BBC NEWS | UK | eBay urged to tackle fraud better

Internet auction site eBay should do more to tackle fraudsters targeting the site, a consumer magazine has said.
Computing Which? called on the site to be more active in identifying its fraudulent users.

Have you Been a Victim of eBay Fraud?

A few weeks ago I was caught out in an eBay/Paypal Scam and lost just under £150. Not much you say, but it was part of a scam collecting just over £7500.

And it was not so much the money that wound me up, it was the attitude of eBay and Paypal. (Both are really the same company, even though they deny it, and legally I suppose they are not, but one owns the other, and they each do an awful lot of business between themselves. But there is more on that below).

The BBC article above talks about how Which? (the consumer group/online magazine) is suggesting to eBay that it needs to do a lot more to protect its users, or at least make them aware of the possibilities of fraud.
If you knew the values of fraud going on right now, it would probably deter most people from going near the site, but then eBay and Paypal won’t disclose it.

My Story

I had obtained a spare Pentium processor and placed it online for sale at a price of just under £150 if you used the ‘Purchase Now’ button and also allowed bidding on the items.
There were several enquiries on the item, but no bids in the first few days and I was helping one guy work out if it would work in a server that he had when someone actually bought it at the higher price using the buy now feature. My first reaction was why would anyone want to pay what I had asked for, since there were already cheaper ones on sale at the same time. I expected a low bid to win the sale, but wasn’t going to turn down someone paying full price. But that was the first time I became skeptical about the purchaser so I made sure that I authenticated the buyer.

I won’t name the buyer because at the moment I am discussing legal action. The buyer contacted me via eBay and Paypal, there were a few exchanges of emails via this and then I sent an email to her Yahoo account which is totally separate from her eBay and Paypal account.

As it turns out, the buyer had allowed their PC to be hacked, and the thieves had retrieved full control and access to the buyer’s PC, stealing ALL of her passwords to ALL of the accounts that she had access to. Or that is what she told the Paypal investigation.

There had been 4 or 5 purchases made by the ‘buyer’ of the same types as she had previously made, so nothing stood out there. I waited a day before shipping the item and sent it off. Later that evening I received an email from eBay telling me that the ‘buyers’ account was suspended and was being investigated for potential fraudulent activity. They also advised me NOT to ship the item, (great timing).
I replied to their email with the tracking details of the item, the destination address, and other details. I’ve never heard anything back on that part. The only confirmation I received from them amounted to a "Sorry, you’ve been done and lost out" email and confirmation that the ‘buyers’ account had been hacked. (It wasn’t just their account, the user had given away every password she owned).

Paypal immediately took the money that was paid to me by ‘the user’ (albeit by the fraudsters) and put it in a holding account. Two weeks later they confirmed that the user’s account had been hacked and told me that they were returning the money to the ‘purchaser’.

So hold up, the owner of the computer gives away the passwords to all of her accounts, someone makes fraudulent use of the machine and her accounts, and it is the seller that gets penalised.
When I asked eBay and Paypal about the insurance for items under £500, they replied it wasn’t covered as it was not the ‘type of sale’ they covered.

When I have tried to contact both fraud departments of eBay and Paypal, they gave me a list of FBI/Interpol and told me to contact the Internet Fraud Group to take any further action.

eBay & Paypal Helping the Fraudsters

For a long time now I have been receiving ‘Phishing’ emails reportedly sent from eBay and Paypal, asking me to log into my account and sort something out.
Well, I am not that much of a numpty that I would fall for such a scam (via this method; when it comes to shipping goods to someone who isn’t who they are, now that’s a different matter, 10 out of 10 on the numpty scale).
You might have seen a few of the emails; they look very convincing. They even have all the eBay and Paypal graphics. You see, that is because those images are hosted on eBay and Paypal servers, and all the ‘phishers’ do is hotlink those images in their mass emails. Well, that for one could be sorted out in the time it takes to make a config change to their servers. You can stop other servers from using the images, and then the emails would not look the same. Usually, the only difference in the ‘Phishing’ email is that the login part of the email is based on a scammer’s server, and all it does is record your details and then forward you to some other part of eBay’s site. Well, they could stop that too, but they don’t (well, they shut down the site, but they could also detect referrals from non-eBay/Paypal sites and display a message to say you have just been scammed and need to do this or that). But they don’t.

Why don’t they do this? Because it will cost money and time. That eats in to profits and in the end, that is all they are concerned about.
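
An added illustration of the two server-side checks described above (refusing hotlinked images, and warning visitors who arrive at sign-in from a foreign site). It is not code from eBay, Paypal or the original post; the allow-listed domains, function names and sample Referer values are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumption: domains allowed to embed the site's images or link to its sign-in page.
TRUSTED_DOMAINS = ("ebay.co.uk", "ebay.com", "paypal.com")


def referer_host(referer):
    """Return the host from a Referer header, or None if absent or unparseable."""
    if not referer:
        return None
    try:
        host = urlsplit(referer.strip()).hostname
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    return host.lower().rstrip(".") if host else None


def is_trusted(host):
    """Exact domain or a true subdomain only, so lookalike hosts do not match."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def image_decision(referer):
    """Hotlink check for logo and graphic requests: 'serve' or 'block'."""
    host = referer_host(referer)
    if host is None:
        return "serve"  # no Referer: cannot tell, so do not break direct loads
    return "serve" if is_trusted(host) else "block"


def signin_decision(referer):
    """Landing check for the sign-in page: 'normal' or 'warn'."""
    host = referer_host(referer)
    if host is None:
        return "normal"
    return "normal" if is_trusted(host) else "warn"


if __name__ == "__main__":
    # Constructed sample Referer values, not taken from any real log.
    for ref in (None,
                "http://cgi.ebay.co.uk/item",
                "http://webmail.example/inbox",
                "http://signin.ebay.com.evil.example/login"):
        print(repr(ref), image_decision(ref), signin_decision(ref))
```

The Referer header is supplied by the visitor's browser and is often missing (desktop mail clients, privacy settings), so requests without one are served normally. The check changes how web-hosted copies and webmail views look and lets the real site warn some redirected visitors; it does not authenticate anyone.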

How do they Protect Sellers/Buyers ?

Basically nothing. You have about as much protection as the Iraqi National Guard did in the Gulf War (1 or 2, take your pick).

Take this scenario: I place an advert in a newsgroup that my eBay and Paypal Username is for sale. Someone contacts me, pays me a few thousand pounds and then they go use my account and buy lots of goods and have them shipped to various places. Chances are, most of the goods will get through.
I then log in a few days later and "Oh, shock and horror", and off I run to eBay and Paypal. They have no way of proving that I ‘sold’ my passwords; you see, I also installed a ‘Keylogger’ trojan application on my PC just to make it look convincing. It even connected to a real server somewhere in Pakistan that can’t be traced now because it’s down. The group who bought my password told me about that when I set up the selling of my passwords.
So all the people selling stuff have now shipped their goods and had the money they were paid taken back.
Paypal have now refunded all the money to my account, and I have the couple of thousand from the ‘thieves’ in my other account.

The main threat to buyers is people shipping goods and not receiving payment. They always advise using Paypal, as you are ‘covered’ by insurance. Complete trash. You are lucky if you are covered. The best protection is to use VISA or MASTERCARD which has some level of coverage automatically for online fraud.

NEVER pay through a 3rd party Escrow fund as they are fraught with danger in themselves.

Have you been caught out?

I want to hear from you if you have been caught out by an eBay scam. My email is on this page somewhere, if not leave me a comment and I will get back to you.

Legal Action

At the moment myself and a number of the other people caught out in this scam are taking legal action against the owner of the account for failing to keep her PC safe and secure from hackers whilst using it for online purchasing/selling. It’s an angle that has not been tried before, and is quite complicated and taking some time to sort out, since we are based in 4 different countries. The good thing is that the owner of the PC is in the states and they will sue the arse off anything that moves out there and they are keen to proceed (more money grabbing probably).
The basic premise of the argument is that she failed to maintain her computer and is therefore liable for the fraudulent activity. We already have the records we need to prove the incompetence, and because of the laws in the state where she lives, obtaining the records from the ISP will be easy enough to sort out.

Links
http://news.bbc.co.uk/1/hi/uk/4749806.stm
http://www.eBay.co.uk/
http://www.which.net/computingwhich/

KATU 2 – Portland, Oregon

Williams says the hijackers simply try to log in to an eBay member’s account by trying to guess their account password.

Unless the user has made the effort to use a complicated password, hackers unfortunately have a fairly easy time guessing a password, letting them log on as users and hijacking the account.

Once inside an account, hijackers can change banking information, steal personal information and post non-existent items for sale as a “Buy It Now” auction, the kind that requires no bidding and can be run automatically.

Hijackers usually target sellers with a lot of “positive feedback,” which are positive transaction comments left by satisfied customers.

Most people on eBay feel that positive feedback is an assurance of an honest deal.

Once hijackers post items on the hijacked eBay page, it is impossible for eBay buyers to tell the site has been hijacked and if the site is a commercial page with a lot of good feedback, that is just another way to lure in buyers.

Williams paid for the non-existent camera using PayPal, the online payment system owned by eBay. He says there is no telling who actually received his money.

Williams says he follows eBay’s online security warnings, but when he reviewed them again, there was no mention of the hijacking scam.

eBay & PayPal Scams

Ferreting out a fake

Learn to detect phishing scams

Reputable firms such as eBay and PayPal have been besieged by email scammers attempting to pilfer valuable credit card details from unsuspecting customers. These emails often are quite well-done and look very authentic. However, a seasoned eye can quickly ferret out the truth. Those less savvy may want to follow a simple bit of advice: never follow a link in email unless you absolutely trust the sender. If you’d like to move from unsavvy to seasoned, here’s how to ferret out malformed link scams.

Fraud – Ebay Fraud Blog
Fraud Prevention, Information and News about Fraud Online