09-05-2007, 08:03 PM
#61
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Oct 2006
Posts: 7,732
Quote:
Originally Posted by ERD50
Question - do you think this was the result of a phishing scam? Maybe you don't remember, but did you go to a (fake) eBay account directly from a phishing email?
If not, that means the hackers have found other ways in, and then I am worried.
-ERD50
The short answer is I am not sure. The longer answer is I did have a talk with Ebay about how they got my password, and the security folks at Ebay were pretty noncommittal about it.
In the preceding several months I had been solicited with Ebay phishing schemes. I dutifully passed them on to Ebay. I am not a big Ebay or PayPal user, a couple of times a year. So any request to do anything on Ebay or PayPal would have been viewed by me with skepticism. So I rather doubt it.
I suspect that the most likely way is that I had been sloppy about using a generic password, so possibly any website I had registered with would have a good chance of guessing my username and password. I have since made a point of not using my generic password for any site where money is involved.
09-05-2007, 09:30 PM
#62
Thinks s/he gets paid by the post
Join Date: Apr 2007
Posts: 1,179
Step 1 is to make a good password.
Longer than 8 characters.
Letters and numbers, maybe special characters if allowed, mixed case.
One nice suggestion I read recently is to make a sentence that you can remember and then use the first letter of each word to make the password. That way it can be long yet remembered.
Different password for each site. Write them down and lock it up in case you forget.
That e-bay security key sounds good - too bad they have the gall to charge for it, but probably worth getting.
09-06-2007, 02:42 AM
#63
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Feb 2007
Posts: 5,072
Quote:
Originally Posted by joesxm
Step 1 is to make a good password.
Longer than 8 characters.
Letters and numbers, maybe special characters if allowed, mixed case.
One nice suggestion I read recently is to make a sentence that you can remember and then use the first letter of each word to make the password. That way it can be long yet remembered.
Different password for each site. Write them down and lock it up in case you forget.
That e-bay security key sounds good - too bad they have the gall to charge for it, but probably worth getting.
Step 2. Change the passwords on a regular basis. (perhaps quarterly).
09-06-2007, 03:37 AM
#64
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Feb 2007
Posts: 5,072
Quote:
Originally Posted by ERD50
Question - do you think this was the result of a phishing scam? Maybe you don't remember, but did you go to a (fake) eBay account directly from a phishing email?
If not, that means the hackers have found other ways in, and then I am worried.
-ERD50
According to the article, the recent compromise used brute-force to collect IDs and PWs. If that technique was used, it may indicate that a common security best practice is not in place. The practice being "inactivate an account after several (small number) unsuccessful attempts to login". Brute force often takes a bunch of tests. The login id for ebay is readily available... it is everyone's screen handle. A more secure approach would be to not make the login id public. Keep the login id private and have people key in a different handle.
There are many, many ways to exploit a weakness and compromise a site. There are loads of cracks in the way sites are designed and the supporting pieces of the system. The cracks often extend to the basic business processes (employees and their procedures).
You (as a customer) can do everything right and some other weak link in the chain can be compromised.
When it comes to the internet... Security was an afterthought! Holes will continue to be chased for years to come. And the thieves are getting more sophisticated. No longer is the problem a lone nerd reveling over his accomplishment of just breaking into a site and defacing it. Now we face organized crime rings.
If I were using ebay or paypal, I would get the two-factor device (even if I had to pay for it). Consider it a cost of doing business with that platform.
If any of my financial institutions offer two-factor devices, and I use the online service, I will get it.
One basic way to protect oneself (related to internet accounts) is to close unused (or little used) accounts. Personally I limit who I do business with over the internet. For me, ebay is a novelty not a necessity.
09-06-2007, 11:03 AM
#65
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: May 2006
Location: west coast, hi there!
Posts: 8,716
From what I understand, Vanguard will not let the user try more than about 3 attempts before deactivation. If trying from a computer outside the home I think that they ask additional questions that the user has preselected, such as what city you were married in. If other companies aren't using at least this sort of system, it makes you wonder why.
I agree that easy passwords should only be used for non-financial, non-sensitive accounts like a web forum. Personally, if your password is robust I don't see the need to consistently change it on a regular basis -- give me a convincing argument if you think this is wrong.
Les
P.S. Just downloaded AVG's rootkit tool. It runs quite quickly on my XP system and I'll just run it every month or so I guess.
09-06-2007, 11:26 AM
#66
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Sep 2005
Location: Northern IL
Posts: 26,503
Quote:
Originally Posted by chinaco
The practice being "inactivate an account after several (small number) unsuccessful attempts to login". Brute force often takes a bunch of tests. The login id for ebay is readily available... it is everyone's screen handle. A more secure approach would be to not make the login id public. Keep the login id private and have people key in a different handle.
You make some good points. Having a separate user name from what is displayed is good, but really no better than requiring a longer password.
X character hidden login ID plus Y character password = public login ID and an (X+Y) length password. No difference.
But that public login id does give the scammers a limited number of accounts to try to crack, which makes weak passwords all that more vulnerable - I think I'm going to go back and make sure I have a very strong password on ebay/paypal.
Brute force and a limit at three attempts: I suspect that their robots would just make three attempts, note it, and move on to the next account. Come back to the first after they cycle through all of them, maybe a day later. They don't need to keep going until they find YOUR password, they just need to keep going till they find ANY password. Then start again.
Like lsbcal notes, some of my financial sites are leaving cookies on my computer, and when I try to log on from a different computer it sees that I don't have the cookie from the latest log on, and starts asking the security questions. Maybe the viruses can get into the cookie jar, though I would assume this is encoded?
-ERD50
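ERD50's point above, that a bot making at most three tries per account and cycling through many accounts never trips a per-account lockout, is the pattern defenders call password spraying. The following Python is an added example (not code from the thread) showing how a per-source sliding-window count over constructed auth log lines catches it; the log format, addresses, account names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log: "<ISO timestamp> <source IP> <account> <result>".
# Format, addresses and names are assumptions for this example, not real data.
SAMPLE_LOG = """\
2007-09-06T02:00:01 198.51.100.7 alice FAIL
2007-09-06T02:00:02 198.51.100.7 alice FAIL
2007-09-06T02:00:03 198.51.100.7 bob FAIL
2007-09-06T02:00:04 198.51.100.7 bob FAIL
2007-09-06T02:00:05 198.51.100.7 carol FAIL
2007-09-06T02:00:06 198.51.100.7 carol FAIL
2007-09-06T02:00:07 198.51.100.7 dave FAIL
2007-09-06T02:00:08 198.51.100.7 dave OK
2007-09-06T02:05:00 203.0.113.9 alice FAIL
2007-09-06T02:05:30 203.0.113.9 alice OK
"""

LOCKOUT_THRESHOLD = 3      # assumed per-account lockout (like the Vanguard example)
MIN_DISTINCT_ACCOUNTS = 3  # assumed: failures against this many accounts from one source
WINDOW_SECONDS = 600       # assumed sliding window length

def parse_line(line):
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result

def find_spraying(log_text):
    """Map each suspicious source IP to the accounts it failed against and its
    highest per-account failure count within one window. A per-account lockout
    never fires here because every count stays below LOCKOUT_THRESHOLD."""
    fails_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, account, result = parse_line(line)
        if result == "FAIL":
            fails_by_ip[ip].append((ts, account))
    suspects = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # advance the window start so it spans at most WINDOW_SECONDS
            while (fails[end][0] - fails[start][0]).total_seconds() > WINDOW_SECONDS:
                start += 1
            counts = defaultdict(int)
            for _, account in fails[start:end + 1]:
                counts[account] += 1
            if len(counts) >= MIN_DISTINCT_ACCOUNTS:
                suspects[ip] = {"accounts": sorted(counts),
                                "max_per_account": max(counts.values())}
    return suspects
```

The source 198.51.100.7 is flagged for spreading failures across four accounts while never exceeding two tries on any of them, which is exactly what a per-account counter alone would miss.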
09-07-2007, 03:42 AM
#67
Recycles dryer sheets
Join Date: Apr 2005
Posts: 415
Quote:
Originally Posted by TexasGal
ERD50,
It is fairly obvious the bad guys have it in for PayPal so I think PayPal is responsible to offer me another layer of security free if they want me to continue doing business with them.
I can understand your feelings from a user perspective; however, this is a topic that I have been deeply involved with for my MegaCorp. In that role, I can tell you that the cost to implement and operate that two-factor key is significantly higher than the PayPal charge of $5 per user. Matter of fact, from the costs that I have been looking at to implement a bare-bones similar implementation, I would question if their CFO had knowledge of their providing a service like that for such a low price. I believe that the charge is primarily to cover the cost of shipping and handling, which as we know for a commercial account is not free.
Personally, as soon as I was able to purchase the token from PayPal, I placed my order, and thought it a bargain.
IMHO.
__________________
Men's ability to see the future is limited by their horizons of today!
Unknown!
An example of poor practice from a legitimate business
09-07-2007, 10:07 AM
#68
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Sep 2005
Location: Northern IL
Posts: 26,503
I got an email from my CC company today. I am 99% sure this is legit, but have not checked yet. I'm going to post a portion of it here (with links and ID removed for safety - but in blue font):
Quote:
If you are concerned about the authenticity of this message, please click here or call the phone number on the back of your credit card and reference the <snip> If you would like to learn more about e-mail security or want to report a suspicious e-mail, click here
Note: If you are concerned about clicking links in this e-mail, the <snip> services mentioned above can be accessed by typing www.<snip>.com directly into your browser.
This is really stupid. They are conditioning people to click links in an email they get. Just because it has the company name does not mean it is legit. You should ASSUME it is fake, and follow their second suggestion - go to the site directly. They should not even spell out the URL in the email; they should do like they did with the phone #: 'call the number on your card or statement'.
There should not be an "IF" about it - DO NOT CLICK from an email!
Stupid, stupid, stupid. - ERD50
09-08-2007, 09:33 AM
#69
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Feb 2007
Posts: 5,072
Quote:
Originally Posted by ERD50
... Having a separate user name from what is displayed is good, but really no better than requiring a longer password.
X character hidden login ID plus Y character password = public login ID and an (X+Y) length password. No difference.
I follow your logic, but you missed something...
The max length of X and Y together is always greater than the max length of Y.
Knowing the ids enables the hacker (i.e., software) to focus the attack on valid accounts.
09-08-2007, 01:18 PM
#70
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Sep 2005
Location: Northern IL
Posts: 26,503
Quote:
Originally Posted by chinaco
I follow your logic, but you missed something...
The max length of X and Y together is always greater than the max length of Y.
Knowing the ids enables the hacker (i.e., software) to focus the attack on valid accounts.
Yes, implied (but not stated) was that the new 'Y' password used would be as many characters as the old login ID plus the old password.
Weak passwords are bad. I need to put a few of mine on an exercise plan
-ERD50
09-08-2007, 03:03 PM
#71
Give me a museum and I'll fill it. (Picasso) Give me a forum ...
Join Date: Feb 2005
Location: Central MS/Orange Beach, AL
Posts: 9,017
Quote:
Originally Posted by lsbcal
From what I understand, Vanguard will not let the user try more than about 3 attempts before deactivation. If trying from a computer outside the home I think that they ask additional questions that the user has preselected, such as what city you were married in. If other companies aren't using at least this sort of system, it makes you wonder why.
Fidelity does this as well. I actually had someone try to hack into my Fidelity account a few months ago. They informed me of this and closed all my accounts and established new ones. I established new passwords and user names too.
I was on the last leg of my old computer so I got a new one at the same time all this occurred. I had a virus I couldn't get rid of so I dumped it. Just didn't trust it anymore. I make sure I get anti-virus updates and run scans frequently now.
Just got through changing all user names and passwords with all financial institutions I use. Just can't be too careful anymore.
__________________
Retired 3/31/2007@52
Investing style: Full time wuss.