eBay
Security Framework
Unlike most leading e-commerce sites, eBay does not automatically encrypt much of the data sent between customers' computers and eBay's servers, which means that when customers type their password into eBay's Web site, that information can be viewed by hackers.
Most e-commerce sites use Secure Socket Layer (SSL), a technology that encrypts sensitive information such as customer passwords and account activity while the data is in transit to another computer.
eBay users have the option to log in using SSL, but the default is to use an insecure login. Even if customers log in using SSL, they are taken to non-SSL pages if they want to change their password or view account balances.
SSL has been the de facto standard for transmitting passwords and other data since Netscape introduced the protocol in the mid-1990s. E-commerce sites such as Amazon.com and Buy.com use it to secure customers' orders. Customers of online brokerages such as E*Trade Financial can't access any personal data except through pages secured by SSL.
Information sent without SSL can be monitored by hackers using so-called "packet sniffing" programs. However, in recent years, there have been few reports of breaking into accounts by sniffing out passwords, security experts say.
eBay has blamed the recent examples of identity theft on its site on automated programs that execute a so-called "dictionary attack," taking a known user ID and trying to match it with a list of common passwords and a dictionary of words.
Gaining access to accounts through scams such as these is much easier than trying to find user passwords via packet sniffing programs, security experts say. With a packet sniffer, a hacker would have to know what stream of data to monitor and would have to weed through a lot of useless data to find a password or something else that's useful.
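As an added example (not part of the original article), a defender-side check that looks for the trace a dictionary attack leaves in authentication logs: a burst of failed logins against a single user ID. The log format, user IDs and thresholds are constructed for illustration and are not eBay's.

```python
"""Flag dictionary-attack style login bursts in constructed auth logs.

Added example, not from the original article. Assumes a hypothetical
log format: "<ISO timestamp> login user=<id> result=<ok|fail>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not a real site's).
SAMPLE_LOG = """\
2003-01-01T10:00:00 login user=collector42 result=fail
2003-01-01T10:00:01 login user=collector42 result=fail
2003-01-01T10:00:02 login user=collector42 result=fail
2003-01-01T10:00:03 login user=collector42 result=fail
2003-01-01T10:00:04 login user=collector42 result=fail
2003-01-01T10:00:05 login user=collector42 result=fail
2003-01-01T10:00:06 login user=collector42 result=ok
2003-01-01T10:00:07 login user=bookseller result=fail
2003-01-01T10:30:00 login user=bookseller result=ok
"""

def parse(line):
    """Split one log line into (timestamp, user, result)."""
    ts, _, user_field, result_field = line.split()
    return (datetime.fromisoformat(ts),
            user_field.split("=", 1)[1],
            result_field.split("=", 1)[1])

def find_dictionary_attacks(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {user: size of densest failure burst} for users whose failures
    inside any sliding window reach the threshold. A dictionary attack fixes
    the user ID and cycles through candidate passwords, so it shows up as
    many failures for one ID in a short time (a typo-prone human does not)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, result = parse(line)
        if result == "fail":
            failures[user].append(ts)
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged
```

A success following a flagged burst (as with collector42 above) is the event an incident responder would treat as a likely account takeover rather than a lockout.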
Making SSL the default option when people log in and using it to protect sensitive data on the site may not in reality provide a lot of added security. But eBay would be wise to use SSL more thoroughly on its site to manage user expectations.