The Little Black Book of Security

2009-04-19T13:31:00.000-07:00

When I found this pile of EBay logins circulating around the Net, I did whatever any security person does in such a situation - ask around for "contacts at company x", so I could get them the data. However, this was going to take a good few hours so in the meantime, I could indulge in one of my favourite past-times.

See, I do have lots of security connections at different companies and people who can GET me the contacts I need, but I always make a point of going through "standard" channels first, just to remind myself what its actually like for a regular web-user who finds something that shouldn't be out there.

More often than not, it just reminds me that most methods of reporting illegal activity are fundamentally broken.

What's alarming is that if it hadn't been me - or some other security person who'd found this data...if it was some regular web-user who didn't have that support structure to fall back on...this data would probably still be lying around online for people to use and abuse as they see fit.

I won't bore you with all the details, but I started off by calling the Paypal phone number. This predictably ended in disaster, because you have to login to Paypal and be assigned a unique reference number. The operator at the other end couldn't understand that the problem had nothing to do with my own account (though he did spend about five minutes telling me all the security procedures he was going to deploy on my account to prevent any further fraud, which is nice of him if somewhat misplaced).

Later that day, I went through a procession of vaguely hopeless "support staff" on EBay Live Chat. I demanded some kind of dedicated support team EMail address due to the severity of the problem - I think it was support guy number two who gave me an email address, eventually. Hooray! A dedicated, no-nonsense address to get things sorted out.

Then I Googled it, and upon seeing the second entry down rolled my eyes. In for the long haul, baby....

I think it was the day after this (or maybe the day after that) that I tried one more time.

Dispensing with the first Live Support guy thrown in my general direction, I was put through to someone on the "Security Team". After finding out this person couldn't help me either, I was suddenly dumped into a chat with what I can only assume was the Final Boss of the Internet - or at least, the top dog, crap-we're-running-out-of-support-staff King of Live Support Security Team Guy.

The below webchat is 100% genuine, and I have screenshots to prove it (though I've removed some unnecessary text, typos and other junk). You may blink, rub your eyes and slap yourself in the face a couple of times while reading it.

This is entirely natural.

Just imagine that I'm not a security researcher - I'm a regular web user, who just found 5,000+ logins and I really, really want to get this to someone who can do something about it.

That's all.

Now watch it go horribly wrong.

3:03:27 PM System
Connected with A
3:03:32 PM A: Hello and thank you for contacting Account Security Live Help, my name is A. Please give me a moment to review what you have already typed.
3:06:33 PM A: Thank you for patiently waiting, based on what I just read, you want to report a stolen eBay account, am I correct?

3:07:19 PM Paperghost: To be accurate: five thousand, five hundred and thirty four stolen accounts

3:08:23 PM A: I see, thank you for taking the time to report this issue. I will be reviewing it shortly. For future reports you wish to make, please use our webform:

http://

It will reduce any possible wait time in our chat sessions and also ensure that the information is sent to the correct team so they can review it in a more timely manner.

3:09:00 PM Paperghost: You want me to paste five thousand, five hundred and thirty four ebay username and passwords into a contact us form?
3:09:14 PM Paperghost: isn't there an email address that works that i can just send it to?

3:10:53 PM A: You can use the link that I just provided you and below that there is "EMAIL US" link where you can send or paste those names.
3:11:43 PM A: Please separate it with a space in between them.

3:14:14 PM Paperghost: that contact form page wants me to paste in each username one at a time - there are over five thousand usernames in a word document. that contact form has a limit of 10,000 characters. the sum total of the stolen data comprises 243,347 words including spaces. It isn't physically possible for me to send it to you via that form

3:16:49 PM A: Sorry but that is the only link for us to report an account that was taken over by unauthorized third party.

3:17:56 PM Paperghost: Well I have over five thousand stolen accounts here that need to be reported so someone is going to have to find me an email address I can send an email with a word document attached to it to

3:23:15 PM A: What I am going to do is to report all the users that you have and report it to our Trust and Safety team, if you don't mind, typing all those member's in our chat window.
3:24:26 PM A: As I check on the link that I just provide you, you can separate all those name by putting a comma on it.

