Courses/Computer Science/CPSC 203/CPSC 203 2007Summer L60/CPSC 203 2007Summer L60 TermProjects/Stolen!

Group Members
Michael Slipp, Warren Chan, Lindsay Thomason, Ling Yin

Initial Project Statement
People increase their risk of identity theft when purchasing items on eBay, primarily when they are not properly educated about how to protect themselves.

What is eBay?

 * eBay is an online auction and shopping website where people buy and sell goods and services.
 * eBay is owned by an American Internet company, eBay Inc. (which also owns other well-established businesses such as PayPal and Skype).

What is Identity Theft?

 * Identity theft is a criminal act in which your personal information is collected and used without your permission and/or knowledge. This can lead to people receiving unwanted bills or credit card charges that they did not approve.
 * Personal information that could be obtained may include: your name, date of birth, address, credit card numbers, Social Insurance Number etc.

Phishing
Phishing is any instance where a person gives the appearance of a reputable or trusted source for the purpose of obtaining another person's personal information. A user could potentially copy any web page where a person inputs their personal information and have this duplicate site, commonly called a "spoof site", appear in a search. Any person who unknowingly submits their information to this site would be deceived into thinking that they are giving their information to a source they trust when they are actually a victim of identity theft.

eBay and PayPal both have forms where people submit their personal information to create an account with them:









However, a duplicate site could have the exact same appearance, but send the information to an entirely different source:





From this text file, anyone can view the code that created the webpage, and changing this code could maintain the site's appearance while redirecting the information to another computer.

Another form of phishing uses email: a fraudster finds a user's email address and sends them an email requesting that they re-submit their information. This email will typically look official and business-like, so many people trust that it is a legitimate request and send their information, having their identities stolen in the process.





Secure Socket Layer (SSL)
SSL security is a type of encryption that protects a person's information as it is sent between computers. eBay does use this technology, but it is not mandatory, or even the default option, when using the site. In addition, the pages where users can change their password or view their account balance are not protected by SSL. As a result, many users run the risk of having their information stolen by hackers without being aware that they are at risk, since SSL is an industry standard for submitting information and most users would assume that the page is protected. 
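The spoof-site description in the Phishing section and the SSL point above both come down to where a form sends its data and how. The following is an added example, not code from eBay or from the original project: it reads a page's HTML, resolves each form's destination, and reports forms that post outside the expected domain or without SSL. The sample pages, the `example.com` / `example.net` hosts and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            self.actions.append(dict(attrs).get("action") or "")


def host_matches(host, trusted_domain):
    """True only for the trusted domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == trusted_domain or host.endswith("." + trusted_domain)


def audit_forms(page_url, html, trusted_domain):
    """Return (destination, problems) for each form found in html."""
    collector = FormCollector()
    collector.feed(html)
    report = []
    for action in collector.actions:
        dest = urlsplit(urljoin(page_url, action))  # resolve relative actions
        problems = []
        if not host_matches(dest.hostname, trusted_domain):
            problems.append("posts to a host outside " + trusted_domain)
        if dest.scheme != "https":
            problems.append("not sent over SSL/TLS")
        report.append((dest.geturl(), problems))
    return report


# Constructed sample pages; the hosts are placeholders, not real sites.
GENUINE = '<form action="/signin" method="post"><input name="pass"></form>'
COPY = '<form action="http://collector.example.net/save" method="post"><input name="pass"></form>'
LOOKALIKE = '<form action="https://shop.example.com.example.net/signin"></form>'

if __name__ == "__main__":
    for name, html in [("genuine", GENUINE), ("copy", COPY), ("lookalike", LOOKALIKE)]:
        print(name, audit_forms("https://shop.example.com/login", html, "example.com"))
```

The lookalike case shows why the host comparison must match on a full domain boundary: a hostname that merely contains the trusted name is still a different site.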

What can you do to protect yourself?
eBay has a list of account protection tips, so the first thing you can do is read them. On their website, they list the following tips: 
 * Don't share your password with others. Protect it. Remember: eBay will never ask for your password.
 * Choose a strong password and change it often.
 * Create a unique password by using a combination of letters and numbers that are not easily guessed.
 * Avoid using the same password for other accounts.
 * Use caution when someone asks for sensitive information through email. If you get an email requesting personal information and you're unsure whether eBay actually sent it, check your My Messages inbox in My eBay. If the email is not there, it's fake. Do not click any links or enter information. Instead, forward the email to spoof@ebay.com.
 * eBay and PayPal offer you two-factor authentication to make your password even safer and stronger. The sturdy and portable PayPal Security Key is a small lightweight device that fits on your keychain. The PayPal Security Key generates a unique six-digit code that you add to your eBay User ID and password when you sign in. Because only you "hold the key", your account is even safer from unauthorized entry and identity theft.
 * Download the eBay Toolbar with Account Guard. This free eBay tool lets you know when you're on an official eBay or PayPal Web site. It also protects you by letting you know when you're giving your password to a non-eBay site.

General tips to protect your online identity include:
 * Purchase a computer security program, which will monitor your computer's activity.
 * Update these security programs regularly.
 * Never download attachments from email unless you are sure that they are safe (i.e., you know the sender).
 * Monitor all your account statements to ensure that there is no unusual activity.
 * Always monitor your eBay account activities.

Equally important is protecting your account while offline: 
 * Shred any papers that have any personal information on them before putting them in the garbage or recycling.
 * Do not give out any information by phone or email.
 * Check all your financial statements for potential discrepancies.
 * Close any unused bank or credit card accounts.
 * If possible, arrange for online financial statements to avoid having them stolen in the mail.
 * Contact card issuers immediately if cards are lost or stolen.

What is eBay doing to help protect you?
 * My eBay: This is an online account with eBay that allows you to manage your eBay activities. Any communication from an eBay administrator will appear here, so if you receive any email that claims to be from an eBay administrator but does not appear in My eBay, it is most likely a fraudulent email.
 * Account Guard: Account Guard is a feature of eBay's free toolbar that provides additional security features for eBay account holders. This service is able to:
    1) Identify "spoof sites" and provide a warning to the user that the site could be fake.
    2) Protect you from entering your password into an unverified site by asking for additional verification that the site can be trusted.
    3) Provide a direct link to eBay's reporting system, where you can report a site that you think is fake.

eBay also utilizes technical and procedural safeguards, including firewalls, encryption, and Secure Socket Layers (SSL), to protect your personal information against loss or theft, as well as from unauthorized access and disclosure.

Conclusion
We have determined that eBay has sufficient protection for its users to be safe from basic identity theft attempts, but users are still vulnerable to more advanced attacks.