Although the recently announced hacking of eBay sounded like déjà vu, some aspects of it do warrant further inquiry. The company’s standard “we are dedicated to the security of our customers and are transparent” approach is plausible, but its customers may in fact be in less danger than is automatically assumed.
A typical retail hack usually ends with a large number of customers’ accounts being charged small amounts that go unnoticed for some time, allowing the hacker to accumulate a significant sum and, hopefully, cover their tracks. The relative stealthiness of this approach usually works well with credit card charges that don’t attract the attention of the customers. With this approach, the major distinction between hacking a bank, VISA, or MasterCard and hacking eBay is that eBay customers are usually very involved in every transaction, and are likely to detect any discrepancy faster than during casual use of a credit card. This makes eBay a less attractive target for a hacker: the probability of quick detection is a lot higher and the yield per transaction is still small.
Hackers clearly understand that, which raises the question of why they chose to hack eBay. Something other than the retail accounts must have attracted them to eBay, and eBay’s announcement that they had no indication of a significant spike in fraudulent activity on their site corroborates that. The answer probably lies with the huge overall amounts of money passing through eBay every day. I suspect that the hackers went after large corporate transactions with banks and vendors. There are very effective methods of hiding electronic theft from companies that are well beyond the scope of this post. Such methods can deal with large amounts and are assured a very low probability of detection for a significant time, enabling the thieves to cover their tracks. The key here is that with the high level of automation and the large number of transactions via eBay’s corporate network, hackers can reasonably hope for significant time before the transactions are scrutinized manually. The fact that “cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network,” and that the hack occurred “between late February and early March” and was detected only in early May supports this scenario. Furthermore, the accuracy of the attack detection and the time range cited suggest that eBay has only a vague idea of what actually happened and when.
All this tells us that eBay customers’ accounts are in less danger than may appear. Moreover, if someone gets your address, birthday, and telephone number, you cannot take that information back or secure it by changing your password, which does not offer much protection in the first place. However, eBay should take a very close look at its corporate finances from February through May of this year – they may be missing a few million.