3:24:38 PM Paperghost: How am I supposed to type more than five thousand usernames into a chat window? You realise most of the account owners will be retired or deceased by the time I finish typing?

3:25:55 PM A: As I check on the link that I just provide you, you can separate all those name by putting a comma on it.
3:26:10 PM A: Just copy and paste it on the username.

3:28:18 PM Paperghost: The word document I have has one username per line, and there are more than five thousand lines of text in the document. it would take me about six months non-stop typing to cut and paste each name from the document then paste it into this chat box

3:29:25 PM A: I have an alternative link for you to report those members, just copy those name and paste in on the link below:

http://

3:31:08 PM Paperghost: That page is not going to accept five thousand lines of userdata submitted to it - and even if it did, i'm not sending all those usernames and passwords via a standard http:// page
3:31:25 PM Paperghost: you realise i could send you the whole thing via email in three seconds and bam, its done

3:32:06 PM A: That is an alternative link that connects you to our Trust and Safety team.

3:33:55 PM Paperghost: your trust and safety team must have an email address i can send this information to, this is crazy
3:37:57 PM Paperghost: what option do i pick on the drop down menu
3:38:05 PM Paperghost: as none of them are applicable as these arent my accounts
3:38:43 PM Paperghost: never mind, i tried it and it crashed my browser.

3:39:19 PM A: First drop down is misuse of eBay -> report a user.

3:42:05 PM Paperghost: as i said, unfortunately it crashes my browser. i don't think the form is designed to handle that much text

3:42:48 PM A: How about sending 100 username at a time?

3:44:12 PM Paperghost: there are FIVE THOUSAND usernames on there. do you have any idea how long that is going to take?

3:45:02 PM A: I do apologize but that is the only way. If you want you can try sending that at spoof@ebay.com.

3:45:28 PM Paperghost: i've already sent it to spoof@ebay.com. twice. is there someone there who can check if theres a mail there from xxxxxxxxxxx

A: Yes we have a designated department that handles those mails, and once they have receive it they will immediately review before sending a respond to you.

3:48:44 PM Paperghost: Yes but can someone at least confirm its in that departments mailbox even if they don't open it up
3:49:10 PM Paperghost: I'm trying to help you reclaim five thousand stolen ebay accounts here and it doesn't seem to be going very well

3:49:40 PM A: As much as I want to help you with that, I don't have the necessary tools to check on the mailbox.

3:50:56 PM Paperghost: and nobody there is able to contact anyone from that team to check if its there?

3:52:21 PM A: Don't worry since you already forwarded an email, what we can advise is to please wait for an email confirmation in regards to the investigations.
3:53:24 PM Paperghost: Okay
3:53:45 PM A: I do understand your concern. And we thank you also for taking your time reporting those members.
3:53:49 PM Paperghost: Thanks
3:54:16 PM A: You're very much welcome and thank you for using eBay, I hope you have a great day.

.....doh.

As it turns out, I was (eventually) sent a reply from the EMail address I was given by one of the support people. It said:

"Dear eBay member,

Thanks for your email. We want to help resolve any problems with your
account as quickly as possible.

The fastest way for us to help you is through Live Help, where you can
have a one-on-one chat with one of our customer service agents. The chat
happens right in your web browser, so you don't need any special
software.

Please let the chat agent know that you already sent us an email, as
that will help us speed things along.

We won't receive any replies to this email, so please contact Live Help
for further assistance."

You couldn't make it up.

Of course, all of this was kind of irrelevant - the wheels were already in motion behind the scenes, and I'd consulted the Little Black Book of Security. Because of that, the data had already been passed onto the people it needed to go to, despite the frontline support boobery, and I'd been assured it was being sorted out.

But again - if I didn't have access to that Black Book....what would have happened to this data? Would it still be sitting online for all and sundry to take what they wanted? Would I be going back into Live Chat in an endless cycle of utterly pointless attempts to get someone to do something about it?

Sad to say, but based on the evidence above - quite probably.

It's kind of amazing that such a basic thing - look, here's some fraud and I want you to fix it - can't get past the brick wall that is frontline customer support.

And also kind of depressing. No....make that alarming. Actually, make that puzzling.

No....come to think of it, make it all of the above.

And then some.

About Me

The Little Black Book of Security