Interesting People mailing list archives

more on more on eBay faces up to online fraud The online auctioneer eBay has admitted an "extreme growth" in the number of personal accounts being hijacked by fraudsters.


From: "David Farber" <dave () farber net>
Date: Sat, 17 Dec 2005 12:00:18 -0500 (EST)

---------------------------- Original Message ----------------------------
Subject: Re: [IP] more on more on eBay faces up to online fraud The online
auctioneer eBay has admitted an "extreme growth" in the number of personal
accounts being hijacked by fraudsters.
From:    "Serge Egelman" <egelman () cs cmu edu>
Date:    Sat, December 17, 2005 11:55 am
To:      dave () farber net
--------------------------------------------------------------------------



This is actually incorrect.  eBay's internal messaging service does use
email.  When you get a message from another member, it will be sent to you
via email as well.  Within that email, there is a link for "Respond Now." 
If you are not currently logged into eBay, this link will
redirect you to a login page before allowing you to respond to the
message.  Many phishers are now copying this (this is the most common eBay
phish that I've seen as of the past month or two).  They copy the eBay
message format, and insert a very ambiguous message hoping that you'll
think it's a legitimate question that needs a response (e.g., "Have you
shipped my item yet?").

This problem will always exist as long as eBay chooses to send out these
messages by email *and* redirects to a login page.

serge


David Farber wrote:


Begin forwarded message:

From: Jason Weisberger <jweisberger () mac com>
Date: December 16, 2005 7:37:04 PM EST
To: dave () farber net
Cc: ip () v2 listbox com
Subject: Re: [IP] more on eBay faces up to online fraud The online 
auctioneer eBay has admitted an "extreme growth" in the number of 
personal accounts being hijacked by fraudsters.

eBay simply doesn't use email to contact its customers without being
offered a proactive impetus. You will never get an email from PayPal or
eBay asking you to click a link and enter your password. The most
you'll see email from them, in that area, is in response to you hitting
the website and reporting a password lost. They email you a link to go
to and enter a code they supply to confirm your identity. Then you
change your password. They also send me enough email to know that
spoof () ebay com and spoof () paypal com is where to forward any weird
looking email. They respond very quickly and let you know if it is an
established phishing attempt that they have seen already or if it's new,
thank you for forwarding it in AND then reiterate that you should never
trust an unsolicited email asking for your password.

eBay uses an internal messaging system inside of your my.ebay page for
passing messages back and forth between users and some eBay contacts.
They simply try not to use email for things that would in turn open a
door and allow the spoofs to be mistaken for legitimate.

I'm also a little confused as to the context or accuracy of the quotes in
the BBC article, or the actual role of the gentleman interviewed. I
know someone who is tied into the Fraud Investigations and Law
Enforcement Relations global management infrastructure at eBay and
everything I've heard leads me to believe the opposite of what I read
in the article. eBay seems to invest a lot in investigating and
preventing any sort of criminal activity, across all of its various
business units, and works very closely with law enforcement in every
country they have a presence in.

On Dec 16, 2005, at 3:28 PM, David Farber wrote:



Begin forwarded message:

From: Bob Frankston <Bob2-19-0501 () bobf frankston com>
Date: December 16, 2005 3:21:42 PM EST
To: dave () farber net, ip () v2 listbox com
Subject: RE: [IP] eBay faces up to online fraud The online auctioneer
eBay has admitted an "extreme growth" in the number of personal
accounts being hijacked by fraudsters.

Given the amount of phishing I’m surprised there are any uncompromised
accounts.

I'd be interested in knowing more about what eBay and others are doing to
try to get ahead of the problem.

Yes, I’m a bit obsessed about phishing because it compromises basic social
mechanisms and gets past the normal social controls on such activity. The
Internet has introduced kinds of relationships that defy our familiar
models.

I don't expect a simple answer but I'm still puzzled by the lack of visible
law enforcement activity -- are there examples of prosecution for such
crimes other than the individual sellers who get caught? I presume they are
the small disposable players.

-----Original Message-----
From: David Farber [mailto:dave () farber net]
Sent: Friday, December 16, 2005 15:13
To: ip () v2 listbox com
Subject: [IP] eBay faces up to online fraud The online auctioneer eBay has
admitted an "extreme growth" in the number of personal accounts being
hijacked by fraudsters.

http://news.bbc.co.uk/1/hi/business/4533154.stm

eBay faces up to online fraud
The online auctioneer eBay has admitted an "extreme growth" in the
number of personal accounts being hijacked by fraudsters.

