eBay under attack from hackers


There have been a number of stories in the press regarding Aladdin Software’s discovery of a botnet which is attempting to guess eBay user names and passwords. A “bot” is a compromised computer which a hacker can use to hide their real identity, so that any attack appears to come from the compromised computer. A “botnet” is an automated tool distributed across hundreds of compromised computers to attack websites. This botnet is using the eBay API (Application Program Interface, for third party applications to talk to eBay) and sending user name and password pairs to see if they work.
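Because the guesses are spread across many compromised machines, a limit on failures per source address sees very little; the defender has to aggregate failed sign-ins across sources. The sketch below is an added example, not code from eBay, Aladdin or the original article: the record layout `(ts, ip, user, ok)`, the thresholds and the sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict

WINDOW_S = 600            # assumed bucket size (10 minutes)
IPS_PER_ACCOUNT = 5       # assumed: distinct failing sources that flag an account
ACCOUNTS_PER_IP = 5       # assumed: distinct accounts one source may fail against

def detect(events):
    """events: list of (ts, ip, user, ok). Returns (targeted, noisy_ips, suspect_logins)."""
    ips_by_account = defaultdict(set)   # (bucket, user) -> sources that failed
    accounts_by_ip = defaultdict(set)   # (bucket, ip) -> accounts it failed against
    for ts, ip, user, ok in events:
        if not ok:
            ips_by_account[(ts // WINDOW_S, user)].add(ip)
            accounts_by_ip[(ts // WINDOW_S, ip)].add(user)
    targeted = {u for (_, u), ips in ips_by_account.items() if len(ips) >= IPS_PER_ACCOUNT}
    noisy_ips = {ip for (_, ip), us in accounts_by_ip.items() if len(us) >= ACCOUNTS_PER_IP}
    # Every source that failed against a targeted account is treated as part of the campaign.
    campaign_ips = set(noisy_ips)
    for (_, u), ips in ips_by_account.items():
        if u in targeted:
            campaign_ips |= ips
    # A success from a campaign source means a guess worked: candidate account takeover.
    suspect_logins = {(u, ip) for _, ip, u, ok in events if ok and ip in campaign_ips}
    return targeted, noisy_ips, suspect_logins

def constructed_log():
    """Constructed sample data, not real traffic (documentation IP ranges)."""
    log = []
    # 30 bots, one guess each against two accounts: every bot stays under the per-IP limit.
    for i in range(30):
        ip = f"203.0.113.{i + 1}"
        log.append((10 * i, ip, "seller_a", False))
        log.append((10 * i + 1, ip, "seller_b", i == 29))   # the last guess succeeds
    # One host failing against many accounts: caught by the per-IP rule.
    for i in range(8):
        log.append((100 + i, "198.51.100.7", f"user{i}", False))
    # A real user mistyping twice, then signing in: must not be flagged.
    log += [(200, "192.0.2.10", "buyer_c", False), (205, "192.0.2.10", "buyer_c", False),
            (210, "192.0.2.10", "buyer_c", True)]
    return log

if __name__ == "__main__":
    targeted, noisy_ips, suspect_logins = detect(constructed_log())
    print("accounts under distributed guessing:", sorted(targeted))
    print("single sources guessing widely:", sorted(noisy_ips))
    print("successful sign-ins from campaign sources:", sorted(suspect_logins))
```

The per-account rule is what catches the distributed case: each bot in the sample fails against at most two accounts, yet both accounts are flagged, and the one successful sign-in from a campaign source is surfaced for review.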

Aladdin is reporting this incident as if it was a new phenomenon, and many other sites are repeating the story. eBay told TameBay:

“Brute forcing” has been built into bots for years; it is not a new practice. It’s a technique we are well aware of and eBay has many systems in place to detect this type of activity. Our systems detect brute force as well as cross site scripts, and actively monitor for account irregularities such as the ones described in the PC World article.

We find it very concerning that “security firms” like Aladdin describe well-known techniques used by bots and other identity-theft-tools as “new” or “first of its kind.” eBay has been protecting its site from attacks like this for the past several years and works with a wide variety of leaders in the anti-virus software industry to share information and best practices.”

eBay also mask all sensitive financial information, so if a user’s computer and their sign in credentials used on eBay are compromised through whatever means, their sensitive financial data is still protected, reducing the possibility of ID theft.

The long awaited PayPal security key (which is available in the US) would go a long way towards addressing account takeovers and leave attacks such as the current one useless. Even one-time passwords from a security key are not the complete solution; it’s an ongoing battle that neither side can conclusively win. As companies like eBay put new defences in place, hackers work to circumvent them.

As always, it’s the users themselves that can do most to protect their accounts: strong passwords using upper and lower case letters and numbers go a long way towards making passwords impossible to guess with a brute force attack. eBay have advice on how to choose a secure password that’s memorable, as well as some tips on what type of passwords to avoid.
