site, eBay Toolbar enables you to report the site to eBay so that eBay can take action. As soon as the report has been verified – and we confirm that the site is fraudulent – all eBay Toolbar users will benefit from having the most current information automatically uploaded to their toolbar.
Site Indicator is an example of visual security, which I like. It's not safe from visual spoofing, though, since the green light is just a bunch of green pixels. The presence of the eBay Toolbar doesn't even have to be detectable from the server side, because all hackers care about is a decent yield for their efforts. The more popular the toolbar is, the more easily its users are fooled. Having both the real and the fake toolbar appear at the same time won't be a problem, because the hacker can easily distract a sufficient number of users away from the real one.
eBay Password Protection is more interesting because it interrupts and warns the user with an alert dialog. The following FAQ items provide more info:
How does eBay Toolbar detect spoof sites?
eBay Toolbar detects and verifies spoof sites through a combination of technology and reports from the eBay Community. With the tremendous volume of spoof reports, eBay Toolbar leverages the vigilance of our community to enable all eBay Toolbar users to protect themselves.
How does eBay Toolbar block my password from spoof sites?
Before a user submits a password into a Web site, Account Guard reviews the submission and scans for the user's eBay password. This is done instantly and locally (on the user's computer) and does not involve sending any information to eBay. If the Toolbar detects a password match, it displays a pop up indicating that the user is about to send an eBay password to a non-eBay verified site.
eBay Toolbar alerts me every time I enter my eBay password into a non-eBay site. Why is this happening?
eBay, like most other companies, strongly encourages its users to choose unique passwords for all of the accounts (both on and offline) that they hold. The pop-up message warns you when you are about to enter your eBay password into a non-eBay site. You can disable this warning either in the eBay Toolbar preferences page, or on a site-by-site basis.
So the eBay Toolbar knows what the user's eBay password is and prevents the user from submitting the password to any site not on its list of verified sites, which is presumably downloaded from eBay and updated regularly. It makes sense to discourage users from using their eBay password elsewhere, but it's bound to annoy quite a number of eBay users, many of whom will have to change the universal passwords they use at many non-eBay sites. If it's good for ya, it's usually bitter.
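A local check of the kind the FAQ describes could look like the sketch below. It is an added example, not eBay's code. It assumes the verified-site list is a list of domains, and that the toolbar keeps a salted scrypt verifier of the password rather than the password itself. All function names and sample data are constructed.

```javascript
// Added example: local password-reuse check run before a form is submitted.
const crypto = require("node:crypto");

// Assumption: the verified-site list arrives as registrable domains.
const VERIFIED_DOMAINS = ["ebay.com", "paypal.com"];

// Keep a salted scrypt verifier on disk, never the password itself.
function makeVerifier(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}

// Hash a submitted field with the stored salt and compare in constant time.
function matchesVerifier(value, verifier) {
  const candidate = crypto.scryptSync(value, verifier.salt, 32);
  return crypto.timingSafeEqual(candidate, verifier.hash);
}

// Verified only for an exact domain or a dot-separated subdomain, over HTTPS.
// A substring test would wrongly accept "ebay.com.example.net".
function isVerifiedHost(actionUrl) {
  let url;
  try { url = new URL(actionUrl); } catch { return false; }
  if (url.protocol !== "https:") return false;
  const host = url.hostname.replace(/\.$/, "");
  return VERIFIED_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Returns "warn" when the protected password is headed to an unverified
// destination, otherwise "allow". The check uses the form's action URL,
// since that is where the password is actually sent.
function checkSubmission(actionUrl, fields, verifier, userAllowedHosts = new Set()) {
  if (isVerifiedHost(actionUrl)) return "allow";
  let host = "";
  try { host = new URL(actionUrl).hostname; } catch { /* unparsable: still scan */ }
  if (userAllowedHosts.has(host)) return "allow"; // site-by-site opt-out from the FAQ
  const hit = Object.values(fields).some(
    (v) => typeof v === "string" && matchesVerifier(v, verifier));
  return hit ? "warn" : "allow";
}

// Constructed sample data.
const verifier = makeVerifier("correct horse battery");
const form = { userid: "alice", pass: "correct horse battery" };
console.log(checkSubmission("https://signin.ebay.com/ws/login", form, verifier));          // allow
console.log(checkSubmission("https://signin.ebay.com.example.net/login", form, verifier)); // warn
```

Comparing whole field values against a hash only catches the password when it is submitted unmodified in its own field, a limit of not storing the plaintext.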
The feature I like the most is the easy spoof reporting, although it could create a lot of mess to clean up if misreports flood in. I hope eBay shares their experience with Account Guard.