Ripped from http://www.empiresecurity.com/displayarticle135.html

It's an interesting read, so I thought I'd post it.

We recently discovered a new auction fraud approach that is extremely clever. The criminal has taken online auction social engineering to its purest form: take your money. After all, the end result is getting your money, so why not just ask for it? Why spend countless hours hijacking accounts, posting false listings, getting discovered, hijacking more accounts, posting more listings, ad infinitum? Profitable as that is, it is also more work than necessary. The newest criminal has figured this out.

The new technique is simple and elegant. It appeals to the greed we all possess, and couples it with the inherent weakness of email as a means of identifying who you are dealing with.

Here's what to watch out for.

You are a regular Ebay buyer and frequently purchase high-end, high-dollar merchandise. The criminal knows this because he searched closed auctions of that type and found your username. He saw everything you bought; the advanced search feature makes this a snap. The criminal can profile big spenders in a matter of minutes.

Next, the criminal hijacks an account that has been dormant for a long time. A dormant account is a legitimate one whose owner has not taken part in any auction for six months or more. Ebay has hundreds of thousands of these. The criminal chooses a dormant account because its real owner is unlikely ever to notice that it has been hijacked.

The criminal now has the next victim's username and a way to contact him. He has no idea what the victim's email address is, so he uses the Ebay Contact Ebay Member feature. Knowing that people generally like to help others, he asks the victim a question such as, "I noticed you bought an AlienWare computer from this seller. Did you like the product?"

This is where Ebay's security weakness is exploited. The friendly and helpful user replies that the seller and product were outstanding. That reply travels outside the Ebay system as an ordinary email from the victim's real address, so the criminal now has it.

The next phase is passive monitoring. Using Ebay's advanced search options, the criminal sees every current auction on which the victim has placed a bid, and can track ending times and bid levels with Ebay sniper software (search for Sniper on this site for the software).

It is important to note the significance of this. The auctions are real and are obviously not fraudulent. The seller has built a reputation for auctioning expensive merchandise, and bidders can verify that reputation with little effort. Because the auctions are real, the attack phase is pulled off using established trust as the weapon.

Because the criminal is monitoring the auction, he goes to work the moment it ends. He emails the winner he has been surveilling. The message congratulates the person on winning, which is true, then states how to pay. It even offers a discount for paying by Western Union or another wire service that criminals favor because transfers are hard to trace or reverse. The criminal even has the nerve to tell the victim to ignore any automatically generated payment emails (from the legitimate seller) as outdated.

At this point the victim has no reason to doubt the payment request. In his mind, only the seller knows about this transaction and only the seller can contact him about it by email, so the message must be genuine. He quickly pays, not realizing he has been taken.

The criminal also has a backup plan. If the bidder did not win, he sends a second chance offer, claiming either that the winning bidder backed out or that there are multiple items for sale. Once again, the bidder has no reason to doubt the email, because only the real seller should be able to contact him this way.

This social engineering works because it is built on what we know to be true. We did bid on a legitimate listing. We have no reason to suspect the auction is not real, because the seller is established and trusted. It is the ultimate smoke and mirrors.

Now for the scary part: the entire process can be automated by bots that search, contact members, harvest email addresses, monitor auctions, and send winning notifications. If the criminals get hold of lists of auction usernames or email addresses, it is game over. Such a bot could be written in a day or two, and a bot to harvest usernames is just as easy, since usernames are a cornerstone of the auction framework.

How can online auction houses put an end to this fraud? They need to build a complete system that includes integrated messaging and billing with absolutely no external electronic communication channels.

Here are some specific methods to combat online auction fraud using technology countermeasures:

1) Two-Factor Authentication - Authentication factors are something you know (a password), something you have (an RSA fob), or something you are (a fingerprint); two-factor authentication requires two of them. We recommend something you know plus something you have. If someone steals an Ebay username and password, they still cannot get into the account without the RSA (or other vendor) key fob. Note the limit of this measure against the attack above: it blocks the hijack of the dormant account that starts the scam, but it does nothing against the spoofed payment email, which never touches the victim's account.

2) Restricted Workflow and Communications - The entire auction process should be executed within the auction system. No more emails telling users they have won, been outbid, or listed an item, and especially no more emails asking questions. These messages still have to be delivered, but they should go through an online auction messaging center. Users who need real-time notification of events should be given a client-side application that connects securely to the auction system. Note: the secure front-end could also serve as a second authentication factor if it holds an electronic key used together with the user's password.

3) Restricted Online Payment - Ebay, for example, owns PayPal. It should be the only authorized form of electronic payment and should be tightly integrated into the user's Ebay dashboard. No more returning to the auction page to click the PayPal logo; that flow dates from when PayPal was a separate company homing in on a service Ebay did not provide adequately. The only way a user can be sure an electronic payment goes to the real seller for the specific goods is if the payment is initiated from a dashboard line item for that auction. The same line item would also be the route to other payment methods, such as mail-in.

4) Dormant Account Maintenance - Any auction account unused for six months or more should be deactivated. A user who wants access after that can either create a new account or prove their identity against the financial and personal information they provided at registration. User convenience should not take precedence over community security.

5) Automated Telephony System - Providers of online services have a simple goal: never having to speak with their customers. They want the system to handle all interaction with you, because person-to-person contact costs money. That is basic economics at the expense of old-fashioned customer service. Given that, users need better protection against account hijacking. Whenever a user changes their online profile, the telephony system should dial that person's work and home numbers and play an automated message requesting verification. The user approves the change by entering the confirmation code read out in the call. This would sharply curtail account hijacking and the identity theft that follows it, which reaches well beyond the auction system by destroying victims' hard-earned financial credit history.

6) IP Address Analysis - If a user lives in Texas and someone suddenly changes the account's personal information from a computer in Europe, that should set off alarms. Better than alarms: the system should detect and block the action, then use the telephony notification system to tell the account owner. The account should stay locked until the user acknowledges and verifies the change. If the account has been hijacked, it should be reactivated only when the user supplies personal or financial information that matches the original registration data.
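The last three countermeasures (deactivating dormant accounts, out-of-band telephone confirmation, and blocking profile changes that arrive from an unexpected region) fit together as a single guard on profile changes. The Python below is an added example written for this page, not code from the original article or from any auction site. It assumes, hypothetically, that each account carries a home region taken from its registration data, that the requesting IP has already been mapped to a region by a geo-IP lookup, and that the telephony system can be stood in for by a class that simply records the code it would read out; all names in it are invented for illustration.

```python
"""Added example for this page (not the article's or any auction site's code):
a guard on account-profile changes combining the dormant-account rule, the
out-of-band telephone confirmation and the IP-region check described above.
Assumptions (hypothetical): home_region comes from registration data,
source_region from an earlier geo-IP lookup, and OutOfBandChannel stands in
for the telephony system."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
import hashlib
import hmac
import secrets

DORMANCY = timedelta(days=183)   # "six months or more": deactivate
MAX_CODE_ATTEMPTS = 3            # then require identity re-proofing


@dataclass
class ChangeRequest:
    username: str
    source_region: str    # region of the requesting IP (assumed geo-IP result)
    field_name: str       # profile field being changed, e.g. "email"
    new_value: str


@dataclass
class Account:
    username: str
    home_region: str                    # e.g. "US-TX" (assumed from registration)
    last_activity: datetime
    profile: Dict[str, str] = field(default_factory=dict)
    locked: bool = False
    pending: Optional[ChangeRequest] = None   # change held until confirmed
    code_digest: Optional[str] = None         # sha256 of the outstanding code
    code_attempts: int = 0
    needs_identity_proof: bool = False        # reactivate only with registration data


class OutOfBandChannel:
    """Stand-in for the automated telephony system (assumption): records the
    code a real system would dial out and read to the account owner."""
    def __init__(self) -> None:
        self.sent: Dict[str, str] = {}

    def send(self, username: str, code: str) -> None:
        self.sent[username] = code


def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def evaluate_change(acct: Account, req: ChangeRequest, now: datetime,
                    channel: OutOfBandChannel) -> str:
    """Returns 'locked', 'dormant_deactivated', 'pending_verification' or 'applied'."""
    if acct.locked:
        return "locked"

    # Dormant-account rule: unused for six months -> deactivate, no silent reuse.
    if now - acct.last_activity >= DORMANCY:
        acct.locked = True
        acct.needs_identity_proof = True
        return "dormant_deactivated"

    # IP-region check: request from outside the home region -> hold the change,
    # lock the account, and confirm out of band.
    if req.source_region != acct.home_region:
        code = f"{secrets.randbelow(10**6):06d}"
        acct.locked = True
        acct.pending = req
        acct.code_digest = _digest(code)   # never store the code itself
        acct.code_attempts = 0
        channel.send(acct.username, code)
        return "pending_verification"

    acct.profile[req.field_name] = req.new_value
    acct.last_activity = now
    return "applied"


def confirm_change(acct: Account, code: str) -> bool:
    """Owner keys in the code read out by phone. Constant-time compare; after
    MAX_CODE_ATTEMPTS failures the account stays locked pending re-proofing."""
    if acct.code_digest is None or acct.pending is None:
        return False
    if hmac.compare_digest(_digest(code), acct.code_digest):
        acct.profile[acct.pending.field_name] = acct.pending.new_value
        acct.pending = None
        acct.code_digest = None
        acct.code_attempts = 0
        acct.locked = False
        return True
    acct.code_attempts += 1
    if acct.code_attempts >= MAX_CODE_ATTEMPTS:
        acct.pending = None
        acct.code_digest = None
        acct.needs_identity_proof = True
    return False


if __name__ == "__main__":
    # Constructed sample: a Texas buyer whose email is changed from Europe.
    now = datetime(2005, 6, 1, tzinfo=timezone.utc)
    channel = OutOfBandChannel()
    buyer = Account("bigspender", "US-TX", now - timedelta(days=12))
    req = ChangeRequest("bigspender", "EU-RO", "email", "crook@example.com")
    print(evaluate_change(buyer, req, now, channel))          # pending_verification
    print(confirm_change(buyer, channel.sent["bigspender"]))  # True (owner had the phone)
```

A change from the account's home region is applied at once; one from elsewhere is held, the account is locked, only a digest of the six-digit code is stored, and the code itself goes to the out-of-band channel. confirm_change compares in constant time and, after three wrong codes, leaves the account locked with needs_identity_proof set, so it can only be reopened against the original registration data. A production version would also expire the code after a few minutes and rate-limit confirm attempts per source address.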

Solving online auction security will cost millions of dollars. Although auction houses have taken steps against identity theft and fraud, those steps have not adequately protected the buyers and sellers who make them millions of dollars each day. It is only a matter of time before there is a class action lawsuit against online providers whose services are regularly exploited by Internet criminals. Splashing warnings in customers' faces is not a sufficient countermeasure for the rampant fraud that plagues online systems. If a company knows about specific threats and does little or nothing effective about them, then release the hounds. A company simply cannot afford to reap billions of dollars in profit while dismissing realistic technological solutions that would keep its customers safe.

Those who live by technology have a responsibility to provide secure technology. In other words, it's time to change the locks on the door because the bad guy has the keys.

Finally, the reason providers of any online system should be compelled to provide enhanced security for their users rests on the definition of "system" as used in systems engineering. According to the United States Department of Commerce, National Telecommunications and Information Administration, Institute for Telecommunication Sciences, in Boulder, Colorado, a system is:

system: 1. Any organized assembly of resources and procedures united and regulated by interaction or interdependence to accomplish a set of specific functions. [JP1] 2. A collection of personnel, equipment, and methods organized to accomplish a set of specific functions. (188)

This definition can be found at http://www.its.bldrdoc.gov/fs-1037/dir-036/_5255.htm

The definition of "system" includes procedures and people, not just servers and software. The users of an online service are part of the system, not apart from it, so every security measure must account for them. If it is well known that users are being systematically robbed of their usernames and passwords, and eventually their identities, then the owners of the system are obligated to mitigate the risk of exploitation to the best of their ability.