Online auction giant eBay this week revealed that one of its databases had been breached and advised its users to update passwords. However, passwords are not necessarily the weak link for eBay's security.
The eBay breach has generated a lot of interest and discussion about the modern state and usefulness of passwords. Some experts advocate the use of password management systems, and some wonder if passwords have outlived their usefulness.
Although debate about the usefulness and security of passwords is important, it's crucial to realize that the eBay breach is not actually about end-user passwords. Yes, it's true that eBay is recommending that users update passwords but not necessarily because those passwords have been compromised.
The database breach compromised encrypted password information, and there is no official confirmation at this point that those passwords have been decrypted.
What's more, eBay has long been a supporter of two-factor authentication, which also likely serves to protect users. With two-factor authentication, a second password (or factor) is needed to log on to eBay or PayPal.
Going a step further, to date, eBay has not said that it has any indication that any user account has actually been compromised by a fraudulent password.
What eBay has publicly stated, however, is that "employee log-in credentials were first detected about two weeks ago."
That's right. This was a breach triggered by an insider compromise.
That means that, somehow, an attacker tricked an eBay employee into doing something that led to the disclosure of the employee's credentials. That disclosure might have come from some form of phishing email, or perhaps it was something more dramatic like a breach of an employee's device. At this point, eBay has not publicly disclosed the specifics of how the employee compromise occurred.
Earlier this month, URL shortening service Bitly advised its users to reset accounts, also after an employee's credentials were somehow compromised.
More often than not, employees are being exploited as the weak link for the security of millions of users. It's great that eBay wants users to update their passwords, but if an insider compromise can exploit a hundred million user passwords from a database, users updating their passwords won't do much good.
Organizations should improve security to limit the risks of employee credentials being applied to exploit users. This can be done in several ways—from improved endpoint security for phishing emails to having more aggressive monitoring of employee accounts.
Going a step further, having proper role-based access control (RBAC) on database technology is a critical security control for any organization. Why does one user need full access to an entire database of more than 100 million accounts? By having proper RBAC in place, with the right granular control and monitoring, even if one employee account is compromised, there is a degree of risk mitigation.
Passwords are a key part of the modern Internet and are not likely to go away any time soon. No one password for any one user or employee should ever be the single weak link that undermines overall security. Modern security is about layers at every step of the software and infrastructure stack.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.