Friday 23 May 2014

EBay Users Still at Risk After Cyberattack, Even If They Change Passwords

When eBay admitted Wednesday that it had been the victim of a cyberattack, the company asked all of its 145 million active users to change their passwords. But the intruders had access to a customer database that also included other personal information, including names, mailing addresses and dates of birth — data that can't so easily be changed.
The good news is that eBay says that no financial or credit card information was compromised. Financial data was stored on separate systems, and eBay says there's no evidence that any PayPal data was compromised. The bad news is that the data that was compromised was still important.
EBay representatives told Mashable the company had no idea how many of its 145 million active accounts were seen by the intruders. Millions more inactive accounts could also be affected.
The company said that the attack occurred between late February and March, and that the following information was accessible to the hackers:
Customer name
Encrypted password
Email address
Physical address
Phone number
Date of birth
That's a lot of important information. In fact, as the attack against Wired reporter Mat Honan demonstrated, access to just a bit of personal information — like a phone number, email and physical address — paired with good old-fashioned social engineering can lead to massive amounts of damage.
Many password-reset questions involve a birthday, phone number and physical address. At the very least, this sort of data would make it easy for criminals attempting to bypass security settings. It could also be used to aid identity-theft schemes.
Already, as researcher Ashkan Soltani notes, at least one person claims to be selling the alleged user database. The person in question wants 1.453 BTC (about $753) in exchange for access to a supposed 145,312,663 unique records. But it seems to be a fake, based on eBay's response:
Still, it seems more likely than not that at least some of the stolen information will make its way to various underground markets that deal in exchanging personal data.
Be aware of email and phone scams
Security reporter Brian Krebs says it's quite likely that the email addresses on this list will receive more spam. He says that spam will "probably include phishing attacks aimed at stealing login information and/or spreading malware."
Krebs believes this kind of database would be "a gold mine for telephone-based scam artists."
Adds Krebs: "Armed with just bits of information about people, scam artists can often dramatically improve the success of schemes that try to trick people into giving away more personal and financial data."
Not all data encrypted
For me, the most concerning aspect of this attack was that the only information eBay encrypted in its database was the user password. Depending on the type of cryptography scheme used, cracking those passwords may be very difficult or very easy for an attacker. Still, at least the passwords had some form of encryption.
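The difference the previous paragraph alludes to is the hashing scheme. The following is an added example, not eBay's code and not a description of what eBay actually used: it contrasts an unsalted single-round SHA-1 (the weak "before" picture, where every user with the same password gets the same digest and one precomputed lookup covers the whole table) with per-user salted, iterated PBKDF2-HMAC-SHA256 from Python's standard library. The iteration count and the record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256. Constructed value for this example;
# in production it is tuned so one hash costs a noticeable fraction of a second.
ITERATIONS = 200_000


def weak_hash(password: str) -> str:
    """Unsalted, single-round SHA-1 (the weak scheme, shown only for contrast).
    Identical passwords produce identical digests, so a leaked table can be
    attacked with one precomputed lookup across every user at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as a self-describing record:
    scheme$iterations$salt_hex$digest_hex (record format is an assumption)."""
    salt = secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time, so a mismatch leaks nothing about where it differs."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_digest_groups(records) -> int:
    """Given (username, stored_hash) pairs, count digests that more than one
    user shares. With an unsalted scheme a leaked table exposes these groups
    directly; with per-user salts the count is zero even for reused passwords."""
    counts = {}
    for _, stored in records:
        counts[stored] = counts.get(stored, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


if __name__ == "__main__":
    # Constructed sample accounts: two users chose the same password.
    users = [("alice", "password"), ("bob", "password"), ("carol", "tr0ub4dor&3")]
    weak_table = [(u, weak_hash(p)) for u, p in users]
    strong_table = [(u, hash_password(p)) for u, p in users]
    print("shared digests, unsalted SHA-1:", shared_digest_groups(weak_table))
    print("shared digests, salted PBKDF2 :", shared_digest_groups(strong_table))
    print("verify alice:", verify_password("password", strong_table[0][1]))
    print("verify wrong:", verify_password("Password", strong_table[0][1]))
```

Running it shows one shared digest in the unsalted table and none in the salted one, and that verification succeeds only for the exact password. The remaining lever is the iteration count: it makes each guess expensive for an attacker holding a stolen table without changing what the legitimate login path does.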
It's shocking that names, phone numbers, dates of birth, email addresses and home addresses were not only not encrypted — but stored in plain text. And keep in mind, this data is not optional. In order to sign up for an eBay account, a user must provide a name, address and phone number. If you want to sell anything on eBay, you must provide a birthdate showing you are over 18.
So for those 145 million active eBay accounts, users had no choice of what information to give the company. It's shocking that eBay would choose not to encrypt that kind of sensitive information.
A call for data security standards?
Cyberattacks are increasing all the time. Nearly every week, we hear about yet another data breach or password reset opportunity. But passwords and credit card data are only one part of the problem.
For privacy advocates, the fact that so many services and companies require access to so much personal information is already disconcerting. But even if you put privacy issues aside, is it time to start forcing companies to store personal information in a secure manner?
There are already industry standards around how payment information can be stored and secured. Maybe it's time we start requiring online services to treat our personal information with similar reverence.
A user can change her password. She might not do it as often as she should, but a password can be changed. Once treasure troves of identifiable information are available — especially when the information is linked to an online identity — that's something the user can't control.
Credit cards and banks offer protection against fraud. That same type of protection isn't available for identity theft (and what is available is costly in time and money).
If billion-dollar companies want us to give up our personal information, shouldn't we make sure they are going to protect it?
Posted by : Gizmeon
