The usual way of preventing a dictionary attack is for a Web site to lock an account after there have been several incorrect password entries. Typically, Web sites require customers whose accounts are locked to call their customer service departments and verify their right to access the account by giving information such as their social security number or mother's maiden name. While eBay is exploring the possibility of locking accounts after repeated failed log-in attempts, it doesn't do so currently, Pursglove said. EBay is worried that unscrupulous bidders might try to sabotage their competitors by locking out their accounts or that legitimate users may find themselves unable to log in after an attempted dictionary attack, he said. "It's one of the proposals that we're considering," he said. "We're trying to figure out a way that we can adopt it without disclosing how the process works." In the meantime, the company is recommending that customers check their accounts frequently and change their passwords to ones that are more difficult to guess. The company is also recommending that bidders check sellers' selling history to look for anything anomalous such as a sudden upswing in listings. Jarrett, an information technology consultant, said he was probably too lax about his passwords, using ones that were too easy to guess. But he said that eBay needs to do a better job of protecting accounts. "I find this vulnerability to be unacceptable," he said. "As a paying customer, I have the expectation that my information will be held securely." EBay's reluctance to put in place a lockout system may have more to do with it wanting to save money on customer service than anything else, said Rosalinda Baldwin, editor of The Auction Guild, a newsletter covering the online auction industry. If the company put in place a lockout system, it would have to provide people with instant customer support over the telephone so they could unlock their accounts. Currently, eBay doesn't list a customer support phone number on its site, instead directing all inquiries to email or to lists of frequently asked questions. Locking out accounts "would make sense," Baldwin said. "But they would have to hire some people to man a phone 24-7. That's not what they want to use our dollars for." That eBay is not taking a more active role in protecting customer accounts by implementing a lockout system indicates that the company is putting business concerns ahead of security concerns, said Richard Power, editorial director of the Computer Security Institute. The problem is that e-commerce has never fully dealt with security issues, and those issues are likely to become more acute in the near future, Power said. Criminal gangs and organised crime, for instance, are only now getting up to speed on the Internet and could prove a tough challenge to vulnerable e-commerce sites, he said. "I think eBay's foolish," Power said. "The thing that holds back people from buying on the Internet more than anything is insecurity."
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.
Talkback
Hey,
I was suckered into a laptop deal for $1250 through what appeared to be a reputable ebay account. He posted the auction, it was then canceled. I contacted him outside of it and agreed to a price. I sent him the money through western union under my name as the receiver so he couldn't touch the money until I got the package and changed the receivers name. He got a fake id under my name and stole the money. The thing is, the ebay name he posed under is extremely reputable and I believe it was hacked into like this article describes. I have no where to turn to. I am only 18 and have lost what I worked for the entire summer. ($1250). Please let me know if you know of anyone I can contact for a lawsuit or anyway I can get my money back. Waiting eagerly,
Jason
Mr. Pursglove has simply mastered the art of deception. In my personal experience and others I have found that about 5% of all auctions end in some sort of fraud, whether it comes to getting stiffed completely, or getting defrauded by misleading ads, or counterfeit goods. Mr Pursglove is just confirming that ebay does not INVESTIGATE but 1/100 of 1% of their fraud reports. He speaks the truth, while conveying a LIE. I was recently banned from ebay for contacting bidders on fraudulent auctions, and posting facts on my ebay "about me" page which ebay censored. Ebay simply does not investigate fraud, then reports this fact. Too bad ebay has such a monopoly on online auctions. I think the government should make ebay answer up. The big fraud seems to be this cover up Mr Purseglove.
You can go to the following address and file a report:
http://www.ifccfbi.gov/complaint/
I was a victim yesterday when I learned someone has listed a laptop for sale ($950.00)
using my account information. My ebay account was suspended, between yesterday and today, I am still trying to regain my account.
I've just been suspended from ebay because someone unauthorized has tried to use my account. It's good that ebay recognizes this, and close the account for the hacker. But what I don't understand is, why can't ebay let me get back into my account, change my password and continue with my business? I am losing lots of money from sales! If a hacker can get in to my account, how come they wont let ME get back in to my account faster, I mean, I can PROVE to them that I am ME!
She isn't the only one. It just happened to my family and I.The hackers sent a fraudulent email from eBay, and now they have my SSN, Bank numbers and so much more. It is becoming dangerous to even put anything online these days. It's horrible how people can take over someone's life just by a single email. If you would like more of this story please feel free to email me. I would be glad to tell you.
HAHA FUNNY