eBay sellers learned last week that cyber criminals hacked into eBay and accessed user data. eBay warned all users to change their passwords as a precaution, but aside from a general description of what took place, many questions remain unanswered.
We turned to Zulfikar Ramzan, Chief Technology Officer of Elastica, to provide some context around eBay’s security breach and asked him what online sellers should know. Dr. Ramzan holds a Ph.D. in Electrical Engineering and Computer Science from the Massachusetts Institute of Technology, with thesis work in cryptography. He has experience working with other companies that have gone through the exact situation now facing eBay.
Dr. Ramzan is remarkably candid in speaking about the threats facing the ecommerce industry and provides in-depth information about what such a hack means for eBay and its users in very easy-to-understand language.
EcommerceBytes: Have you worked with companies that have had security breaches such as the one eBay has experienced, and if so, what do you think is going on at eBay right now?
Zulfikar Ramzan: I’ve worked with companies going through this exact kind of situation numerous times. What is most likely happening right now is a deep investigation into understanding what happened and why. In particular, eBay has a number of strong people in their internal security and incident response teams, and all hands are likely on deck.
However, understanding the ramifications of an attack is a gargantuan process. So, I would highly suspect that eBay is engaging outside consulting firms who are peeling back all the layers of the onion to understand what’s going on.
EcommerceBytes: Many people are asking why it took so long for eBay to notify people. So I would ask you, why wasn’t the breach detected right away? And why did eBay wait two weeks after detection before publicizing?
Zulfikar Ramzan: I suspect that any delay is caused by the fact that these breaches are so difficult to detect, and even if they are detected, the ensuing investigation is highly involved. Before publicizing news of a breach, organizations will often want to understand its scope, ramifications, and root cause. They will also want to make sure they’ve plugged the holes in the dam before going public.
Unfortunately, the paradigm of security has shifted considerably in the last few years. It’s no longer a question of if you will get compromised, but rather a question of when. Understanding what happens in the aftermath of a breach turns out to be far easier said than done. The remnants of the original attack may no longer be visible and clever attacks may have long since covered up their tracks. Based on what we see, it takes anywhere from nine to twelve months – or more in some cases – to discover that a breach has occurred.
Traditional technologies for securing organizations focus solely on preventing a breach from happening in the first place. However, those technologies are not impervious. Motivated attackers already test the latest threats they’ve created against different security technologies. If the technology can block their threat, then they quickly make changes until they finally develop approaches that can bypass whatever protections an organization has in place. What we need today are more technologies for helping us better investigate what happens after a breach has taken place.
EcommerceBytes: Shouldn’t eBay have immediately notified users to be on the alert for phishing attacks?
Zulfikar Ramzan: It’s hard to speculate on the broader considerations around the timing of eBay’s announcement. However, in many cases, these investigations are highly complex and do take a while to carry out. To the extent it’s feasible, organizations will typically want to have a reasonably complete picture of what happened before talking about these events more publicly.
Phishing attacks associated with the eBay breach only began after it became publicized and my understanding is that eBay did start to notify customers about those risks. In a broader sense, eBay has been known to send out communications regarding phishing attacks, especially since they are a major target of those attacks. More so, they employ a number of phishing countermeasures.
See Part 2 of “Behind the Breach”: Storing Sensitive Data and look for Part 3 in tomorrow’s EcommerceBytes Newsflash.