Following news that one of eBay’s databases containing end-user passwords has been compromised after hackers gained access to ‘a small number of employee log-in credentials’, find the following comments, thoughts and opinions from a range of industry experts including Kaspersky, High-Tech Bridge & Tripwire.
David Emm, Senior Security Researcher at Kaspersky Lab:
“It’s difficult to quantify the danger customers may be in following the eBay cyber-attack, but of course any personal data in the wrong hands is bad news and it appears that the attackers have gained access to customers’ names, email addresses, physical addresses, phone numbers and dates of birth, as well as encrypted passwords. The fact that this attack took place two to three months ago means the attackers have had additional time with which to attempt to decrypt the stolen passwords as well as make use of the other personal data. While it might seem as though eBay has been slow to respond but if the company has only just discovered the full extent of the attack it is now doing the right thing by notifying customers in a timely manner.
The worrying thing is that many people use a single password for more than one internet site and so if the passwords are compromised, they could be at further risk from cyber-criminal activity. The time lapse here highlights the urgency for customers to change not only their eBay and PayPal passwords but also on any other site that they use the same log-in details for.
Many people will also be asking whether this is related to Heartbleed. I suspect that the two are not linked, although of course we can’t rule it out. The Heartbleed bug has been around for two years and was discovered after this attack took place. However, eBay states that the leaked information was a result of a compromised database, whereas Heartbleed is a vulnerability that lies in the mechanism used to encrypt data.”
Ilia Kolochenko, CEO of Information Security Company High-Tech Bridge:
“Unfortunately, the number of such security incidents will only grow in the future. Cloud, decentralised storage and outsourcing spread corporate information across numerous different sources and locations, some of which cannot even be clearly identified. Obviously hackers are looking for the most efficient ways of hacking (time and cost efficient) and will not attack eBay’s front-end as it is quite secure, but rather find one of their partners/suppliers who has access to the data, easily hack him and get the same data as if they hacked eBay directly.”
“The most dangerous consequence for the end-users is password re-use attacks – when one (or similar) password is being used for several or even all user accounts. Encryption does not really help, as our penetration testing practice shows – over 80% of encrypted hashes [used on web applications] can be bruteforced within 48 hours. But even a 50-random-characters password cannot guarantee a 100% security, as hackers can just intercept passwords in plain-text when users are logging-in for example [in case is hackers have access to web application of course]. This is why eBay is doing a good thing by advising users to change the passwords asap; people should not rely on encryption.”
“Centralization of data storage, regular and independent security audits and penetration tests can significantly help to improve the situation and minimize the risks.”
Richard Parris, CEO and founder of Intercede:
“While eBay is right to advise its users to change passwords, the real issue is that usernames and passwords are increasingly unfit for purpose – they do not offer proof of a person’s identity and are easily lost, stolen or hacked. To be even remotely effective, they have to be increasingly complex, which makes them harder to remember and very user-unfriendly. What’s more, many people use the same username and passwords combination for multiple sites and applications, so it’s not just the information that eBay holds that is potentially at risk, but information on any other application with the same password – that could include email accounts, mobile banking, online shopping to name just a few.
“All businesses, including eBay need to wake up to these risks and adopt stronger authentication for both employees and users of their services or sites. The answer lies in two-factor authentication – something you have and something you know. We’re already familiar with this and use it in the form of chip and PIN everyday with our bank cards. It’s now time for businesses and society to wake up to the fact that passwords are dead and we need a more secure alternative.”
Toyin Adelakun, VP of Products for Sestus:
“This appears to be more serious than a ”mere” password smash-and-grab. Rather, it seems eBay customers’ names, encrypted passwords, email addresses, physical addresses, ‘phone numbers and dates of birth were stolen. Passwords can and must be reset—especially if they’re reused elsewhere—but the other personal data cannot easily be reset.
If eBay confirms that wider personal data has been stolen, users must maintain extreme vigilance of all financial statements and of their credit reference files. Users with reason to suspect their identities have been stolen can contact the fraud prevention service CIFAS<http://www.cifas.org.uk/pr> (in the UK – equivalents elsewhere), and consider asking it to put a ‘protective registration’ on credit reference file. This service costs about £20 (about US$30) and alerts lenders to conduct further checks before approving credit applications. The erstwhile silver bullet of “identity theft insurance” has become somewhat deprecated over the last few years, but users considering such protection should satisfy themselves that such policies definitely offer adequate protection against actual losses.
Generally, institutional, regulatory and legal responses to identity theft are immature and still under development, so personal responsibility needs to be the fore, for now.”
Dwayne Melancon, CTO of Tripwire:
“Now that this information has leaked, I am quite surprised that eBay has been so slow to add information to their site to inform users of the situation and guide them through the password reset process. Customer confidence relies on directive, specific action and information in these scenarios.
It appears that the eBay data breach involved securely encrypted passwords, which makes it less likely that users’ eBay accounts will be easily accessed since doing so will require brute force decryption of passwords. However, the fact that user email addresses and physical addresses were taken in the breach is more concerning. Criminals could use that information to masquerade as eBay customers on other sites, or perhaps use that information to ‘social engineer’ their way to users’ other accounts. Unlike the passwords, the other user-specific information was not encrypted and therefore easily reused by attackers.
It is good practice to ask for a password reset, and users should probably be required to reset – not just asked. Furthermore, password complexity rules ought to be in place to ensure users select complex passwords. Of course, users should also make certain they are not using the same password they are using on another site.
Many eBay users also have their accounts connected to PayPal (which is owned by eBay) for payments. For further security, I recommend customers make use of PayPal’s optional feature which uses 2-factor authentication to verify the users’ identity prior to making a payment. Given that PayPal is linked directly to users’ bank accounts, this is a best practice even if there had not been a data breach at eBay.
eBay users have long been a popular target for phishing emails, and users must be especially wary during incidents like this. To be safe, users should not click on links in emails about eBay security or password changes; instead, they should type the eBay URL directly into their browsers and log into the site that way to prevent disclosing their credentials to spoofed, malicious copies of the eBay site.”
Mark James, Technical Team Leader at ESET:
“The obvious concern here is knowing exactly what was and was not compromised. They state that eBay customers’ names, encrypted passwords, email addresses, physical addresses, phone numbers and date of births were compromised, and all of this information can be used to steal user identities. This is a major concern when this type of attack happens and to hear it happen to such a large corporate organisation is very worrying.
The first thing that you need to do is change your eBay password then IF you have used that password on ANY other site then you need to do 2 things:
1, Change that password as well but NOT to the same password as the new eBay one.
2, STOP using the same password on multiple sites, even changing just a few characters and NOT using dictionary words will suffice if you can’t make them all unique.
