Thread: Does eBay have a major security problem?

  1. #1
    Still in the Circle of Confusion Cage's Avatar
    Join Date
    25 May 2010
    Location
    Hunter Valley
    Posts
    5,580

    Does eBay have a major security problem?

    I posted yesterday on what appeared to be an eBay scam.

    http://www.ausphotography.net.au/for...es%28-%29-here

    I phoned eBay and advised them of my suspicions, and there has been a reduction in the number of suss listings on that particular site from around 240 to 21, still 21 too many.

    This is the site: http://stores.ebay.com.au/slkcellula...id=p4340.l2563

    What this particular scammer is doing is hacking into a legitimate seller's site, usually one with a high number of feedbacks, 'borrowing' legitimate sellers' listings, and then changing the body of the listing to advise the buyers to contact them before bidding so they can ask the buyer to pay by wire transfer. There is a very, very attractive 'buy it now' price if you pay by wire transfer.

    While checking this morning to see what eBay had done about the problem I discovered another site that appears to have also been compromised.

    Check these two listings out.

    http://www.ebay.com.au/itm/2012-Moot...item337f29eb3b

    http://cgi.ebay.com/ws/eBayISAPI.dll...tchlink:top:en

    Same item, listing pilfered from who knows where, two different sellers' stores.

    How big is this problem?

    When I phoned eBay again this morning the fellow I spoke to said he would send a report to 'Account Security'.

    My patience was wearing thin and I tried to calmly point out that while his report was finding its way to someone with the authority to take immediate action, people, eBay customers, were likely being ripped off.

    I started my working life as an Auditor, and I guess some of those ethics and belief in honesty and fair play have stayed with me. I hate crooks and rip-off merchants with a passion.

    Personally I have a separate Bank A/c and Debit Card set up to handle my on-line dealings, and transfer money to this account only when needed to make a payment.

    I am wondering if it is not time to go public on this because anyone who has details on file with eBay may be at risk.

    PS: While I've been typing this the listings have been removed by eBay. At least I got them off their bums and made them take immediate action.

    - - - Updated - - -

    I've just come across another site that also appears to have been compromised.

    http://stores.ebay.ca/WasatchAuctions?_trksid=p4340.l2563

    Same dud listings that were on the other two sites.

    I've suggested to eBay that if they wish me to continue doing their investigating and auditing, they might like to offer me a contract.

    This scenario only seems to involve one/one team of scammers, but who knows how deeply they have infiltrated.
    Last edited by Cage; 14-01-2013 at 1:48pm.
    Cheers
    Kev

    Nikon D810: D600 (Astro Modded): D7200 and 'stuff', lots of 'stuff'

  2. #2
    Moderately Underexposed
    Join Date
    04 May 2007
    Location
    Marlo, Far East Gippsland
    Posts
    4,902
    I have voiced my opinion about both pa$pal and e$ay before and it hasn't changed.
    Even if the ratio of "bad" sales to good is 1 to 1,000,000 it is still one too many and after a while you get totally annoyed at hearing the same scams perpetrated time and time again and all it does is reinforce a perception that e$ay / pa$pal simply don't care because they aren't losing money from the problem.
    They simply work on percentages and to them that 1 in 1,000,000 bad sale simply doesn't even register on their end of the year results so why spend $$$ to save cents.
    Andrew
    Nikon, Fuji, Nikkor, Sigma, Tamron, Tokina and too many other bits and pieces to list.



  3. #3
    Member
    Join Date
    12 Jul 2012
    Location
    Rockyview
    Posts
    2,087
    I'd add Hotmail to that list. Imagine my surprise to get spam sent to me from my own Hotmail account late last year, and I don't mean from a spoofed address. I logged into Hotmail and in my sent messages were spam to everyone on my contact list in there, myself included. I deleted everyone from my contacts and reset the password. Whoever hacked that account got in through Hotmail, and not my PC.
    Last edited by Warbler; 16-01-2013 at 12:39pm.

  4. #4
    Moderately Underexposed
    Join Date
    04 May 2007
    Location
    Marlo, Far East Gippsland
    Posts
    4,902
    Quote Originally Posted by Warbler View Post
    Whoever hacked that account got in through Hotmail, and not my PC.
    Do you still have a hotmail account?

    If so, WHY?

    There are a million much better alternatives to that type of account.

  5. #5
    Member
    Join Date
    12 Jul 2012
    Location
    Rockyview
    Posts
    2,087
    Yes I do. I have it because I use it on websites where I have to provide an email account to log on or register. No point in using one I want to keep spam-free.

