7 Facts: eBay Fumbles Password Reset Warning

Published: 22/11/2024   Category: security




Online auction site criticized for notification misfire, failing to make password resets mandatory.



Security alert to all eBay users: change your passwords now.
That warning was issued Wednesday by eBay, which announced that hackers stole legitimate employee login credentials and used them to access eBay's network and steal a database containing information on 145 million users. The stolen database included personal information on users stored in plaintext format, as well as hashed and salted copies of their eBay passwords.
Here's what's known so far about the breach, how eBay has responded, and what users should do and expect in the wake of the breach.
1. Breach undetected for two months
While the breach appears to have occurred in late February or early March -- after attackers stole several employees' login credentials -- the theft and unauthorized use of those credentials wasn't detected until about two weeks ago, which triggered an investigation, eBay said in a blog post Wednesday. Extensive forensics subsequently identified the compromised eBay database.
Having a breach last for at least two months before it's detected isn't unusual. According to a study of 2013 breaches released Wednesday by Trustwave, when a business self-detects a breach, that detection takes place -- on average -- 32 days after the breach occurred. Meanwhile, when an organization learns about the breach from a third party, an average of 108 days, or more than three months, will have elapsed from breach to notification.
2. Unclear: Password encryption strength
One worry, however, is that with the stolen eBay password hashes available offline, attackers may have had time to recover the passwords using next-generation password-cracking systems.
An eBay spokesman didn't immediately respond to an emailed request for more information about exactly how the passwords had been hashed and salted. That information could help information security experts estimate if -- or for how long -- the stolen passwords might be safe.
To be clear, eBay said there's no indication that the stolen, encrypted password data has been cracked and used by attackers. Likewise, the company said that all financial information, including that pertaining to subsidiary PayPal, was stored separately: "PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted."
3. Public notification: eBay stumbled
eBay arguably fumbled its public breach notification after Engadget reported seeing a half-finished PayPal blog post Wednesday warning people to change their eBay passwords. But after that news broke, and eBay posted an official statement on its website, it still took the online auction business more than 24 hours to send an email alert to all of its users.
In the meantime, the password-reset advisory remained noticeably absent from the online auction site's homepage and login screen for some hours, leading security expert Graham Cluley to ask why eBay seemed to be burying news of its security breach from its millions of Web visitors.
When the company eventually did put a warning on its homepage, it linked to a static warning message, leaving users to navigate multiple drop-down menus and click at least a half-dozen times to locate the password-reset page.
It would have been simpler if eBay's website notice had included a link to its password-reset page.
4. Beware phishing attacks
Going forward, expect online attackers to quickly begin capitalizing on the eBay password-reset warning. "When major news like this breaks, it opens the door for eBay or PayPal phishing campaigns to be more effective, since the general public is familiar with the situation and may not realize they're being duped," said Troy Gill, senior security analyst at AppRiver, in an emailed statement.
Longstanding advice about never clicking on links in emails -- lest they're a phishing attack in disguise -- applies here. "To be safe, users should not click on links in emails about eBay security or password changes; instead, they should type the eBay URL directly into their browsers and log into the site that way to prevent disclosing their credentials to spoofed, malicious copies of the eBay site," said Dwayne Melancon, CTO of Tripwire, in an email.
Also beware of eBay's actual attackers using stolen plaintext data -- which included eBay users' names, email addresses, and birth dates -- to fashion more realistic-looking fake messages.
5. eBay fails to practice tough love
In the wake of the breach, one security step that eBay didn't take, but should have -- in the eyes of many security experts -- was to forcibly expire all users' passwords so they had to be reset. "eBay should programmatically force a reset of all passwords because just asking nicely will be ignored by too many," says TK Keanini, CTO of Lancope, in an emailed statement. "They also should offer a two-factor authentication method as others have done. All of these things help raise the cost to attackers."
The need to force password resets is reinforced by the results of a new survey conducted by antivirus firm Avast. Only 40% of the respondents who were aware of Heartbleed said they had actually changed their passwords, according to an Avast blog post about the survey, which was released this week. This number closely matches Pew's Heartbleed report, which found that 39% of Internet users have changed their passwords or canceled accounts.
If the Heartbleed password-change rate holds true for eBay's user base, that would mean that, of the 145 million people whose encrypted password data was reportedly stolen, 87 million would still be vulnerable to having their accounts compromised if attackers successfully crack the stolen passwords.
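The programmatic forced reset that Keanini describes, combined with the salted, iterated hashing whose strength fact 2 leaves unclear, looks roughly like the following. This is an added example, not eBay's code; the breach cut-off date, the PBKDF2 work factor and the record layout are assumptions for illustration.

```python
import hashlib
import hmac
import os
from datetime import date

# Constructed cut-off for this example: the article places the credential theft in
# late February 2014, so any password last set before then is treated as exposed.
BREACH_START = date(2014, 2, 20)
PBKDF2_ITERATIONS = 100_000  # assumed work factor; eBay has not said what it uses


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: each guess against a stolen record costs the
    # attacker PBKDF2_ITERATIONS HMAC computations rather than one fast hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_record(password: str, changed_on: date) -> dict:
    salt = os.urandom(16)  # per-user salt, so identical passwords hash differently
    return {"salt": salt, "hash": hash_password(password, salt), "changed_on": changed_on}


def login(record: dict, password: str) -> str:
    """Return 'denied', 'reset_required' or 'ok'.

    A correct password on an exposed record does not grant access; the user is
    routed to the reset flow instead of merely being asked to change it.
    """
    candidate = hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        return "denied"
    if record["changed_on"] < BREACH_START:
        return "reset_required"
    return "ok"


def reset_password(record: dict, old_password: str, new_password: str, today: date) -> bool:
    """Replace the credential with a fresh salt and hash; refuse reuse of the old one."""
    if not hmac.compare_digest(hash_password(old_password, record["salt"]), record["hash"]):
        return False
    if new_password == old_password:  # re-setting the exposed password keeps the exposure
        return False
    salt = os.urandom(16)
    record.update(salt=salt, hash=hash_password(new_password, salt), changed_on=today)
    return True
```

In a real reset flow, an exposed password alone should not authorize the change; an out-of-band confirmation such as an emailed link belongs in that step.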
6. Expect new two-factor authentication options
People who want better eBay site security can tap two-factor authentication in the form of a PayPal Security Key (as the name implies, it also works for PayPal), a credit-card-sized device that generates random, temporary security codes used as a second factor, together with a password, for authentication.
But the card costs a one-time fee of $30. There's no monthly service fee or additional cost, according to eBay. Replacement keys are the same price.
Alternately, the PayPal Security Key can be used as a free service via a mobile phone, with the one-time codes sent via SMS, as sites such as Dropbox and Twitter also do.
Going forward, eBay may well add mobile apps to its list of two-factor authentication options. In its security advisory, for example, eBay previewed unspecified new possibilities, saying that "we are looking at other ways to strengthen security on eBay" and noting that "in the coming days and weeks we may be introducing new security features."
7. Breach lesson: Employ password managers, or else
Tapping two-factor authentication, where available -- and when it works well -- is an excellent security step. But the approach still relies on the strength of your password, and no password is ever completely safe.
Accordingly, people should never reuse their passwords. That way, a breach at a site such as eBay (which, although it enjoys an excellent security reputation, was still hacked) won't allow attackers to reuse stolen passwords on other sites. "Each account, especially accounts containing personal information and credit card details, should have its own password," says Ondrej Vlcek, COO at Avast, in an email. "In a situation like this you really don't want your PayPal and eBay accounts to have the same passwords."
Practically speaking, the only way to securely track a large number of online account details and related access credentials is to use a password manager. While some people worry that storing all of that sensitive information in one location creates a single point of failure, numerous information security experts argue that because password managers can themselves be secured with a complex password, the benefits of being able to maintain unique, strong passwords for every online account you use far outweigh any potential security downsides.
With the rise of mobile devices and synchronization capabilities, furthermore, people can keep secure copies of their passwords on their smartphones, tablets, PCs, or even on secure websites, for easy retrieval no matter where they are.
