In the wake of one of the biggest cyberheists ever, TechRadar Pro received dozens of comments from security specialists, arguing and debating the reasons for and the consequences of this high-profile cyberattack and, most importantly, how end-to-end security needs to change. We compiled the best of them below.
Using the same passwords?
"The fact that an eBay database containing highly sensitive user information was compromised through employee log-in credentials demonstrates that end users continue to be the weakest link in the chain and the most valuable to be attacked. The reality today is that existing protection on a PC, such as AV, is ineffective and it is simply too easy to be evaded. It is based on an outdated model of trying to detect and fix attacks after they occur. And it doesn't work against today's more sophisticated attacks. Moreover, once an attacker is in they can jump around to virtually any part of an organization and steal at will. Endpoint protection needs to be overhauled to address protection against all attacks before they compromise sensitive systems." Gaurav Banga, co-founder and CEO at Bromium.
"While eBay has confirmed that no financial information has been breached, personal information, including dates of birth, names, emails, phone numbers and postal addresses, has all fallen into the hands of the hackers. With such a delay in acknowledging the attack, the true extent of the data loss is not yet known and it's imperative that further analysis is done before we can make any further assumptions. For now, when eBay users receive the request to change their password, they should do so immediately and do the same on all other sites where the same password has been used. The information gained by the hackers is also useful in phishing attacks and for secondary password (reset) information – the effect of this falling into the wrong hands should not be underestimated." Dr Guy Bunker, SVP Product at Clearswift.
"The worrying thing is that many people use a single password for more than one internet site, and so if the passwords are compromised, they could be at further risk from cyber-criminal activity. The time lapse here highlights the urgency for customers to change not only their eBay and PayPal passwords but also those on any other site where they use the same log-in details. Many people will also be asking whether this is related to Heartbleed. I suspect that the two are not linked, although of course we can't rule it out. The Heartbleed bug has been around for two years and was discovered after this attack took place. However, eBay states that the leaked information was a result of a compromised database, whereas Heartbleed is a vulnerability that lies in the mechanism used to encrypt data." David Emm, senior security researcher at Kaspersky Lab.
Blame the employees
"eBay won't be the last organisation to fall foul of weak employee security practices, but it can be a learning point for big and small businesses. Enforce regular password changes, educate staff about the real risks associated with keeping passwords written down in plain sight or in obvious hiding places like the top drawer of a desk, monitor networks for rogue Wi-Fi access points and invest in software to let you manage, control and isolate the barrage of mobile devices that staff and visitors bring into the workplace and connect to public and private networks." Sergio Galindo, general manager, Infrastructure Business Unit at GFI Software.
"The attack raises a number of questions, not least 'how did this happen in the first place?' Reading between the lines of the company's brief statement, it appears that employees have been hit by a phishing attack, falling for a scam and being tricked into giving their credentials away. If this information was only protected by usernames and passwords, and employees were so easily duped, it really is concerning. As one of the world's leading e-tailers, eBay should be treating information as we would the Crown Jewels - through layers of protection." Professor Alan Woodward, Department of Computing at the University of Surrey.