(Source: The Star Online)
The names “Alibaba” and “Taobao” are probably very familiar to many of us, especially to avid online shoppers. For those who may not know this e-commerce giant from China, Alibaba is arguably the world’s biggest online commerce company, providing consumer-to-consumer, business-to-consumer and business-to-business sales services via web portals. It also provides electronic payment services, a shopping search engine and data-centric cloud computing services. Alibaba operates through its three main sites, Taobao, Tmall and Alibaba.com, which boast hundreds of millions of users. According to the Wall Street Journal, Alibaba is the world’s fastest growing e-commerce market, with total transactions on its sites amounting to $248 billion, more than eBay and Amazon.com combined! Back in its homeland, Alibaba accounted for 80% of all the nation’s online sales as of September 2014.
Taobao, often dubbed the “Chinese eBay”, is Alibaba’s consumer-to-consumer portal and the 12th most-visited website globally according to Alexa. The virtual bazaar contains hundreds of millions of product listings and is free for its users, but sellers can pay for ads to stand out from the crowd.
You may be thinking, how does this all relate to cloud computing? As you may have heard in the news, just last week Alibaba’s Taobao was the victim of a hack in which over 20 million accounts on the shopping site were exploited by hackers. First, the cyber criminals obtained a database of 99 million usernames and passwords from unknown sources, possibly from previous breaches. Then, using Alibaba’s cloud computing platform, the hackers had been entering the details into Taobao logins ever since October 2015. The hackers found that 20.59 million of the combinations matched the exact details of Taobao accounts, thanks to the existing account information. It appears that the attackers had simply run the username and password combos against Taobao, hoping to get matches from consumers using duplicate logins across a number of sites, and they were lucky to come up with an extraordinarily high success rate. The Taobao accounts were successfully accessed because the username and password combinations used for Taobao were the same as on other sites which had been hacked earlier, or had their database retrieved.
Taobao operates as an online consumer-to-consumer marketplace, where buyers are not buying from a website but from regular sellers, and the success of a seller often depends on their history and reputation. A lot depends on the trust buyers have in the seller, and this is influenced by positive reviews, the credibility of the sellers in honouring their transactions and active bidding, which boosts their products’ prices.
Taobao’s compromised accounts had mainly been exploited for the purpose of fake reviews and fake bidding. According to reports, the criminals had been using the hacked accounts to place fake orders on Taobao so as to deliberately boost sellers’ rankings, a practice commonly known in China as “brushing”. In addition, the hackers managed to sell the accounts on to be used for fraud.
News of the account breach led to a decrease of as much as 3.7% in Alibaba’s US-listed share price during last Wednesday’s trading. Even with the company’s efforts in discovering and blocking the vast majority of the hackers’ access attempts, Alibaba has already faced the impact of a big corporate hack which saw one out of every 20 of its annual active buyers’ accounts compromised.
Would repeated failed login attempts not have seemed suspicious to Taobao’s authentication servers? Shouldn’t there have been ‘rate limiting’, whereby the site or account gets locked out after too many unusual connection attempts? Where was the cybersecurity to identify attack patterns of massive password guessing?
As mentioned, Taobao is one of the busiest websites in the world in terms of visitor traffic. Processing hundreds of millions of logins (even if they came from the same internet region such as Alibaba’s cloud network) is therefore routine, and those repetitive login attempts could be overlooked. With nearly 100 million stolen account names to work with, the hackers did not need to try thousands of passwords per account to get a good hit rate.
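The following is an added example, not part of the original article: it shows why a per-account lockout counter misses the pattern described above, while counting distinct accounts per source catches it. The log fields, source labels and thresholds are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Constructed sample events: (source_network, username, login_succeeded).
def build_sample_events():
    events = []
    # One source tries 100 different usernames once each; about 1 in 5 succeed,
    # mirroring the roughly 20.59M matches out of 99M pairs described above.
    for i in range(100):
        events.append(("cloud-net-A", f"user{i:03d}", i % 5 == 0))
    # Ordinary users: a few sources, one account each, an occasional typo.
    events += [("home-1", "alice", False), ("home-1", "alice", True),
               ("home-2", "bob", True), ("office-3", "carol", True),
               ("office-3", "dave", False), ("office-3", "dave", True)]
    # A classic password-guessing run against one account, for contrast.
    events += [("home-9", "erin", False)] * 6
    return events

def accounts_over_lockout(events, max_failures=5):
    """Per-account view: accounts with more failed logins than the limit."""
    failures = defaultdict(int)
    for _source, user, ok in events:
        if not ok:
            failures[user] += 1
    return sorted(u for u, n in failures.items() if n > max_failures)

def stuffing_sources(events, min_users=50, min_fail_ratio=0.5, max_tries_per_user=2.0):
    """Per-source view: many distinct accounts, few tries each, mostly failing."""
    users, attempts, fails = defaultdict(set), defaultdict(int), defaultdict(int)
    for source, user, ok in events:
        users[source].add(user)
        attempts[source] += 1
        fails[source] += 0 if ok else 1
    flagged = []
    for source in users:
        tries_per_user = attempts[source] / len(users[source])
        fail_ratio = fails[source] / attempts[source]
        # Thresholds are illustrative assumptions; tune them to real traffic.
        if (len(users[source]) >= min_users and fail_ratio >= min_fail_ratio
                and tries_per_user <= max_tries_per_user):
            flagged.append(source)
    return sorted(flagged)

if __name__ == "__main__":
    sample = build_sample_events()
    print("locked accounts:", accounts_over_lockout(sample))
    print("suspect sources:", stuffing_sources(sample))
```

The lockout counter only trips on the single-account guessing run, because no stuffed account ever sees more than one failure.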
Well, what is cloud computing? Quite simply, cloud computing means storing and accessing data and programs over the Internet instead of on your computer’s hard drive; computing resources are shared rather than having local servers or personal devices handle applications.
The idea that sensitive data, perhaps trade secrets, financial records or confidential legal documents, is not locked up on company premises but hovering somewhere off-site in a cloud provider’s data centres can be disconcerting to many people. By leveraging a remote cloud-based infrastructure, a company in essence gives away private data and information, things that might be sensitive and confidential. It is then up to the cloud service provider to manage, protect and retain them, which makes the provider’s reliability so important.
Furthermore, with cloud computing, you would be trusting your data to a service and hardware that you have little or no control over. When picking a cloud provider, would you be a slave to that provider? Automatic data back-up and high levels of security are not guaranteed, and outages and downtime do still happen with cloud computing. This is why, when deciding on a cloud provider, it is crucial to investigate and select one that is reliable and offers guarantees of uptime and repairs in case of an outage.
Nevertheless, cloud computing can in effect be a great business enabler for companies when the risks can be managed, giving a company cheaper, faster and more efficient ways of working. Cloud computing is regarded as moving from its infant stage of technology adoption towards maturity, where its growth is picking up rapidly. Possible disadvantages such as limited control over the safety and security of data, privacy issues, vendor lock-in, technical difficulties and other issues can hopefully be mitigated, so that the advantages further develop its potential for the future and offer more fine-tuned services and solutions.