How the Once Impregnable eBay Fell Victim to Hackers (And You Can Too)
Two months ago, hackers made off with security secrets at eBay that let criminals break into company servers and steal valuable customer information.
The full extent of the breach is unknown. So far, eBay has told its 148 million customers that they must reset their passwords, and that the breach does not appear to have involved any financial information. The breach is, however, just the latest front in the hacker war on consumer-facing companies.
Here's the skinny: Cybercriminals are getting much more sophisticated, the number of attacks keeps escalating, and that means as a small business owner you must be extra vigilant. The nature of these attacks keeps evolving, and you're in their crosshairs.
An Insider's View
But don't take it from me. I asked Liron Damri, chief operations officer of security company Forter, for details. Damri and his three co-founders spent about five years working on security technology at PayPal, from 2008 until last year, when they started Forter, a Tel Aviv-based security company.
First things first: PayPal is eBay's payments subsidiary, and it has its own security provisions. The attack affected eBay only, an eBay spokeswoman said.
Regardless, eBay and PayPal security are state of the art, Damri says, or at least they were before the attack. Among the things that eBay and PayPal do is separate and encrypt customer data, so payment data is never stored together with customer names or other identifying information. That means hackers breaking into the system would have a hard time putting the various pieces of information together.
eBay said as much on its website on May 21:
There is no evidence of the compromise affecting accounts for PayPal users, and no evidence of any unauthorized access to personal, financial or credit card information, which is stored separately in encrypted formats.
What eBay didn't say is that it also uses behavioral analytics to score transactions and decline ones that seem fraudulent. Damri knows that because he worked for Fraud Sciences, a behavioral analytics security company based in Tel Aviv that eBay purchased in 2008 for $170 million and integrated into its PayPal subsidiary. The goal was to help eBay's online retailers increase the volume of their authentic sales while decreasing the fraudulent ones that lead to payment chargebacks and losses.
"Knowing that eBay was hacked is another proof we can no longer rely on the fact that e-commerce sites are secure," Damri says. "This has become the new normal."
The breach was likely the result of some form of "social engineering," he says. This can happen if, say, a company insider is tricked into handing over critical information to a cybercrook posing as a trusted person or party within eBay.
"We all give out information all the time, and in this environment, it's easier to give over information you should not," Damri says.
Damri says there's always been a pretty strong firewall between eBay and PayPal, where customers are discouraged from using the same logins and passwords for both sites.
And he recommends you do the same. Similarly, never store customer names with their credit card information. Some payment processors for e-commerce websites offer a service that prevents you from ever storing that information on your servers, and that's a good idea, Damri and other industry experts say.
But here's the rub: Your online security tactics are set to become even more important going forward. As card companies Visa and Mastercard attempt to beef up security in the non-virtual world with so-called chip-and-PIN technology, more cybercrime will migrate online, where such technology is essentially useless.
Behavioral analytics, such as PayPal and eBay already use, can be another weapon in your arsenal. Forter offers a service to online merchants that rapidly scores each transaction for authenticity, using an amalgam of public databases and other readily available information, such as from social media. (The company charges between half a percent and 1.5 percent of each transaction, but offers a 100 percent guarantee against fraud.)
It turns out that criminal transactions look very different from non-criminal ones. They tend to happen more quickly, for one thing, without making comparisons to other similar products. Systems such as Forter's measure the amount of time users spend on websites before making a purchase.
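To make the behavioral signals just described concrete, here is an added example of a small rules-based transaction scorer, written for this article and not Forter's or PayPal's own code. The feature weights, thresholds and sample sessions are all constructed assumptions; a real system would calibrate them against the merchant's own chargeback history.

```python
from dataclasses import dataclass

@dataclass
class Session:
    """Behavioral facts about one checkout, as captured by the storefront."""
    seconds_on_site: int     # time from first page view to checkout
    product_views: int       # product pages viewed before buying
    compared_similar: bool   # shopper opened similar items before choosing
    order_value: float       # order total in dollars

def risk_score(s: Session) -> int:
    """Score 0-100; higher means the session looks less like a real shopper.
    Weights are assumed for illustration, not taken from any vendor."""
    score = 0
    # Criminal sessions tend to go straight to checkout.
    if s.seconds_on_site < 60:
        score += 40
    elif s.seconds_on_site < 180:
        score += 15
    # Real shoppers browse and compare; fraudsters usually do neither.
    if s.product_views <= 1:
        score += 25
    if not s.compared_similar:
        score += 15
    # Larger orders carry more chargeback exposure.
    if s.order_value > 500:
        score += 10
    return min(score, 100)

def decision(s: Session, decline_at: int = 60, review_at: int = 30) -> str:
    """Approve silently when the score is low so good customers see no friction."""
    score = risk_score(s)
    if score >= decline_at:
        return "decline"
    if score >= review_at:
        return "review"
    return "approve"

# Constructed sample sessions: a normal shopper, a rushed high-value buyer,
# and a borderline case that merits a manual look rather than a decline.
SAMPLE_SESSIONS = [
    Session(seconds_on_site=900, product_views=7, compared_similar=True, order_value=120.0),
    Session(seconds_on_site=35, product_views=1, compared_similar=False, order_value=650.0),
    Session(seconds_on_site=120, product_views=2, compared_similar=False, order_value=80.0),
]

def score_sessions(sessions=SAMPLE_SESSIONS):
    return [(risk_score(s), decision(s)) for s in sessions]

if __name__ == "__main__":
    for s, (score, verdict) in zip(SAMPLE_SESSIONS, score_sessions()):
        print(f"{score:3d} {verdict:8s} {s}")
```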
"It is important to do this with no friction, and as smoothly as possible, so good people can walk through your door seamlessly and happily," Damri says.
In the process, you'll be keeping the bad guys out, and you'll boost your bottom line.