"eBay have identified a possible security flaw and are requiring all developers update their passwords."
"The developer blog reports that eBay have recently identified a means by which someone could have" "gained access to eBay Developers Program account information."
We're not surprised this happened. The surprise is eBay in public admitting a "security flaw".
Important Security Update: developer.ebay.com Posted by Laurel Kline in Critical Notes from Tech Support, Business News & Developer Website Monday, Aug.10.2009, 3:06 PM PT
This is Kumar Kandaswamy, and I manage the eBay Developers Program. I'd like you to read this important message about account safety.
The safety and security of the eBay Developers Program is a top priority. While we believe that people are basically good, we also must live with the reality that there are fraudsters out there who have made it their illicit "profession" to find ways to exploit others on the Internet.
Occasionally, fraudsters attempt to gain unauthorized access to the eBay Developers Program. eBay has recently identified a means by which someone could gain access to eBay Developers Program account information. This type of access DOES NOT allow the capture of financial or other sensitive information, such as credit card or bank account information or Social Security numbers. Fortunately, we have not detected any unusual activity with any Developer account.
Out of an abundance of caution and to help ensure the security of the eBay Developers Program, we are requiring that all developers take the following steps:
Take advantage of our new, stricter password standards and change your eBay Developers Program (developer.ebay.com) passwords. It is not necessary to change eBay (www.ebay.com) passwords.
If you believe you or your customers have been the victim of fraudulent activity, contact us immediately at [email protected].
Sincerely, Kumar Kandaswamy
There's much unintentional eBay humor with the statement from Kumar Kandaswamy that "safety and security of the eBay Developers Program is a top priority." Because historically that has not been the case.
Follow us.
Once upon a time Sergiu Daniel Popa was brought to the attention of the public by Dan Browning of the Star Tribune. As reported in his article "Suspect in 'phishing' scheme indicted":
"A Romanian immigrant was indicted Tuesday in federal court in Minneapolis on charges that he operated a computerized "phishing" scheme for several years that raked in financial records and personal identification from thousands of individuals"
"Sergiu Daniel Popa, 20, of Shelby Township, Mich., was indicted on three counts"
Days later there would be a post about the article on the eBay Stores Forum. This was followed quickly by eBay user ID spopa2006 stating, "Listen guys. I am Sergiu D. Popa. I am that horrible guy!" and "I will make your life a hell." And much much more.
When this activity and background was reported to eBay, their reponse was to delete the spopa2006 posts. He was able to keep his eBay account active. If you look quickly, you can view his Feedback Profile as of 11 August 2009 01:07 GMT.
"Hey there. I wrote a similar project in C++ by using pointers. However, the implemented network interface i used in C++ is no longer supported and I am not a C# guru as I am in c++. Tell me whether or not you got your solution. You can email me at [email protected]"
The activities of a registered eBay Developer. You know the ones who work on the software that eBay buyers and sellers use.
"22-year-old Romanian national has admitted he participated in a US-based phishing operation that raked in some $700,000 over a three-year period."
"Sergiu Daniel Popa, who for the past seven years has lived in New York and Michigan, pleaded guilty in federal court in Minneapolis to two felonies related to the scheme. He faces a maximum of 10 years in federal prison and a fine of $500,000."
"FBI agents began their investigation of Popa in early 2005."
Kumar Kandaswamy is crowing about protection from "fraudsters attempt to gain unauthorized access to the eBay Developers Program", but described here is a convicted hacker who eBay gave Developer Program access?
With spopa2006's regular eBay account active, you have to wonder if his Developer Program access remains active. And if he gave others access to his account, during his extended absence.
Kumar Kandaswamy said, "we have not detected any unusual activity with any Developer account".
Oh, Please!
How many times does a warning have to be given to eBay before someone listens?
And given the lax vetting process, one really has to wonder if there are other "Popa's" signed up to the Developer Program?
.
