Websites would be able to better manage their incident response if they better controlled non-active users.
Speaking to IT Security Guru, Dr Guy Bunker, cyber security analyst at Clearswift, said that the eBay breach showed that it missed how many “active” users there are, as originally it said that there were 230 million people affected, and then it was 145 million active users.
He said: “They could have all had good reputations, but it means that they have bought or sold something in the last 12 months. What should eBay do about them? Should shut them down so cannot be subverted and put a message out that they are shutting them down.
“eBay needs to do it as if the user is not active, then good reputations can be misused. They should do automatic blocking/stopping of accounts for people who are not active and have not changed passwords, and there needs to be an interim period if they have not changed it in a number of weeks, so they are locked out.”
He explained that a standard scam on eBay is sell a pencil every week to get a good reputation, and then sell a car and don’t deliver it, so it subverts a good reputation, and eBay misses this.
Research released by Clearswift after the breach found that of 2403 UK adults, 49 per cent of adults would be less inclined to use eBay in the future. Bunker called this a knee-jerk reaction, as there are small business who sell stuff on eBay.
He said: “It comes down to security versus convenience, and it is convenient to sell stuff on eBay and there is a massive audience who buy and some who just look, so eBay provides a service and if you were to remove the service what would happen?
Commenting, Toyin Adelakun, VP at Sestus, said that many users only buy or sell on eBay infrequently, and yet might potentially receive fairly frequent emails from eBay if the company were to act as suggested here.
“Beyond presenting a poor user experience, were eBay indeed to start regularly or frequently sending a certain volume of email to hundreds of millions of users, the company could be providing the perfect cover for an email-based phishing attack,” he said.
“Once more, the overall lesson is that email is a decidedly poor vehicle for conveying credential data or meta-data, because firstly, it can be sniffed (i.e. read by unauthorised parties) en route; and secondly, it may in fact be a wolf in sheep’s clothing.”
