Feeds

Man hijacks 90 eBay accounts

Lax security, careless users

Securing Web Applications Made Simple and Scalable

An Australian man pleaded guilty to breaking into eBay and a local bank to steal AU$42,000 (about $34,000), in a case that demonstrates the problem of account takeovers on the auction site.

Dov Tenenboim, 21, of the Sydney suburb of North Bondi, stood accused of breaking into at least 90 different eBay seller accounts last year, mostly by guessing passwords. Tenenboim frequently figured out the credentials by matching usernames to passwords, prosecutors said. Other times he hacked into email accounts.

Following a familiar route, Tenenboim targeted users with highly favorable feedback ratings from their eBay peers. Posting under the guise of a trusted user with an established account makes it easier to dupe buyers.

After hacking the accounts, Tenenboim used them to advertise non-existent iPods, according to the Sydney Morning Herald. He also hacked into the Commonwealth Bank. He pleaded guilty to two counts of making a false statement to obtain money, two counts of obtaining money by deception and four counts of committing an unauthorized computer function. Tenenboim faces a maximum of 11 years in jail and fines of $9,900.

Account takeovers have been a persistent problem on eBay. Over the past several weeks, we've observed hundreds of fraudulent auctions being offered by users with unblemished records. Such hijackings are on the rise, according to a small but vocal group of eBay users, who also claim the breaches are the result of an unpatched security hole in the company's defenses.

eBay strongly denies such a hole and says the takeovers are the result of users having their log-in credentials snatched through lax passwords and phishing attacks. Tenenboim's methods appear consistent with such statements.

But eBay can't be let off the hook completely. The company employs lax password requirements that, for instance, allow a user ID of james34231 and a password of james34. (To be fair, Google Mail allowed the same combination, though the site warned it was only "fair.")

What's more, eBay, like the vast majority of online services, has no mechanism in place to allow account holders to log in using security keys that generate random numbers every minute or so. Such devices would render most current password attack methods ineffective.

eBay has said it is in the early stages of testing such a system for its PayPal users, and a spokeswoman says the key will also work on eBay. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Boffins build FREE SUPERCOMPUTER from free cloud server trials
Who cares about T&Cs when there's LIteCoin to mint?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.