eBay security draws scrutiny

Unlike most leading e-commerce sites, eBay does not automatically encrypt much of the data sent between customers' computers and eBay's servers, which means that when customers type their password into eBay's Web site, that information can be viewed by hackers.

Most e-commerce sites use Secure Socket Layer (SSL), a technology that encrypts sensitive information such as customer passwords and account activity while the data is in transit to another computer.

"SSL is typically a no-brainer on any Web site," said John Pescatore, research director for Internet security at Gartner.

eBay users have the option to log in using SSL, but the default is to use an insecure login. Even if customers log in using SSL, they are taken to non-SSL pages if they want to change their password or view account balances.

"They are doing their users a disservice," Pescatore said. "They really should make SSL the default option."

eBay did not return repeated calls seeking comment.

The importance of securing account information on eBay and other sites has become more apparent in recent months. Since January, a growing number of eBay members have seen their accounts taken over and used to set up fraudulent auctions. The scam artists parlay the members' good reputations into bids--then take off with the cash.

eBay has said that such scams are relatively few in number and that overall, the percentage of confirmed fraudulent auctions is less than one one-hundredth of 1 percent of all listings.

But customers are concerned. Identity theft and auction fraud are the top two most frequently cited consumer fraud complaints filed with the Federal Trade Commission.

SSL has been the de facto standard for transmitting passwords and other data since Netscape introduced the protocol in the mid-1990s. E-commerce sites such as Amazon.com and Buy.com use it to secure customers' orders. Customers of online brokerages such as E*Trade Financial can't access any personal data except through pages secured by SSL.

Information sent without SSL can be monitored by hackers using so-called "packet sniffing" programs. However, in recent years, there have been few reports of breaking into accounts by sniffing out passwords, security experts say.

eBay has blamed the recent examples of identity theft on its site on automated programs that execute a so-called "dictionary attack," taking a known user ID and trying to match it with a list of common passwords and a dictionary of words.

The company has also warned members about fake e-mail that appears to come from eBay asking for users' passwords or other account information. Wells Fargo, Bank of America and PayPal have warned customers of similar scams in recent months.

Gaining access to accounts through scams such as these are much easier than trying to find user passwords via packet sniffing programs, security experts say. With a packet sniffer, a hacker would have to know what stream of data to monitor and would have to weed through a lot of useless data to find a password or something else that's useful.

"You're drinking from a fire hose," said Chris Christiansen, a security analyst with IDC.

But attackers will go after the weakest link, Pescatore noted. The paucity of sniffing attacks may be simply because of the success of SSL, he said. By not using SSL, eBay may be inviting people to snoop on its data, he said.

"Most burglars don't use the front door to break into a home; they use an open window or some other way. But if you left the front door open, the burglars would use it," Pescatore said.

Making SSL the default option when people log in and using it to protect sensitive data on the site may not in reality provide a lot of added security, said Matthew Berk, an analyst who covers Web site technologies and operations for Jupiter Media Metrix. But eBay would be wise to use SSL more thoroughly on its site to manage user expectations, he said.

"What's probably more tangible than the actual security risk is the perceived security risk," Berk said. "As an industry leader, they need to make every effort to convince users that they are using the most secure methods possible."