…one man's contribution to the Weeeeerly Wild World
Many people are users of Ebay, and many people will have heard about the ‘recent’ cyber attack on the service’s database and the subsequent request to change passwords. Here’s part of the e-mail I just received from Ebay:
This attack occurred between late February and early March and resulted in unauthorized access to a database of eBay users that includes customers’ name, encrypted password, email address, physical address, phone number and date of birth.
However, the file did not contain financial information.
I’m not so concerned about the time delay – facts and firm advice need to be given regarding these things and knee-jerk reactions and avdice changing as new information surfaces does not help. However there are lines to be read between:
#1 only passwords were/are encrypted within the database. Why?
#2 names, physical addresses, phone numbers and dates of birth may not be deemed to be financial information, but they are very relevant and can be “as good as” when it comes to financial information, and more worryingly (see #1) identity theft/fraud.
Changing our passwords every time we have cause to be concerned about their potential misuse is pretty straightforward, but we can’t change other information quite so easily (if at all). So why encrypt the former but not the latter?
Of course, the naive among us are lead to believe encryption = impenetrable, which isn’t true (encryption means there is a key, and there are times when the encrypted information is decrypted, for example).
Of course many people may know our date of birth, friends, family members, indeed some professional advice I have heard is to give out bogus dates of birth to non-important websites that request it for account creation purposes, but surely we’re potentially committing a crime at worst, or digging ourselves into a future hole at best, if we use fraudulent/knowingly give false information to a financial service/bank which is what PayPal is (and Ebay = PayPal, so the details surely have to match).
Another concern, we, the naive amongst us should know, is that knowing your data of birth and e-mail address may be all someone needs in order to gain access to your e-mail account – click the “Forgot my password”/”I cannot access my account” link the next time you check your e-mails via webmail to see what questions you get asked. And once access to your e-mail account has been achieved one can then click the “Forgot my password” link on Ebay or PayPal to have a password reset link e-mailed to that e-mail address.
Even accounts that increasingly like to phone you or text you a code when you have account access issues aren’t totally safe, of course – Ebay’s database may have released enough information to allow someone to compromise that area too.
Of course not everyone’s accounts are so straightforward, but we should not be lead to believe everything is fine as long as we change our password – our internet, the services we use may be relying on a house of cards that could come toppling down at any moment.
Perhaps the database was compromised and some people have smug looks on their faces regarding their achievement and nothing more will happen. Perhaps the database will be “sold on the black market” (whatever that means). Who knows? Until such a time, we’ll just have to enjoy using these services while we can.