mombe.org
home of the mad cow
Not A Blog

Tuesday, July 27, 2004

eTV, eBay and News24.

As I mentioned in an earlier post, I sent an e-mail to eTV about the eBay hacking article that both they and News24 carried yesterday. My e-mail to them was as follows:

Date: Mon, 26 Jul 2004 20:26:05 +0200
From: Guy Antony Halse 
To: info(at)etv.co.za
Subject: ebay hacking article
Hi

After listening to your news article this evening discussing the hacking of e-Bay's credit card database, I decided to do some basic investigation of my own.

I find it strange that the only website carrying any form of coverage of this is news24.com. All the normal sources of IT-related news have no mention of it at all (theregister.com, itweb.co.za, slashdot.org, etc). Not only that, no other major wire service carries information about it. Nor does Google's syndication service (news.google.com) carry any further sources.

Some other inconsistencies piqued my interest. For a start, e-Bay is an auctions company. They simply facilitate payments between two parties - they don't handle money (apart from facilitation fees) as such. As far as I remember, they hive credit card transactions off to paypal.com, so it seems odd that they'd keep records of credit card details themselves.

Your article mentioned http://www.419legal.org/. It seems odd that a site purporting to be part of the SAPS would be hosted on a .org domain rather than a .org.za or .gov.za domain. Looking at ownership information for that domain (http://reports.internic.net/cgi/whois?whois_nic=419legal.org&type=domain) we find:

Registrant ID:GODA-05739656
Registrant Name:D. Squire
Registrant Organization:E-Payments
Registrant Street1:6 Wrenford Place
Registrant Street2:Hillary
Registrant City:Durban
Registrant State/Province:Kwa Zulu Natal
Registrant Postal Code:4096
Registrant Country:ZA
Registrant Phone:+27.7646957
Registrant Email:support@e-payments.co.za

Now there are a few interesting things I notice about this. Firstly, the South African Post Office's website (www.sapo.co.za) does not know anything about the postcode 4096. The postcode for Hillary is 4094. In the same way, the phone number "+27.7646957" does not correspond to the standard 10-digit (or 9 digit + international prefix) format of South African phone numbers.

Of further interest is that this supposedly South African site is hosted in the United States rather than in South Africa. The hosting company's generic web site can be seen at http://69.93.250.100/

Visiting the 419legal.org web site, we discover that in order to search the database we need to enter a credit card number (as opposed to a name or some other identifying feature, such as surname + last four digits). In other words one has to reveal one's credit card number in order to "check" it.

So my question is this: How sure are you of your sources for this story or are you being unwittingly used to further fraud?

- Guy
-- 
Systems Manager, IT Division, Rhodes University, Grahamstown, South Africa
Email: G.Halse(at)ru.ac.za  Web: http://mombe.org/ IRC: rm-rf@irc.zanet.net
*** ANSI Standard Disclaimer ***                                   J.A.P.H

Well as I hadn't had a reply by the end of tonight's 6.15 news bulletin, I gave them a call ...

For the record, the number eTV give after their news bulletin is 021-481-4700. It appears this number corresponds to their customer care number (unsurprisingly) and you have to jump through a few hoops to get to someone who might actually be in a position to do anything useful. After sitting on hold for a few minutes and being passed through four people, I eventually got hold of someone who answered to the title of news editor.

It appears that mine wasn't the only e-mail they got last night. They realised from the number of concerned messages that something might be amiss, and so they've spent most of today researching things. I'm told that they've managed to get a statement from the police about what's going on, and they're going to carry a partial retraction of the story this evening on the 7pm news bulletin -- the news editor wouldn't give me details on the phone about what the story would entail, but mentioned that they were as concerned as I was about the possibility of people being inadvertently defrauded. So now we watch and wait, I guess ...


Well that was disappointing. eTV did indeed carry the story in tonight's broadcast, fifth from the top. They said that ebay denied they'd been hacked and that their database was "virtually impossible" to hack. The article also mentioned that Jo'burg Commercial Branch had distanced itself from Mr Visser and that they were "still in the process of investigating Mr Visser's evidence." The intimation was that Mr Visser had spoken out of turn and without consulting his superiors.

What they didn't do was tell people not to type their credit card numbers into 419legal.org. Instead they carried a full-screen shot of the 419legal.org site, including the big header that says "419legal.org" on it. So while they didn't directly tell people to go there this time, they certainly pointed people in the right direction. The number of inconsistencies in the way the page is set up wasn't even mentioned.

Update: 2004-08-01.23h08
Okay, I've been bad and I haven't posted the update to this. eTV did eventually get back to me, late on Friday afternoon. Their e-mail says "With regards to your query below, we would just like to confirm that our news department are in the process of investigating this particular story." and not much else. That said, their Thursday night news bulletin did cover the issue of 419legal.org being a phishing attempt, and they finally got around to telling people not to use 419legal.org to check their credit card numbers. They instead suggested an e-mail address, this time on the saps.gov.za domain. Less secure perhaps, but certainly more trustworthy.

posted by guy at: 18:13 SAST | path: /issues | permanent link

eBay hacked ... or really?

Last night, Russell and I had a lively debate on #rucus about whether News 24's article on eBay being hacked was legitimate or not.

It seems that this discussion has become a lot larger than our little network, and I've been asked to publish some comments I made on our local 'varsity discussion forum in a more public place. So here we go:

Posted by guy: Jul 27 2004, 12:02 PM

There are lots of inconsistencies with this. My gut feel is that it is a scam and that eTV and News24 have cleverly been tricked into furthering malicious goals.

For example, why is "Johannesburg Commercial Branch" hosting information on .com and .org domains when they have a perfectly good .gov.za domain? Take a look at http://www.saps.gov.za/divstat/commercial/ and http://www.commercialbranch.com/ and tell me which you trust more. Why is 419legal.org or commercialbranch.com not mentioned on http://www.saps.gov.za/crimeprev/nig.htm#nig?

Also have a look at the registration information for those domains and notice they're registered to someone in Durban (odd for Jo'burg), that both the post code and the telephone number are almost, but not quite, right, etc. Why is it not registered in the SAPS's name, or why hasn't it been changed to be? Why were the domains registered through a US-based registrar when we have several perfectly good registrars in South Africa?

The 419legal.org site is hosted by a generic hosting company in the USA, yet the rest of the SAPS's site is hosted on the government's own netblock in South Africa. Add to that the fact that they thank RealXchange.co.za for hosting -- yet RealXchange.co.za is hosted on a completely different network in the UK.

Then realise that every one of the logos and pictures you see on 419legal.org can be found on other web sites (for example, the Jo'burg commercial branch's logo is on the saps.gov.za site, the RealXchange face is on their web site, etc).

The final straw is that they ask you to enter your credit card number in order to check it. There is no way in hell that's good Internet practice. They could have asked for your surname and last four digits, or something similarly unique. They purport it to be a "secure" site, but notice how they don't have their own SSL certificate. Instead they piggy-back off someone else's (www2.securesiteserver.co.uk). Why is that? I suspect it is because they couldn't provide the necessary certificate of incorporation, etc. required by all commercial SSL vendors.

It has scam written all over it in big letters.

There is more to this than meets the eye. Last night eTV carried it as headline news. I e-mailed them straight after their 8pm news bulletin to point out the inconsistencies we'd worked out by that point (we've found more since) and as yet I've had no reply from them. I was going to phone them but unfortunately they don't have a contact number for their news desk on their website. They broadcast it at the end of every news bulletin, so I'll call after the 6.15 one -- I'll probably post more on this later. (and I did.)
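The SSL point in the forum post above (a "secure" site serving a certificate issued to www2.securesiteserver.co.uk rather than to itself) is exactly what a browser's hostname check catches. The following is an added example, not code from the original post: it applies that check to the dict shape Python's ssl.SSLSocket.getpeercert() returns, using a constructed certificate that names only the shared secure-server host (an assumption, not the actual 2004 certificate).

```python
"""Does the certificate a site presents actually name that site?

Works on the dict shape returned by ssl.SSLSocket.getpeercert().
"""


def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a host name. A wildcard is
    honoured only as the whole left-most label and matches exactly one label:
    '*.example.org' covers 'a.example.org', not 'a.b.example.org' or 'example.org'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3 or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """DNS names the certificate is issued for: the SAN entries, or the CN
    only when the certificate carries no SAN dNSName at all."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    return any(_name_matches(n, hostname) for n in cert_names(cert))


def check_site(hostname: str, cert: dict) -> str:
    """Triage verdict: does the site serve its own certificate or someone else's?"""
    if cert_matches_host(cert, hostname):
        return f"ok: certificate names {hostname}"
    names = ", ".join(cert_names(cert)) or "(no names)"
    return f"MISMATCH: {hostname} serves a certificate issued for {names}"


# Constructed sample, not the real 2004 certificate: a cert naming only the
# shared secure-server host, the situation the post describes for 419legal.org.
BORROWED_CERT = {
    "subject": ((("commonName", "www2.securesiteserver.co.uk"),),),
    "subjectAltName": (("DNS", "www2.securesiteserver.co.uk"),),
}

if __name__ == "__main__":
    print(check_site("www.419legal.org", BORROWED_CERT))  # MISMATCH: ...
```

A site that "borrows" another host's certificate either fails this check in the visitor's browser or, if the form posts to the other host, ships the card number to a third party the visitor never chose.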


Update: 2004/07/28.11h07

It appears that this might be worse than we originally thought. Instead of being the sort of scam that we suspected, it looks like this might actually be sort of semi-legitimate. Neil hinted at this earlier today, and subsequent events seem to be bearing out that notion. I'm still trying to reconcile the idea that so many simple mistakes could have been made in the setting up of a legitimate site.

I've got nothing against the idea of hosting this sort of information online, I'd just prefer it was done properly. If this is indeed legitimate (and we're still waiting to find that out), it'd be nice if some of the inconsistencies Russell and I noticed were cleaned up, and, more importantly, if the whole idea of searching a credit card database was revised. Imagine a stolen credit card database being stolen again, or people illegitimately using the details therein to commit further fraud. If it is a project of the Jo'burg Commercial Branch, I'd like to see someone at the SAPS take responsibility for its proper running. I'd also like proper, traceable contact details to be available on the site.

Anyway, News24 have carried another article on the saga. It claims that a police statement is forthcoming, something we're all waiting with bated breath to read.

Update: 2004-08-01.23h14

It appears the whole ebay hacking saga is almost solved. Yay! IOL carried a story today that just about says it all. I'm just glad we're getting to the bottom of this and that, for once, people (read "the popular media") seem to be taking issues of Internet security seriously.

posted by guy at: 18:01 SAST | path: /issues | permanent link

Bloxsom Powered

© 2002-2005, webmaster@mombe.org