I remember that at the beginning of this year a strange piece of news made it around the globe: a 7-year-old child almost bought a British Harrier jet fighter on the online auction site eBay. The price of the plane was around 113 thousand U.S. dollars. How was this possible? The child found the “toy” on eBay while playing on his father’s computer and immediately loved it. Seeing a “Buy Now” button, he clicked on it and closed the transaction, because his father was logged in on eBay with his credentials saved.
What’s to be learnt from this story?
There are two critical things to be learnt, plus some others which are also important.
1. The child was able to use his father’s computer account. Either the account had no password, or the child knew it.
Always make sure that every user of the computer uses a different account and that those accounts are protected with a password. This has advantages for everybody:
- privacy – each user can protect his data from the others (even from the administrator if he wants, using ACLs)
- security – if one account gets infected with malware, the chances of infecting everybody else using that computer are considerably reduced
- the possibility of having different settings for almost everything – every user can have his/her own background picture, shortcuts, email and browser settings. Let’s not forget that you don’t want everyone to see who your friends are in your instant messaging program.
2. The child was able to purchase something on behalf of his father. Because the computer had already stored the session cookie of his father’s eBay account, he only had to open the browser and everything was available to him. eBay is built in such a way that with one click anyone can purchase anything (without limits), and even if the user doesn’t actually have the money (e.g. a credit card is registered as the default payment option) the merchandise can be purchased.
The problem in this situation was that the login session is persistent. While this makes everything easy for the user, it also exposes them to such dangers. The solution is to not save the password in the browser and to not allow the website to set a persistent cookie. Unfortunately, the default on eBay (both .com and .de) is to keep the user signed in.
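To make the two points above concrete, here is an added example (written for this post, not eBay’s code): a small server-side session store in Python that shows what separates a session-scoped cookie from a persistent “keep me signed in” cookie, and how a site can ask for the password again before a purchase even when the persistent cookie is still valid. The class and policy names (SessionStore, REAUTH_WINDOW, IDLE_TIMEOUT, REMEMBER_ME_AGE) and the timestamps are assumptions made for the illustration.

```python
# Added example for this post: a minimal server-side session store showing
# (1) the difference between a session-scoped cookie and a persistent
# "keep me signed in" cookie, and (2) a step-up check that demands a fresh
# password before a purchase even when a persistent cookie is still valid.
# SessionStore, the policy constants and the timestamps are assumptions for
# this illustration, not eBay's real implementation.
import secrets
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional

REAUTH_WINDOW = 5 * 60            # seconds: a purchase needs a password entry newer than this
IDLE_TIMEOUT = 30 * 60            # seconds: a session-scoped login expires after this idle time
REMEMBER_ME_AGE = 30 * 24 * 3600  # seconds: lifetime of the persistent cookie


@dataclass
class Session:
    user: str
    last_auth: float   # when the password was last typed
    last_seen: float   # last request seen on this session
    persistent: bool   # issued with "keep me signed in"


def cookie_header(token: str, remember_me: bool) -> str:
    """Build the Set-Cookie value; only the remember-me variant gets Max-Age."""
    c = SimpleCookie()
    c["sid"] = token
    c["sid"]["httponly"] = True     # not readable from page scripts
    c["sid"]["secure"] = True       # sent over HTTPS only
    c["sid"]["samesite"] = "Lax"
    if remember_me:
        # Max-Age is what makes the cookie survive a browser restart; without
        # it the browser drops the cookie when it is closed.
        c["sid"]["max-age"] = REMEMBER_ME_AGE
    return c["sid"].OutputString()


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict = {}

    def login(self, user: str, remember_me: bool, now: float):
        """Password already verified; returns (token, Set-Cookie header value)."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now, remember_me)
        return token, cookie_header(token, remember_me)

    def authenticate(self, token: str, now: float) -> Optional[Session]:
        """Return the live session behind a cookie, or None if it has expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if not s.persistent and now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[token]      # session cookie: idle timeout ends it
            return None
        s.last_seen = now
        return s

    def reauthenticate(self, token: str, now: float) -> None:
        """Called after the user re-enters the password: refresh the auth timestamp."""
        s = self._sessions.get(token)
        if s is not None:
            s.last_auth = now

    def can_purchase(self, token: str, now: float):
        """Step-up check: a stored login alone is not enough to spend money."""
        s = self.authenticate(token, now)
        if s is None:
            return False, "not signed in"
        if now - s.last_auth > REAUTH_WINDOW:
            return False, "password required: last login is older than %d min" % (REAUTH_WINDOW // 60)
        return True, "ok"


def replay_story():
    """Father logs in with 'keep me signed in'; two days later the child clicks Buy Now.
    Returns (still_signed_in, purchase_allowed, reason)."""
    store = SessionStore()
    t0 = 1_700_000_000.0                      # constructed timestamp
    token, _ = store.login("father", remember_me=True, now=t0)
    later = t0 + 2 * 24 * 3600
    signed_in = store.authenticate(token, later) is not None
    allowed, reason = store.can_purchase(token, later)
    return signed_in, allowed, reason


if __name__ == "__main__":
    print(cookie_header("demo", remember_me=False))
    print(cookie_header("demo", remember_me=True))
    print(replay_story())
```

Running it shows the persistent cookie still authenticates the browser two days later (the situation in the story), but the purchase is refused until the password is typed again; a session-scoped cookie, by contrast, simply dies after the idle timeout. The freshness check is the server-side counterpart of the user-side advice in the post: it limits the damage a saved login can do even when the user keeps “stay signed in” enabled.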
Additional advice to consider:
- Always set a password on your computer account. Microsoft still doesn’t understand that it has to enforce this, being more interested in usability than in security.
- Set your computer to automatically lock the session after a timeout. You can do this from “Power Settings” or from the Screen Saver settings (it depends heavily on the Windows version you are using).
How did the story with the fighter end?
Actually, they weren’t able to pay for it, as this was not really a bargain. So they explained the situation and asked the owner of the jet fighter to cancel the auction.
Data Security Expert