You may have read about the tens of millions of usernames and passwords which have recently been compromised/hacked/leaked on major websites in the last few weeks. If not, here are a few of the stories:
- 30 million passwords leaked from LinkedIn due to unsalted SHA-1 hashes stored centrally.
- 6 million passwords hacked at Last.FM, the popular music discovery service.
- 1.5 million passwords leaked from eHarmony.
In the last year other services have experienced serious security breaches:
- 100 million accounts compromised on the Sony Playstation Network (PSN). Sony offered free credit monitoring and games to all PSN users to compensate them, a major departure from the typical “change your password” / sweep it under the rug response.
- All RSA SecurID tokens were compromised by the theft of RSA intellectual property and cryptographic keys. RSA tokens are used by most enterprises to log in remotely as part of a multi-factor authentication scheme.
How can you protect yourself?
Sign up for a service like 1Password or LastPass, which offer convenient browser extensions. They generate a unique password for each website that you use, so a security breach at Facebook won’t affect your password on Mint.
How can Web Developers protect users?
Move to standardized authentication methods, like OpenID or Facebook/Twitter/Google login integration. If the authentication mechanism is outsourced, your customers and users don’t need to worry about how you store their passwords.
If you absolutely want to store user passwords, please read How to Safely Store a Password and use bcrypt to do the heavy lifting. Then even if your login/password database is compromised, nothing will come of it.
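To make the LinkedIn point concrete, here is an added example (not code from the original post) contrasting the unsalted SHA-1 storage that was leaked with the salted, slow-hash pattern bcrypt implements. Because bcrypt itself needs a third-party package, the example uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in; the storage pattern (per-user random salt, tunable work factor, constant-time comparison) is the same one bcrypt gives you. The two-user "database" and the passwords in it are constructed for illustration.

```python
"""Added example: unsalted SHA-1 versus a salted, iterated password hash.

bcrypt is the recommended choice; PBKDF2-HMAC-SHA256 (stdlib) is used here only
so the example runs without extra packages. The record format and the
ITERATIONS value are this example's own conventions, not a standard."""
import hashlib
import hmac
import os

# Constructed sample "user table": two users who happened to pick the same password.
SAMPLE_USERS = {"alice": "Summer2012", "bob": "Summer2012"}

# Work factor. Like bcrypt's cost parameter, raise it as hardware gets faster.
ITERATIONS = 200_000


def unsalted_sha1(password: str) -> str:
    """The LinkedIn-style scheme: one deterministic digest per password, no salt.
    Every user with the same password gets the same stored value."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).
    A fresh 16-byte random salt per user means identical passwords no longer
    produce identical records, and precomputed tables are useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time, so timing does not leak how many bytes matched."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def identical_hash_count(users: dict, hasher) -> int:
    """Count users whose stored value is shared with at least one other user.
    For a leaked table this is what an attacker sees for free: with unsalted
    SHA-1 the shared password stands out; with per-user salts it does not."""
    stored = [hasher(pw) for pw in users.values()]
    return sum(1 for h in stored if stored.count(h) > 1)


if __name__ == "__main__":
    print("unsalted SHA-1, users sharing a stored value:",
          identical_hash_count(SAMPLE_USERS, unsalted_sha1))   # 2
    print("salted PBKDF2, users sharing a stored value:",
          identical_hash_count(SAMPLE_USERS, hash_password))   # 0
    record = hash_password("Summer2012")
    print(verify_password("Summer2012", record),               # True
          verify_password("summer2012", record))               # False
```

The record stores its own iteration count so the work factor can be raised later for new hashes while old ones still verify; bcrypt's `$2b$12$...` strings do the same thing with the cost field.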
At least, if you’re using Chrome. While I’m not the only one to notice this, no action has yet been taken by either The Independent or Google. Here’s the problem, as seen on The Independent home page:
As you can see, they show a yellow toolbar across the top of their site with the text: “The Independent now has a Google Chrome Extension. Get the latest news on the topics you like, direct to your browser.” There is an install button and a grey x to hide the bar. However, this is mimicking the kosher Chrome UX for extensions. For example, when extensions crash, they display a similar bar:
I’m not sure what’s to be done; the marketing is deceptive and shady, tricking people into thinking that Google/Chrome/their browser is encouraging them to install a new/cool/shiny extension for The Independent’s website. The extension itself, which I am not installing ever, seems relatively innocuous.
I just sold three Apple iPhone 4s on Ebay and wanted to write some thoughts on my experience as a seller. I have a 100% positive feedback rating, so I’m a good seller. However, I haven’t sold very many items over the years, and am nowhere near a “power seller” or a paypal merchant. I’m just a regular guy with an ebay and paypal account, and some stuff to sell.
Here are my listings:
- Apple iPhone 4 Black (32GB) Factory Unlocked – Any SIM!, sold for $984.99
- Apple iPhone 4 Blk (32GB) Factory Unlocked: No Contract, sold for $919.99
- Apple iPhone 4 Black (32GB) Factory Unlocked – Any SIM!, sold for $969.99
So my total revenue from these sales was $2,791.17. Now comes time for the fees. According to eBay’s fee schedule, by selling in the auction format, and starting my listings at $.99, I pay a $.99 listing fee, and a $50 fee when the item sells. Paypal also took their cut, a total of $93.80 at a rate of 2.9% for two payments, and 3.9% for a guy from Sweden. Finally, priority shipping with maximum insurance cost $13.50 a package, for another $40.50. So, here’s how I made out in the end:
- Cost of iPhones: 3 * $812 = $-2,436
- Cost of Shipping: $-40.50
- Cost of Ebay Fees: $-153.00
- Cost of Paypal Fees: $-93.80
- Total Cost: $-2,723
- Total Revenue: $2,791.17
- Profit: $67.87 (2.7%)
- Profit without Ebay/Paypal Fees: $314.67 (12.9%)
Fortunately I also sold a fourth iPhone on Craigslist for $875, bringing in another $63 of profit. The bottom line here, and it’s a bit sad, is that I made more selling a single iPhone on Craigslist than I did selling three on eBay. My buyer paid significantly less; all parties came away satisfied. I also didn’t have to deal with shipping costs, as I met the guy in NYC. There were no Paypal fees to pay, because my buyer paid me in cash, which we counted twice while sitting in a sleek black car.
So my recommendations for those looking to sell high-value items for profit in the future are the following:
- Don’t use eBay. They suck out most of your profits. Instead, try listing on Craigslist or other community sites.
- Don’t use Amazon either, as their commission, while lower than eBay’s, is still quite high.
- If you have to list on eBay, try to charge more for shipping. At $15 I could cover my expenses (just barely). At $20 I would have made back a little more! Be aggressive on shipping, and look at similar auctions to determine what you should charge. I definitely under-offered here, leaving money on the table.