"So, people hire you to break into their places... to make sure no one can break into their places?" "It's a living." Martin Bishop, Sneakers (1992)
"eBay have identified a possible security flaw and are requiring all developers update their passwords."
"The developer blog reports that eBay have recently identified a means by which someone could have" "gained access to eBay Developers Program account information."
We're not surprised this happened. The surprise is eBay in public admitting a "security flaw".
Important Security Update: developer.ebay.com Posted by Laurel Kline in Critical Notes from Tech Support, Business News & Developer Website Monday, Aug.10.2009, 3:06 PM PT
This is Kumar Kandaswamy, and I manage the eBay Developers Program. I'd like you to read this important message about account safety.
The safety and security of the eBay Developers Program is a top priority. While we believe that people are basically good, we also must live with the reality that there are fraudsters out there who have made it their illicit "profession" to find ways to exploit others on the Internet.
Occasionally, fraudsters attempt to gain unauthorized access to the eBay Developers Program. eBay has recently identified a means by which someone could gain access to eBay Developers Program account information. This type of access DOES NOT allow the capture of financial or other sensitive information, such as credit card or bank account information or Social Security numbers. Fortunately, we have not detected any unusual activity with any Developer account.
Out of an abundance of caution and to help ensure the security of the eBay Developers Program, we are requiring that all developers take the following steps:
Take advantage of our new, stricter password standards and change your eBay Developers Program (developer.ebay.com) passwords. It is not necessary to change eBay (www.ebay.com) passwords.
If you believe you or your customers have been the victim of fraudulent activity, contact us immediately at [email protected].
Sincerely, Kumar Kandaswamy
There's much unintentional eBay humor with the statement from Kumar Kandaswamy that "safety and security of the eBay Developers Program is a top priority." Because historically that has not been the case.
Follow us.
Once upon a time Sergiu Daniel Popa was brought to the attention of the public by Dan Browning of the Star Tribune. As reported in his article "Suspect in 'phishing' scheme indicted":
"A Romanian immigrant was indicted Tuesday in federal court in Minneapolis on charges that he operated a computerized "phishing" scheme for several years that raked in financial records and personal identification from thousands of individuals"
"Sergiu Daniel Popa, 20, of Shelby Township, Mich., was indicted on three counts"
Days later there would be a post about the article on the eBay Stores Forum. This was followed quickly by eBay user ID spopa2006 stating, "Listen guys. I am Sergiu D. Popa. I am that horrible guy!" and "I will make your life a hell." And much much more.
When this activity and background was reported to eBay, their reponse was to delete the spopa2006 posts. He was able to keep his eBay account active. If you look quickly, you can view his Feedback Profile as of 11 August 2009 01:07 GMT.
"Hey there. I wrote a similar project in C++ by using pointers. However, the implemented network interface i used in C++ is no longer supported and I am not a C# guru as I am in c++. Tell me whether or not you got your solution. You can email me at [email protected]"
The activities of a registered eBay Developer. You know the ones who work on the software that eBay buyers and sellers use.
"22-year-old Romanian national has admitted he participated in a US-based phishing operation that raked in some $700,000 over a three-year period."
"Sergiu Daniel Popa, who for the past seven years has lived in New York and Michigan, pleaded guilty in federal court in Minneapolis to two felonies related to the scheme. He faces a maximum of 10 years in federal prison and a fine of $500,000."
"FBI agents began their investigation of Popa in early 2005."
Kumar Kandaswamy is crowing about protection from "fraudsters attempt to gain unauthorized access to the eBay Developers Program", but described here is a convicted hacker who eBay gave Developer Program access?
With spopa2006's regular eBay account active, you have to wonder if his Developer Program access remains active. And if he gave others access to his account, during his extended absence.
Kumar Kandaswamy said, "we have not detected any unusual activity with any Developer account".
Oh, Please!
How many times does a warning have to be given to eBay before someone listens?
