Noted online payment processing and e-wallet vendor Skrill yesterday announced that it now offers customers the option of enabling free two factor authentication via Google Authenticator on their e-wallet and merchant accounts.
In an email sent to merchant account holders, Skrill urged account holders to enable the new two factor authentication method, which is free to all account holders. Skrill has previously offered similar security via a hardware security token that merchants were required to pay for. This new method is free. We have checked our personal Skrill accounts and can confirm that this security measure is available to personal customers too, and it is a facility that we advise you activate on your account.
The more interesting part of the email is the strong recommendation that users change their password within the next 24 hours.
At Skrill we constantly aim to improve the online security of our merchant accounts.
To help with this, we are introducing two-factor authentication on all our merchant accounts. We STRONGLY recommend that you activate and use two-factor authentication and that you change your user account password within the next 24 hours.
For detailed instructions on how to activate and use two-factor authentication, please click here
The Skrill Team
Skrill followed this email up with another shortly after that urges merchants to activate IP address restrictions on their accounts. If they don't, Skrill is adopting a legally questionable tactic of demanding merchants sign an indemnity form that absolves Skrill of all responsibility for any fraudulent account transactions, even if the two factor authentication is used.
While we are always welcoming of better security practices and commend Skrill on rolling out free two factor authentication to all account holders, we have to question the motivation behind this decision and perhaps whether there is not more to this story. With account holders regularly complaining of compromised accounts, and personal accounts being locked and password resets forced, it smells a lot to us like there has been a security breach at Skrill and they are scrambling to shut the gates well after the horse has bolted.