In March of 2007 online auction powerhouse eBay was
hit repeatedly by a hacker identifying himself as
Vladuz, believed to be a Romanian fraudster long sought
by Romanian police. Vladuz posted his name on several
eBay pages and taunted eBay to catch him. He was after
more than fame, though. According to an article in
eWeek, Vladuz was also posting fake items for sale
faster than eBay could take them down, and the
payments by the winning bidders went to him. Vladuz
also posted the account information of 15 individuals,
including their banking info, mothers maiden name,
credit card numbers, and much more.
Glen Emerson Morris has worked as a technology consultant for Network Associates, Yahoo!, Ariba, WebMD, Inktomi, Adobe, Apple and Radius, and is the developer of the Advertising & Marketing Review Data CD.
How bad the Vladuz incident was depends on who you
listen to. According to eBay, Vladuz did nothing more
than many hackers have done at eBay. According to
eBays critics (especially at firemeg.com), Vladuz was
either extremely lucky or one of the most talented,
and dangerous, hackers in the history of e-commerce.
In any case, the incident raised a lot of issues that
any business selling products or services on the
Internet ought to consider. If a security breach can
happen to a company with eBay's resources, it can
happen to smaller businesses, too.
All things considered, it's hard to believe eBay's
version of the incident. For public relations sake,
EBay has a lot or reasons to minimize the damage Vladuz
caused, and some of the things Vladuz did on the eBay site
have rarely been seen before.
Among other things, Vladuz made postings to different
groups on the eBay Website that only an eBay employee
should have had the security access to be able to do.
In addition, the rate and volume of the fake auctions
Vladuz was posting, using stolen but still valid user
accounts, could have only been done if Vladuz had
cracked the security surrounding eBays seller accounts
databases and was using some kind of automated tool to
make the auction postings. Even a large team of people
could not have posted so many items in so little time
(by some estimates over a million fake items were
posted by Vladuz).
In fact it is likely that there are eBay specific
software tools for sale designed to help hackers
ripoff eBay customers, just as there are rootkits for
sale at rootkit.com, for somewhat similar purposes.
Given eBays size, its not only a natural target for
hackers, its a big enough target that it would be
economical to develop and marketed specific software
for the sole purpose of bilking eBay buyers out of
their money. If true, its probably only a matter of
time before other hacker applications are created that
target specific shopping cart applications, and that
could spell trouble for smaller businesses online.
Most small businesses dont even have a security
staff, let alone one that continuously monitors the
security of their e-commerce Website. For smaller
businesses, its more likely that customers will
notice security breaches before anyone inside the
business does, and because of that businesses need to
have a system in place that will bring security
breaches reported by customers to the attention of the
right people. Setting up a process for this is
actually fairly easy.
Many of the companies used as bait by phishing
attacks, like PayPal and Washington Mutual, have
dedicated email address for customers to report
phishing attacks to. Phishing attacks send out email
asking consumers to update their ID or account
information and threaten consumers with suspension of
their account if they dont provide the information. A
few of the millions of people who receive these
phishing attempts fall for it, but the correct
response is to forward the email to the security
section of the company being used as bait. Usually
its firstname.lastname@example.org or some variation, like
This approach costs little if anything to implement,
and it could save your company a lot of heartache and
expense. If you have an e-commerce Website, you need
to make your customers aware of where they should send
email in case they see anything suspicious, and you
need to designate a person, or team, to constantly
monitor that emails mailbox.
Another thing your online business needs to do is
understand and comply with the growing number and
complexity of state and federal laws regarding what
companies are required to do in case of a known
security breach. In California, businesses are subject
to the following law:
1798.29. (a) Any agency that owns or licenses
computerized data that includes personal information
shall disclose any breach of the security of the
system following discovery or notification of the
breach in the security of the data to any resident of
California whose unencrypted personal information was,
or is reasonably believed to have been, acquired by an
unauthorized person. The disclosure shall be made in
the most expedient time possible and without
unreasonable delay, consistent with the legitimate
needs of law enforcement, as provided in subdivision
(c), or any measures necessary to determine the scope
of the breach and restore the reasonable integrity of
the data system.
1798.84. (a) Any customer injured by a violation of
this title may institute a civil action to recover
(b) Any business that violates, proposes to
violate, or has violated this title may be enjoined.
(c) The rights and remedies available under this
section are cumulative to each other and to any other
rights and remedies available under law.
In effect, even if a business was not responsible for
the security breach in the first place, it is still
liable for any cost to the consumer if it doesnt
immediately notify the consumer about the security
With identity theft becoming one of the most common
and expensive crimes consumers may be subjected to, we
can expect many states to follow Californias lead,
and possibly go even further. This means every
business should have a process in place to notify
customers when their account information has been
compromised. It can be done by phone, email or
certified letter, just so it is done immediately. It
will not be a good idea to wait until a security
breach happens to set up the notification process.
It may be impossible to prevent security breaches, but
it is definitely possible to minimize the damage they
can cause businesses and their customers, and the
sooner your business prepares for the worst, the
better off you and your customers will be.