eBay Australia rolls out anonymous messaging

September 22, 2008

eBay Australia has announced the roll-out of anonymised emails between eBay members. Pre-sale ASQs will no longer show the sender’s email address, but will instead be sent from a temporary eBay-based email address. Recipients will be able to reply directly to this address from their email client, and eBay will forward the messages to the correct, real email address. The addresses used by eBay are composed of an apparently random string of 10-14 letters and numbers; how long these “temporary” addresses remain valid isn’t yet clear. Members who have already completed a purchase together will still be able to see each other’s email addresses as normal.

Currently, eBay are not verifying that the email used to reply is the “correct” one - i.e. that it matches up with the eBay account to which the message was sent. This is, they say, a “short grace period”, presumably to allow members to ensure their registered email addresses match the ones their email client uses.

So today I’ve been able to reply to trial messages with emails registered with other eBay accounts, and emails that aren’t linked with any eBay account at all, and in all cases, messages sent from the ‘wrong’ email address still arrive with eBay subject lines suggesting they’ve come from the correct eBay member.

If a phisher gets hold of one of these temporary email addresses, or randomly generates the correct sequence of letters and numbers, right now eBay’s own system will make their messages look genuine. The only security at present appears to be the obscurity of the email addresses themselves: with the vast amount of processing power at phishers’ disposal, generating some correct matches surely isn’t going to be difficult. eBay would have done better to give members more information about this in advance, so that registered addresses and email clients could have been made to match, rather than leaving the system so insecure, even if temporarily.
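To make the gap described above concrete, here is a small model of an anonymised message relay. This is an added illustration, not eBay’s code: the alias format, the alias lifetime, and the rule that a reply’s From address must match the email registered to the account the message was sent to are all assumptions. The same relay is built twice, once in the “grace period” mode the post describes (no sender check) and once with the check enforced plus alias expiry.

```python
"""Toy anonymised-reply relay (constructed example, not eBay's system)."""
import secrets
import string
from dataclasses import dataclass

ALIAS_ALPHABET = string.ascii_lowercase + string.digits


@dataclass
class Alias:
    token: str
    sender_account: str      # the original sender; replies are forwarded here
    recipient_account: str   # the only account allowed to reply through it
    issued_at: int
    ttl: int = 7 * 24 * 3600  # assumed lifetime; the post says it is unclear


class Relay:
    def __init__(self, registered_emails, verify_sender=True, now=0):
        # registered_emails maps eBay account -> registered real email address
        self.registered = dict(registered_emails)
        self.verify_sender = verify_sender
        self.aliases = {}
        self.now = now  # simulated clock, seconds

    def issue_alias(self, sender_account, recipient_account):
        """Mint a temporary address; 12 random alphanumerics is an assumed format."""
        token = "".join(secrets.choice(ALIAS_ALPHABET) for _ in range(12))
        self.aliases[token] = Alias(token, sender_account, recipient_account, self.now)
        return f"{token}@members.example"

    def deliver_reply(self, alias_address, from_email):
        """Forward a reply. Returns (real address delivered to, account the
        reply is labelled as coming from); raises PermissionError otherwise."""
        token = alias_address.split("@", 1)[0]
        alias = self.aliases.get(token)
        if alias is None:
            raise PermissionError("unknown alias")
        if self.now - alias.issued_at > alias.ttl:
            del self.aliases[token]
            raise PermissionError("alias expired")
        if self.verify_sender:
            expected = self.registered[alias.recipient_account]
            if from_email.lower() != expected.lower():
                # Without this check, anyone who knows the alias is relayed
                # and labelled as the legitimate recipient account.
                raise PermissionError("From address does not match the account")
        return self.registered[alias.sender_account], alias.recipient_account


def demo():
    """Run both relay modes against constructed accounts and report outcomes."""
    registered = {"buyer_bob": "bob@example.net", "seller_sue": "sue@example.org"}
    results = {}

    # Grace-period behaviour: no From check, so an unrelated address is
    # forwarded to Bob and labelled as seller_sue.
    lax = Relay(registered, verify_sender=False)
    alias = lax.issue_alias("buyer_bob", "seller_sue")
    results["lax"] = lax.deliver_reply(alias, "unrelated@elsewhere.example")[1]

    # Enforced behaviour: the same reply is rejected, Sue's real address works.
    strict = Relay(registered, verify_sender=True)
    alias = strict.issue_alias("buyer_bob", "seller_sue")
    try:
        strict.deliver_reply(alias, "unrelated@elsewhere.example")
        results["strict_impostor"] = "delivered"
    except PermissionError:
        results["strict_impostor"] = "rejected"
    results["strict_genuine"] = strict.deliver_reply(alias, "sue@example.org")

    # After the assumed lifetime the alias stops working even for Sue.
    strict.now += 8 * 24 * 3600
    try:
        strict.deliver_reply(alias, "sue@example.org")
        results["expired"] = "delivered"
    except PermissionError:
        results["expired"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The From check is the rule the post says eBay intends to enforce once the grace period ends. It is a weak signal on its own, since a mail header is easy to forge, which is why the alias should also be unguessable, bound to one sender/recipient pair and short-lived.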

There’s currently no published timeline for the implementation of this system on other eBay sites, though it is expected to roll everywhere in the next few months.

Is someone eavesdropping on your Skype calls?

July 25, 2008

Slug from Atmosphere eavesdrops on Lucy?
Creative Commons License photo credit: Joe Howell

Just how secure is a Skype call? It’s often thought that a phone call is pretty secure and that an encrypted IP phone call is almost impossible to listen in on. Not any longer, though: the Austrian government have revealed that it is “not a problem” for them to listen in on Skype calls.

Skype is proprietary software, so no one outside the company really knows how it works; there is speculation that a backdoor might be built into Skype to allow legal authorities to eavesdrop on calls. If that’s not the case, then Skype may have a flaw in its call set-up that allows call security to be compromised: the AES encryption Skype uses is secure, but not if the keys exchanged when a call is set up can be captured.

It’s long been known that GCHQ can listen in to landline or mobile phone calls, and they can also read your emails. Does it really matter if they can eavesdrop on your Skype calls as well?

If the government really want to listen in on my mindless wittering on phone calls then they’re welcome - all the time Skype is free I’ll carry on using it. After all the alternative is to use mobile or land line phones and they can listen in to them anyway.

The big question, of course, is who else is listening in on calls: if governments and Skype themselves can intercept conversations, how long before someone less desirable gains access and starts monitoring calls?

eBay UK identity verification now live

April 21, 2008

This post was written in April 2008; specific information contained within it may be out of date.

Creative Commons License photo credit: fazen

eBay UK have announced that measures to track which computers sellers list from, to help prevent account takeovers, are now live. At some yet-to-be-specified point later this year, the computer being used to list will be checked against this data, and anything unusual flagged for further investigation.

eBay also have a new page about identity confirmation available, which gives a little more information about the process: every eBay seller is very strongly recommended to check that their telephone number is a valid one, and that their “secret question” is one they can answer but no one else can.

Having announced the policy, eBay are doing very little to answer sellers’ questions about its actual implementation. I’ve been unable to discover, for example, exactly what happens when you buy a new computer, or what happens if you list an item from the library so eBay phone you at home and you’re not there.

“Have a mobile phone as your secondary contact number” seems to be the only solution to this, otherwise sellers potentially run the risk of needing to “contact customer support”, presumably to say that, yes, that was them who did a few relists from an internet cafe last night so please could the account be unfrozen. eBay staff who have been involved in discussions have generally been pretty dismissive of sellers’ concerns, preferring instead to concentrate on the obvious security improvements the measures will bring. Some explanations of exactly how this is going to work in practice are now overdue.

Several other European eBay sites, including Austria, France, Switzerland, Spain and Germany, have announced similar programs starting today.

PayPal to block unsafe old browsers

April 18, 2008

This post was written in April 2008; specific information contained within it may be out of date.

PayPal are to block old browsers in an attempt to improve security. In a white paper discussing anti-phishing measures, the company said, “The alarming fact is that there is a significant set of users who use very old and vulnerable browsers, such as Microsoft’s Internet Explorer 4 or even IE 3.” Unlike more up-to-date versions of Internet Explorer and Firefox, these browsers do not have any phishing filters. Earlier this year, PayPal advised users of Apple’s Safari to use another browser to access the internet, as Safari lacks crucial anti-phishing features such as a filter for known or potential phishing sites, and visual cues which tell users when they are on a safe site.

In their fight against online fraudsters, PayPal go a step further, proposing that the process of blocking old browsers should be a rolling one, saying that “any Web site that asks for personal or financial information” should warn users who are one release behind the most up-to-date software, and block anyone who is two or more releases behind the times. Currently that would mean anyone using IE5 or earlier blocked from accessing the site.
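The rolling rule quoted above (warn at one release behind, block at two or more) is simple enough to write down. The following is an added example, not PayPal’s code: the User-Agent parsing, the table of “latest” major releases (IE 7 and Firefox 3, as at the time of the post) and the treatment of unrecognised browsers are all assumptions, and the sample User-Agent strings are constructed.

```python
"""Toy implementation of a 'releases behind' browser policy (constructed example)."""
import re

# Assumed current major releases at the time of writing (2008).
LATEST_MAJOR = {"msie": 7, "firefox": 3}

# Minimal User-Agent matchers; real strings vary far more than this.
UA_PATTERNS = {
    "msie": re.compile(r"MSIE (\d+)"),
    "firefox": re.compile(r"Firefox/(\d+)"),
}


def parse_user_agent(ua):
    """Return (browser, major version) or (None, None) if unrecognised."""
    for name, pattern in UA_PATTERNS.items():
        match = pattern.search(ua)
        if match:
            return name, int(match.group(1))
    return None, None


def policy(ua, latest=LATEST_MAJOR):
    """Decide 'allow', 'warn' (one major release behind) or 'block'
    (two or more behind). Unrecognised browsers get 'warn', an assumed default."""
    name, major = parse_user_agent(ua)
    if name is None:
        return "warn"
    behind = latest[name] - major
    if behind <= 0:
        return "allow"
    if behind == 1:
        return "warn"
    return "block"


# Constructed sample User-Agent strings covering each outcome.
SAMPLE_UAS = {
    "ie7": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "ie6": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "ie5": "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)",
    "ie4": "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)",
    "ff3": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0",
    "ff2": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14",
    "unknown": "Opera/9.50 (Windows NT 5.1; U; en)",
}


def evaluate_samples():
    """Apply the policy to every sample string and return the decisions."""
    return {label: policy(ua) for label, ua in SAMPLE_UAS.items()}


if __name__ == "__main__":
    for label, decision in evaluate_samples().items():
        print(f"{label:8s} -> {decision}")
```

With IE 7 as the current release this gives the result the post states: IE 5 and earlier are blocked, IE 6 only warned. The User-Agent header is self-reported and trivially changed, so a rule like this nudges inattentive users toward safer software rather than stopping a determined attacker, which is exactly the audience PayPal’s seatbelt comparison has in mind.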

PayPal comment “in our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts.” And as those using older browsers are perhaps likely to be those who know the least about internet security, ensuring they’re using the most up-to-date software to help them is a great move on PayPal’s part.