  6. #6
    Member
    Join Date
    01 Jul 2012
    Location
    Gold Coast
    Posts
    397
    Quote Originally Posted by Warbler View Post
    Yes I do. I have it because I use it on websites where I have to provide an email account to log on or register. No point in using one I want to keep spam-free.
    Slightly OT, but I use my personal gmail account for everything and never receive spam in my inbox (always gets detected by the spam filter).
    Cheers, Troy

    D800; AF-S 24-70mm f/2.8G; AF-S 50mm 1.8G; SB-910; || 120-300mm f/2.8 DG OS HSM 'S'; APO Teleconverter 2x DG || Phantom 2; H32D Gimbal; 5.8Ghz FPV LCD GS

  7. #7
    Member
    Join Date
    12 Jul 2012
    Location
    Rockyview
    Posts
    2,087
    Quote Originally Posted by Sifor View Post
    Slightly OT, but I use my personal gmail account for everything and never receive spam in my inbox (always gets detected by the spam filter).
    I usually don't get spam in my email either. It usually goes to the Hotmail account, even the SPAM I get FROM gmail accounts.

    Doesn't matter anyway. It's a disposable email, and I was commenting on Kevin's discussion about security. My point was that Hotmail wasn't secure either, and it wasn't the spam I was talking about.
    Last edited by Warbler; 16-01-2013 at 4:22pm.

  8. #8
    Still in the Circle of Confusion
    Threadstarter
    Cage's Avatar
    Join Date
    25 May 2010
    Location
    Hunter Valley
    Posts
    5,580
    If you see something like this in that 'too-good-to-be-true' listing, walk away.

    The gmail address seems to change with each new site attack.
    Attached Images
    Last edited by Cage; 16-01-2013 at 9:54pm.

  9. #9
    Moderately Underexposed
    Join Date
    04 May 2007
    Location
    Marlo, Far East Gippsland
    Posts
    4,902
    Everything about this ad screams fraud!

    It is very easy to close an e$ay or pa$pal account and never have to worry about these scams again, after all, just about everything on e$ay can be bought through other channels and sometimes at considerably better prices.

  10. #10
    Ausphotography Veteran
    Join Date
    22 Jun 2009
    Location
    Blackburn
    Posts
    2,447
    Quote Originally Posted by I @ M View Post
    Even if the ratio of "bad" sales to good is 1 to 1,000,000 it is still one too many and after a while you get totally annoyed at hearing the same scams perpetrated time and time again and all it does is reinforce a perception that e$ay / pa$pal simply don't care because they aren't losing money from the problem.
    They simply work on percentages and to them that 1 in 1,000,000 bad sale simply doesn't even register on their end of the year results so why spend $$$ to save cents.
    I agree that scams like this represent everything bad in the trading world, but you still can't simply stop using these global sites simply because there are a few rotten apples in the barrel.

    Mankind as a whole has a significant proportion of "bad" people, but you don't shut the doors and windows and lock the world out. Unfortunately, if we want to live in society then we just have to recognise that crap happens, and deal with it. It's great that people find and expose scammers, but the presence of scammers still isn't going to stop me shopping on ebay or using paypal.


    "If you want to be a better photographer, stand in front of more interesting stuff." — Jim Richardson

  11. #11
    Moderately Underexposed
    Join Date
    04 May 2007
    Location
    Marlo, Far East Gippsland
    Posts
    4,902
    Quote Originally Posted by bobt View Post
    but you still can't simply stop using these global sites simply because there are a few rotten apples in the barrel.
    Sorry, but I really have to ask "why can't we simply stop these global sites"?

    Quote Originally Posted by bobt View Post
    Mankind as a whole has a significant proportion of "bad" people, but you don't shut the doors and windows and lock the world out. Unfortunately, if we want to live in society then we just have to recognise that crap happens, and deal with it. It's great that people find and expose scammers, but the presence of scammers still isn't going to stop me shopping on ebay or using paypal.
    I have to agree that we simply can't shut the doors and windows and lock the world out. What is needed if the truth be known is for people to actually make a stand against such activities. But, maybe, just maybe if more people thought about it a little harder they might come to the realisation that by continuing to use these "global sites" that are actively hosting scammers that they are endorsing the activity, if there was a mass walk out of customers then those global sites might just think that they had better do something to actually have a level of security and stop the scammers before they hit the www. As it is at the moment, the more people that continue to use the sites thinking that they are "doing something" against the scammers, the less that those sites will do to prevent scams occurring.

    I can imagine the boardroom discussions along the lines of ---

    Exec 1; Should we increase security on our site to prevent our valued customers being ripped off or should we save the dollars and just tell them that everything is safe?

