funsec mailing list archives

Re: Re: Phishing Defense a Key Factor in eBay-VeriSign Deal


From: "Mark P. Fister" <mark () fister org>
Date: Wed, 12 Oct 2005 23:24:19 -0700

On Wed, Oct 12, 2005 at 05:27:56AM -0600, Dr. Neal Krawetz wrote:
> I cannot help but think that the eBay-VeriSign deal is going to
> be really *bad* for the Internet in general.

I am a PayPal employee, but I was an eBay employee.  Let me clear all of
this up, okay?

First, just to be clear:

1. PayPal bought the payment gateway business only.  VeriSign remains
   completely separate.

2. eBay will have little (if any) influence in the management of the
   new payment gateway product.  It's PayPal's.

3. At least initially, this deal can't be bad for the Internet, since the
   payment gateway business unit will be run by the same people who run
   it today: certain VeriSign employees that PayPal has made offers to.
   So, nothing's changing there!

4. eBay and PayPal are internally VERY different.  Different release
   cycles, different technologies, different customers, different laws
   regulating the two, different security infrastructures/needs, different
   cultures, I could go on...?

> eBay and PayPal have a long history of being non-responsive to
> customer issues.

History is just that: history.  Blips have happened.  No company is
perfect; however, a responsible company will always clean things up as
best as it can.  Let me say this: things have become far, far better since
eBay introduced Live Help and PayPal introduced telephone numbers on their
respective live sites.  The future will get even better, I suspect.  One
could envision eBay and PayPal offering Skype chat support, although I
have no personal knowledge of this being "in the plans".

> I'm sure Richard Smith can pull up news quotes faster than me :-)

Google Groups or Google News should give you plenty of power. :)

> Some of the basic issues are:
>
>   - eBay doesn't help customers with account or services issues.

What do you mean?  I assume by "account" you mean "eBay seller fees"
account and by "services" you mean customer support for the additional
services eBay offers, like Selling Manager, Selling Manager Pro, etc.

In both cases, eBay does help customers with those things, so you must
mean something else?

>   - eBay doesn't help customers recover stolen accounts.
>     (They recommend making a new account.)

This is a sticky one.  As you can imagine, a seller could be a fraudster
and *claim* it wasn't *he* who failed to deliver on all of those auctions,
it was *some hacker*.  So imagine that eBay helped that fraudster nuke some
bad feedback.  And then it happened again?  And again?  "I'm a victim of the
same guy!"  eBay: "Okay, no problem!"  NOT a good idea, think about it.

Anyhow, policies on these things are spelled out in the Terms and Conditions
(that nobody reads).

>   - PayPal won't use "stop payment" for unauthorized transfers.

Ahh, but this is where PayPal Buyer Protection comes in handy.  Full
refund, if the transaction is protected (see the blue shields on qualified
auctions and fixed price or store items?).

>   - eBay and PayPal went over a year with a known cookie exploit for
>     hijacking accounts.  It's hard to say that they take security seriously.

XSS is tricky and - as you can imagine - typical quality assurance engineers
aren't trained in such matters.  While I have no excuse for my employer having
the hole in the first place, I can say that there is an excuse in how long it
took to fix the problem once it was exposed.  Here's how things went down.  I
expect that, since this is a closed, non-disclosure mailing list, that this
won't get spread around tremendously (not that I'm giving away any secrets,
but corporate problems aren't always smiled upon when they get out).

Background: I know the below because I was on the development team responsible
for fixing the problem.  I myself wasn't part of it, however.

First few weeks:

Things were in an uproar.  Someone was resourced to fix it.  Someone who,
unfortunately, was just an average engineer in the group responsible for
fixing it, not someone who was already an XSS guru.  As you can imagine,
the amount of research into the problem was pretty large, and then the
documentation and research of the code necessary here is ... non-trivial,
especially considering eBay's great feature of allowing HTML in
descriptions, emails, and more...

Now multiply that complexity times *TWO*, because at the time eBay had two
parallel source bases to worry about (the legacy source base in C++ and the
new one in Java).  Because of this, we're talking 100+ days of project work,
here.

Months have gone by (what with dev time and QA time), and then the fixes
are all rolled out.  Then, two things became apparent:

1. The fixes that we spent a HUGE amount of time working on (in order to
   cover all of the corner cases) were rolled out to the live site and
   didn't completely work.  Then, massive amounts of red tape and churn
   happened.  The razor focus and magnifying glasses were put on the
   problem, causing one of those, "put your balls on the table" reactions.

2. Human error played games with us here.  Ouch.

Sigh.  It wasn't really a year where eBay did nothing.  It was basically
a company doing its best mixed with plenty of SNAFU.

>   - Contact points for eBay and PayPal used to be virtually impossible to
>     find.  And there were NO phone numbers.

Again, used to be.

>     I guess you can say that one good thing has come from phishing:
>     PayPal now lists phone numbers for help on their web site and
>     in the WHOIS entry -- but they are international calls for people
>     outside the USA.  (Yes, eBay is still a black hole.)

Not completely true.

1. For certain levels of sellers, phone support is available.
2. Live Help (similar to IM) is great and available to everyone.
3. Email support is available to everyone.
4. Skype in the future?

Not exactly a black hole.

> And I'm sure there are more issues...
>
> Now, considering that VeriSign is a gTLD provider (generic Top Level Domain,
> for those non-DNS folks) and manages all .COM and .NET domains...
> Imagine the horror of a domain hijacking!
> You won't be able to call a 24/7 support center, and their email reply
> (three days later) says, "We're sorry, you're going to need to register
> a new domain.  Via PayPal."
>
> I can also envision a strong push for a ".paypal" and ".ebay" gTLD.
> Hmmm... "www.bankone.paypal"!
>
> I wonder if we can petition ICANN to yank the .COM and .NET from
> VeriSign and assign it to someone like GoDaddy.  (At least I have had
> good experiences with GoDaddy -- they are responsive.)

Again, eBay, Inc. will have nothing to do with gTLDs, since it did not
acquire any such technologies.  Those remain with VeriSign.

>                                       -Neal
> --
> Neal Krawetz, Ph.D.
> Hacker Factor Solutions
> http://www.hackerfactor.com/

-- 
Mark P. Fister
http://www.fister.org
Skype: callme://FisterDotOrg
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

