Saturday 24 May 2014

Cyber criminals steal eBay data

Users may receive bogus e-mails, warn experts
By Kenny Chee, The Straits Times, 23 May 2014

CUSTOMERS of auction site eBay in Singapore could be getting spam mail about prizes they have supposedly won or auction items they never bid on because of a major data breach of eBay's corporate network that the site revealed on Wednesday.

Singapore's Personal Data Protection Commission (PDPC) said people who believe their information has been stolen should lodge a report with the police to determine if an offence has been committed under the Computer Misuse and Cybersecurity Act. The commission told The Straits Times yesterday that it was "monitoring the situation closely".

Cyber criminals stole eBay customers' personal data, including names, encrypted passwords, phone numbers, e-mail addresses, home addresses and dates of birth.

eBay said on its corporate website that customers' financial or credit card details were not accessed. Account data from its online payment subsidiary PayPal were unaffected, too.

However, the company advised all customers to change their eBay passwords, which should not be the same as those for other online accounts.

It did not say exactly how many people were affected, but the firm said a large number of accounts might have been compromised, and it was "applying additional security" to protect customers.

The theft occurred between late February and early March, but eBay found out only about two weeks ago.

In the first quarter of this year, eBay had 145 million active buyers globally. In 2007, reports said the local version of eBay had over 16 million page views a month and more than 4,000 sellers.

The PDPC and Infocomm Development Authority of Singapore have not received any complaints over the eBay incident as of 6pm yesterday.

From July 2, organisations that collect, use or disclose personal data here have to comply with provisions under the Personal Data Protection Act, or face fines of up to $1 million. Provisions include having reasonable security measures to protect data.

Getting hold of even non-financial data is useful, said cybersecurity experts.

Sophos senior security adviser Paul Ducklin said e-mail addresses could be sold to spammers, so spam volume could increase slightly.

"Physical addresses and phone numbers could be useful on bogus application forms, or when trying to trick someone over the phone," said Mr Ducklin, adding that birth dates are still used by financial institutions to cross-check customer identities.

Mr Ducklin said a long and complex password - like one that has 14 characters and is well jumbled - should hold out for two months, provided measures are in place to scramble it.

Holding eBay log-in details, cybercrooks could pose as users to put in bids they could pocket, on the chance that victims reused their credentials in PayPal accounts for auction payments, said Ms Macky Cruz, the security focus lead at Trend Micro. She said eBay customers should monitor their online activities and be alert to strange transactions. Those who have trouble remembering multiple passwords for different accounts could use password managers to use one strong password to manage their accounts, added Ms Cruz.

The eBay breach comes after reports of other data breaches in recent months. In December, Standard Chartered in Singapore said 647 private banking clients' statements were stolen from a server at Fuji Xerox, which prints private bank statements for the bank. Globally, there were eight data breaches last year exposing more than 10 million identities each, a jump from one case in 2012, IT security firm Symantec said in an April report.

Aviation executive Aman Singh, 27, said he was shocked by eBay's breach. "I am apprehensive about using eBay again. If someone can hack into it, it can happen again, so I don't feel comfortable using it."

10 tips on how to protect your personal data online
By Kenny Chee, The Straits Times, 23 May 2014

Visiting a website and putting in personal details is not quite as simple and straightforward as it used to be, with cyber-criminals on the prowl to hack into website databases to steal personal particulars.

On Wednesday, eBay said that its corporate network was hacked and hackers made away with customer details such as their names, encrypted passwords, e-mail addresses, home addresses, and phone numbers. Cyber-security experts said such information, while not financial in nature, could be useful for crooks to send spam e-mails, fill up bogus applications and more.

What can consumers do to protect their personal data when they are surfing online? The Straits Times speaks to cyber-security experts for some handy tips.

1. Avoid easy-to-guess passwords

One of the cardinal sins when it comes to cyber-security is to use a weak password that is short and made up of words found in the dictionary.

Using passwords that are easy to guess is a no-go, too, because it makes it that much easier for cyber-crooks to use software to figure out consumers' passwords.

Notorious examples to avoid at all cost include: password, 123456, 111111, 123123, abc123, Admin and iloveyou.

These are among the 25 most popular passwords from 2013 compiled by security and productivity software firm SplashData.

2. Get "wacky" with passwords

Cyber-security experts advise using a complex password to secure online accounts.

To make a password strong, Sophos senior security adviser Paul Ducklin suggested using one made up of 12 to 14 characters. It should comprise letters in upper and lower case, numbers and "wacky characters", which could include symbols like %, $, ^, +, - and *.

Ms Macky Cruz, the security focus lead at Trend Micro, said consumers could string a few words from a phrase they can remember easily as a password, and then replace some characters with symbols and use letters in upper and lower case.

Passwords should also be changed on a regular basis, said Mr Eugene Teo, Symantec Singapore's senior manager for security response.

Another good practice is to use a two-factor log-in if it is available, said Mr Teo. This could involve a password and a one-time password generated by a security token.

3. One password for one account

Another bad habit among consumers is to reuse the same password for multiple accounts, said Ms Cruz.

This is problematic because a hacker can use one password to log into a variety of online accounts and pose as the victim. Things get worse if the crook accesses an online account linked to payment methods, as this means he is one step closer to stealing money from the victim.

People who have trouble remembering different passwords for different accounts might want to try out password managers, experts advised. These can use one strong password to manage several online accounts.
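The three tips above (avoid the common list, meet a length and character-mix rule, never reuse a password across accounts) can be turned into a small policy check. The code below is an added example and is not from the article or from any of the experts it quotes; the common-password set holds only the seven entries the article names (a real deployment would load a full list), the 12-character minimum is taken from the lower end of the 12-14 characters Mr Ducklin suggests, and the sample account data is constructed.

```python
import hashlib
import re
import string
from collections import defaultdict

# Constructed sample of a "most common passwords" list. The seven entries are
# the ones the article quotes from SplashData's 2013 list; a real deployment
# would load a much larger file. Comparison is case-insensitive, so "Admin"
# is stored as "admin".
COMMON_PASSWORDS = {
    "password", "123456", "111111", "123123", "abc123", "admin", "iloveyou",
}

# The "wacky characters" Mr Ducklin mentions (% $ ^ + - *) plus the rest of
# ASCII punctuation.
SYMBOLS = set(string.punctuation)

MIN_LENGTH = 12  # lower end of the 12-14 characters suggested in the article


def password_issues(pw, common=COMMON_PASSWORDS, min_length=MIN_LENGTH):
    """Return a list of policy violations for pw (an empty list means it passes)."""
    issues = []
    if len(pw) < min_length:
        issues.append(f"shorter than {min_length} characters")
    if pw.lower() in common:
        issues.append("appears on the common-password list")
    if not any(c.isupper() for c in pw):
        issues.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        issues.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        issues.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        issues.append("no symbol")
    # A single dictionary-style word with a short number (and maybe one symbol)
    # bolted on, e.g. "Welcome2014!", passes the character-mix rules but is
    # still easy to guess with a wordlist plus simple rules.
    if re.fullmatch(r"[A-Za-z]+[0-9]{1,4}[^A-Za-z0-9]?", pw):
        issues.append("looks like a single word with a number appended")
    return issues


def is_strong(pw):
    """True when pw raises no policy issue."""
    return not password_issues(pw)


def find_reused_passwords(credentials):
    """Group account names that share a password (tip 3).

    credentials maps account name -> password. Passwords are compared through
    a SHA-256 digest so the grouping never keeps plaintext around; the result
    is a list of sorted account-name lists, one per password used more than
    once.
    """
    by_digest = defaultdict(list)
    for account, pw in credentials.items():
        digest = hashlib.sha256(pw.encode("utf-8")).hexdigest()
        by_digest[digest].append(account)
    return [sorted(accounts) for accounts in by_digest.values() if len(accounts) > 1]


if __name__ == "__main__":
    for candidate in ["iloveyou", "Welcome2014!", "Tr4de^Winds+Sail9"]:
        print(candidate, "->", password_issues(candidate) or "ok")
    # Constructed example of one user's accounts, to show reuse detection.
    sample_accounts = {
        "ebay": "Tr4de^Winds+Sail9",
        "paypal": "Tr4de^Winds+Sail9",
        "webmail": "Qu13t-Harbour*Moon",
    }
    print(find_reused_passwords(sample_accounts))
```

The reuse check is the part a password manager does for its users; comparing digests rather than plaintext matters because the check may run over a stored export.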

4. Revealing your pet's name online may be risky

Perhaps more worrisome is that with access to different online accounts, a hacker can start creating a profile of the victim. The hacker's job is made infinitely easier if a victim publicly shares personal details online such as on social networking sites.

A crook could use that information to answer the security questions - such as a pet's name that a user unwittingly disclosed in a Facebook post - that online accounts ask before resetting a consumer's password.

Users who use personal information as passwords - like their birth dates or pet's names - should be wary of revealing such details online for obvious reasons.

Crooks could also use a consumer's data to craft very targeted e-mails to trick the victim into giving up more personal information.

For instance, the hacker could pose as a Facebook friend and send an e-mail to gush about seeing the victim's selfie on Instagram with a celebrity at a fan meet. The hacker might then urge the victim to check out a link to his own photos from the event.

When the victim clicks the link, he could be sent to a malicious website that automatically downloads malware onto the user's computer. This malware could then start sending the hacker a lot of sensitive information about the user, such as log-in details when he visits a banking website.

5. Information you should avoid sharing

Consumers should avoid storing or sharing credit card information on retail, commerce, or social networking websites, said Mr Teo.

They should also not provide more information than necessary when signing up for an online account. If it does not make sense for the website to ask for a piece of information, the request is probably unwarranted.

When posting online, such as on a public forum or mailing list, do not share personal details, he added, because information shared online can remain in cyberspace indefinitely.

6. How to figure out if an e-mail is bogus

Looking at an e-mail sender's name is not a good gauge of whether the mail is bogus because it can look like the real deal.

More telling is the sender's e-mail address. If it looks really strange and unrecognisable, chances are it is not legitimate. Any links and attachments in the e-mail should not be opened either.

Also, if the message in the e-mail seems very terse and uncharacteristic of a friend, the e-mail is likely to be a fake one.

7. What you should do with bogus e-mail

Such e-mails should not be replied to either, as a reply can signal to hackers that a user's e-mail address is actively checked, so they might send over more spam e-mails.

Organisations typically do not ask for consumers' log-in details, personal details or financial information in e-mails. Hackers do, however.

So, if such e-mails arrive seemingly from a bank or a retailer, they should be deleted. Consumers who are unsure should call up the organisations to check, although dialling numbers in the questionable e-mails should be avoided.

Other tell-tale signs include bad grammar and spelling mistakes in the e-mail message, urgent-sounding e-mails, and e-mails from organisations users have no prior relationship with.

8. How to tell if websites and links are legitimate

By hovering the mouse cursor over a web link without clicking it, it is possible to see its Web address. If the address comprises a string of numbers, it is likely a bogus link.

Fake sites and links sometimes have addresses that do not tally with the content or organisation stated in the e-mail. They may also contain spelling mistakes of the organisation's name.

Legitimate sites that are secure also tend to have "https" in their Web addresses instead of just "http".

Many Web browsers can also tell users if a website is legitimate. Typically, if a green padlock appears beside the Web address bar, it means the website has been verified to be run by legitimate organisations and is a secure website.

Mr Teo said some security software can also help verify if a site is a secure or malicious one, as well as determine if websites called up in search engine results are safe to visit.
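Tips 6 to 8 list indicators that can be checked mechanically: a sender address whose domain does not belong to the organisation the message claims to be from, urgent wording, links whose host is a bare IP address, links that are not "https", and hosts that misspell or merely mention a brand name. The script below is an added example, not code from the article or from the experts quoted in it. It assumes a small constructed table of organisations and the domains they really use (KNOWN_DOMAINS), a constructed urgency word list, and two constructed messages; 203.0.113.7 is an address from the range reserved for documentation. One caveat the article's padlock remark leaves out: "https" and the padlock only show that the connection is encrypted to whoever owns the address shown, so the check below judges the domain name, not just the scheme.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed mapping of organisations to the domains they actually send from
# and link to. Assumed values for this example; a deployment would keep its own.
KNOWN_DOMAINS = {
    "ebay": {"ebay.com", "ebay.com.sg"},
    "paypal": {"paypal.com"},
}

# Constructed list of phrases that mark an "urgent-sounding" message.
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "suspended")

LINK_RE = re.compile(r"https?://[^\s\"'<>]+")


def host_is_ip(host):
    """True when the host part of a link is a bare IP address."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host, org):
    """True when host is one of org's known domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS.get(org, ()))


def brands_mentioned(text):
    """Organisations whose name appears anywhere in text (case-insensitive)."""
    text = text.lower()
    return [org for org in KNOWN_DOMAINS if org in text]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-letter misspellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_indicators(url, claimed_org=None):
    """Return the tip-8 warning signs found in one link."""
    flags = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        flags.append("not https")
    if host_is_ip(host):
        flags.append("host is a bare IP address")
        return flags
    # A label one edit away from a brand name ("ebey") is a spelling lookalike.
    for label in host.split("."):
        for org in KNOWN_DOMAINS:
            if label != org and edit_distance(label, org) == 1:
                flags.append(f"'{label}' looks like a misspelling of {org}")
    # A host that mentions a brand, or a link in a message claiming to be from
    # that brand, should sit on one of the brand's real domains.
    orgs_to_check = set(brands_mentioned(host))
    if claimed_org in KNOWN_DOMAINS:
        orgs_to_check.add(claimed_org)
    for org in sorted(orgs_to_check):
        if not domain_matches(host, org):
            flags.append(f"link is not on a known {org} domain")
    return flags


def email_indicators(raw_message):
    """Apply the tip-6/7/8 checks to a single-part text e-mail."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    findings = []
    # The organisation the message presents itself as: display name first,
    # then the body (tip 6 says the display name alone proves nothing).
    claimed = (brands_mentioned(display_name) or brands_mentioned(body) or [None])[0]
    if claimed and not domain_matches(sender_domain, claimed):
        findings.append(f"presents itself as {claimed} but sender address domain is {sender_domain}")
    urgent = [w for w in URGENCY_WORDS if w in text]
    if urgent:
        findings.append("urgent wording: " + ", ".join(urgent))
    for url in LINK_RE.findall(body):
        findings.extend(f"{url}: {flag}" for flag in link_indicators(url, claimed))
    return {"claimed_org": claimed, "sender": address, "findings": findings}


# Constructed sample messages for the example; neither is a real e-mail.
SAMPLE_PHISH = """\
From: eBay Customer Care <security-team@ebay-account-verify.net>
To: someone@example.com
Subject: Your account will be suspended
Content-Type: text/plain; charset=utf-8

Dear customer, unusual activity was detected. Verify your identity immediately
at http://203.0.113.7/ebay/login or at https://signin.ebey.com/update
or your account will be suspended within 24 hours.
"""

SAMPLE_LEGIT = """\
From: eBay <announcements@ebay.com>
To: someone@example.com
Subject: Please change your password
Content-Type: text/plain; charset=utf-8

Following the incident disclosed this week we ask all members to choose a
new password at https://signin.ebay.com.sg/ at their convenience.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        result = email_indicators(sample)
        print(result["sender"], "->", result["findings"] or "no indicators")
```

The checks only raise indicators; as the article's tip 7 says, the safe response to a flagged message is to contact the organisation through a number or address obtained elsewhere, not through anything in the message itself.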

9. What to do when a website is hacked

If, like in eBay's case, a consumer learns that a website he has an account with has been hacked and personal data could have been stolen, he should change his passwords as soon as possible.

The password should be complex and also not be the same one used for other online accounts.

Ms Cruz advised affected consumers to keep a close watch on their online activities and look out for any strange transactions online or in their bank accounts and credit card statements.

10. Closing an account may not mean end of story

After a data theft incident, some concerned users might close their accounts to limit the risks from hackers taking over their digital lives.

However, it does not necessarily mean the information associated with the compromised account is safe. The data could still be stored somewhere.

Mr Teo said one consideration for users is whether their information on a website is encrypted from one end to another, and stored securely.

Users will have to do their due diligence to check that a website they want to sign up with is trustworthy. They could check out website policies and look at the site's past history to determine if past data breaches or security issues have been reported before, said Mr Teo.
