Should You Be Worried About eBay?
So should eBay have acted sooner? Yes, in the sense they should have noticed earlier. But they didn’t because, apparently, there was no increase in fraud, which the company monitors assiduously. Indeed, the only inconvenience I’ve experienced myself when it comes to eBay and fraud has resulted from their being over-zealous.
And it’s plainly in their interest to keep customers’ details secure – investment in security is obviously vital to maintain trust. What’s truly shocking about eBay’s lapse, however, is that while passwords were encrypted, all the other data was not. That is probably why there has been little rise in fraud so far: millions of user names and passwords are valuable to criminals because people routinely reuse the same combinations on a host of sites, so trying them out automatically, at scale across the web, is easy.
But inputting your name, address, and all that is needed to steal your identity is a tougher challenge to automate – it’s really a manual job, albeit with a bigger prize at the end. So the real scandal is twofold: eBay didn’t encrypt all this data – and the company and its users seem to have got away with that lapse. What damage there is to its reputation, and what may emerge in the future, remains to be seen.
eBay hack puts millions at risk of identity theft
Millions of eBay customers could be at risk of identity theft after hackers stole personal data such as names, email and postal addresses, phone numbers and dates of birth, giving attackers the information they need to break in to other online accounts.
The auction site today asked all 145m of its active users to change their passwords as it emerged that hackers managed to access the names, email and postal addresses, phone numbers and dates of birth of customers. It is feared that those details could now be used to leverage access to users' other online accounts.
Some sites such as online banking services accept a date of birth and address as part of their secure log-in process, while telephone banking services will often request the same details to validate who they are talking to. Having a list of these personal details would make life easier for a malicious attacker.
The eBay hack did not include passwords stored in plain text, but encrypted passwords were stolen. The company was unable to say today how strong that encryption was. However, because the attack took place between late February and early March, it is possible that the thieves have had time to extract them, said David Emm, senior security researcher at Kaspersky Lab.
“It’s difficult to quantify the danger customers may be in following the eBay cyber attack, but of course any personal data in the wrong hands is bad news and it appears that the attackers have gained access to customers' names, email addresses, physical addresses, phone numbers and dates of birth, as well as encrypted passwords,” he said.
“The fact that this attack took place two to three months ago means the attackers have had additional time with which to attempt to decrypt the stolen passwords as well as make use of the other personal data.
“The worrying thing is that many people use a single password for more than one internet site and so if the passwords are compromised, they could be at further risk from cyber-criminal activity. The time lapse here highlights the urgency for customers to change not only their eBay and PayPal passwords but also on any other site that they use the same log-in details for.”
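The article does not say how eBay's passwords were protected, only that they were "encrypted" and that the attackers had months to work on them. The following is an added example (not eBay's code, and not from the article) showing why that storage choice decides how much the time lag matters. It uses a constructed dump of six made-up users and a five-word guess list: with fast unsalted SHA-1, one hash computation per candidate word cracks every user who chose that word; with a per-user salt and a slow key-derivation function (PBKDF2 here), the attacker pays one slow computation per user per guess, which is what turns "months" into real protection. The user names, passwords and word list are assumptions for the demonstration.

```python
import hashlib
import os

# Constructed sample "dump": made-up users, three of whom reuse "password1".
# None of this is real data from the breach.
USERS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "password1",
    "dave": "correct horse battery staple",
    "erin": "password1",
    "frank": "qwerty123",
}

# A tiny attacker word list (assumption for the example).
WORDLIST = ["123456", "password1", "qwerty123", "letmein", "iloveyou"]

# Iteration count for the slow scheme; kept modest so the example runs quickly.
ITERATIONS = 50_000


def unsalted_dump(users):
    """Weak storage: bare SHA-1 of the password, no salt, no work factor."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}


def salted_dump(users, iterations=ITERATIONS):
    """Better storage: random 16-byte salt per user plus PBKDF2-HMAC-SHA256."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations))
    return out


def crack_unsalted(dump, wordlist):
    """Offline attack on the weak dump.

    Hash each candidate word once, then look every stored digest up in that
    table: the cost is len(wordlist) hashes no matter how many users there are,
    and identical passwords fall together.  Returns (cracked, hash_count).
    """
    table = {}
    work = 0
    for w in wordlist:
        table[hashlib.sha1(w.encode()).hexdigest()] = w
        work += 1
    cracked = {u: table[h] for u, h in dump.items() if h in table}
    return cracked, work


def crack_salted(dump, wordlist, iterations=ITERATIONS):
    """Offline attack on the salted dump.

    The salt defeats the shared table, so each guess must be recomputed for
    each user, and each computation is deliberately slow.  Returns
    (cracked, kdf_count).
    """
    cracked = {}
    work = 0
    for u, (salt, digest) in dump.items():
        for w in wordlist:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == digest:
                cracked[u] = w
                break
    return cracked, work


if __name__ == "__main__":
    weak, weak_work = crack_unsalted(unsalted_dump(USERS), WORDLIST)
    strong, strong_work = crack_salted(salted_dump(USERS), WORDLIST)
    print(f"unsalted SHA-1: cracked {sorted(weak)} with {weak_work} fast hashes")
    print(f"salted PBKDF2:  cracked {sorted(strong)} with {strong_work} slow derivations")
```

Both attacks recover the same five weak passwords from this toy dump, which is the point Emm is making about reuse: the stolen list is worth cracking because the results open other sites. What changes is the attacker's bill. The unsalted run costs five cheap hashes regardless of user count, whereas the salted run costs one slow derivation per user per guess (18 here, and it scales with the 145m accounts mentioned above), which is why a dump's resistance to "time to decrypt" depends entirely on how the passwords were stored.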
Paul Martini, chief executive at iboss Network Security, said that eBay could be viewed as the "golden goose of hacking targets" because of the vast scale of information it holds.
"The damage could well have already been done, as the time lag between the cyber breach and the discovery of the breach is in the months," he said. "Cyber hackers may not hit the obvious target of siphoning money or goods out of eBay; they may take the personal information gained from the database and target other popular sites."
It is thought that hackers managed to access some eBay employee log-ins which gave access to the company's corporate network. From there the attackers were able to access the database containing users' information and steal the data.
Today eBay said that it is "aggressively investigating the matter" along with law enforcement agencies in the US, because all of the company's servers are based there, and will be using the "best forensic tools" to track down the culprits.
The company will be sending an email to each user today to notify them of the data breach and ask them to change their password. They will also be advised to change their log-in on any other websites if they used the same password there.
It will also be making changes to its website within the next 24 hours that will force users to change their password the next time that they log on.
"We believe we have shut down unauthorised access to our site and have put additional measures in place to enhance our security," it said.
It is not yet clear why there was such a long delay between the attack and users being informed, but eBay says that it first discovered the attack "earlier in May". Since then the company has been performing a "forensic analysis