ZDNet UK
Hackers attack eBay accounts

Troy Wolverton CNet

Published: 26 Mar 2002 11:41 GMT


Someone other than Gloria Geary had access to the artist's eBay account last week.

Using Geary's user ID, the person set up an auction for an Intel Pentium computer chip. Not only that, but the person changed Geary's password so she could no longer access her own account -- or cancel the bogus auction.

Geary, who discovered the auction on Friday, was able to convince eBay to pull down the auction over the weekend, but not before suffering through a stressful day of worrying about how the auction would affect her legitimate listings.

"I felt totally violated. I was shaking," Geary said. "It's appalling the ease at which they totally took over my account."

Geary is only the latest victim of an increasingly popular scam on eBay. Since January, the company has received a growing number of complaints from people such as Geary who say their accounts have been taken over and used to set up fraudulent auctions. The scam artists make a quick buck, then leave the legitimate eBay users to deal with the furor from bilked bidders.

Although the company has thus far seen only a relatively small number of cases -- numbering in the "low triple digits" -- the new scam is a "concern" for eBay, company spokesman Kevin Pursglove said.

"Even if it happened to just one user, that user had a fairly bad user experience," Pursglove said. "We need to find ways of preventing it."

Security experts say eBay needs to work fast to find a fix, because this combination of hacking and identity theft is the wave of the future.

"We work with the people at eBay. They know they have a real problem," said Lee Curtis, managing director of high-tech investigations at Kroll, which specialises in security. "If they lose the confidence of their customer base, they're out of business."

The percentage of auctions that end in a confirmed case of fraud on eBay is less than one one-hundredth of 1 percent, the company said. But the problem has been a persistent thorn in the side of the company and of the online auction industry as a whole.

Last year, consumers reported some 20,000 fraud complaints concerning online auctions to the Federal Trade Commission, second only to complaints about identity theft. Some complaints involved sellers who simply never sent the goods they auctioned.

Other complaints have involved more elaborate schemes, such as the sale of a fake Richard Diebenkorn painting on eBay in 2000.

But the latest attempts to defraud bidders seem to be using more sophisticated methods. Instead of establishing their own accounts on eBay, many scam artists are using a so-called dictionary attack to break into reputable sellers' accounts. A time-tested technique, a dictionary attack uses an automated program, or "bot," to submit guesses for a known user ID, drawing the candidates from a list of common passwords and a dictionary of words until one is accepted.

Once they have access to the seller's account, the scam artists use the legitimate seller's reputation to draw bids on their fraudulent auctions.

Kevin Jarrett had his account broken into last week. The person who broke into it listed four auctions for digital cameras and changed the password for Jarrett's account on Billpoint, eBay's proprietary payment service. Jarrett, who found out about the auctions when he received an email from a bidder on one of the bogus auctions, was able to minimise the damage by getting eBay to shut down the auctions before they ended. But as a result, he's since cancelled a bank account and credit card that were linked to his Billpoint account.

Jarrett said it was likely his status as a trusted eBay seller that attracted hackers to his account. "It never occurred to me that 142 feedback points on eBay is a very valuable item," he said. "It means that you're trusted."

Feedback points allow members to judge the trustworthiness of other members. In addition to providing written comments about members, eBay assigns a feedback rating based on the number of positive comments a member has received minus the number of negative comments.

Password patrol
The usual way of preventing a dictionary attack is for a Web site to lock an account after several consecutive incorrect password entries. Typically, Web sites require customers whose accounts are locked to call their customer service departments and verify their right to access the account by giving information such as their social security number or mother's maiden name.

While eBay is exploring the possibility of locking accounts after repeated failed log-in attempts, it doesn't do so currently, Pursglove said. EBay is worried that unscrupulous users might sabotage competing sellers by deliberately triggering the lockout on their accounts, or that legitimate users might find themselves unable to log in after a dictionary attack against their own account, he said.

"It's one of the proposals that we're considering," he said. "We're trying to figure out a way that we can adopt it without disclosing how the process works."
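The two halves of the article meet here: the guessing bot described above, and the lockout that eBay was weighing against its denial-of-service risk. The example below is added for illustration and is not eBay's code, nor the code of any tool named in the article. It assumes a hypothetical account store (`AccountStore`), a constructed seller account `seller42` with the weak password `dragon`, and a constructed eight-word list standing in for a real password dictionary. It runs the same bot twice: once against a site with no lockout, where the list is exhausted and the password found, and once against a temporary per-account lockout that expires on its own, so the bot is cut off after a handful of guesses while the real owner is delayed for one window rather than shut out for good.

```python
"""Online dictionary attack against a login endpoint, with and without a
temporary per-account lockout.  Added example: the account store, the
wordlist and the seller account are constructed for illustration and are
not eBay's code or data."""
import hashlib
import hmac
import os
import time

# Constructed wordlist of the kind a guessing bot draws on (assumed data).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein",
                    "abc123", "monkey", "sunshine", "dragon"]

PBKDF2_ROUNDS = 50_000  # kept modest so the demo runs in seconds


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    """Minimal user store (hypothetical).  max_failures=None reproduces the
    no-lockout behaviour the article describes; otherwise an account is locked
    for lockout_seconds after max_failures wrong passwords in a row, and the
    lock clears on its own, so a victim is delayed rather than shut out."""

    def __init__(self, max_failures=None, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._creds = {}         # user -> (salt, password hash)
        self._failures = {}      # user -> consecutive wrong passwords
        self._locked_until = {}  # user -> time at which the lock expires

    def register(self, user, password):
        salt = os.urandom(16)
        self._creds[user] = (salt, _hash_password(password, salt))

    def login(self, user, password, now=None):
        """Return 'ok', 'bad_password', 'locked' or 'no_such_user'."""
        now = time.monotonic() if now is None else now
        if user not in self._creds:
            # Hash anyway so response time does not reveal valid user IDs.
            _hash_password(password, b"\x00" * 16)
            return "no_such_user"
        if self._locked_until.get(user, 0.0) > now:
            return "locked"  # nothing checked, nothing counted
        salt, stored = self._creds[user]
        if hmac.compare_digest(_hash_password(password, salt), stored):
            self._failures[user] = 0
            return "ok"
        self._failures[user] = self._failures.get(user, 0) + 1
        if self.max_failures is not None and self._failures[user] >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = 0
        return "bad_password"


def dictionary_attack(store, user, wordlist, now=0.0):
    """The bot from the article: try each word for a known user ID until a
    login succeeds or the account stops answering.  Returns (password found or
    None, number of login requests sent)."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        result = store.login(user, candidate, now=now)
        if result == "ok":
            return candidate, attempts
        if result == "locked":
            break
    return None, attempts


def run_demo():
    """Run the same bot against both policies and report what happened."""
    results = {}
    # No lockout: the bot walks the whole list and recovers the password.
    open_store = AccountStore(max_failures=None)
    open_store.register("seller42", "dragon")
    results["no_lockout"] = dictionary_attack(open_store, "seller42", COMMON_PASSWORDS)

    # Temporary lockout after 5 wrong passwords, 15-minute window.
    guarded = AccountStore(max_failures=5, lockout_seconds=900)
    guarded.register("seller42", "dragon")
    results["lockout"] = dictionary_attack(guarded, "seller42", COMMON_PASSWORDS, now=0.0)
    # The real owner is delayed during the window but not shut out for good.
    results["owner_during_lock"] = guarded.login("seller42", "dragon", now=10.0)
    results["owner_after_lock"] = guarded.login("seller42", "dragon", now=901.0)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

With no lockout the bot needs one request per candidate and succeeds on the eighth; with the five-attempt, fifteen-minute lock it is turned away after six requests and must wait a window for every five further guesses, so a 100,000-word list that takes minutes against the open site needs about 20,000 windows, roughly 200 days. The expiring lock also bounds the sabotage eBay worried about: a rival can cost a seller one window at a time, not the account, and the owner's correct password works again as soon as the window passes. Sustained abuse from one source would additionally call for per-source rate limiting, which this example leaves out.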

In the meantime, the company is recommending that customers check their accounts frequently and change their passwords to ones that are more difficult to guess. The company is also recommending that bidders check sellers' selling history to look for anything anomalous such as a sudden upswing in listings.

Jarrett, an information technology consultant, said he was probably too lax about his passwords, using ones that were too easy to guess. But he said that eBay needs to do a better job of protecting accounts.

"I find this vulnerability to be unacceptable," he said. "As a paying customer, I have the expectation that my information will be held securely."

EBay's reluctance to put in place a lockout system may have more to do with it wanting to save money on customer service than anything else, said Rosalinda Baldwin, editor of The Auction Guild, a newsletter covering the online auction industry. If the company put in place a lockout system, it would have to provide people with instant customer support over the telephone so they could unlock their accounts. Currently, eBay doesn't list a customer support phone number on its site, instead directing all inquiries to email or to lists of frequently asked questions.

Locking out accounts "would make sense," Baldwin said. "But they would have to hire some people to man a phone 24-7. That's not what they want to use our dollars for."

That eBay is not taking a more active role in protecting customer accounts by implementing a lockout system indicates that the company is putting business concerns ahead of security concerns, said Richard Power, editorial director of the Computer Security Institute. The problem is that e-commerce has never fully dealt with security issues, and those issues are likely to become more acute in the near future, Power said. Criminal gangs and organised crime, for instance, are only now getting up to speed on the Internet and could prove a tough challenge to vulnerable e-commerce sites, he said.

"I think eBay's foolish," Power said. "The thing that holds back people from buying on the Internet more than anything is insecurity."
