Tuesday, July 27, 2004

eTV, eBay and News24.

As I mentioned in an earlier post, I send e-mail to eTV about the eBay hacking article that both they and News24 carried yesterday. My e-mail to them was as follows:

Date: Mon, 26 Jul 2004 20:26:05 +0200
From: Guy Antony Halse 
To: info(at)etv.co.za
Subject: ebay hacking article

Hi

After listening to your news article this evening discussing the hacking of
e-Bay's credit card database, I decided to do some basic investigation of my
own.

I find it strange that the only website carrying any form of coverage of
this is news24.com.  All the normal sources of IT-related news have no
mention of it at all (theregister.com, itweb.co.za, slashdot.org, etc).  Not
only that, no other major wire service carries information about it.  Nor
does Google's syndication service (news.google.com) carry any further
sources.

Some other inconsistencies piqued my interest.  For a start, e-Bay is an
auctions company.  They simply facilitate payments between two parties -
they don't handle money (apart from facilitation fees) as such.  As far as I
remember, they hive credit card transactions off to paypal.com, so it seems
odd that they'd keep records of credit card details themselves.

Your article mentioned http://www.419legal.org/.  It seems odd that a site
purporting to be part of the SAPS would be hosted on a .org domain rather
than a .org.za or .gov.za domain.  Looking at ownership information for that
domain
(http://reports.internic.net/cgi/whois?whois_nic=419legal.org&type=domain)
we find:

Registrant ID:GODA-05739656
Registrant Name:D. Squire
Registrant Organization:E-Payments
Registrant Street1:6 Wrenford Place
Registrant Street2:Hillary
Registrant City:Durban
Registrant State/Province:Kwa Zulu Natal
Registrant Postal Code:4096
Registrant Country:ZA
Registrant Phone:+27.7646957
Registrant Email:support@e-payments.co.za

Now there are a few interesting things I notice about this.  Firstly, the
South African Post Office's website (www.sapo.co.za) does not know anything
about the postcode 4096.  The postcode for Hillary is 4094.  In the same
way, the phone number "+27.7646957" does not correspond to the standard
10-digit (or 9 digit + international prefix) format of South African phone
numbers.

Of further interest is that this supposedly South African site is hosted in
the United States rather than in South Africa.  The hosting company's
generic web site can be seen at http://69.93.250.100/

Visiting the web 419legal.org web site, we discover that in order to search
the database we need to enter a credit card number (as opposed to a name or
some other identifying feature, such as surname + last four digits).  In
other words one has to reveal one's credit card number in order to "check"
it.

So my question is this: How sure are you of your sources for this story or
are you being unwittingly used to further fraud?

- Guy
-- 
Systems Manager, IT Division, Rhodes University, Grahamstown, South Africa
Email: G.Halse(at)ru.ac.za  Web: http://mombe.org/ IRC: rm-rf@irc.zanet.net
*** ANSI Standard Disclaimer ***                                   J.A.P.H

Well as I hadn't had a reply by the end of tonight's 6.15 news bulletin, I gave them a call ...

For the record, the number eTV give after their news bulletin is 021-481-4700. It appears this number corresponds to their customer care number (unsurprisingly) and you have to jump through a few hoops to get to someone who might actually be in a position to do anything useful. After sitting on hold for a few minutes and being passed through four people, I eventually got hold of someone who answered to the title of news editor.

It appears that mine wasn't the only e-mail they got last night. They realised from the number of concerned messages that something might be amiss, and so they've spent most of today researching things. I'm told that they've managed to get a statement from the police about what's going on, and they're going to carry a partial retraction of the story this evening on the 7pm new bulletin -- the news editor wouldn't give me details on the phone about what the story would entail, but mentioned that they were as concerned as I was about the possibility of people being inadvertently defrauded. So now we watch and wait I guess ...

Well that was disappointing. eTV did indeed carry the story in tonight's broadcast, fifth from the top. They said that ebay denied they'd been hacked and that their database was "virtually impossible" to hack. The article also mentioned that Jo'burg Commercial Branch had distanced itself from Mr Visser and that they were "still in the process of investigating Mr Visser's evidence." The intimation was that Mr Visser had spoken out of turn and without consulting his superiors.

What they didn't do was tell people not to type their credit card numbers into 419legal.org. Instead they carried a full-screen shot of the 419legal.org including the big header that says "419legal.org" on it. So while they didn't directly tell people to go there this time, they certainly pointed people in the right direction. The number of inconsistencies in the way the page is set up wasn't even mentioned.

Update: 2004-08-01.23h08
Okay I've been bad and I haven't posted the update to this. eTV did eventually get back to me, late on Friday afternoon. There e-mail says "With regards to your query below, we would just like to confirm that our news department are in the process of investigating this particular story." and not much else. That said, their Thursday night news bulletin did cover the issue of 419legal.org being a phishing attempt and they finally got around to telling people not to use the 419legal.org to check their credit card numbers. They instead suggested an e-mail address, this time on the saps.gov.za domain. Less secure perhaps, but certainly more trustworthy.

posted by guy at: 18:13 SAST | path: /issues | permanent link

June 2010 (1)
August 2008 (1)
July 2008 (1)
May 2008 (2)
October 2007 (2)
September 2007 (1)
April 2007 (2)
November 2006 (1)
October 2006 (2)
September 2006 (3)
July 2006 (1)
June 2006 (1)
March 2006 (2)
December 2005 (1)
November 2005 (1)
October 2005 (3)
September 2005 (1)
August 2005 (3)
July 2005 (4)
June 2005 (1)
May 2005 (6)
April 2005 (4)
March 2005 (5)
February 2005 (2)
January 2005 (4)
November 2004 (5)
October 2004 (3)
September 2004 (10)
August 2004 (5)
July 2004 (12)
June 2004 (6)
February 2004 (7)
January 2004 (16)