An angry letter to eBay: 5 questions it must answer about its security breach
Rik Ferguson, global VP security research at Trend Micro, has five questions for eBay following its data breach
Those making a list of high profile data breaches now have a new name to add to that list: eBay.
In a posting on its website, eBay clarified to some extent the scale of the breach, although even the headline seems incapable of telling it like it is.
‘The database,’ the company wrote, ‘which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth.’
Although investigations are of course still ongoing, the current posting indicates that eBay is relatively sure that unauthorised access was only to one database, or certainly the wording of the article presents that view.
For now, eBay users need to change their password, and if they used that password on any other website, they’re going to need to change it there too (yes, again).
Unfortunately, changing your name or address is not so easy – they’ll have to stay compromised, I’m afraid.
Some questions for you, eBay (yes, I’m angry – this is MY data which I entrusted to you).
1. If all this sensitive data was stored in one single database, why was it not encrypted?
In fact, why would it not be encrypted even across multiple databases? I note with chagrin that ‘all PayPal financial information is encrypted’. Are you still running a two-tier system?
2. If you’re going to tell me that it was encrypted, but the attacker got access to stolen database credentials, why was there no two-factor authentication to access these crown jewels?
3. Why did it only take compromised credentials to gain access to the corporate network?
Again, where’s the multi-factor?
4. Why has it taken an organisation with the resources of eBay three months to notice that data was being accessed inappropriately, not to mention exfiltrated?
And where are the breach detection systems?
5. How was my password ‘encrypted’?
I want details. I want to know which algorithm and how you salted it. I want to know the realistic chances of my password being brute-forced, so I can make an educated assessment of my level of exposure and offer practical advice to others.
And a bonus question for extra points: How were the initial accounts compromised and what are you going to do to make sure this doesn’t happen again?
Effective security is no longer about designing architecture with the aim of keeping the attacker out permanently; that’s a pipe dream. If they want to get in, they will get in.
Effective security is about accepting the reality of compromise; putting systems and processes in place that mean you discover and react in a timely fashion and, crucially, that you will make it extremely difficult for the attacker to leave with what they came for. How did you score?
You write at the end of your press statement, ‘The same password should never be used across multiple sites or accounts’. I agree. I’m going to end my ‘statement’ with this: sensitive data, especially that which you hold in trust, should always be encrypted – no exceptions.
Oh, and if your email, when you send it, offers me a link to click to go and change my password, you’re off my Christmas list – for good.