. mombe.org
home of the mad cow
  Not A Blog
home :: issues :: ebayetv

Tuesday, July 27, 2004

eTV, eBay and News24.

As I mentioned in an earlier href="http://blog.mombe.org/2004/07/27#ebayhacked1">post, I send e-mail
to eTV about the href="http://www.news24.com/News24/South_Africa/News/0,6119,2-7-1442_1563327,00.html">eBay
hacking article that both they and href="http://www.news24.com">News24 carried yesterday. My e-mail to
them was as follows:

Date: Mon, 26 Jul 2004 20:26:05 +0200
From: Guy Antony Halse 
To: info(at)etv.co.za
Subject: ebay hacking article
After listening to your news article this evening discussing the hacking of
e-Bay's credit card database, I decided to do some basic investigation of my
I find it strange that the only website carrying any form of coverage of
this is news24.com.  All the normal sources of IT-related news have no
mention of it at all (theregister.com, itweb.co.za, slashdot.org, etc).  Not
only that, no other major wire service carries information about it.  Nor
does Google's syndication service (news.google.com) carry any further
Some other inconsistencies piqued my interest.  For a start, e-Bay is an
auctions company.  They simply facilitate payments between two parties -
they don't handle money (apart from facilitation fees) as such.  As far as I
remember, they hive credit card transactions off to paypal.com, so it seems
odd that they'd keep records of credit card details themselves.
Your article mentioned http://www.419legal.org/.  It seems odd that a site
purporting to be part of the SAPS would be hosted on a .org domain rather
than a .org.za or .gov.za domain.  Looking at ownership information for that
we find:
Registrant ID:GODA-05739656
Registrant Name:D. Squire
Registrant Organization:E-Payments
Registrant Street1:6 Wrenford Place
Registrant Street2:Hillary
Registrant City:Durban
Registrant State/Province:Kwa Zulu Natal
Registrant Postal Code:4096
Registrant Country:ZA
Registrant Phone:+27.7646957
Registrant Email:support@e-payments.co.za
Now there are a few interesting things I notice about this.  Firstly, the
South African Post Office's website (www.sapo.co.za) does not know anything
about the postcode 4096.  The postcode for Hillary is 4094.  In the same
way, the phone number "+27.7646957" does not correspond to the standard
10-digit (or 9 digit + international prefix) format of South African phone
Of further interest is that this supposedly South African site is hosted in
the United States rather than in South Africa.  The hosting company's
generic web site can be seen at
Visiting the web 419legal.org web site, we discover that in order to search
the database we need to enter a credit card number (as opposed to a name or
some other identifying feature, such as surname + last four digits).  In
other words one has to reveal one's credit card number in order to "check"
So my question is this: How sure are you of your sources for this story or
are you being unwittingly used to further fraud?
- Guy
Systems Manager, IT Division, Rhodes University, Grahamstown, South Africa
Email: G.Halse(at)ru.ac.za  Web: http://mombe.org/ IRC: rm-rf@irc.zanet.net
*** ANSI Standard Disclaimer ***                                   J.A.P.H

Well as I hadn't had a reply by the end of tonight's 6.15 news bulletin, I
gave them a call ...

For the record, the number eTV give
after their news bulletin is 021-481-4700. It appears this number
corresponds to their customer care number (unsurprisingly) and you have to
jump through a few hoops to get to someone who might actually be in a
position to do anything useful. After sitting on hold for a few minutes and
being passed through four people, I eventually got hold of someone who
answered to the title of news editor.

It appears that mine wasn't the only e-mail they got last night. They
realised from the number of concerned messages that something might be amiss,
and so they've spent most of today researching things. I'm told that
they've managed to get a statement from the police about what's going on,
and they're going to carry a partial retraction of the story this evening on
the 7pm new bulletin -- the news editor wouldn't give me details on the
phone about what the story would entail, but mentioned that they were as
concerned as I was about the possibility of people being inadvertently
defrauded. So now we watch and wait I guess ...

Well that was disappointing. eTV did
indeed carry the story in tonight's broadcast, fifth from the top. They
said that ebay denied they'd been hacked
and that their database was "virtually impossible" to hack. The article
also mentioned that Jo'burg Commercial Branch had distanced itself from Mr
Visser and that they were "still in the process of investigating Mr Visser's
evidence." The intimation was that Mr Visser had spoken out of turn and
without consulting his superiors.

What they didn't do was tell people not to type their credit card numbers
into 419legal.org. Instead they
carried a full-screen shot of the 419legal.org including the big header that
says "419legal.org" on it. So while they didn't directly tell people to go
there this time, they certainly pointed people in the right direction. The
number of inconsistencies in the way the page is set up wasn't even

Update: 2004-08-01.23h08
Okay I've been bad and I haven't posted the update to this. eTV did
eventually get back to me, late on Friday afternoon. There e-mail says
"With regards to your query below, we would just like to confirm that our
news department are in the process of investigating this particular story."
and not much else. That said, their Thursday night news bulletin did cover
the issue of 419legal.org being a phishing attempt and they finally got
around to telling people not to use the 419legal.org to check their credit
card numbers. They instead suggested an e-mail address, this time on the
saps.gov.za domain. Less secure perhaps, but certainly more trustworthy.

posted by guy at: 18:13 SAST | path: /issues | permanent link

Bloxsom Powered

© 2002-2005, webmaster@mombe.org
RSS Valid XHTML 1.0!

Creative Commons License