eBay under attack from hackers

by Chris Dawson

This post was written in September 2007; specific information contained within it may be out of date.

There have been a number of stories in the press regarding Aladdin Software’s discovery of a botnet which is attempting to guess eBay user names and passwords. A “bot” is a computer which has been compromised and which a hacker can use to hide their real identity: any attack appears to come from the compromised computer. A “botnet” is an automated tool distributed across hundreds of compromised computers to attack websites. This botnet is using the eBay API (Application Program Interface, the interface through which third-party applications talk to eBay) and sending user name and password pairs to see if they work.

Aladdin is reporting this incident as if it were a new phenomenon, and many other sites are repeating the story. eBay told TameBay:

“Brute forcing” has been built into bots for years; it is not a new practice. It’s a technique we are well aware of and eBay has many systems in place to detect this type of activity. Our systems detect brute force as well as cross site scripts, and actively monitor for account irregularities such as the ones described in the PC World article.

We find it very concerning that “security firms” like Aladdin describe well-known techniques used by bots and other identity-theft-tools as “new” or “first of its kind.” eBay has been protecting its site from attacks like this for the past several years and works with a wide variety of leaders in the anti-virus software industry to share information and best practices”
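eBay’s statement says its systems detect brute forcing and account irregularities. As an added illustration of what that detection looks like in practice (this is example code written for this post, not eBay’s own system, and the log format and the sample lines are constructed), the script below scans login attempts against an API endpoint for the two patterns a botnet like the one described produces: one computer hammering the endpoint, and one account being tried from many different computers, each of which makes only a few attempts so that per-IP limits never trigger.

```python
"""Toy detector for distributed credential brute-forcing against a login API.

Added example, not eBay's code. Log format (constructed for this example):
    <ISO timestamp> <source IP> <user name> <FAIL|OK>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.10 is a single noisy bot; bob is attacked
# "low and slow" by four different bots; carol mistypes once then signs in;
# dave's two failures are 15 minutes apart, outside the detection window.
SAMPLE_LOG = """\
2007-09-04T10:00:00 203.0.113.10 alice FAIL
2007-09-04T10:00:05 203.0.113.10 alice FAIL
2007-09-04T10:00:10 203.0.113.10 alice FAIL
2007-09-04T10:00:15 203.0.113.10 alice FAIL
2007-09-04T10:00:20 203.0.113.10 alice FAIL
2007-09-04T10:01:00 198.51.100.1 bob FAIL
2007-09-04T10:01:30 198.51.100.2 bob FAIL
2007-09-04T10:02:00 198.51.100.3 bob FAIL
2007-09-04T10:02:30 198.51.100.4 bob FAIL
2007-09-04T10:03:00 192.0.2.5 carol FAIL
2007-09-04T10:03:10 192.0.2.5 carol OK
2007-09-04T10:40:00 198.51.100.9 dave FAIL
2007-09-04T10:55:00 198.51.100.8 dave FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect(lines, window=timedelta(minutes=5), ip_threshold=5, account_ip_threshold=3):
    """Return IPs and accounts that show brute-force behaviour within a sliding window.

    noisy_ips: a source with >= ip_threshold failures inside the window.
    targeted_accounts: an account failed from >= account_ip_threshold distinct
                       sources inside the window (the distributed botnet case).
    """
    ip_failures = defaultdict(deque)       # ip -> recent failure timestamps
    account_failures = defaultdict(deque)  # user -> recent (timestamp, ip) failures
    noisy_ips, targeted = set(), set()

    for ts, ip, user, ok in sorted(parse_line(l) for l in lines):
        if ok:
            continue  # only failures matter for guessing detection

        recent = ip_failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures older than the window
        if len(recent) >= ip_threshold:
            noisy_ips.add(ip)

        attempts = account_failures[user]
        attempts.append((ts, ip))
        while attempts and ts - attempts[0][0] > window:
            attempts.popleft()
        if len({src for _, src in attempts}) >= account_ip_threshold:
            targeted.add(user)

    return {"noisy_ips": sorted(noisy_ips), "targeted_accounts": sorted(targeted)}


if __name__ == "__main__":
    print(detect(SAMPLE_LOG.strip().splitlines()))
    # -> {'noisy_ips': ['203.0.113.10'], 'targeted_accounts': ['bob']}
```

The per-account rule is the one that matters against a botnet: each of bob’s attackers makes a single attempt and never trips the per-IP counter, but the account itself sees failures from four different sources within two minutes. The window pruning is what keeps dave, whose two failures are a quarter of an hour apart, out of the alert list.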

eBay also mask all sensitive financial information, so if a user’s computer and the sign-in credentials they use on eBay are compromised by whatever means, their sensitive financial data is still protected, reducing the possibility of ID theft.

The long-awaited PayPal security key (which is available in the US) would go a long way towards addressing account takeovers and would render attacks such as the current one useless. Even the one-time passwords from a security key are not the complete solution; it’s an ongoing battle that neither side can conclusively win. As companies like eBay put new defences in place, hackers work to circumvent them.
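To show why a one-time password defeats a guessed user name and password pair, here is an added example (written for this post, not PayPal’s or eBay’s code) of a server checking a password together with a counter-based one-time code. It assumes the token follows the OATH HOTP algorithm of RFC 4226; the secret used is the RFC’s published test secret, and the account, password and field names are constructed for the example.

```python
"""Password + HOTP (RFC 4226) login check. Added example, not PayPal's code.

The token secret is the RFC 4226 test vector secret, so the first codes are the
published values 755224, 287082, 359152.
"""
import hashlib
import hmac
import os
import struct

RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class Account:
    """Server-side record: salted password hash plus the token secret and counter."""

    def __init__(self, password: str, otp_secret: bytes):
        self.salt = os.urandom(16)
        self.password_hash = self._hash(password, self.salt)
        self.otp_secret = otp_secret
        self.counter = 0  # server's view of how many codes the token has produced

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, password: str, code: str, look_ahead: int = 3) -> bool:
        """Succeed only when the password AND a fresh code are both right.

        A code is accepted if it matches any of the next `look_ahead` counter
        values (the token may have been pressed without a login). On success the
        counter moves past the used value, so the same code cannot be replayed.
        """
        if not hmac.compare_digest(self._hash(password, self.salt), self.password_hash):
            return False  # a correct OTP does not rescue a wrong password
        for candidate in range(self.counter, self.counter + look_ahead):
            if hmac.compare_digest(hotp(self.otp_secret, candidate), code):
                self.counter = candidate + 1
                return True
        return False  # right password, but no current OTP: the guess is useless


if __name__ == "__main__":
    acct = Account("correct horse", RFC4226_TEST_SECRET)
    print(acct.login("correct horse", "000000"))  # False: no valid code
    print(acct.login("correct horse", "755224"))  # True: counter 0
    print(acct.login("correct horse", "755224"))  # False: replay rejected
```

The point for the botnet described above is the second `return False`: a bot that has guessed the password still fails, because the six-digit code changes every time the key is pressed and a code that has been used is never accepted again.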

As always, it’s the users themselves who can do most to protect their accounts: strong passwords using upper and lower case letters and numbers go a long way towards making passwords impossible to guess with a brute force attack. eBay have advice on how to choose a secure password that’s memorable, as well as some tips on what types of password to avoid.
