Information Revealed not from
eBay"> England also said that the information posted to the forum was not from eBays internal systems, given that it included information eBay does not collect: bank account numbers, PIN numbers, credit card verification numbers and so on. "Thats information we would never have," England told eWEEK. "Nor would we have cause to have collected it. This person had posted to a discussion board, but we have no idea where he got [the data] from. Most likely a phishing site or phishing scams."eBay claims that with all of the 15 accounts posted in this most recent incident, internal systems detected unauthorized access attempts. Thus, the accounts were locked down before the hackers posts were even made, England said. England declined to give examples of the suspicious behavior that triggered eBays internal fraud detection system, so as not to tip the companys hands to criminals who could modify their behavior to avoid detection. Vladuz the phishing impaler sticks it to eBay. Click here to read more. "Its the typical antifraud behavior modeling," she said. "If you give us information, we do verify [it]. If you give us credit card information that doesnt sync up with your name, were going to shut [the account] down." eBay will continue to monitor the accounts to ensure that no more illicit access attempts are made, England said. eBay recommends use of the eBay toolbar, which has a warning that flashes red when users navigate to an illegitimate site. eBay Forum members were incensed at the idea that eBay had neglected to contact the eBay members about their information being breached. Indeed, if eBays internal systems had been breached and the customer information stolen through such means, eBay would be legally obligated to notify victims under Californias Security Breach Information Act. However, since the information revealed was not from eBay, as demonstrated by the inclusion of data eBay does not collect, eBay is not responsible for notifying victims. "Legally, eBays not responsible," England said. "This is one of those situations where this isnt a breach of eBays systems or securities. Legally I dont believe we have an obligation to inform people. As a corporation eBay feels its the thing to do. We put the safety of our community first. If we feel one of our members information has been compromised, were going to contact them and let them know." Regardless, people associated with Firemeg.com reached out to the victims before eBay did, to ensure that they knew of the breach. According to the site, at least one of the victims was distraught at the news. "One woman broke down and was near tears, if not fully crying, her voice trembling with each question she asked," the site says. "She said that all information was correct and was current and that she was very scared. She couldnt even remember her eBay user ID or password. She said that she uses eBay during the holidays to buy gifts, and gets a new eBay ID each year because she ends up forgetting the password and/or username. She was terrifiedIm sure due in part to the little she has heard about identity theft."
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Romanian hackers seem to either have it in for eBay or find eBay and its users easy targetsor both. For the past two months, a Romanian hacker using the handle "Vladuz" has been prancing through eBay, convincingly posing as an internal eBay moderator on eBay forums, posting lists of hijacked eBay accounts for sale, advertising copyrighted tools to hack eBay and partaking in his countrymans habit of taunting others. For a slideshow of his or her handiwork, click here.