Beware of PayPal and eBay Related Phishing

Being a tertiary student is considerably different from the real world of business. There are, however, some identical crossovers between the haven that is university and reality that have enhanced my experience.

With the recent eBay announcement asking members to change their passwords due to a security breach, most users reset their passwords immediately. As a professional procrastinator, I put this off for a few weeks. Until I received an email from PayPal regarding an account issue.

I’m sure this was spammed to many other accounts. PayPal would never do this and I changed my password for eBay and PayPal immediately. This is known as Phishing and although you don’t need to be a computer virtuoso to realise when you’re being scammed, my knowledge certainly helped.

Web security is an oxymoron. Direct Data Access is required (as far as I know) to maintain web databases. Storing member information, credit cards etc. Information can be stolen, although most well developed systems make it extremely difficult to do so. Even then, it can still happen.

Search for:

• eBay hack (2014)
• Hotmail hack (2011)
• Playstation Network double hack (2011)
• Verisign hack (2010)
• Conficker Worm (2008). This is my favourite.

I also found this on http://2.bp.blogspot.com/-

Not clearly fake to the untrained eye. This log in screen could potentially reveal one’s information if entered. Make sure to look out for HTTPS in the URL bar as it is standard, especially with sensitive pages such as this.

This is an example of authentication and session management. The above example was not encrypted using SSL.

A typical website system back in the 2000’s went something like this:

1.       Web browser calls web server using a HTTP request (most of the time).
2.       Apache Web server (or Netscape etc.) receives request after going through the firewall.
3.       Server uses multiple web apps to access SQL database using a database connection (ADO, ODBC, etc)
4.       Server replies in HTTP. (HTML, Javascript etc)

There were so many exploitable loopholes it became a web circus (There is no Tex without terrible metaphors)

One example off the top of my head would be the gullibility of early firewalls. Direct web traffic (HTTP) is usually considered safe to most firewalls. Therefore allowing straight access through ports 80 and 443. One malicious URL makes its way into multiple parts of the system and problems begin to flourish.

Apart from security there are also privacy issues but that is another matter and I have only scratched the surface of security weaknesses.

P.S.

Having just finished this article, I received an email from twitter about security issues concerning the collection of metadata. Goes to show how intrusive the internet can be. More on this to come.