When eBay admitted Wednesday that it had been the victim of a cyberattack, the company asked all of its 145 million active users to change their passwords. But the intruders had access to a customer database that also included other personal information, including names, mailing addresses and dates of birth — data that can't so easily be changed.
The good news is that eBay says that no financial or credit card information was compromised. Financial data was stored on separate systems, and eBay says there's no evidence that any PayPal data was compromised. The bad news is that the data that was compromised was still important.
EBay representatives told Mashable the company had no idea how many of its 145 million active accounts were seen by the intruders. Millions more inactive accounts could also be affected.
The company said that the attack occurred between late February and March, and that the following information was accessible to the hackers:
Customer name
Encrypted password
Email address
Physical address
Phone number
Date of birth
That's a lot of important information. In fact, as the attack against Wired reporter Mat Honan demonstrated, access to just a bit of personal information — like a phone number, email and physical address — paired with good old-fashioned social engineering can lead to massive amounts of damage.
Many password-reset questions involve a birthday, phone number and physical address. At the very least, this sort of data would make it easy for criminals attempting to bypass security settings. It could also be used to aid identity-theft schemes.
Already, as researcher Ashkan Soltani notes, at least one person claims to be selling the alleged user database. The person in question wants 1.453 BTC (about $753) in exchange for access to a supposed 145,312,663 unique records. But it seems to be a fake, based on eBay's response:
Still, it seems more likely than not that at least some of the stolen information will make its way to various underground markets that deal in exchanging personal data.
Be aware of email and phone scams
Security reporter Brian Krebs says it's quite likely that the email addresses on this list will receive more spam. He says that spam will "probably include phishing attacks aimed at stealing login information and/or spreading malware."
Krebs believes this kind of database would be "a gold mine for telephone-based scam artists."
Adds Krebs: "Armed with just bits of information about people, scam artists can often dramatically improve the success of schemes that try to trick people into giving away more personal and financial data."
Not all data encrypted
For me, the most concerning aspect of this attack was that the only information eBay encrypted in its database was the user password. Depending on the type of cryptography scheme used, cracking those passwords may be very difficult or very easy for an attacker. Still, at least the passwords had some form of encryption.
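The point that the storage scheme decides whether a leaked password table is useful, shown with an added Python example that is not part of the article and says nothing about what eBay actually used: the same constructed user passwords stored once as an unsalted fast hash (SHA-1) and once with a per-user salt and an iterated KDF (PBKDF2-HMAC-SHA256). The wordlist and user names are constructed sample data.

```python
"""Unsalted fast hash vs. salted, iterated KDF for stored passwords.

Added example (not from the article). With an unsalted fast hash, a table
of common passwords built once reverses every matching digest in any dump.
With a per-user salt and PBKDF2 the table is useless and each guess costs
the full iteration count, so the same leak is far less damaging.
"""
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2 work factor; raise it as hardware gets faster

# Constructed sample data: a small "common passwords" list and three users
# (alice and carol share a weak password).
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "welcome1"]
USERS = {"alice": "letmein", "bob": "Tr0ub4dor&3", "carol": "letmein"}


def fast_unsalted(password: str) -> str:
    """Weak legacy scheme: one unsalted SHA-1 digest per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_salted(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Recommended scheme: per-user random salt plus an iterated KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str) -> dict:
    """What the service should store: salt, iteration count and digest."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "iterations": ITERATIONS,
            "digest": slow_salted(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = slow_salted(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def precomputed_table(wordlist) -> dict:
    """digest -> password map; built once, reusable against any unsalted dump."""
    return {fast_unsalted(pw): pw for pw in wordlist}


def exposed_by_unsalted_dump(dump: dict, table: dict) -> dict:
    """Users whose unsalted digest is in the table are exposed immediately."""
    return {user: table[d] for user, d in dump.items() if d in table}
```

Two users with the same password get different salted digests, so a shared weak password is not visible in the salted table, while the unsalted table reveals both at once.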
It's shocking that names, phone numbers, dates of birth, email addresses and home addresses were not only not encrypted — but stored in plain text. And keep in mind, this data is not optional. In order to sign up for an eBay account, a user must provide a name, address and phone number. If you want to sell anything on eBay, you must provide a birthdate showing you are over 18.
So for those 145 million active eBay accounts, users had no choice of what information to give the company. It's shocking that eBay would choose not to encrypt that kind of sensitive information.
A call for data security standards?
Cyberattacks are increasing all the time. Nearly every week, we hear about yet another data breach or password reset opportunity. But passwords and credit card data are only one part of the problem.
For privacy advocates, the fact that so many services and companies require access to so much personal information is already disconcerting. But even if you put privacy issues aside, is it time to start forcing companies to store personal information in a secure manner?
There are already industry standards around how payment information can be stored and secured. Maybe it's time we start requiring online services to treat our personal information with similar reverence.
A user can change her password. She might not do it as often as she should, but a password can be changed. Once treasure troves of identifiable information are available — especially when the information is linked to an online identity — that's something the user can't control.
Credit cards and banks offer protection against fraud. That same type of protection isn't available for identity theft (and what is available is costly in time and money).
If billion-dollar companies want us to give up our personal information, shouldn't we make sure they are going to protect it?
Posted by: Gizmeon