[unisog] Fraudulent eBay Site

Dan Riley dsr at mail.lns.cornell.edu
Wed Apr 23 00:40:28 GMT 2003


Gary Flynn <flynngn at jmu.edu> writes:
> Jeff Bollinger wrote:
> > Please be aware that http://www.ebayauthorize.com is not
> > affiliated with the actual eBay company (http://www.ebay.com).
[...]
> Now I'm put in the position of ignoring this or posting
> a warning to my local population based on Jeff's data
> that may subject me to libel in the case that
> www.ebayauthorize.com is legitimate. :(

I see maybe a dozen of these impersonations a year--ebay, e-gold,
paypal, aol password "phishing", etc.  (e-gold seems to be the
currently popular target).  Telling your local population "don't trust
ebayauthorize" isn't the answer--it'll be a different threat next
month.  Telling them what not to trust doesn't scale, cyberspace isn't
trustworthy, and I don't see any reason to believe that will improve
anytime soon.

> How to best explain to non-technical end users what web sites to
> trust?  Certificate chains don't even help if the names are well
> chosen and who is going to look at those anyway.

Just getting them to look for the lock (without any warnings) is a
good start--most of the phishers don't have certs (the few that do,
usually it's self-signed or the CN doesn't match the hostname).  Tell
'em to look for https://...ebay.com/ (the trailing slash is important,
to avoid https://scgi.ebay.com@192.168.1.1/phish.cgi).  Give 'em some
examples, and tell them the truth--that there are people out there
trying to *steal* their money, or, worse, their identity.

If that's too complicated, tell them not to trust any URL in email.
If they get email from ebay, they should type "ebay.com" into their
browser themselves to check it out.  This is exactly analogous to the
standard advice for phone calls--only give your credit card info to
numbers you look up in some trusted directory and dial yourself; do not
give your credit info to strangers who call you.

And while I'm ranting--anyone with a signin page, make the form page
SSL protected.  ebay is a prime example of how to get this *wrong*.
Go to ebay.com and click signin--the page that goes to *isn't* SSL
encrypted.  The form action is, but that's too late--the page that
*presents* the form should be SSL encrypted so customers can check for
certificate validity *before* submitting the form.  This is *so* basic,
and so commonly wrong--I'm tempted to say that companies like ebay
*deserve* whatever liability they get from training their customers to
fill in forms that can't easily be determined to be "secure" in
advance of submission.

I'm starting to foam at the mouth, aren't I?  Ok, I'll stop.  But
there *really* ought to be a BCP about SSL encrypting any form with
an encrypted action, so the cert can be checked before submission.
This is so basic, but so many of the e-tailers (including amazon) get
it *wrong*.  Perhaps because their business depends on the illusion
that cyberspace is trustworthy?

-- 
"about 15 percent of the people are screwballs, lightweights and boobs
   and you would not want those people unrepresented in Congress."
	    -Alan Simpson, former US Senator (R, Wyoming)
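
The two checks the message above argues for, as an added example that is
not part of the original post: first, extracting the host a browser would
actually connect to (so that https://scgi.ebay.com@192.168.1.1/phish.cgi
is seen as 192.168.1.1, not ebay.com) and accepting only https URLs on a
trusted domain; second, finding forms whose action is https but which are
presented on a page that was not itself served over https, the "can't check
the cert before submitting" pattern. The trusted-domain set, the page URL
signin.example.com and the HTML snippet are constructed for the example
and are not taken from ebay or from the post.

```python
"""Added example: URL-host and form-origin checks from the unisog post."""
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urljoin, urlsplit

# Constructed for the example: the post names ebay.com as the site to verify.
TRUSTED = {"ebay.com"}


def real_host(url: str) -> Optional[str]:
    """Return the lowercased host the browser actually connects to, or None.

    urlsplit() treats everything before '@' in the authority as userinfo,
    so "https://scgi.ebay.com@192.168.1.1/phish.cgi" yields "192.168.1.1".
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    host = parts.hostname  # strips userinfo and port
    return host.lower() if host else None


def is_trusted(url: str, trusted=TRUSTED) -> bool:
    """True only for https URLs whose real host is a trusted domain or subdomain.

    Suffix matching requires the leading dot, so ebayauthorize.com and
    ebay.com.example.net are both rejected.
    """
    if urlsplit(url.strip()).scheme.lower() != "https":
        return False
    host = real_host(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form> on a page."""

    def __init__(self) -> None:
        super().__init__()
        self.actions: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def forms_unverifiable_in_advance(page_url: str, html: str) -> List[str]:
    """Return form actions that submit over https from a page not served over https.

    A customer looking at such a page cannot check the certificate before
    submitting, which is the mistake the post describes.
    """
    if urlsplit(page_url).scheme.lower() == "https":
        return []
    collector = _FormCollector()
    collector.feed(html)
    flagged = []
    for action in collector.actions:
        target = urljoin(page_url, action)  # resolve relative actions
        if urlsplit(target).scheme.lower() == "https":
            flagged.append(target)
    return flagged


# Constructed sample page (hypothetical host, not a real sign-in page).
SAMPLE_PAGE_URL = "http://signin.example.com/"
SAMPLE_HTML = """
<html><body>
<form method="post" action="https://signin.example.com/SignIn">
  <input name="userid"><input name="pass" type="password">
</form>
<form method="get" action="/search"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for u in ("https://scgi.ebay.com/",
              "http://www.ebay.com/",
              "https://www.ebayauthorize.com/",
              "https://scgi.ebay.com@192.168.1.1/phish.cgi"):
        print(f"{u!r:50} host={real_host(u)!r:16} trusted={is_trusted(u)}")
    print(forms_unverifiable_in_advance(SAMPLE_PAGE_URL, SAMPLE_HTML))
```

The form check deliberately stays silent about plaintext actions on an
https page; that is a different failure from the one the post complains
about, and a real lint would add it as a second rule.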
