ABA Bell Talk Forums, Bell Stuff: Do you buy bells on eBay? Read this!

  • #12301
    Carolyn Whitlock

      If you’re an eBay user like me, you’ll have seen the news about their recent data breach in which users’ names, email addresses, physical addresses, phone numbers, date of birth, and encrypted passwords were taken. As part of my day job, I have been involved in sharing information about this incident, and thought I would share some of my thoughts here.

      From the information publicly shared by eBay, it appears that the data breach involved securely encrypted passwords, which makes it more difficult to gain access to users’ eBay accounts en masse, as it will require brute force decryption (i.e. high-speed guessing) to determine the specific characters in an individual’s password. If you use a simple and/or a short password, the chances of them guessing your password quickly are much higher, and if you re-use that simple password on other sites, your risk goes up greatly. Remember, once the attackers have your email address and at least one of your simple passwords, they can start trying that combination on other sites to see if they get lucky.

      The fact that user email addresses, physical addresses, and dates of birth were taken in the breach is more concerning. Criminals could use your personal information to masquerade as eBay customers on other sites, or perhaps use knowledge of that data to ‘social engineer’ their way into users’ other accounts on other services. Unlike the passwords themselves, the other user-specific information was not encrypted and therefore could be easily reused by attackers.

      eBay will ask you to reset your password – do it, even though it appears they will make this optional. Furthermore, use a complex password – I suggest that you use a product like 1Password or LastPass to help you manage passwords online (I use 1Password, personally). These products can help you create a strong password by suggesting and saving a highly complex password. Of course, you should also make certain you are not using your eBay password on any other sites.

      Many eBay users also have their accounts connected to PayPal for payments (PayPal is owned by eBay, but their statements indicate that PayPal was in no way involved in the data breach). For additional security, I recommend you make use of PayPal’s optional feature which uses 2-factor authentication to verify the user’s identity prior to making a payment (you can find more information on PayPal’s site). Given that PayPal is linked directly to your bank accounts, this is a best practice even if there had not been a data breach at eBay – I have been using this multi-factor approach for a couple of years and it adds an extra step in the buying process, but provides a great deal more security.

      Finally, eBay users have long been a popular target for phishing emails, and users must be especially wary during incidents like this. To be safe, do not click on links in emails about eBay security or password changes; instead, type the eBay URL directly into your browser and log into the site that way to prevent disclosing your credentials to spoofed, malicious copies of the eBay site.

    • #17573

      Absolutely correct, Carolyn!

      This is double especially true as eBay also owns PayPal and many people have tied the two together so that they don’t have extra steps when paying. That means they can send themselves money from your credit card! And you won’t be able to prove it wasn’t you!

      One thing I always tell my clients, especially in the case of money sites, is to use TWO-FACTOR authentication. A couple of them to consider are yubico.com and phonefactor (which was just acquired by Microsoft).

      That way the bad guys not only have to get the password, but also have to get a physical thing from you too.
      Very hard!

    • #17574

      The message I received from eBay suggested logging out when not actually using the site. By remaining logged in, supposedly, you allow an open channel to your login information and password. I don’t know, but it's easy enough to log out and be sure.