    Exec 2; Well, the bean counters tell us that increasing security will cost us a heap of dollars but doing nothing and pretending that our site is safe costs very little and seeing most of our customers act like and keep coming back anyway, any increase in security measures will negatively impact our bottom line at the end of the year and the board will have to forego the end of year festivities.

    Board after vote; Unanimously passed that we do nothing and let our loyal customers continue to be scammed because that way we have a good share dividend and a healthy party. Mind you, if we start losing customers because of these terrible terrible scammers we might just have to tighten our belts and do some house cleaning. In the meantime we suggest that we stop debating trivialities of a handful of people losing a few thousand dollars and adjourn to a roast lamb lunch before it turns to mutton.
    Last edited by I @ M; 17-01-2013 at 10:10am.

  12. #12
    Ausphotography Veteran
    Join Date
    22 Jun 2009
    Location
    Blackburn
    Posts
    2,447
    Quote Originally Posted by I @ M View Post
    Sorry, but I really have to ask "why can't we simply stop these global sites"?
    I think what you are hoping for is a Utopia. We are in the middle of one of the greatest changes in human interactivity that has ever happened, and we are becoming a global community rather than isolated individual communities. This is a huge change, and one which is evolving. Any evolutionary process is a learning curve, so we can expect flaws, faults and imperfections. Security problems are inevitable with such a massive scale of electronic interactions, and yet if we recoil from that global scenario we will be doomed to a more parochial, fragmented world. There are massive benefits politically, financially and personally from living in a global community - but there is always a price. That price is imperfection, and the only way we can make things work more efficiently and become more secure is to fix problems as they arise rather than chucking the whole system and running back to where we came from.

    Every time something like PayPal or eBay comes into existence it is a new frontier, and we can't expect perfection from the very start - or ever if it comes to that. As long as these groups respond to security flaws that's all we can ask. It appears to me that they do respond whenever a new vulnerability appears, and that's reasonable. There are not too many products that are perfect, not too many humans who are perfect and we need to factor that in before condemning a whole system.

  13. #13
    Moderately Underexposed
    Join Date
    04 May 2007
    Location
    Marlo, Far East Gippsland
    Posts
    4,902
    Oops, I have left a word out of my quoted post. I should have inserted using after stop.

    I agree wholeheartedly with your theories on a changing world Bob but sticking to the topic of e$ay I disagree.

    How long have e$ay been in existence?
    I think that with the mega $ they have made in that period they should have been able to build a secure site by now.

    How many people are scammed every day on that site?
    I don't know the answer to that question, quite probably the general public will never know the answer to that question as I believe e$ay don't publish statistics that would be negative to their public perception.

    Sure, embrace the global phenomenon that is e$ay and idealistically call it a frontier but look at your participation as either reactive or proactive in aiding the growth of that site along with the associated scammers.

    Proactively exploring that frontier to me means making a stand and saying "we love your idea but we aren't going to use it until it is fixed to safeguard our $"

    Reactively embracing the technology such as this with the associated "flaws" to me implies a lot of people apathetically saying " ah well, there are a few teething problems but you have to expect that" and taking into account the length of time that e$ay has been operating I reckon they are on their 3rd set of dentures by now and simply patching a few cracks to look like they are actually doing something. Bit like a government really and we all know how many people in this world act like when pork barrelled by smiling politicians -----

  14. #14
    Still in the Circle of Confusion
    Threadstarter
    Cage's Avatar
    Join Date
    25 May 2010
    Location
    Hunter Valley
    Posts
    5,580
    ebay have invented their own oxymoron.....Account Security.

    What concerns me most about this current scam is that I stumbled onto it by accident and advised ebay, who took action on the account involved, but didn't seem to do any further checking.

    When I checked back to see what had been done to rectify the problem, I looked a bit deeper and within a couple of minutes had found several more compromised sites.

    I advised eBay.com.au about them and was gob-smacked to receive a reply telling me that as the reported sites were on eBay.com, I would have to report it to the .com site myself. They have to be kidding.

    Buck passing on a global scale. I emailed the account holders direct and advised them that their sites had been compromised, and suggested they contact eBay urgently.

    My biggest concern is that if I can suss out four of five infiltrated ebay stores in a matter of minutes, just how many other sellers are involved.

