Unlike most leading e-commerce sites, eBay does not automatically encrypt much of the data sent between customers' computers and eBay's servers, which means that when customers type their password into eBay's Web site, that information can be viewed by hackers.
Most e-commerce sites use Secure Sockets Layer (SSL), a technology that encrypts sensitive information such as customer passwords and account activity while the data is in transit to another computer.
"SSL is typically a no-brainer on any Web site," said John Pescatore, research director for Internet security at Gartner.
eBay users have the option to log in using SSL, but the default is to use an insecure login. Even if customers log in using SSL, they are taken to non-SSL pages if they want to change their password or view account balances.
"They are doing their users a disservice," Pescatore said. "They really should make SSL the default option."
eBay did not return repeated calls seeking comment.
The importance of securing account information on eBay and other sites has become more apparent in recent months. Since January, a growing number of eBay members have seen their accounts taken over and used to set up fraudulent auctions. The scam artists parlay the members' good reputations into bids--then take off with the cash.
eBay has said that such scams are relatively few in number and that overall, the percentage of confirmed fraudulent auctions is less than one one-hundredth of 1 percent of all listings.
But customers are concerned. Identity theft and auction fraud are the top two most frequently cited consumer fraud complaints filed with the Federal Trade Commission.
SSL has been the de facto standard for transmitting passwords and other data since Netscape introduced the protocol in the mid-1990s. E-commerce sites such as Amazon.com and Buy.com use it to secure customers' orders. Customers of online brokerages such as E*Trade Financial can't access any personal data except through pages secured by SSL.
Information sent without SSL can be monitored by hackers using so-called "packet sniffing" programs. However, in recent years, there have been few reports of breaking into accounts by sniffing out passwords, security experts say.
eBay has blamed the recent examples of identity theft on its site on automated programs that execute a so-called "dictionary attack," taking a known user ID and trying to match it with a list of common passwords and a dictionary of words.
The company has also warned members about fake e-mail that appears to come from eBay asking for users' passwords or other account information. Wells Fargo, Bank of America and PayPal have warned customers of similar scams in recent months.
Gaining access to accounts through scams such as these is much easier than trying to find user passwords via packet sniffing programs, security experts say. With a packet sniffer, a hacker would have to know what stream of data to monitor and would have to weed through a lot of useless data to find a password or something else that's useful.
"You're drinking from a fire hose," said Chris Christiansen, a security analyst with IDC.
But attackers will go after the weakest link, Pescatore noted. The paucity of sniffing attacks may be simply because of the success of SSL, he said. By not using SSL, eBay may be inviting people to snoop on its data, he said.
"Most burglars don't use the front door to break into a home; they use an open window or some other way. But if you left the front door open, the burglars would use it," Pescatore said.
Making SSL the default option when people log in and using it to protect sensitive data on the site may not in reality provide a lot of added security, said Matthew Berk, an analyst who covers Web site technologies and operations for Jupiter Media Metrix. But eBay would be wise to use SSL more thoroughly on its site to manage user expectations, he said.
"What's probably more tangible than the actual security risk is the perceived security risk," Berk said. "As an industry leader, they need to make every effort to convince users that they are using the most secure methods possible."
(PRWEB) November 1, 2004 -- There is a huge problem for buyers of goods at the online auction site: people with two user ids. You start to bid on an item at eBay. It looks good; no one else is bidding. Suddenly you are in a bidding war with another user. The problem is, the other user is the seller of the item.
A seller lists an item for sale on eBay. Near the end of the auction, the seller logs into the system with an alternate user id. Using this id, he/she starts to bid on the item. The bidding continues to the point that the seller actually wins the auction, likely using an automated piece of software to do it.
Now the seller sends a "second chance" email to "you" saying that the winner of the auction has retracted their bid, and that the item is now available to "you" at the winning bid price.
Basically, the seller is going online with an alternate user id, jacking up the auction price, then selling the item to you at that price! What can a person do to protect themselves?
One identifying feature is that the alternate user id usually has a buying score of zero, because a transaction is never actually completed. The alternate id is just a tool to help jack up the auction price.
There are a number of ways eBay could and should protect its users from this kind of thing; it's appalling that they don't already.
For example, each person that signs up for eBay should be allowed only one IP address per user id per session. The IP address should also be logged to trace abuse. While this is not a very strong measure, it is a start. The person could still have two accounts at two different Internet Service Providers.
More effective would be one user id, verified by any or all of the following means: telephone, email, IP address or postal mail. Postal mail for residential and business address verification is used by many services including PayPal.
Users should not be able to change their id without re-verifying their account, and a reference to their old id should be visible so there are no more cases of "apparently disappearing sellers".
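An added example (not code from the press release or from eBay) that turns the indicators from the scheme described above, a winning id with a zero buying score that bid only near the close followed by a "second chance" offer, together with the IP logging proposed as a countermeasure, into a check over constructed bid records; the user ids, addresses and the ten-minute window are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Bid:
    bidder: str
    amount: float
    minutes_before_close: int   # how long before the auction ended the bid was placed
    bidder_completed_buys: int  # the bidder's buying score when the bid was placed
    source_ip: str              # logged client address (the write-up proposes logging these)

@dataclass
class Auction:
    seller: str
    seller_ips: set             # addresses the seller's own sessions came from
    bids: list
    second_chance_sent: bool    # seller offered the item to the runner-up after a "retraction"

def shill_indicators(auction, late_window=10):
    """Return the write-up's indicators present in one auction: winning id has a zero buying
    score, bid only near the end, shares an address with the seller, second-chance offer sent."""
    if not auction.bids:
        return []
    winner = max(auction.bids, key=lambda b: b.amount)
    winner_bids = [b for b in auction.bids if b.bidder == winner.bidder]
    found = []
    if winner.bidder_completed_buys == 0:
        found.append("winner_has_zero_buying_score")
    if all(b.minutes_before_close <= late_window for b in winner_bids):
        found.append("winner_bid_only_in_last_%d_minutes" % late_window)
    if any(b.source_ip in auction.seller_ips for b in winner_bids):
        found.append("winner_shares_ip_with_seller")
    if auction.second_chance_sent:
        found.append("second_chance_offer_after_win")
    return found

# Constructed sample matching the scheme: the seller's alternate id "newbie99" appears
# with a zero buying score only in the last minutes, from the seller's own address.
SAMPLE = Auction(
    seller="gadgetdealer",
    seller_ips={"203.0.113.7"},
    bids=[Bid("honestbuyer", 40.0, 180, 12, "198.51.100.20"),
          Bid("newbie99", 45.0, 6, 0, "203.0.113.7"),
          Bid("honestbuyer", 50.0, 4, 12, "198.51.100.20"),
          Bid("newbie99", 55.0, 1, 0, "203.0.113.7")],
    second_chance_sent=True,
)
```

Any single indicator can have an innocent explanation (genuine new buyers also have a zero score); the list is meant for review, with all four together being the strong signal.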
eBay has become a breeding ground for software pirating, scams and fraud. Will eBay step up to the plate and do something about their security disaster to protect their customers?
Will eBay ensure that each person is limited to one user id and enforce it?
They will, if the buying public demands it.
Send your complaints to the links at this address:
http://www.elsop.com/wrc/complain.htm