Reports recently surfaced that Google was alerted to security holes in its IoT security camera products and declined to patch them. This was quite frightening for two reasons. First, the fix was apparently straightforward, and second, the hole was readily and easily available to burglars with even a modicum of tech savviness.

Meanwhile, eBay seems to be encouraging users to downgrade their security defenses by giving up the hardware tokens they use for two-factor authentication and relying on text messages instead. Yes, eBay suggested that users make themselves more vulnerable to identity thieves. With these two recent incidents, is it any wonder that IT is suspicious about whether major companies are taking security seriously?

Let’s start with the Google situation. At issue is a series of products marketed as Nest Dropcam, Nest Dropcam Pro, Nest Cam Outdoor and Nest Cam Indoor. The Boing Boing story linked above provided more details:

“Researcher Jason Boyle discovered that sending long wifi network names or passwords to cameras over their Bluetooth interfaces (which cannot be disabled) will cause them to reboot. It would be trivial for a home intruder to reboot all the cameras in a home before breaking in. More seriously, a camera that is passed a malformed wifi network name can be made to disconnect from its home wifi for 60-90 seconds. This time can be extended by feeding it a stream of malformed wifi names,” the story said. It added that another flaw “allows the attacker to force the camera to temporarily disconnect from the wireless network to which it is connected by supplying it a new SSID to connect to. If that particular SSID does not exist, the camera drops its attempt to associate with it and returns to the original Wi-Fi network, but the whole process can last from 60 to 90 seconds, during which the camera won’t be recording.”

To be fair, these attacks do require the burglar (or, for that matter, murderer or rapist) to engage in a bit of physical gymnastics. The attacker first needs to get close enough to the camera to access Bluetooth — distances vary based on device and environment, and can even vary between initially making the handshake and maintaining the connection. But these are security cameras, so the attacker must achieve this potentially very short distance while also staying out of the camera’s view. After all, if the attacker is filmed before initiating the connection, the point of this exercise may be lost.

This problem is hardly insurmountable. But it involves studying the camera beforehand to learn the proper angle and positioning needed to access Bluetooth without being seen.

Another logistical challenge arises if the property is protected by multiple cameras. The blackout period referenced here (generally shy of 90 seconds) could be enough time to force entry, but it’s unlikely to be enough to complete the crime and escape. Hence, a network of nine or ten cameras may make this hole fairly trivial.

Those disclaimers all disclaimed, for the typical home that might have just one camera focusing on the front door, this could be a very significant hole.

So why didn’t Google fix it in the months it was given? Did it fear that confirming the hole’s existence — which a patch would presumably do — would undermine Google’s marketing messaging? That would be a terrible reason to leave a hole unpatched, but without a better explanation offered by Google, it’s a place to start.

Another question: Why was Bluetooth access enabled for a security device designed to be mounted outdoors?
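The column says the fix was apparently straightforward. On the camera side, the straightforward part is strict validation of whatever arrives over the provisioning interface before it touches a fixed-size buffer or is handed to the Wi-Fi stack. The C below is an added example written for this page; it is not Nest or Google code, and it does not reproduce the actual bug, whose root cause the story does not state. The length limits are the IEEE 802.11 and WPA2 specification bounds (32-octet SSID; 8 to 63 printable characters or exactly 64 hex digits for the passphrase); the `wifi_creds` record, the function names and the sample requests are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Spec bounds, not values from any Nest firmware: IEEE 802.11 caps an SSID at
 * 32 octets, and a WPA2 passphrase is 8..63 printable ASCII characters or
 * exactly 64 hex digits for a raw pre-shared key. */
#define SSID_MAX_LEN 32
#define PSK_MIN_LEN   8
#define PSK_MAX_LEN  63
#define PSK_HEX_LEN  64

enum prov_status {
    PROV_OK = 0,
    PROV_ERR_SSID_EMPTY,
    PROV_ERR_SSID_TOO_LONG,
    PROV_ERR_SSID_NOT_PRINTABLE,
    PROV_ERR_PSK_LEN,
    PROV_ERR_PSK_NOT_PRINTABLE,
    PROV_ERR_PSK_NOT_HEX
};

/* Hypothetical fixed-size credential record. It is written only after every
 * check has passed, so an oversized request can never reach it. */
struct wifi_creds {
    char ssid[SSID_MAX_LEN + 1];
    char psk[PSK_HEX_LEN + 1];
};

static int all_printable_ascii(const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (p[i] < 0x20 || p[i] > 0x7e) return 0;
    return 1;
}

static int all_hex(const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint8_t c = p[i];
        if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')))
            return 0;
    }
    return 1;
}

/* Validate a raw (ssid, psk) pair from an untrusted channel BEFORE copying it
 * anywhere or handing it to the Wi-Fi stack. Lengths come from the caller's
 * framing, never from a NUL search inside the received bytes. */
enum prov_status validate_wifi_creds(const uint8_t *ssid, size_t ssid_len,
                                     const uint8_t *psk, size_t psk_len,
                                     struct wifi_creds *out) {
    if (ssid_len == 0) return PROV_ERR_SSID_EMPTY;
    if (ssid_len > SSID_MAX_LEN) return PROV_ERR_SSID_TOO_LONG;
    /* 802.11 allows arbitrary SSID bytes, but a provisioning path only needs
     * printable text; rejecting control bytes is a design choice made here. */
    if (!all_printable_ascii(ssid, ssid_len)) return PROV_ERR_SSID_NOT_PRINTABLE;

    if (psk_len == PSK_HEX_LEN) {
        if (!all_hex(psk, psk_len)) return PROV_ERR_PSK_NOT_HEX;
    } else if (psk_len < PSK_MIN_LEN || psk_len > PSK_MAX_LEN) {
        return PROV_ERR_PSK_LEN;
    } else if (!all_printable_ascii(psk, psk_len)) {
        return PROV_ERR_PSK_NOT_PRINTABLE;
    }

    if (out) {  /* both fields fit by construction at this point */
        memcpy(out->ssid, ssid, ssid_len); out->ssid[ssid_len] = '\0';
        memcpy(out->psk, psk, psk_len);    out->psk[psk_len] = '\0';
    }
    return PROV_OK;
}

/* Convenience wrapper for NUL-terminated strings (tests, CLI tools). */
enum prov_status validate_wifi_creds_str(const char *ssid, const char *psk) {
    return validate_wifi_creds((const uint8_t *)ssid, strlen(ssid),
                               (const uint8_t *)psk, strlen(psk), NULL);
}

int main(void) {
    /* Constructed requests: one legitimate, then the kind of stream of
     * oversized or malformed names the story describes. None of the bad ones
     * reaches the credential buffer or the Wi-Fi stack. */
    static const char *samples[][2] = {
        { "HomeNet-2G",                               "correct horse battery" },
        { "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",  "correct horse battery" },  /* 40-byte SSID */
        { "Home\x01Net",                              "correct horse battery" },  /* control byte */
        { "HomeNet-2G",                               "short" },
        { "HomeNet-2G", "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdeg" }, /* 64 chars, not hex */
    };
    struct wifi_creds creds;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum prov_status st = validate_wifi_creds(
            (const uint8_t *)samples[i][0], strlen(samples[i][0]),
            (const uint8_t *)samples[i][1], strlen(samples[i][1]), &creds);
        printf("request %zu: %s (status %d)\n", i + 1,
               st == PROV_OK ? "accepted" : "rejected", (int)st);
    }
    return 0;
}
```

The validator deliberately does nothing about the second flaw the story describes, the 60-to-90-second dropout when the camera is handed a non-existent SSID. That is a policy problem rather than a parsing one: the bytes can be perfectly well-formed and the camera still walks away from a working connection on an unauthenticated say-so, so the defensive answer there is to keep the current association until the new network has actually been confirmed, not to validate the bytes harder.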
Bluetooth generally has weak, if any, authentication, on the premise that extreme physical proximity implies authorization. Does that premise hold up in the case of an outdoor security camera?

Now we turn to eBay. It asked customers who already had good security to soften their defenses.

Part of the rationale is the age-old security-versus-convenience thinking, where companies fear that insisting on robust security will inconvenience customers to the point where they don’t bother or where they will look for companies that are easier to work with. But that doesn’t seem to be the key issue here, since eBay was approaching customers who were already using better security.

The particulars of the eBay situation were laid out in a story in KrebsOnSecurity.

eBay wanted Brian Krebs “to switch from using a hardware key fob when logging into eBay to receiving a one-time code sent via text message,” the story said. “I found it remarkable that eBay, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is now essentially trying to downgrade my login experience to a less-secure option. The move by eBay comes just months after the National Institute for Standards and Technology (NIST) released a draft of new authentication guidelines that appear to be phasing out the use of SMS-based two-factor authentication. NIST said one-time codes that are texted to users over a mobile phone are vulnerable to interception, noting that thieves can divert the target’s SMS messages and calls to another device, either by social engineering a customer service person at the phone company, or via more advanced attacks like SS7 hacks.”

eBay apparently said that the change “was more about bringing authentication in-house (the security key is made by Verisign) and that eBay hopes to offer additional multifactor authentication options in the future.”

That makes no sense. If that was eBay’s concern, it would have waited until it had created — or purchased — its own hardware tokens and then simply offered the tokens to existing customers and offered those customers an incentive to switch.

To ask customers with good security to abandon it now — without offering a comparably secure alternative — is absurd. If eBay wanted to send the message that it doesn’t care about protecting its customers or its data, it picked an ideal way to do it.

Physical tokens are excellent authentication devices when coupled with other elements, since they pose considerable obstacles to long-distance attackers. Then again, if homeowners chose to store their hardware tokens on top of their Google security cameras, they may have some issues.