George Mason University
An Analysis of eBay
eBay and Security
As the number of users and revenue increases, online trade on eBay has attracted a lot of scammers who exploit unsuspecting customers. eBay for its part has addressed these issues rather slowly, and affected users seem dissatisfied with the level of service they get. eBay does not use Secure Sockets Layer (SSL) by default, and even now the member login is plain HTTP, allowing hackers to eavesdrop on member information in transit. eBay does provide an alternative site for users who want to use SSL, but it is not mandatory. Even if users use SSL, there are pages, such as change of password, where SSL is not used. eBay addresses customer concerns through a page called SafeHarbor.
As eBay transactions are between customers, it has been very difficult to verify the credentials of sellers. As the number of scam sellers increased, eBay was forced to address this issue. eBay installed anti-fraud software called the Fraud Automated Detection Engine (FADE). FADE collects information about defrauded customers and matches patterns of suspicious activity to alert eBay’s private fraud busters. It raises an alert when unusual changes are noticed, such as a seller suddenly selling high-priced items or trying to sell a lot of items in a short time period. FADE has data about geographical locations where customers have experienced a lot of scams. One example is Eastern Europe: if it sees a suspicious seller from this region selling goods dead cheap, it alerts the fraud department. eBay reserves the right to cancel any auction and thus can stop any suspicious transaction. FADE is supposed to be a tool that improves with time, but even with all this in place, and even after almost 1 year of FADE training, people are constantly tricked. The glaring example of this is the fraud committed by a couple from Arizona who allegedly cheated more than 100,000 and fled out of Arizona. In this case the couple started by selling DVDs, and after receiving some good feedback from buyers they started selling expensive electronics and gradually stopped responding to email and other communication. After allegedly cheating in almost 500 auctions, the couple cashed out and fled. FADE failed to detect this case, which seems to have raised alarms at various levels. eBay acknowledged that FADE is not a panacea and that it can only decrease the number of online frauds but might never be able to stop them all. The failure of FADE in this seemingly straightforward scam drew harsh comments from media all over; AuctionBytes.com, an auction watchdog, called FADE “laughable” if it cannot catch these kinds of scams.
Even with all regulations in place, the number of complaints over auction scams has steadily increased, as shown by the statistic below from the FTC. eBay provides guidelines and assurances to customers about money transactions and the different options available to buyers. It provides informational pages about how to evaluate a seller based on the feedback program. A buyer can see the credibility of the seller and use his feedback to judge whether to go forward with the transaction. eBay gives sellers “Power Seller” status when a seller maintains exceptional feedback over a large number of transactions, although there have been some scams committed by sellers abusing their Power Seller status. The various payment options available to buyers are:
1. Using Billpoint/PayPal.
2. Using Credit Cards.
3. Using Escrow Services.
When using PayPal, buyers deposit money into a PayPal account, which they can create for free. When an auction is completed, if the seller accepts PayPal as one of his choices, the buyer gives consent to transfer money from his PayPal balance to the seller. Transactions in PayPal are all secure and are encrypted using SSL, unlike the eBay login. PayPal also assures customers that it never reveals the bank or credit card information of buyers to sellers. PayPal addresses fraud using a “Buyer Complaint Process”, in which it assures that it will try to recover money from a seller who defaulted on sending goods or cheated with the product. But it does not guarantee that the full amount will be recovered, and the timetable for the process also seems to be long drawn out.
For credit cards, eBay provides assurance that it won’t reveal the credit card information to sellers and that it is stored safely on their secure servers. Since credit card companies like Visa and MasterCard provide 100% liability coverage for online transactions, it seems to be one of the assured choices.
For transactions involving more than $500, eBay recommends the use of Escrow services. Escrow services are third-party validation methods in which the buyer gives the money to the Escrow service company, and after receiving the money the service informs the seller to release the product. Escrow tracks the shipment and, upon receipt by the buyer, releases the funds to the seller. eBay provides a listing of Escrow services it recommends, but there have been a lot of scams carried out using many fake escrow services.
The figure below shows one of the look-alikes.
Unsuspecting customers fall prey to sellers who are con artists; these sellers recommend a specific Escrow service, such as the one above, and the readily believing buyer falls for this kind of scam. The second picture above shows one of the look-alike sites of the genuine Escrow service provided by http://goldenescrow.com/.
Another kind of scam that broke recently with regard to eBay is the SPAM scam, wherein a programming glitch allowed hackers to get access to users’ email ids. They then sent emails to those ids which, to unsuspecting eyes, looked almost as though they were coming from eBay. Users were asked to update their information, including credit card information. eBay woke up some time after this broke and started sending real mail, which caused further confusion among consumers. The scammers were able to make people believe that the mail was coming from eBay, and they in fact created a site that looked almost like eBay. Below is an image of the fake page.
How easy is it to do a SPAM scam?
We decided to research this area of SPAM scams by replicating the email spoofing, for experimental purposes only, to find out how much effort is really required to do this.
As we found out, the scammers exploit vulnerabilities in the most popular mail protocol, the Simple Mail Transfer Protocol (SMTP). As the name implies, the protocol is very simple, and a basic version of SMTP can be implemented using just four commands. SMTP is an application-level mail protocol that runs on top of TCP/IP and is used to send and receive mail using port 25.
One of the main vulnerabilities is that SMTP does not provide any inherent sender authentication, which means that con artists can pose as any legitimate sender and send to any legitimate email id. This problem is compounded by mail relaying by Mail Transfer Agents (MTAs), which forward mail between source and destination. Although new versions of MTAs like Sendmail prohibit relaying by default, it is still estimated that one third of MTAs out there permit relaying (Source: Internet Email by O’Reilly).
As we have seen above, eBay inadvertently exposed legitimate email ids for some time last year, and these were used for the SPAM scam. Suppose we had access to legitimate email ids; we could then use a real eBay message to construct a fake message that instructs the user to enter their personal information on a look-alike eBay page, thereby gaining access to the user’s personal information. We used one of the legitimate emails sent by PayPal to one of our project members and constructed the fake message with the names changed and the login page directed to a look-alike eBay page, which can easily be maintained by an antisocial element. After constructing the message, the only other need is to find an email server that relays mail without doing any sender authentication. We used one of the school servers to accomplish this, with the test session given as follows.
Test SMTP Mail Session:
The session below (in italics) is the SMTP test session, with the SMTP commands given in capital letters. As we see, with just five SMTP commands, namely HELO, MAIL FROM, RCPT TO, DATA and QUIT, we were able to send a spoofed email that appears to come from PayPal.
osf1 ~ telnet ise.gmu.edu 25
Connected to ise.gmu.edu.
Escape character is '^]'.
220 ise.gmu.edu ESMTP Sendmail 8.11.6+Sun/8.9.3; Sun, 20 Apr 2003 15:17:29 -0400 (EDT)
250 ise.gmu.edu Hello osf1 [220.127.116.11], pleased to meet you
250 2.1.0 email@example.com... Sender ok
250 2.1.5 firstname.lastname@example.org... Recipient ok
354 Enter mail, end with "." on a line by itself
subject:An Important Message From PayPal
Content-Type: text/html; charset="ISO-8859-1";
OTHER HTML MESSAGE GOES HERE.
250 2.0.0 h3KJIiF05102 Message accepted for delivery
221 2.0.0 ise.gmu.edu closing connection
Connection closed by foreign host.
As we see, it is almost impossible to differentiate an original from a spoofed message. However, with a closer look at the received message it is not very difficult to determine that it did not come from PayPal, as the “Received” headers show that the mail was indeed sent from a non-PayPal email address. This requires a little technical know-how on the receiver’s part, and not all Internet users have a technical background. The scammers always target ignorant and unsuspecting users, and a setup like the one above is good enough to fool them. The expanded headers of the received scam mail are shown below (in italics).
PINE 4.21 MESSAGE TEXT Folder: INBOX Message 2 of 280 ALL
Received: from mail01.gmu.edu (mail01 [18.104.22.168])
by mserver2.gmu.edu (iPlanet Messaging Server 5.2 Patch 1 (built Aug 19
with ESMTP id <0HDN0091KPS7XP@mserver2.gmu.edu> for vsriniv1@ims-ms-daemon
(ORCPT email@example.com); Sun, 20 Apr 2003 15:21:43 -0400 (EDT)
Received: from portal.gmu.edu (portalmemo.gmu.edu [22.214.171.124])
by mail01.gmu.edu (iPlanet Messaging Server 5.2 Patch 1 (built Aug 19
with ESMTP id <0HDN004JOPS7QQ@mail01.gmu.edu> for firstname.lastname@example.org
(ORCPT email@example.com); Sun, 20 Apr 2003 15:21:43 -0400 (EDT)
Received: from mx-d.gmu.edu (mx-d.gmu.edu [126.96.36.199])
by portal.gmu.edu (8.8.8/8.8.8) with SMTP id PAA00824 for
Sun, 20 Apr 2003 15:21:42 -0400 (EDT)
Received: from megalon.ise.gmu.edu(188.8.131.52) by mx-d.gmu.edu via
31917; Sun, 20 Apr 2003 15:19:48 -0400 (EDT)
Received: from osf1 (osf1 [184.108.40.206]) by ise.gmu.edu
with SMTP id h3KJIiF05102 for firstname.lastname@example.org; Sun,
20 Apr 2003 15:19:17 -0400 (EDT)
Date: Sun, 20 Apr 2003 15:19:17 -0400 (EDT)
Subject: An Important Message From PayPal
Content-type: text/html; charset=ISO-8859-1
[ The following text is in the "ISO-8859-1" character set. ]
[ Your display is set for the "US-ASCII" character set. ]
[ Some characters may be displayed incorrectly. ]
OTHER HTML MESSAGE GOES HERE.
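The manual check described above, reading the “Received” chain and comparing it with the claimed sender, can be automated. This is an added example, not part of the original paper: the relay host names are taken from the header dump, while the IP addresses (192.0.2.x) and the sender domain paypal.example are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header dump above. The relay host names
# come from the page; IPs (192.0.2.x) and paypal.example are placeholders.
RAW = """\
Received: from mail01.gmu.edu (mail01 [192.0.2.4])
 by mserver2.gmu.edu with ESMTP; Sun, 20 Apr 2003 15:21:43 -0400 (EDT)
Received: from mx-d.gmu.edu (mx-d.gmu.edu [192.0.2.3])
 by portal.gmu.edu (8.8.8/8.8.8) with SMTP id PAA00824;
 Sun, 20 Apr 2003 15:21:42 -0400 (EDT)
Received: from osf1 (osf1 [192.0.2.1]) by ise.gmu.edu
 with SMTP id h3KJIiF05102; Sun, 20 Apr 2003 15:19:17 -0400 (EDT)
From: PayPal <service@paypal.example>
Subject: An Important Message From PayPal

OTHER HTML MESSAGE GOES HERE.
"""

HOP = re.compile(r"from\s+(\S+).*?\bby\s+([^\s;]+)", re.S)

def hops(raw):
    """(from_host, by_host) per Received header, oldest hop first.
    Each relay prepends its header, so the list is reversed."""
    received = message_from_string(raw).get_all("Received", [])
    found = (HOP.search(value) for value in reversed(received))
    return [(m.group(1).lower(), m.group(2).lower()) for m in found if m]

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def check_origin(raw):
    """Compare the domain claimed in From: with the hosts that relayed the mail.
    The from-host is the client's HELO name and can be forged; the by-host is
    written by the receiving server, so a miss on both is a strong signal."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    path = hops(raw)
    seen = any(in_domain(h, claimed) for hop in path for h in hop)
    return {"claimed_domain": claimed,
            "first_hop": path[0] if path else None,
            "sender_domain_in_path": seen}

if __name__ == "__main__":
    print(check_origin(RAW))
```

For the sample, no relay belongs to the claimed sender's domain and the first hop is the workstation osf1 handing the message to ise.gmu.edu, which is exactly what the header dump shows.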
As we discussed above, eBay provides limited security during customer authentication. But PayPal, the main service used for the payment process, uses SSL by default. A normal E-Commerce transaction consists of three players: a buyer, a merchant and a bank that accepts payment for merchants. Normally the buyer purchases a product from the merchant and sends his payment information, which might include his credit card number or his bank information, across the web to the merchant. The merchant then sends the payment information to his bank, which authorizes the payment, after which the merchant sends the product to the customer. A few common vulnerabilities are listed below, although there are many more.
- The transaction between the buyer and seller is plain and a web intruder can easily sniff the packets to get the much important information like credit
- It is also possible for someone to masquerade as the seller and illegally acquire the unsuspecting buyer’s payment information. In either case the buyer’s sensitive payment information is at risk and can be used illegally by others.
SSL was developed specifically to address the above vulnerabilities. In SSL the transactions between the customer and PayPal are encrypted. Let us now see how SSL works.
Brief Overview on how SSL works:
Secure Sockets Layer (SSL) was developed by Netscape to provide data encryption and authentication between a web client and a web server. First the browser client sends the server the browser’s SSL version number and its cryptographic preferences, such as the algorithm to be used and the number of bits the key will use. When the server gets the message, it sends back its SSL version number, its cryptographic preferences and its digital certificate. The digital certificate is signed by a Certification Authority (CA) and is encrypted by the CA’s private key. So the client, on receiving the certificate, checks whether the CA is on its trusted list and, if it is, uses the CA’s public key to decrypt the message. It then generates a symmetric session key, which it sends to the server encrypted with the server’s public key. The browser also informs the server that all forthcoming transactions will be encrypted using the session key, and with this the handshake on the part of the client is over. The server also sends an acknowledgment that it will use the session key and informs the client that the handshake on its part is over. Thus the SSL session starts, and the regular transactions follow. The main concept behind SSL is the use of two keys, one public and one private. A message can be encrypted with either of these two keys, but only the other key, not the one used for encryption, can decrypt the message. The public key of a user is available to all, and the private key is kept secret by the user and is accessible only to the user.
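The handshake described above, as a toy model (an added example, not code from the original paper). Textbook RSA over small constructed primes and a hash-based XOR stream stand in for the real algorithms, and the names payments.example and "Constructed Root CA" are hypothetical. It also covers the masquerade case from the vulnerability list: a look-alike server whose certificate the trusted CA did not sign is rejected before any payment data is sent.

```python
import hashlib
import secrets

def keypair(p, q, e=65537):
    """Textbook RSA from two primes: (public, private), each (n, exponent)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def cert_digest(subject, pub, n):
    body = f"{subject}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue_cert(subject, pub, issuer, ca_priv):
    n, d = ca_priv  # the CA applies its private key to the certificate digest
    return {"subject": subject, "pub": pub, "issuer": issuer,
            "sig": pow(cert_digest(subject, pub, n), d, n)}

def client_accepts(cert, host, trusted):
    """Issuer is trusted, its public key recovers the digest, name matches."""
    if cert["issuer"] not in trusted:
        return False
    n, e = trusted[cert["issuer"]]
    ok = pow(cert["sig"], e, n) == cert_digest(cert["subject"], cert["pub"], n)
    return ok and cert["subject"] == host

def stream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream."""
    kb, blocks = key.to_bytes(16, "big"), len(data) // 32 + 1
    ks = b"".join(hashlib.sha256(kb + bytes([i])).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def handshake(cert, server_priv, host, trusted, message):
    """Return what the server decrypts, or None if the client aborts."""
    if not client_accepts(cert, host, trusted):
        return None
    session_key = secrets.randbits(128)
    n, e = cert["pub"]
    wrapped = pow(session_key, e, n)               # client -> server
    ciphertext = stream_xor(session_key, message)  # client -> server
    n, d = server_priv                             # server side from here
    return stream_xor(pow(wrapped, d, n), ciphertext)

# Constructed toy keys from Mersenne primes 2**k - 1; far too small for real use.
CA_PUB, CA_PRIV = keypair(2**89 - 1, 2**107 - 1)
SRV_PUB, SRV_PRIV = keypair(2**61 - 1, 2**127 - 1)
FAKE_PUB, FAKE_PRIV = keypair(2**31 - 1, 2**521 - 1)
TRUSTED = {"Constructed Root CA": CA_PUB}
GOOD = issue_cert("payments.example", SRV_PUB, "Constructed Root CA", CA_PRIV)
FAKE = issue_cert("payments.example", FAKE_PUB, "Constructed Root CA", FAKE_PRIV)
```

FAKE models the look-alike site: it claims the trusted issuer's name but was signed with a different key, so the client's check with the real CA public key fails.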
A limitation of SSL can be key length: the encryption can be shallow, as 128-bit encryption has not been accepted universally and international users mostly use 40-bit encryption. The other limitation of a normal SSL transaction between buyer and merchant is that the information, even though transferred securely, might not be stored properly by the server, either intentionally or unintentionally, leading to credit card identity theft. This is because SSL was not developed for commercial financial transactions, and there is no mechanism to check whether the merchant is genuine. However, this problem does not arise with PayPal, as it is a genuine financial arm of eBay and the credit card numbers are never revealed to the sellers. PayPal also stores the credit card information on secure servers, which are not connected to the public network.