Last Wednesday, eBay Inc. announced that its user database had been compromised and that hackers got away with “encrypted passwords and other non-financial data” of more than 145 million eBay customers. eBay informed us that financial information was not affected and that it has not detected any increased fraudulent activity on its platform. Still, just in case, you should change your password, and they are very sorry for the inconvenience.
Quite frankly, for anyone working in information security, this announcement raises a lot of inconvenient questions.
Apparently, the breach occurred over two months ago, sometime in late February or early March. Yet the official acknowledgement of the incident was only made public last week. What took them so long? Does it mean that the hack went unnoticed for weeks, if not months? Both the US (at the state level) and the EU have security breach notification laws, and if the eBay case is not a direct violation of these laws, then in my opinion the laws have to be strengthened to avoid similar situations in the future.
It has been reported that the attackers compromised employee log-in credentials, gained access to eBay’s corporate network and then proceeded to steal customers’ email addresses, phone numbers, postal addresses, dates of birth and encrypted passwords. To me, this is a clear indication of a wildly inadequate security infrastructure, or possibly of serious deficiencies in their service platform. The fact that compromised employee accounts gave complete access to the customer database is strongly reminiscent of a similar case involving a certain intelligence agency and an idealistic system administrator. Apparently, eBay’s security team has never heard of Edward Snowden :)
Yet what I find most disturbing is that by labeling this incident a mere inconvenience that only requires a password change as a precaution, eBay is actively downplaying the privacy implications of the hack. The hackers got away with enough personal information about millions of people around the world to use it for nearly any kind of cybercrime on a massive scale: spamming, phishing, spreading malware, identity theft and so on. And “encrypted” should not reassure anyone: whoever holds the database can run offline guessing attacks against it, so any weak password in there should be treated as already known to the attackers. And, of course, if you have used the same credentials on another website, that account is potentially compromised as well.
Yet even after a long chain of high-profile security incidents (eBay, AOL, Target and, of course, the Heartbleed bug), the general public still does not seem to fully realize the extent of the security and privacy consequences of these events. After hearing people say things like “oh no, I have to come up with another strong password again” or “I already changed my password after reading about Heartbleed, isn’t that enough?”, I decided to make a list of measures every user has to take to protect themselves against past and future security breaches like eBay’s. Feel free to leave your suggestions in the comments if you believe I forgot something.
1. Think twice before giving an online service too much of your personal information. Does an obscure online game really need to know your date of birth or your mother’s maiden name? A hacker might use that knowledge to impersonate you and get access to your online banking, for example. Life Management Platforms may be the future, but unfortunately we are not there yet, so protecting your personal information is still your personal responsibility.
2. Whenever possible, avoid relying on a password alone. Quite a few online services already offer stronger alternatives, most often some kind of two-factor authentication. Google has its own 2-step verification, Facebook and Twitter support SMS-based verification codes, and Dropbox goes a step further and lets you choose from several different strong authentication methods. You’ll find a comprehensive list here, for example. Also look for buttons or logos of third-party strong authentication services like MYDIGIPASS, M-Pin or Duo Security. Surprisingly, eBay still doesn’t support strong authentication, but its subsidiary PayPal does, and I strongly recommend that you start using it ASAP.
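The codes produced by the authenticator app in Google’s 2-step verification are time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226): phone and server share a secret at enrollment, and every 30-second window yields a six-digit code derived from it. The Python below is an added example, not code from this post or from any of the services named above; the secret is the RFC test key, and the drift window and the replay and rate-limit remarks are this example’s own assumptions about what a server-side check needs.

```python
import base64
import hmac
import struct
import time
from hashlib import sha1
from typing import Optional

# Constructed example secret: the RFC 4226/6238 test key (ASCII "12345678901234567890"),
# base32-encoded the way an authenticator app receives it from an enrollment QR code.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 64-bit counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current 30-second window.
    This is what the phone app computes and displays."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // step, digits)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current window plus `window` neighbours on either
    side to tolerate clock drift, and compares in constant time so a wrong code does
    not leak how many digits matched. A real server must additionally refuse a code
    that was already accepted in the same window (replay) and rate-limit attempts."""
    if len(code) != digits or not code.isdigit():
        return False
    now = int(time.time()) if at is None else at
    accepted = False
    for drift in range(-window, window + 1):
        candidate = hotp(secret_b32, now // step + drift, digits)
        # no early return: the same work is done whether or not a candidate matches
        accepted |= hmac.compare_digest(candidate, code)
    return accepted


if __name__ == "__main__":
    code = totp(SECRET_B32)
    print("current code for the example secret:", code)
    print("server accepts it:", verify_totp(SECRET_B32, code))
```

The shared secret never crosses the network after enrollment, which is the main advantage over SMS codes, and a stolen database of these secrets is exactly as dangerous as a stolen password database, so the server has to protect them accordingly.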
3. Never, never, NEVER use the same password on different websites. Also, never trust a password strength indicator on any website. The only truly strong password is a long, randomly generated one, unique to each online service you use. And, by the way, never try to make up a random password in your head: humans are really bad at that. Use a specialized program for the purpose, preferably one that runs locally rather than an online generator, since a password generated on someone else’s server has already been seen by that server.
4. Obviously, nobody can remember all those complex, unique passwords for dozens of online services, but the worst mistake is to write them down and stick them to your monitor. Use a password manager instead. A modern password manager is more than a secure encrypted store for your passwords: it will generate new secure passwords, automatically fill in login forms in your browser, store secure notes and even warn you when a website you have an account on gets hacked so that you can change the password immediately. The most popular example seems to be LastPass, and for good reason. Besides offering all of the above for free, for a reasonable fee it provides access from mobile devices, a number of multifactor authentication methods and other useful features.
5. When choosing a password manager, you also have to take privacy implications into account. It is not enough to protect your password vault from hackers; you have to consider the possibility that your entire list of passwords will be handed over to government authorities after a court order, or simply end up in one of the NSA’s data centers. Therefore, always choose a solution in which the vault is encrypted on your own device with a key derived from a master password that only you know, so that the provider only ever stores ciphertext it cannot decrypt. You may even opt for a standalone program like 1Password or KeePass and use third-party tools to synchronize its database, but this is less convenient.
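Items 3, 4 and 5 together describe what a good password manager actually does: generate uniformly random passwords from a proper random source, and keep the vault encrypted under a key derived from a master password the provider never learns, so that the record the provider holds (and could be forced to hand over) is useless without a slow offline guessing attack. The Python below is an added example illustrating that design, not code from this post or from LastPass, 1Password or KeePass; the iteration count, the key split into a vault key and a login verifier, and the HMAC-based stream cipher (a stdlib-only stand-in for a real AEAD such as AES-GCM) are this example’s own choices.

```python
import hashlib
import hmac
import math
import secrets
import string
from typing import Optional, Tuple

# 94 printable ASCII symbols (letters, digits, punctuation); no spaces.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumption for this example: a PBKDF2 work factor high enough that offline guessing
# of the master password is slow. Real managers tune this (or use scrypt/Argon2).
PBKDF2_ITERATIONS = 600_000


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (the `secrets` module),
    never from random.random(), whose output is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    A strength meter has no way to know this number for a human-chosen password."""
    return length * math.log2(alphabet_size)


def derive_keys(master_password: str, salt: bytes,
                iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Stretch the master password into two independent 32-byte keys.
    vault_key never leaves the device; only a hash of auth_key goes to the server."""
    okm = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                              salt, iterations, dklen=64)
    return okm[:32], okm[32:]


def _subkey(vault_key: bytes, label: bytes) -> bytes:
    # Domain-separated subkeys for encryption and authentication.
    return hmac.new(vault_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES-GCM, which is
    # what a production vault should use instead.
    out = bytearray()
    for counter in range(-(-length // 32)):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag before touching the ciphertext; None means wrong key or tampering."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


def enroll(master_password: str, vault_plaintext: bytes,
           iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Everything the service ends up storing. Handing this record over, by court order
    or otherwise, yields only a slow offline guessing attack on the master password."""
    salt = secrets.token_bytes(16)
    vault_key, auth_key = derive_keys(master_password, salt, iterations)
    return {
        "salt": salt,
        "iterations": iterations,
        "auth_hash": hashlib.sha256(auth_key).digest(),  # login verifier, not a key
        "vault": encrypt_vault(vault_key, vault_plaintext),
    }


def open_vault(master_password: str, record: dict) -> Optional[bytes]:
    """Client side: re-derive the keys and decrypt; None if the master password is wrong."""
    vault_key, auth_key = derive_keys(master_password, record["salt"], record["iterations"])
    if not hmac.compare_digest(hashlib.sha256(auth_key).digest(), record["auth_hash"]):
        return None
    return decrypt_vault(vault_key, record["vault"])


if __name__ == "__main__":
    # Constructed sample vault: one generated site password per line.
    vault = "\n".join(f"example{i}.test: {generate_password()}" for i in range(3)).encode()
    record = enroll("correct horse battery staple", vault)
    print("entropy of a 20-character password: %.1f bits" % entropy_bits(20))
    print("server record contains the plaintext:", vault in record["vault"])
    print("wrong master password opens the vault:", open_vault("hunter2", record) is not None)
```

The point of the split is that the server can authenticate you (it compares `auth_hash`) without ever holding anything that decrypts `vault`; a provider that instead derives the vault key on its own servers, or keeps a recovery copy of it, cannot make the promise item 5 asks for, whatever its marketing says.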
6. Last but not least: keep educating yourself about the latest developments in security software. Vote with your wallet for developers that integrate privacy-enhancing measures into their products. Put pressure on your local lawmakers. After all, the future of information security depends on you as well.