Viewpoint: 21st May 2014


Following today’s breaking news that eBay is to ask all customers to change their passwords due to a cyberattack, Brendan Rizzo, technical director EMEA at encryption specialist Voltage Security, said:

“It is unlikely the attackers would be able to use the stolen passwords, since eBay, abiding by good security practices, should have ‘hashed’ and ‘salted’ its passwords. If this was performed correctly, then users should not be concerned about their passwords being compromised. The more worrying aspect of this disclosure is that it appears that the other personally identifiable information was left completely unprotected. This information would give the attackers almost all of the information they need to undertake fraudulent activity on the compromised user’s behalf.

This breach highlights a need for companies to place tighter controls on how user credentials are stored and protected. If data is left unprotected, it’s not a matter of ‘if’ it will be compromised – it’s a matter of ‘when’. While there is no doubt that eBay has top-of-the-line security in place to guard against attacks, even the best security systems in the world cannot keep attackers away from sensitive data in all circumstances. The length of time it took eBay to discover this attack is evidence that attackers can still find a way to slip through a company’s defences undetected. When a company is storing sensitive information about its customers, the risk is to the data itself. Therefore, a company needs to assume that all other security measures may fail, and the data itself must be a primary focus for protection – usually via encryption. It is critical to note that this protection needs to include all potentially sensitive information and not just financial-related data.

If eBay had employed format-preserving encryption to protect the data itself, the attackers would have ended up with unusable encrypted data instead of the current outcome, where users’ personal information has now been exposed to an untold number of cyber criminals.”
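The quote rests on the distinction between password hashing done correctly and done badly. The following is an added example written for this page; it is not code from the original article, from eBay, or from Voltage Security, and it says nothing about how eBay actually stored its hashes. It contrasts an unsalted fast hash, which an attacker can reverse with a precomputed table of common passwords, with a per-user random salt and an iterated key derivation function (PBKDF2-HMAC-SHA256 from the Python standard library), which defeats the table and forces per-record guessing. The iteration count, the password list and the stored-record format are illustrative assumptions, not values from the page.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters (assumptions for this example, not recommendations
# from the article): tune the iteration count to your hardware in production.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def naive_hash(password: str) -> str:
    """The 'done incorrectly' case: one fast, unsalted SHA-256 per password.

    Every user with the same password gets the same digest, so one
    precomputed table cracks all of them at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """The 'done correctly' case: random per-user salt plus an iterated KDF.

    Returns a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'
    (constructed format for this example) so the verifier can recover the
    parameters without any out-of-band state.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh CSPRNG salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


# Attacker side: a constructed precomputed table of guesses (a tiny stand-in
# for a real rainbow or dictionary table), built once, ahead of any breach.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "ebay2014"]
PRECOMPUTED_TABLE = {naive_hash(p): p for p in COMMON_PASSWORDS}


def crack_unsalted(stolen_digest: str) -> Optional[str]:
    """One dictionary lookup recovers an unsalted SHA-256 of a common password."""
    return PRECOMPUTED_TABLE.get(stolen_digest)


def crack_salted_with_table(stolen_record: str) -> Optional[str]:
    """The same table is useless against a salted record: the salt was unknown
    when the table was built, so no precomputed entry can match. The attacker
    is pushed back to running PBKDF2 per guess, per record."""
    _, _, _, hash_hex = stolen_record.split("$")
    return PRECOMPUTED_TABLE.get(hash_hex)


def same_password_distinct_records(password: str) -> bool:
    """Two users choosing the same password must not produce the same record."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    weak = naive_hash("letmein")
    print("unsalted SHA-256 cracked by table lookup:", crack_unsalted(weak))
    record = hash_password("letmein")
    print("stored record:", record)
    print("table lookup against salted record:", crack_salted_with_table(record))
    print("verify correct password:", verify_password("letmein", record))
    print("verify wrong password:", verify_password("letmeout", record))
    print("same password, distinct records:", same_password_distinct_records("letmein"))
```

The record format embeds the algorithm, iteration count and salt so that parameters can be raised over time and old records re-hashed on the user's next successful login; a stolen database then yields one expensive guessing job per user rather than one lookup for everyone.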