And given the lax vetting process, one really has to wonder if there are other "Popa's" signed up to the Developer Program?
.
"So, people hire you to break into their places... to make sure no one can break into their places?" "It's a living." Martin Bishop, Sneakers (1992)
eBay Developer Important Security Update - Oh Please!
eBay Developer Important Security Update - Oh Please!
10 August 2009
EventHorizon1984
In the article "Passwords compromised for eBay developers," Chris Dawson of TameBay wrote:
We're not surprised this happened. The surprise is eBay in public admitting a "security flaw".
The equivalent of code monkey felgercarb can be found in this security announcement from the eBay Developers Program blog, regarding the "possible security flaw":
Important Security Update: developer.ebay.com
Posted by Laurel Kline in Critical Notes from Tech Support, Business News & Developer Website
Monday, Aug.10.2009, 3:06 PM PT
This is Kumar Kandaswamy, and I manage the eBay Developers Program. I'd like you to read this important message about account safety.
The safety and security of the eBay Developers Program is a top priority. While we believe that people are basically good, we also must live with the reality that there are fraudsters out there who have made it their illicit "profession" to find ways to exploit others on the Internet.
Occasionally, fraudsters attempt to gain unauthorized access to the eBay Developers Program. eBay has recently identified a means by which someone could gain access to eBay Developers Program account information. This type of access DOES NOT allow the capture of financial or other sensitive information, such as credit card or bank account information or Social Security numbers. Fortunately, we have not detected any unusual activity with any Developer account.
Out of an abundance of caution and to help ensure the security of the eBay Developers Program, we are requiring that all developers take the following steps:
If you believe you or your customers have been the victim of fraudulent activity, contact us immediately at [email protected].
Sincerely,
Kumar Kandaswamy
There's much unintentional eBay humor with the statement from Kumar Kandaswamy that "safety and security of the eBay Developers Program is a top priority." Because historically that has not been the case.
Follow us.
Once upon a time Sergiu Daniel Popa was brought to the attention of the public by Dan Browning of the Star Tribune. As reported in his article "Suspect in 'phishing' scheme indicted":
Days later there would be a post about the article on the eBay Stores Forum. This was followed quickly by eBay user ID spopa2006 stating, "Listen guys. I am Sergiu D. Popa. I am that horrible guy!" and "I will make your life a hell." And much much more.
When this activity and background was reported to eBay, their reponse was to delete the spopa2006 posts. He was able to keep his eBay account active. If you look quickly, you can view his Feedback Profile as of 11 August 2009 01:07 GMT.
This all would be rather uninteresting save for the fact that spopa2006 was a poster on the eBay Developer forums:
The activities of a registered eBay Developer. You know the ones who work on the software that eBay buyers and sellers use.
Feeling that "safety and security" yet?
Oh, and did we forget to mention that this took place in 2007? For those interested we kept the details in a June 2007 article, Sergiu D. Popa Response To Dan Browning Star Tribune Article.
Well there is innocent unless proven guilty.
BAMM!! But wait, there's more.
In October 2008 Dan Goodin followed up with "Romanian national cops to $700,000 phishing trip":
Kumar Kandaswamy is crowing about protection from "fraudsters attempt to gain unauthorized access to the eBay Developers Program", but described here is a convicted hacker who eBay gave Developer Program access?
With spopa2006's regular eBay account active, you have to wonder if his Developer Program access remains active. And if he gave others access to his account, during his extended absence.
Kumar Kandaswamy said, "we have not detected any unusual activity with any Developer account".
Oh, Please!
How many times does a warning have to be given to eBay before someone listens?
And given the lax vetting process, one really has to wonder if there are other "Popa's" signed up to the Developer Program?
.
"So, people hire you to break into their places... to make sure no one can break into their places?"
"It's a living." Martin Bishop, Sneakers (1992)
Posted at 19:14 in Commentary, eBay, eBay Customer Service, eBay Spotlight, Legal