Charlie Sheen, Babe Ruth and the Case of the Stolen Identity
The auction site selling Charlie Sheen’s ’27 Babe Ruth World Series ring is unsecure – tread carefully.
The 1927 Yankees are considered one of, if not the greatest baseball team of all-time. They went wire-to-wire in first place, finished the season 110-44 and won the World Series. Their lineup – which included the likes of Babe Ruth and Lou Gehrig – was known as Murderers’ row (it was a different time).
Now, as you get caught up in the history and nostalgia that pours out of that forlorn era—at no point are you expecting to have your personal information stolen, are you?
Especially not by Charlie Sheen.
OK, just to be clear. Charlie Sheen, son of esteemed former US President Jed Bartlett, and brother to Gordon Bombay, ex-hockey player and coach of Team USA at the 1994 Junior Goodwill Games, is not actually stealing anyone’s personal information.
Charlie Sheen has just come forward as the owner of a verified 1927 Babe Ruth world series ring that is on auction until Friday at Lelands.com. There’s only one problem. The site doesn’t appear to be secure.
SSL encryption is a key component of web security. And it’s quickly becoming the de facto standard of modern website development. It’s a method for securing communication between two parties – the visitor of a website and the website itself. Without encryption, anything sent between your computer and the unencrypted website you’re visiting is unsecure. That means that any interested third party can eavesdrop on the connection and either steal or manipulate the information.
On an auction website, which is dealing with login details, along with personal and financial information, encryption is an absolute must.
The Lelands.com domain doesn’t appear to have an SSL certificate associated with it, although it is asking for a username and password. When you attempt to register it sends you to a domain called createauction.com that has a Domain Validated SSL certificate from Go Daddy. Createauction.com is the back-end engine for auction management that Leland’s is using.
The issue here is that Leland’s hosts an unsecure login page (as noted by Google in the image above). This means that a hacker or cybercriminal can easily steal someone’s username and password when the user is attempting to log in. From there, they can use those stolen credentials to gain access to names, addresses, contact numbers, email addresses and any other sensitive data that may be stored as part of a profile.
More disturbingly, part of the registration includes a credit verification. There is a field where the applicant is supposed to enter credit references, this can be accessed by anyone who logs in.
Factor in that this a high-profile auction – as of this writing the current bid was around $611,000 – and there will be plenty of eyes on Lelands.com.
Here’s How This Opens You Up to Identity Theft
Hypothetically, let’s say you’re a die-hard Yankees fan with roughly a million dollars of disposable income and a serious hankering for Babe Ruth’s old world series ring.
Perfect. You’re an ideal candidate for this auction. You could also be a prime target for identity theft.
So you go on Leland’s, you register for an account (you need one to bid), you enter all your personal information, give your credit references and pass their credit verification. This can take 72 hours though, so you wait until you get an email confirmation, then you log in to bid.
Unfortunately, due to the high-profile nature of this auction, there are lots of eyes on Lelands.com, which happens to be unencrypted. When you go to log in, dozens of parties are already eavesdropping on the connection (because they identified the vulnerability months ago) and every single one just saw your username and password.
Now any one of these parties can use that information to log in to your account, view all of your personal details, your credit references and anything else that makes up your profile with Leland’s. They could even place a bid for you.
And don’t think this sort of data theft is implausible, this happens thousands upon thousands of times every single day.
The SSL Store™ Would Like to Help
Call us crazy, but we’ve always dug Charlie Sheen’s portrayal of Rick Vaughn in Major League (the first one, not so much the second), and who doesn’t love Wall Street? We also love sports memorabilia and raising awareness about encryption: so this is a golden opportunity.
We’d like to help make sure that this auction is secure and goes off without a hitch.
To Lelands.com, we’d like to offer a FREE Extended Validation SSL certificate. This will secure your website from end to end, it will also authenticate your website. Just like it’s important that you independently verify every piece of memorabilia you buy/sell to ensure its authenticity—it’s important that websites do the same things. This EV SSL certificate will provide immediate visual authentication of your website and add consumer trust—which seems fitting considering your line of work.
This is a teachable moment. The internet continues to be full of risks, and connection security is an important thing to pay attention to. This is an excellent opportunity to educate everyday internet users on how to stay safe online.
One Last Word on Encryption
Encryption is vital to online security. Never enter personal details or sensitive information on a website without it. You can tell if a connection is secure by looking at your address bar. Currently, Google Chrome uses these visual indicators to display connection security:
Mozilla, which makes the popular Firefox browser, has already announced plans to follow suit. Microsoft and Apple typically fall in line with Google and Mozilla.
You should make a habit of checking the visual indicator next to the URL in your address bar. Check it without fail anytime you visit a new page. If the indicator says secure, you’re probably safe to enter personal information, passwords, login IDs, etc.
If it’s not, DO NOT enter any personal information. Ever. If you do, you’re putting any information you transmit at risk.
We hope that helps. Sadly, Babe’s world series ring is not on our roadmap. After all, we’re situated just a few blocks from Tropicana Field in St. Petersburg, FL—we’re Rays fans.
5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018in Hashing Out Cyber Security
How to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chromein Everything Encryption
Re-Hashed: How to Fix SSL Connection Errors on Android Phonesin Everything Encryption
Cloud Security: 5 Serious Emerging Cloud Computing Threats to Avoidin ssl certificates
This is what happens when your SSL certificate expiresin Everything Encryption
Re-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Messagein Hashing Out Cyber Security
Report it Right: AMCA got hacked – Not Quest and LabCorpin Hashing Out Cyber Security
Re-Hashed: How to clear HSTS settings in Chrome and Firefoxin Everything Encryption
Re-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithmsin Everything Encryption
The Difference Between Root Certificates and Intermediate Certificatesin Everything Encryption
The difference between Encryption, Hashing and Saltingin Everything Encryption
Re-Hashed: How To Disable Firefox Insecure Password Warningsin Hashing Out Cyber Security
Cipher Suites: Ciphers, Algorithms and Negotiating Security Settingsin Everything Encryption
The Ultimate Hacker Movies List for December 2020in Hashing Out Cyber Security Monthly Digest
Anatomy of a Scam: Work from home for Amazonin Hashing Out Cyber Security
The Top 9 Cyber Security Threats That Will Ruin Your Dayin Hashing Out Cyber Security
How strong is 256-bit Encryption?in Everything Encryption
Re-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3in Everything Encryption
How to View SSL Certificate Details in Chrome 56in Industry Lowdown
PayPal Phishing Certificates Far More Prevalent Than Previously Thoughtin Industry Lowdown