eBay, the World’s Online Marketplace for Stolen Identities: 145M Accounts Compromised
MAY 27, 2014 01:33 AM

Yet another compromise of millions of consumer records has been disclosed, in this case by eBay.

A summary of the facts provided so far by the company, along with some parenthetical comments and observations from me:

• A “small number of employee login credentials” were compromised, allowing unauthorized access to eBay’s corporate network

Presumably by “login credentials” we’re talking about passwords yet again … when will we ever accept that passwords are not secure, not convenient, and not really less expensive than stronger authentication?

And the “small number” detail is just so much corporate spin doctoring … it takes only one compromised account to initiate the attack lifecycle. See my blog called Incident Response Communications: Report Card for what makes a good communication – I’ll apply the report card framework to the eBay breach after it plays out a little longer.

• The attack occurred between late February and early March … was discovered “earlier in May” … and was disclosed publicly on May 21

This is a great illustration of why leading organizations are augmenting traditional security strategies, which are oriented primarily around protection, with capabilities for rapid detection and response.

• The database that was compromised included customer names, passwords (encrypted), email addresses, physical addresses, phone numbers, and date of birth – affecting up to 145 million eBay users

At least the passwords were encrypted … see my blog on Salt With Your Hash = Better for You (Your Passwords, That Is). Point eBay.
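An added worked example, written for this page rather than taken from the post or from eBay: salted, deliberately slow password hashing next to the unsalted fast hash it replaces, with the same small dictionary attack run against both so the difference shows up as work done. The post says only that the stored passwords were “encrypted”; the algorithm (PBKDF2-HMAC-SHA256), iteration count, salt size and record format below are assumptions, and the user names, passwords and wordlist are constructed.

```python
"""Salted, slow password hashing beside the unsalted fast hash it replaces.

Added illustration; nothing here is eBay's scheme. The post only says the
stored passwords were "encrypted" and does not name an algorithm.
"""
import hashlib
import hmac
import os
from functools import lru_cache

# Assumed parameters for this example (not anything eBay disclosed).
SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000      # work factor: each guess costs real CPU time
SALT_BYTES = 16           # fresh random salt per stored record


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iterations; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast hash, no salt, so equal passwords collide across users."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(store: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Hash each candidate once, then look up every user's digest in that table.
    Returns (recovered passwords, number of hash computations): cost is the size of
    the wordlist regardless of how many users are in the dump."""
    table = {unsalted_sha256(w): w for w in wordlist}
    recovered = {user: table[d] for user, d in store.items() if d in table}
    return recovered, len(wordlist)


def crack_salted(store: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """No shared table is possible: every guess is re-derived per user with that
    user's own salt, at the full iteration count each time."""
    recovered: dict[str, str] = {}
    work = 0
    for user, record in store.items():
        for word in wordlist:
            work += 1
            if verify_password(word, record):
                recovered[user] = word
                break
    return recovered, work


@lru_cache(maxsize=None)
def demo() -> dict:
    """Constructed sample: two users who chose the same weak password."""
    users = {"alice": "Password1", "bob": "Password1"}
    wordlist = ["letmein", "Password1", "qwerty"]   # constructed attacker dictionary
    weak_store = {u: unsalted_sha256(p) for u, p in users.items()}
    strong_store = {u: hash_password(p) for u, p in users.items()}
    weak_found, weak_work = crack_unsalted(weak_store, wordlist)
    strong_found, strong_work = crack_salted(strong_store, wordlist)
    return {
        # unsalted: identical passwords give identical digests, salted: they do not
        "same_digest_unsalted": weak_store["alice"] == weak_store["bob"],
        "same_digest_salted": strong_store["alice"].split("$")[3] == strong_store["bob"].split("$")[3],
        "weak_work": weak_work,       # 3: one fast hash per word, shared across users
        "strong_work": strong_work,   # 4: two slow derivations per user before the hit
        "verify_ok": verify_password("Password1", strong_store["alice"]),
        "verify_bad": verify_password("password1", strong_store["alice"]),
        "both_recovered": weak_found == strong_found == users,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both attacks recover the weak password; salting does not rescue a password that is in the attacker’s dictionary. What it buys is that the work scales with users times guesses rather than guesses alone, and each guess is slow, which is why the post’s advice to pick a good, unique password still stands even when the operator hashes well.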

Most of the reporting about the breach to date has been all about passwords: changing your passwords … what makes up a good password … examples of bad passwords. And this is a good idea. If we have to use passwords, we should use good passwords; we should be changing our passwords regularly; and we shouldn’t be using the same password on multiple sites.

But the focus on passwords is missing the bigger and more important point – which is that the other personal information that has been compromised can be used to open phony accounts and run up fraudulent charges, on a massively large scale. See my three-part blog series on The Asymmetry of Information Security for insight into the underground market value of stolen credentials, and the sophisticated, highly repeatable “make up, pump up, run up” schemes that generate hundreds of millions of dollars of fraud on the backs of stolen credentials and personal information.

Change your eBay passwords? Yes, of course. But 145 million eBay users now also have the displeasure of waiting for the other shoe to drop – and recovering from identity theft will be a lot more inconvenient and a lot more costly than having to reset a password.

In my view, that’s …

• Going (for use of passwords for corporate employees)

• Going (for lack of capabilities for rapid detection and incident response)

• and Gone (for focusing on password resets, but not addressing the massive identity theft problem they just created)

… and 145M users have just been sold out by eBay on this issue.