  15. #15
    Member FallingHorse's Avatar
    Join Date
    07 Apr 2010
    Location
    Adelaide River
    Posts
    1,584
    Funnily enough, the only SPAM I ever receive is after using the Ebay 'contact seller' function
    Jodie

    Gear - Canon EOS 7D, EOS 6D, 24-105 F4, 70-200 F2.8L IS, Canon EF 100mm 2.8 Macro, Sigma 10-20mm, nifty fifty, EF2xII, 580EX, 430EXII, EFx2 III and a long wishlist


  16. #16
    Ausphotography Veteran
    Join Date
    22 Jun 2009
    Location
    Blackburn
    Posts
    2,447
    Quote Originally Posted by I @ M View Post
    I think that with the mega $ they have made in that period they should have been able to build a secure site by now.

    Proactively exploring that frontier to me means making a stand and saying "we love your idea but we aren't going to use it until it is fixed to safeguard our $"

    Reactively embracing the technology such as this with the associated "flaws" to me implies a lot of people apathetically saying " ah well, there are a few teething problems but you have to expect that" and taking into account the length of time that e$ay has been operating I reckon they are on their 3rd set of dentures by now
    However, at what point in a product/site's evolution can you confidently state that it is now 100% guaranteed? Would Rick positively guarantee that this site is 100% perfect? Has Windows ever been 100% perfect? Windows has been around for years and years yet no-one assumes it to be 100% free of security issues. ebay/Paypal may well have been 100% free to the best of everyone's knowledge, but that 100% suddenly changes when a new bright spark finds a way to overcome that security.

    Software (and those sites are essentially software driven) can never be relied upon now and forever, and if we waited for Windows to be 100% forever then we'd never be able to use it! Ditto eBay and Paypal.

    If you're really serious about not using something until it's 100% secure and reliable, then you really need to cancel your Internet subscription, because the whole thing is far from secure. The bottom line is simply to use what resources we have, constantly monitor their performance (as has happened here with eBay and PayPal) but otherwise to proceed with caution. The only other alternative is not to proceed at all. Be alert but not alarmed! (Well ... maybe be a bit alarmed!)

  17. #17
    Moderately Underexposed
    Join Date
    04 May 2007
    Location
    Marlo, Far East Gippsland
    Posts
    4,902
    Quote Originally Posted by bobt View Post
    ebay/Paypal may well have been 100% free to the best of everyone's knowledge, but that 100% suddenly changes when a new bright spark finds a way to overcome that security.
    Bob, not to harp too much on a point, but, this thread is ALL about e$ay and their seeming disregard for scammers.
    The differences between e$ay and many other www sites that don't engage in any retail activity should be blindingly obvious to even the most www unaware user on the planet so I will totally refrain from discussing any other site other than e$ay.

    Back to your quoted comment --- e$ay as far as I am aware has NEVER been regarded as secure and/or trusted despite "being around for years" and probably never will be until their hip pocket hurts from savvy consumers that know that they can get an = bargain on other sites without the risk of the scammers that e$ay seemingly knowingly ( and ignore ) host and close their accounts and move on to far greener pastures.

  18. #18
    Ausphotography Veteran
    Join Date
    22 Jun 2009
    Location
    Blackburn
    Posts
    2,447
    Quote Originally Posted by I @ M View Post
    Bob, not to harp too much on a point, but, this thread is ALL about e$ay and their seeming disregard for scammers.
    Fairynuff .....

    Back to your quoted comment --- e$ay as far as I am aware has NEVER been regarded as secure and/or trusted despite "being around for years" and probably never will be until their hip pocket hurts from savvy consumers that know that they can get an = bargain on other sites without the risk of the scammers that e$ay seemingly knowingly ( and ignore ) host and close their accounts and move on to far greener pastures.
    I guess that comes down to market forces really. Let's agree that scammers exist on ebay, and that ebay doesn't do enough to stop them. What do we do individually? We vote with our feet. However, if there isn't a real alternative, then we simply cut off our noses to spite our face. If I want to buy something at a good price, chances are I'll end up on ebay if it's the only game in town.

    If we find out about a scammer, and publicise that - then eventually if enough of us complain ebay will have to sit up and listen - and that's good. However, in the meantime I'll still be buying stuff there until I have a viable alternative. That's where monopolies have a huge advantage - and ebay is pretty much a monopoly.

  19. #19
    http://steveaxford.smugmug.com/
    Join Date
    19 Nov 2007
    Location
    About in the middle between Byron Bay, Ballina and Lismore
    Posts
    3,150
    I agree Bob. I use ebay and Paypal and have never been scammed. I've bought stuff at markets and have been scammed (only small time). I think that the only way to never get scammed is to never buy anything. Life is a risk. Weigh up the odds and play to the best of your ability. If you see a $10,000 lens for $2,000, be a little suspicious - wherever it is.
