eBay justifies the lack of HTTPS by saying it has deployed other technologies to prevent account misuse.
eBay customers need to be extra cautious these days when accessing their account activity, personal information and stored messages. New research from Comparitech.com has found that many pages on the site that require user input or display personal information are not served over HTTPS.
While eBay does use HTTPS on its most critical pages, such as where payment or address information is entered, it still lacks encryption on several other sensitive pages. When customers send and receive messages from sellers, for example, their communications are not sent over a private channel.
Not only could a hacker intercept and read messages, they could also modify them in what is known as a “man-in-the-middle” attack, which could be used to send fraud or spam from user accounts. In a man-in-the-middle attack the attacker does not merely intercept your Web traffic but alters it before passing it on, changing the contents of a message or some other user input, for example. Reading plain-HTTP traffic only requires being on the same network path; modifying it requires sitting in that path, which an attacker controlling a Wi-Fi access point or a compromised router can do.
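To make the difference between the passive and active cases concrete, the following is an added example (not code from the article or from eBay). It serializes a constructed "message the seller" form post the way a browser would send it over plain HTTP, shows that a sniffer can read the session cookie and message text straight from the bytes, and then shows a man-in-the-middle rewriting the message body and forwarding a request the server cannot tell apart from the user's own. The host, path, cookie and field names are assumptions.

```python
"""What a sniffer sees, and can change, when a form is submitted over HTTP.

Added example, not part of the original article. The request is a
constructed stand-in for an unencrypted 'message the seller' form post;
the host, path, cookie and field names are assumptions, not eBay's.
"""
from urllib.parse import parse_qs, urlencode


def build_request(path, host, cookie, fields):
    """Serialize a form POST the way a browser would send it over plain HTTP."""
    body = urlencode(fields).encode()
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {cookie}\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode() + body


def parse_request(raw):
    """Passive attacker: everything in a plain-HTTP request is readable,
    including the session cookie and the message text."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    fields = {k: v[0] for k, v in parse_qs(body[:length].decode()).items()}
    return {"method": method, "path": path, "headers": headers, "fields": fields}


def tamper(raw, overrides):
    """Active (man-in-the-middle) attacker: rewrite chosen fields and forward
    a request the server cannot distinguish from the user's own, keeping the
    victim's session cookie and recomputing Content-Length for the new body."""
    req = parse_request(raw)
    fields = dict(req["fields"], **overrides)
    return build_request(req["path"], req["headers"]["host"],
                         req["headers"].get("cookie", ""), fields)


# Constructed capture of a buyer's message to a seller (assumed names).
CAPTURED = build_request(
    "/messages/send", "www.example.com", "session=abc123",
    {"to": "seller42", "body": "Is this still available?"},
)

if __name__ == "__main__":
    seen = parse_request(CAPTURED)
    print("sniffer reads:", seen["headers"]["cookie"], seen["fields"])
    forged = tamper(CAPTURED, {"body": "Pay me directly at bank.attacker.example"})
    print("server receives:", parse_request(forged)["fields"])
```

Had the same form been submitted over HTTPS, a capture at the same point would show only TLS records: the cookie, field names and message text would all be inside the encrypted payload, and a rewritten record would fail the TLS integrity check rather than reach the server as a valid request.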
Paul Bischoff, security advocate at Comparitech.com, recently sat down with Inside Counsel to discuss why eBay customers need to be extra cautious when accessing their account activity, personal information and stored messages.
“This information could be intercepted and read by hackers or anyone else on the network, such as your ISP. A hacker could see the information displayed on those websites,” he explained. “On the pages where there is form input, such as the merchant messages, a hacker could even modify the contents of a message before it is sent. This is known as a man-in-the-middle attack.”
eBay justifies the lack of HTTPS by saying it has deployed other technologies to prevent account misuse, according to Bischoff. These include masking, in which an email address such as firstname.lastname@example.org would be displayed as *********@example.org. Such measures only reduce what is shown on the page; they do nothing for the cookies, form contents and other data that still cross the network in the clear, and are half-measures compared to the protection of full HTTPS encryption.
“eBay told us it is rolling out SSL (HTTPS) to more of its site in the future. There's really not a good reason for these pages to not be encrypted now,” he said. “HTTPS certificates are cheaper than ever. Some companies complain that implementing HTTPS results in less ad revenue, but there's little evidence to support such a claim.”
Sensitive customer information is easy to capture in this situation. Anyone on the same network (an open or shared Wi-Fi network, for example) could intercept it using a network analysis tool such as Wireshark, according to Bischoff. These tools capture all of the Web traffic sent to and from a device on the network, and many of them are free to download and use.
So, what is the solution to this problem? How should eBay respond?
Bischoff said, “eBay should deploy HTTPS on any Web page that contains personal information or requires user input. There are no shortcuts here.”
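A practitioner auditing a site against that recommendation needs a repeatable check rather than a manual click-through. The following is an added example (not code from the article or from eBay) that scans pages, keyed by the URL each was served from, and flags two conditions: a page that collects user input but was not delivered over HTTPS, and a form whose action resolves to a non-HTTPS target. The sample pages and URLs are constructed for the example; in practice the HTML would be fetched out of band and passed in.

```python
"""Audit which pages collect user input without HTTPS.

Added example, not part of the original article or of eBay's code. It runs
over constructed HTML keyed by the URL it was served from; the URLs and
markup below are assumptions built for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages keyed by the URL they were served from.
SAMPLE_PAGES = {
    "http://www.example.com/messages/compose":
        "<form action='/messages/send' method='post'>"
        "<textarea name='body'></textarea><input type='submit'></form>",
    "https://www.example.com/checkout":
        "<form action='https://pay.example.com/submit' method='post'>"
        "<input name='card'></form>",
    "https://www.example.com/item/123":
        "<p>Item description</p><a href='/buy'>Buy</a>",
    "https://www.example.com/search":
        "<form action='http://www.example.com/results'><input name='q'></form>",
}


class _FormScanner(HTMLParser):
    """Collect form actions and note whether the page takes user input."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.has_input = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A valueless or missing action submits back to the page URL.
            self.form_actions.append(a.get("action") or "")
        elif tag in ("input", "textarea", "select"):
            # hidden/submit/button controls carry no user-typed data
            if (a.get("type") or "").lower() not in ("hidden", "submit", "button"):
                self.has_input = True


def audit_page(url, html):
    """Return findings for one page: user input collected on a non-HTTPS
    page, or a form that submits to a non-HTTPS target."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    if urlsplit(url).scheme.lower() != "https" and (scanner.has_input or scanner.form_actions):
        # Even if the form's action is https, a page delivered over http can
        # be rewritten in transit (action changed, script injected), so the
        # page itself must be HTTPS.
        findings.append(f"{url}: user input collected on a non-HTTPS page")
    for action in scanner.form_actions:
        target = urljoin(url, action)
        if urlsplit(target).scheme.lower() != "https":
            findings.append(f"{url}: form submits to non-HTTPS target {target}")
    return findings


def audit_site(pages):
    """Audit every url -> html pair; pages with no findings map to []."""
    return {url: audit_page(url, html) for url, html in pages.items()}


if __name__ == "__main__":
    for url, findings in audit_site(SAMPLE_PAGES).items():
        print(url, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The check deliberately flags an HTTP page even when its form posts to an HTTPS address: an attacker who can modify the page in transit can change that action or add script before the user ever types anything, which is exactly the man-in-the-middle case the article describes. A complete audit would also cover pages that merely display personal information with no form at all, which this scanner cannot detect from markup alone.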