Hacking, taunting and eBay security

It’s been a fairly hectic week for eBay with stories flying around re security on the site. A few of them are on auctionbytes (twice), The Register (twice) and pretty much every other eBay related news site going. So it’s time to look at the facts.

Vladuz

A Romanian Hacker known by the handle Vladuz has been the cause of much speculation and it has been acknowledged by eBay that he has had access to a small (single digit) number of eBay staff email accounts.

Vladuz posted screen shots of eBay’s back end system on the eBay community boards. The screen shots were not taken by Vladuz himself, but had been sent, as images, to the staff member in question. That is how Vladuz was able to post them on the internet. Despite what those seeing the screen shots assumed, Vladuz never had access to eBay’s data servers.

Further worries were caused by Vladuz posting on eBay community boards masquerading as an eBay “Pink”. This again was not due to accessing eBay’s main servers, but rather from hijacked staff accounts. eBay have confirmed to TameBay that staff accounts with eBay.com (or eBay.co.uk) email addresses automatically appear with the pink banner on the community boards. Simply by having access to a staff account with community board posting rights allowed Vladuz to post with the pink banner. eBayers were obviously concerned that the “pink line” meant that Vladuz was in a position of power and could access any part of eBay’s system, but in fact, this was not the case: he never got any further than the staff email system.

This is desperately embarrassing for eBay, if eBay employees email and passwords have been accessed just what hope is there for the average user?

Hijacked Accounts

Running in parallel with the Vladuz story is the large number of hijacked accounts with “For BUY IT NOW price contact me at: [a gmail email address]. eBay told us this afternoon that there is currently “No evidence to suggest that he [Vladuz] is the one doing the account takeovers at this stage”. There certainly is a large number of accounts compromised, and some have speculated that Vladuz is able to access them through eBay’s servers at will. In reality what appears to be happening is phishers and pharmers have harvested a large number of accounts which they are using in an alphabetical sequence (naturally it makes it easier to sort alphabetically any list you want to work through sequentially).

eBay work hard to freeze hijacked accounts and restore them to their legitimate owner. Some users have reported even changing their account password has not stopped further activity by hijackers. This may be explained quite simply, firstly if auctions have been scheduled unless they are cancelled they will launch at a later date. Secondly if you are logged into your eBay account on one computer and then change your password on a second eBay servers don’t appear to log you out on the first. This is a loophole which eBay need to address and may be why changing the password on hijacked accounts does not stop all unauthorised activity immediately.

If you are unfortunate to have your account hijacked we strongly recommend that you contact LiveHelp on the link for hijacked accounts. They will be able to fully restore your account to you and cancel any activity which has occurred in the meantime.

Summary

Two events appear to have taken place, ongoing and persistent abuse of hijacked accounts and taunting of eBay by a Romanian hacker. eBay are constantly working to prevent account hijacks and educate users on how to stay safe online but it is a never ending battle. Even the new PayPal security tokens don’t give a 100% guarantee of security although they will certainly slow hackers down. The key for all users is never click links in emails, and be suspicious of all links on websites. The much maligned eBay toolbar will show if you are about to enter your user name and password into a non-eBay site, and new EV SLL enabled browsers will assist also. (eBay and PayPal are amongst the first websites to be EV SLL ready).

eBay are working with both the American Secret Service and law enforcement in Romania to track down Vladuz and bring him to justice. It is rumoured that a FireFox addon “eBayCaptcha Populator” written by Vladuz may be the key to how he compromised accounts, but this far from being substantiated. We’d recommend that you don’t use tools to bypass security and especially don’t install this addon regardless.

The Future

So what of the future? Well firstly with My Messages on eBay it may be time to ban email addresses in auctions. Many sellers will object vociferously at this, but we’re due to see enhancements to messages in the near future anyway. The dreaded “[email protected]” replyto: address is due to be replaced with smart messaging. This would allow sellers to reply to emails where the buyer withheld their email address with their email client and eBay would forward them through their servers. Once users are accustomed to using My Messages exclusively on eBay any email asking you to log in to the site would instantly stand out. Users would also regard any request to email direct with instant suspicion, although we’d hope eBay wouldn’t block the use of the “@” symbol entirely.

Another possibility is tying an eBay account permanently to a PayPal account. Currently sellers enter the email address they wish PayPal payments to be sent to individually in each auction. In theory every auction a seller lists could have a different PayPal email address for payment, although in practise you’re limited to the number of PayPal accounts and only a handful of addresses for each. Certainly removing the ability to edit the PayPal email address individually in each auction shouldn’t be irksome, in fact if users could send money to an eBay ID instead of an email address it would solve several problems, not least having to edit all your auctions if you change your email provider.

eBay have a long way to go in the fight to keep accounts secure, steps are being taken but the scammers are moving just as fast if not faster.