Criminals are obtaining the secret passwords of eBay subscribers and
using their sites to conduct bogus auctions for non-existent goods. In
a growing number of cases, would-be buyers on the UK's most used
website are paying thousands of pounds to apparently reputable
sellers after winning auctions on the site - only to find out they had
been dealing with criminals.
In an interview with Radio 5 Live, eBay would not reveal exactly how
many accounts had been hijacked, although a company spokesman refused
to deny that possibly tens of thousands had been compromised.
"Last year there was extreme growth," said Gareth Griffiths, head of
trust and safety for eBay. "Certainly last year it was a high-growth
area for us, it's a painful issue."
In one recent case, up to ten people are thought to have paid a total
of £15,000 for non-existent hot tubs, while another would-be buyer
thought he had purchased a £4,000 camper van - which turned out not to
exist.

Grab and go

In both cases eBay accounts had been hijacked to sell off the
non-existent goods.

"It gets to the point where that is obstructive to our inquiry"
Ruth Taylor, North Yorkshire Trading Standards

The hijacking of sellers' accounts is a particularly sensitive issue
for the auction site, which relies to a large degree on the level of
trust between the buyer and seller of goods for its success. There are
more than three million items for sale on the site at any one time.

eBay blames its account holders for not installing proper security on
their home computers and for replying to so-called "phishing" emails.

These are fake emails made to look like official eBay messages and
which demand the secret passwords to users' accounts.

Viruses are also said to be infecting home computers by installing
themselves inside hard drives, where they monitor the keystrokes of
eBay users, make a record of passwords before sending them onto the
fraudsters.

'Nothing to do with us'

Describing the problem as an "off eBay" issue, Mr Griffiths said the
problem was "nothing to do with us".

In several cases examined by the BBC the eBay users who had their
accounts hijacked claimed to be computer literate and vehemently denied
that they had replied to phishing emails.



"There is no way I would have done that," said Dr Oliver Sutcliffe, a
biochemist from Nottingham. His site was hijacked over the space of one
weekend to sell thousands of pounds worth of electrical goods.

EBay is also under fire from law enforcement officials and
manufacturers over levels of crime on the site and the levels of
cooperation they receive.

Trading standards officers who regularly investigate crimes
perpetrated on the site have accused eBay of being "obstructive" in the
way it shares information. North Yorkshire Trading Standards says eBay
can take up to two months to provide the names and addresses of
suspects it is pursuing.

"If it takes up to two months, then it is eating in to a lot of time
that we have to make prosecutions," said Ruth Taylor, who heads the
authority's special investigations unit. "It gets to the point where
that is obstructive to our inquiry."

Faking it

Concerns have also been raised about the large amount of counterfeit
goods on sale on eBay.

Adidas told the BBC that it monitored up to 12,000 auctions involving
its goods every day on the British site - yet it estimated that up to
40% of all Adidas products available were counterfeit.



eBay says it has a special relationship with brand owners, who can
notify the site of auctions involving counterfeit goods which will then
be taken down within hours.

However, the Ben Sherman clothing brand says it recently took eBay five
days to take down an auction of counterfeit clothing - by which time
much of it had been sold.

"I think one must say that it's highly unsatisfactory," said Barry
Ditchfield, Ben Sherman's brand protection manager.

"With all the amount of profits that eBay makes, then there is ample
scope for additional staff. Frankly, it is totally unsatisfactory, not
just for Ben Sherman but for all brand holders."

EBay have rejected the accusations, saying that the company has a good
relationship with law enforcement officials.

"The satisfaction level is generally very high," said Gareth Griffiths.



Five Live Report: Policing eBay can be heard on Radio Five Live at
1930BST on Sunday 18 December or afterwards at the Five Live Report
website.

Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/1/hi/business/4533154.stm

Published: 2005/12/15 23:56:44 GMT

© BBC MMV

-------------------------------------
You are subscribed as BobIP () Bobf Frankston com
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/










-- 
/*
Serge Egelman

"Sobriety diminishes, discriminates and says no, while drunkenness
expands, unites and says yes!" -Henry James
*/







