ZoneAlarm - ID LOCK ALERT (eBay link) help please!!!

Discussion in 'other firewalls' started by Cyborg, Dec 17, 2003.

Thread Status:
Not open for further replies.
  1. Cyborg

    Cyborg Registered Member

    Joined:
    Dec 8, 2003
    Posts:
    78
    LowWaterMark you seem to have a good understanding of ZoneAlarm. I am but a noob in the ways of the PC and all programmes therein but I am learning slowly.

    I had a pop up which stated "Zone Alarm Pro Alert"

    The box stated:- ID LOCK ALERT

    "Do you want to allow a clear text password to be sent to inktomi1-cdf.server.ntl.com?" (my ISP server)

    Technical Information

    Destination IP 62.252.32.4
    Application Msn6

    "MSN is trying to send your eBay Password to inktomi1-cdf.server.ntl.com"

    When I clicked for further information the following was the message:-

    "What happened?

    ZoneAlarm Pro detected an attempt to send your EBay password to a remote site. The address of the remote site does not match your Trusted Site information, so ZoneAlarm Pro has blocked the transmission.

    Should I be concerned?

    Yes. This may be a case of Internet fraud. Identity thieves can create Web sites or e-mails that look like they belong to trusted e-commerce sites, and trick you into sending your personal information to them. See the Details tab for more information.

    I have version which causes me few problems to be honest and in the case of resources and such I have an high end PC so I do not know if my PC is slow or not because of it."

    Prior to receiving this message I had just contributed to an E-mail address of an admin guy in a clan I am in. This is the first time I have sent money to this clan but I do use eBay all the time for shopping and also sending money to my previous clan without problems. Normally I would go via the clan website link but this time I was trying to login directly to my eBay account. I have done this before without problem. When I enter my user name and password the above messages come up.

    It could be something and nothing and perhaps a change in ZoneAlarm that I have made without knowing or an update that has maybe affected things.

    I am presuming it is ok to say Yes to the above but at the moment I keep saying No and cannot therefore get access to my account details. Am I safe to say yes to the above? The ZoneAlarm forums are as good as useless. I have run TDS-3, SpyBot, SpywareBlaster, SpywareGuard, Ad-Aware and have Norton Antivirus 2003. All seems ok with these programmes.

    Can you or anybody else come up with a reason for this please? In the version of ZoneAlarm Pro I have there is an option called "ID Lock" and under the medium settings I have it mentions eBay and unauthorised destinations, and that "if I am an eBay user allows me to submit a fraud report to eBay" which all sounds very worrying so far as I am concerned.

    I need to get access to my account so that I can change the password. Unless I say Yes to the pop-up I will not be able to get into eBay and yet if I say yes I could be getting myself ripped by a fraudster. Please help thanx.
     
  2. Cyborg

    Cyborg Registered Member

    Joined:
    Dec 8, 2003
    Posts:
    78
    I hasten to add that I pay via PayPal but when I first opened my PayPal account I did so via an eBay link. I am concerned here :'(
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Well, first of all are you sure that you are connecting to eBay itself? Have you checked the URL closely to make sure you are really at the official eBay sign in screen? What URL are you using?

    You know that on the main eBay sign in screen there is a blue link below the "Sign In" button that says "Secure sign in (SSL)". Do you use that? If you don't, you should. It uses SSL (using an https: sign in page) which will encrypt your login information rather than sending it in "clear text". Try using that next and see if that prevents the warning.

    Now, what is it you are saying about "inktomi1-cdf.server.ntl.com"? You say that site is "my ISP server". What do you mean by that? What server exactly is it? Do you mean you know what server box that is, and you trust it, or are you saying simply that its name contains your ISP name in it?

    Also, note that ZAP's ID LOCK simply scans the data stream being transmitted to websites looking for specific text (items you've entered into the "myVAULT"). If your eBay password is a common string of characters, it is possible other transmissions might also contain it and thus you might get alerted falsely.

    There might be reason to worry here, but also maybe not. It simply could be seeing an unencrypted copy of your eBay password being used because you aren't using the secure sign in page.
     
  4. Cyborg

    Cyborg Registered Member

    Joined:
    Dec 8, 2003
    Posts:
    78
    Hi LowWaterMark, thanx for responding,

    You asked me:- "are you sure that you are connecting to eBay itself?"

    The answer is yes www.ebay.com or www.ebay.co.uk but I was not aware of the SSL sign in, I am now and that advice is greatly received. My motto should be slow down and look more carefully before I submit personal details I guess.

    You mention "clear text" which is what ZoneAlarm is asking to transmit. What exactly is "clear text" and is it safe?

    You ask:- "what is it you are saying about "inktomi1-cdf.server.ntl.com"? You say that site is "my ISP server" and "what server box that is, and you trust it,"

    This is my setting on my Internet Connections on my PC. I have a Proxy address set up which seems to work better than the Automatically Detect Settings Option in XP. Basically my ISP is NTL Cable and this is their Cardiff Server through which all my mail will travel. I can change it whenever I wish as I have a list of all the proxy server addresses that NTL use. I trust it to the point that I have not had problems before with NTL, apart from the W32.Welchia and W32.Blaster worms, which they failed to respond to quickly enough.

    You say:- If your eBay password is a common string of characters, it is possible other transmissions might also contain it and thus you might get alerted falsely.

    I do have a fault I guess of using the same passwords but this is due to medication I am on. I try to keep things simple otherwise I get lost. I suggest there is a better way to ensure password protection even for us who lack a sufficient number of braincells to remember even what day of the week it is :D My password for contacting my ISP via Customer Services is the same as eBay as it is PayPal oops but in saying that I have managed to change my PayPal password although I have forgotten it already :'( and that was only last night.

    eBay still presents problems however with this "clear text" ID LOCK ALERT via ZoneAlarm. If I turn off the option in ZoneAlarm i.e. it is currently set to Medium on the ID LOCK which mentions about security and fraud in eBay which is why I set it to Medium, if I turn it off I suppose it will let me in but that would be stupid I guess and leave me wide open to further problems. There must be some eBay issues around otherwise why would ZoneAlarm actually take time out to put this in their software?

    So I hope this helps and you can assist me further,

    Merry Xmas
     
  5. Cyborg

    Cyborg Registered Member

    Joined:
    Dec 8, 2003
    Posts:
    78
    Hi again LowWaterMark,

    I have just managed to sign into eBay but using the SSL as you suggested. I have tried to amend my details but as soon as I do this I get the ZoneAlarm popup ID LOCK ALERT response which is silly as I am in the Secure Part of eBay and yet you cannot access via the SSL to change details.

    I may be better off cancelling my eBay account and re-registering under a different name and perhaps use a different credit card when or if I next make a purchase. Does my PC however leave a trace via my E-mail address so there is still a link to which represents me? Science fiction to me but is that how PCs and cookies work?

    Merry Xmas,

    Cyborg
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    Okay, this makes sense. First, "inktomi1-cdf.server.ntl.com" is provided by your ISP as a proxy server, right? A proxy server gets between you and the web sites you visit, usually for certain benefits like caching common web elements (such as images and static web pages) to speed up browsing. Whenever you access a page (like the non-SSL based eBay pages) all the data passes through that proxy server. So, Zone Alarm sees you sending passwords or whatever else you have monitored by ID Lock and warns / blocks it because you never told ZAP to trust the proxy server.

    Now, I don't use eBay. But, I can tell you I really don't like the fact that there are any pages there that accept your password without a secure session via SSL (https: links). At any site that takes financial information (paypal, eBay, etc) I'd hope there would always be https page links available for managing this information. You should attempt to use those whenever they are available.

    From what you described above it sounds like the profile management page at eBay is not on a secure page with an https link and yet it must require your password (or it is being passed by cookie or other mechanism) to have set off the ID Lock Alert again. Was the alert message in ZAP targeted at eBay.com or your proxy server again? Not that it makes much difference, it is still a sign that your password is being passed in "clear text".

    "Clear text" simply means that the data is not encrypted. Using Wilders as an example, when you type in the reply message box and hit the "Post" button the text you typed is not encrypted. It is sent "clear text" because after all you are typing it for the world to see so encrypting it would be pretty useless.

    Encryption via SSL based webpages is meant to protect pieces of confidential information such as credit card numbers, real name and address, passwords, etc. The amount of SSL pages that should be available at a site depends upon the type of site it is. For myself, I expect 100% SSL pages at online banking sites. For shopping sites, I expect the "checkout" process where name, address and CC info is entered, to be SSL but not all the browsing pages as that would be overkill. I'd hope that eBay, paypal and similar sites would use SSL on pages where confidential information is passed, but not all pages at eBay as that would be unnecessary, as well.

    So in summary, the earlier alerts you mentioned seem all related to your ISP's proxy server. That in and of itself is not a concern. The concern is that the ultimate site you are visiting is not using SSL for those pieces of data that I would really expect them to.

    If this is simply the way eBay works, then I don't read the ZAP alerts as anything unexpected. It is not saying your data has been intercepted, it is simply saying it is passing through your ISP's proxy server in clear text. That's not good if ultimately a credit card number or paypal account access information is also directly passed clear text. But, for less important information it might be okay.

    Edit: Oh, using the same password at multiple sites is really not a good idea. Especially when some sites are much less secure and others much more secure. For example, let's say your paypal password is "mypwd1" and you have that entered in ZAP for monitoring. Then you use that password here at Wilders. ZAP doesn't realize what you are doing, all it can do is monitor the data stream and if it sees the text "mypwd1" being sent to a non-trusted site, it will alert and block it. So, trying to send your Wilders password here would give an alert about your "paypal password" being sent here. Do you see how that can be a problem? ZAP would never know which password it really was, since after all they look exactly the same.

    I recommend separate passwords for all "secure" sites like banking, paypal, eBay...
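
Added example, not part of the original thread and not ZoneAlarm's own code: a simplified model of the text-matching check described in posts 3 and 6, showing why the ISP proxy, a reused password, and a common-word password each raise an alert. The `VaultItem` class, `scan_outbound` function, `.example` host names and the "summer" password are assumptions made for illustration; "mypwd1" is the sample password from the post above.

```python
from dataclasses import dataclass, field
from urllib.parse import unquote_plus


@dataclass
class VaultItem:
    label: str      # name the user gave the secret, e.g. "PayPal password"
    secret: str     # text to look for in outbound clear-text data
    trusted: set = field(default_factory=set)  # hosts allowed to receive it


def scan_outbound(vault, peer_host, payload):
    """Return labels of vault items found in a clear-text payload.

    peer_host is the host the connection is actually made to. With a
    proxy configured that is the proxy, not the site named in the URL.
    """
    text = unquote_plus(payload)  # form posts arrive URL-encoded
    return [item.label for item in vault
            if item.secret in text and peer_host not in item.trusted]


def demo():
    """Run four constructed requests through the scanner."""
    proxy = "inktomi1-cdf.server.ntl.com"
    vault = [VaultItem("PayPal password", "mypwd1", {"www.paypal.com"})]
    login = "userid=cyborg&pass=mypwd1"  # constructed form body
    results = {}
    # Non-SSL login through the ISP proxy: the peer is the untrusted proxy.
    results["via_proxy"] = scan_outbound(vault, proxy, login)
    # Same password reused on a forum: reported under the PayPal label,
    # because the scanner matches text and cannot tell accounts apart.
    results["reused"] = scan_outbound(
        vault, "forum.example", "user=cyborg&passwrd=mypwd1")
    # Once the user marks the proxy as trusted, the same login is silent.
    vault[0].trusted.add(proxy)
    results["after_trust"] = scan_outbound(vault, proxy, login)
    # A password that is an ordinary word matches unrelated traffic.
    weak = [VaultItem("eBay password", "summer")]
    results["common_word"] = scan_outbound(
        weak, "search.example", "q=summer+holiday+deals")
    return results


if __name__ == "__main__":
    for name, labels in demo().items():
        print(f"{name}: {labels}")
```
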
     
  7. Cyborg

    Cyborg Registered Member

    Joined:
    Dec 8, 2003
    Posts:
    78
    Well what can I say LowWaterMark apart from thank you for the time you have taken to explain the answers to my problem in such detail. You certainly know your stuff and I for one am extremely grateful.

    I will take onboard all that you have suggested. It all makes so much more sense now and I feel more able to recognise what I should be doing and looking for with online transactions and password details.

    Once again thank you,

    Merry Xmas
     