Security breach at eBay a reminder of damage cyber criminals can wreak

By Harry Wallop

eBay has been hacked in what could be the biggest data breach of its kind. Photo / AP file
eBay has been hacked in what could be the biggest data breach of its kind. Photo / AP file

Some of the numbers involved in the eBay security breach reported this week are so large that they are difficult to grasp. Up to 233 million people have had their personal details stolen -- their telephone numbers, their names, their postal and email addresses, their dates of birth and the passwords to their accounts.

The exact circumstances of how such a huge security lapse has happened are not yet fully known. What is certain is that eBay has handled the loss of data extremely poorly, with experts castigating the company for what appeared to be serious delays in informing their customers after the initial breach at the end of February. Worse, on Thursday -- after telling customers to immediately change their passwords -- eBay's systems crashed as people tried to do as instructed.

• 233 million people believed to have had their personal details stolen in eBay security breach this week
• 128 million active eBay users
• US$212b($247.5b) worth of commerce on its various marketplaces and other services last year

The incident has again shone a spotlight on the amount of information held by internet companies. And it has caused further confusion about what customers can do to protect themselves.

One curiosity about the scale of eBay's data breach is how this company became so large.

"They are now a fully fledged retail platform," says Neil Saunders, retail analyst at Conlumino, a consulting firm. "They are a significant player, and in terms of customer numbers they are easily a top 10 player in the clothing market." In part, that is because large retailers use eBay as an alternative platform to target online shoppers with new products.

What makes the eBay security breach so worrying is that the company also owns PayPal, the payment system that boasts of its security, and which is used by many other websites. But eBay says that PayPal is run on a different system and has not been breached. However, as many customers use the same password for both sites, they will need to change their PayPal password, too.

Graham Cluley, an online security consultant, says: "eBay is saying that there is no evidence that any financial information has been leaked. It is hard for them to be 100 per cent certain when something is missing. It's not like someone stealing the Mona Lisa and suddenly there is a gap on the wall."

Experts say people should still take the data breach at eBay seriously, even though it has not lost their bank account details. To understand why, you need to trace what happens to the data after it leaves the company and enters hackers' hands.

In some cases, the hackers grab the data for the thrill of beating the system. In these instances, the thief usually boasts about it on the internet within 24 hours, but experts say this sort of breach is increasingly rare. In most cases, the data is stolen with criminal intent. "The data is most likely being sold on underground marketplaces -- basically an underground version of eBay," Cluley says.

Estimates for how much an individual's basic information is worth vary from £1 ($1.97) to about £30, depending on whether it comes with a password. In eBay's case, the company managed to encrypt the passwords, but none of the other personal details. Brendan Rizzo, technical director of Voltage Security, says: "Everything should be encrypted. But it would seem that eBay took very much a tick-box compliance approach to protecting users' data."

A criminal can do very little with the data directly -- though in theory they could commit full-scale identity theft with the basic details of your date of birth, postal address and email.

A criminal can still cause huge indirect damage by sending out millions of spam emails. And this is the most common way stolen data ends up being used.

"If I had access to 100 million email addresses, I would spam them," Cluley says. "I would send them a convincing-looking email with their name, date of birth or other information to make it look plausible and contain within that email a link to a malicious website, or an attachment, which causes your computer to become infected."

Because they contain enough basic information, there is a chance that a few recipients -- and it only needs a few to be successful -- will click on the link.

By doing so, you can leave your computer open to becoming a hunting ground for criminals higher up the food chain, because by clicking you have usually inadvertently installed dodgy software, such as Adware. This is what can cause annoying pop-up adverts to flash up on your screen. Every time you click on one, the criminal will be taking a tiny slice of the revenue.

Malware or keylogger software can be far more dangerous, allowing criminals to monitor every key you type and, ultimately, work out all your passwords for online accounts, and your email, bank and insurance company details.

The most dangerous are "spear phishing" attacks, which are highly personalised emails designed to trick even savvy computer users. Chris Boyd, analyst at Malwarebytes, explains: "Say, on Twitter, I see you complaining about some poor service with a particular bank, and I can see you are a customer with them. I then take the information from this eBay attack and I can then construct a wonderfully crafted email purporting to come from your bank. Before you know it, you have handed over your account details."

Many users will feel a sense of ennui that, yet again, they have to change their passwords after another data breach, and even if they do, this is no more than damage limitation. The details have been stolen and changing passwords will not stop the phishing attacks.

What makes cyber crime so pernicious is that it is impossible for anyone to link the eBay data breach -- or any other data breach -- directly with a consumer being out of pocket. But yesterday the personal details of 715 individuals were advertised for sale online. The data appeared to come from the eBay breach and looked to be an attempt by a hacker to attract potential criminal buyers.

- Daily Telegraph UK

© Copyright 2014, APN New Zealand Limited

Assembled by: (static) on red akl_n3 at 27 Aug 2014 21:45:35 Processing Time: 693ms