Monday, June 25, 2012

Plausibility of Security Breaches

(For PCWorld Pakistan)

Are These Self-Inflicted?

Are the security breaches happening to some of the leading names in the online space rightly justified? What seems to be the case is best explained by a domino effect. Tracing back to late 2011, PayPal was in the limelight as the most phished brand, owing to an omnipresent market penetration strategy and a favorable market reputation. According to a study conducted by the Anti-Phishing Working Group (APWG), reporting findings from April this year, China’s largest e-commerce site had surpassed PayPal as the most phished site. An interesting observation that can be drawn from this is that PayPal had indeed managed to surpass the leading e-commerce brands Amazon and eBay in being targeted. Customer security nevertheless continues to be PayPal’s largest concern, and the concern appears quite reasonable given what the ‘others’ have had to go through.

Cashing in on the business of e-commerce, social and professional networking forums are the eloquent trendsetters these days. Not in competition as such, they often complement the business models of internet merchant intermediaries like PayPal, Mobile Payment Solutions etc. Two of the globally leading networking forums have had massive password leaks in the recent past, with unfortunate consequences. Twitter, a micro-blogging platform and the second-largest networking forum, had more than 55,000 passwords leaked to Pastebin. While Twitter immediately commanded a reset of Twitter passwords, another gaffe was waiting to happen.

With a level of severity exceeding the Twitter infraction by 10-fold, the account passwords of 6.5 million LinkedIn users were hacked and posted online in hashed format. As compared to Twitter, the accounts leaked weren’t those of a few but of the entire LinkedIn community. A repercussion of the same was a class action suit filed by an Illinois resident, Katie Szpyrka, holding LinkedIn responsible for not using adequate safety measures to protect its users against security breaches and account hacks. LinkedIn was found guilty of saving the account passwords of its users in an unsalted SHA1 hashed format, which is below the basic industry standard encryption methods promised in the contractual obligation between LinkedIn and the accountholder. The complaint filed against the professional networking giant identifies an SQL injection, an attack routed through the website against its databases, as having led to the password leakage.
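To show why an unsalted SHA1 store is considered below standard, here is an added example (not code from the article or from LinkedIn) that contrasts the weak scheme with a salted, iterated one; the account names and passwords are constructed sample data, and the wordlist and iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real LinkedIn data); two users share a password.
ACCOUNTS = {"alice": "linkedin", "bob": "linkedin", "carol": "Tr0ub4dor&3"}

def unsalted_sha1(password: str) -> str:
    """The scheme the complaint describes: one deterministic SHA-1 digest, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def duplicate_digests(stored: dict) -> set:
    """Audit check: a digest shared by several accounts exposes password reuse
    at a glance, something a per-user salt would hide."""
    seen, dupes = set(), set()
    for digest in stored.values():
        if digest in seen:
            dupes.add(digest)
        seen.add(digest)
    return dupes

def lookup_unsalted(stored: dict, wordlist: list) -> dict:
    """One precomputed digest table for a wordlist maps straight back onto every
    unsalted record, so the cost is paid once for the whole user base."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {u: table[d] for u, d in stored.items() if d in table}

# Hardened scheme: random per-user salt plus a deliberately slow iterated hash.
ITERATIONS = 100_000  # assumed work factor for the example

def make_record(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, dk

def verify(record: tuple, candidate: str) -> bool:
    salt, dk = record
    _, cand = make_record(candidate, salt)
    return hmac.compare_digest(dk, cand)  # constant-time comparison

def demo() -> dict:
    stored = {u: unsalted_sha1(p) for u, p in ACCOUNTS.items()}
    salted = {u: make_record(p) for u, p in ACCOUNTS.items()}
    return {
        "dupes": len(duplicate_digests(stored)),
        "recovered": lookup_unsalted(stored, ["password", "linkedin", "123456"]),
        "salted_alice_eq_bob": salted["alice"][1] == salted["bob"][1],
        "verify_ok": verify(salted["carol"], "Tr0ub4dor&3"),
        "verify_bad": verify(salted["carol"], "linkedin"),
    }
```

With the unsalted store, alice and bob share a digest and a three-word table recovers both; with the salted store their records differ and the table is useless.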

Holding ‘Anonymous’ Responsible?

In the case of LinkedIn, how plausible would it be to consider the security breach self-inflicted? A technical glitch left unaddressed was maliciously catapulted against the largest professional networking forum, not all of whose members are premium accountholders. Leaked passwords of premium accountholders are likely to have opened access to, and endangered, the credit card information of those using their accounts to buy services. Had the encryption firewalls met the bare minimum industry standards, the result could have been avoided. In a way, there is reason to believe the security breach was indeed called for.

Recalling the case of PayPal, there is even more of a reason. According to, PayPal was considered to have ventured into unwarranted territory with the launch of a mobile payment service that works without Near-Field Communication (NFC) technology. To use the facility, PayPal accountholders simply needed to enter a phone number and a PIN code. According to many security evangelists, there were serious security shortcomings to the plan. Not requiring the involvement of a physical device, such as a credit card or a smart-phone, for the transaction to be completed renders a PayPal mobile payment account quite permeable.

A comment posted by a Wall Street Daily reader pretty much summarized the flaw: “With NFC, someone has to steal your phone. [With] the proposed PayPal solution, someone could key log your phone number and PIN. NFC appears to be more secure to me.” That is so because the NFC chip comes built in within the mobile phone. There are, however, only a limited number of phones equipped with the chip. A feature used by Google Wallet, the NFC chip turns the smart-phone into a digital wallet, protected by two PIN codes and three layers of encryption. Other than Google Wallet, which lets you use the app by ‘adding funds’ synced with your credit card, ISIS (a joint venture of Verizon, AT&T, and T-Mobile) is another Mobile Payment Solution built on NFC. PayPal is another competitor to Google Wallet, but hardly a serious one while its vulnerability checks remain unaddressed.

When it comes to PayPal therefore, a self-inflicted attack can be assumed quite reasonably to be the case.

Countering the same, PayPal is running a ‘bug bounty’ program. As announced by PayPal’s Chief Information Security Officer in a blog post, PayPal is offering security researchers with verified PayPal accounts monetary rewards for reporting Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQL Injection (SQLi) and Authentication Bypass vulnerabilities. Whether this will influence others that have faced, or are exposed to, security attacks to follow suit is quite uncertain.

What is certain, though, is the necessity for websites that require account-opening for P2P interaction or e-commerce to fortify their security algorithms. Appreciating the crucial need for the same, PayPal is offering community-wide monetary incentives. A smarter move would have been to revisit the operational model of PayPal’s Mobile Payment Solution first.

The accountholder’s security shouldn’t be a casualty of a website’s enhanced business model.





