Friday, February 23, 2007

ebaY on Vladuz, Deny and Lie

23 Feb 2007

TAG has been deeply concerned over the completely open ebaY back end, which has allowed the hackers and the counterfeiters complete access to unlimited ebaY accounts and listings. All ebaY has done, so far as we can tell, is to disappear threads on their site discussing the subject, and attempt to intimidate and threaten websites that have recorded the incidents, and provided access to this information to the public.

On the first of February, TAG wrote to Rob Chesnut, Senior Vice President of Trust and Safety at ebaY, in a futile attempt to get some reassurance that ebaY was actually doing something to close this hole. We referenced the articles on the TAG website we have written on this subject and asked what we consider the most basic question:

If as ebaY claims, the Vladuz back door program does not exist, then HOW are the Chinese counterfeit sellers hijacking thousands of accounts and using those accounts to sell their merchandise and get their payment through PayPal, all without needing passwords on those accounts?

Unfortunately Rob did not see his way clear to respond - on or off the record - and instead shunted the email off to a new and inexperienced ebaY PR person. We can just imagine how the folks at ebaY were probably laughing in their coffee cups about sticking this ingénue with responding to bid bad TAG.

The email we received said:

I have to say we were rather disappointed that you didn't try and contact us prior to writing the piece as when we read your article we have noticed it contains many inaccuracies.

We can hopefully address your 'concerns about the Vladuz problem' with the facts below. Once you've had a look at these, it would be great if we can chat about whether you will amend your current article.

- Some messages were published on a community board on the eBay.de (Germany) web site by a person who gained access to a small number of employee email accounts.

- Our corporate email system operates on an entirely separate database and server system than those that store customer information.

- At no point did he have access to our corporate networks, tools, financial databases, or desktops, and at no point was any user information exposed.

There is no way of gaining access to our internal networks without a securid token issued by IT.

- By policy, our Customer Support Reps cannot store or include any personal data of any user in their email account.

- We take these incidents very seriously, and we are working closely with US and International authorities to investigate it further.

We responded with:

Are you just a PR person or do you actually understand how ebaY works? I have been intimately acquainted with the ebaY system since 1997 and been writing about it since 1999. How long have you been with them?

Since ebaY usually refuses to talk to me, I rarely contact them in the first place. On the very rare occasions I have talked to someone at ebaY on the record, all I have gotten is information that is less than the truth, definitely less than the whole truth, and usually just corprospeak babble. ebaY lies so frequently, it is hard to tell the rare time they might actually be speaking the truth.

This is simple – give me a realistic explanation of how the Chinese hackers have unlimited access to US ebaY accounts so that they can cherry pick the ones they want, in alphabetical order, with specific profiles, without the need for passwords, with the ability to redirect PayPal payments to themselves, with the ability to change information within actively running legitimate listings, and I MIGHT believe what you have to say about there being no access to your corporate networks, tools, financial database or desktops.

How much of this information is available because of the tools Vladuz is selling, remains to be seen, but the research I have done does point to Chinese hackers being aware of the Vladuz tools. One could theorize that they have used his tools and improved on them, so that they now have their unlimited access to ebaY user accounts.

Now admittedly, this is not exactly friendly or diplomatic, but it was bluntly honest, our normal mode of communication.

ebaY's Public Relations response was:

I must say that I was quite surprised by your response to us. As a new member to the eBay PR team, I was in good faith trying to reach out and build a new relationship with you, because we as a team were hoping to engage with you in the same manner we do with all other journalists and bloggers. We wanted to create a successful working relationship based on honesty, trust and mutual respect. But, it's obvious from the tone of your email below that you do not wish to start a productive and positive working relationship with us, which is a shame.

I have already provided you with the facts for the story you have already published. As I mentioned before, we would expect you to amend your story to reflect the accurate facts, however, I shall leave that to your own judgment about what is most valuable for your readers to know.

Given your apparent disinterest in helping your readers by developing a productive relationship with us that is based on the qualities we value, we have decided it would not benefit any of us to continue the effort with future responses to any of your inquiries.

We tried again and responded with:

In the past I have tried friendly discourse with ebaY, and have received no valid answers to my questions. In the past I have been aggressive and have received no valid answers to my questions. My approach has made no difference in getting valid answers out of ebaY. There is also a history of ebaY acting in a bad faith way against me – so there is a good reason why my attitude is not one based on mutual respect.

I would be happy to open a new channel and start fresh with you, if you would give me valid answers to my valid questions.

In my email to Rob I did not ask about Vladuz hijacking pink accounts to play games on the German boards. This is a non-issue as far as I am concerned, except that it demonstrates additional vulnerabilities. What I did ask about was the FACT that Chinese hackers have unlimited access to US ebaY accounts so that they can cherry pick the ones they want, in alphabetical order, with specific profiles, without the need for passwords, with the ability to redirect PayPal payments to themselves, and with the ability to change information within actively running legitimate listings.

This is happening every day and I have records of dozens of screenshots of this activity on ebaY. Can you please address this very important issue?

At present, all the facts I have do not in any way agree with the things you say are facts. The evidence is to the contrary. There is not evidence, for instance, that even though ebaY might end listings on these hijacked accounts, they have any way to prevent the items from being listed again, or can in any way limit the 1 to 2 million or so listings a day being posted by these Chinese hijackers.

It would be wonderful if ebaY were to turn over a new leaf and develop a relationship with their community that was based on honesty, truth and mutual respect. As the person who has been writing about ebaY the longest, with a firmly established position in the industry as being forthright, trustworthy, and ethical, if you could actually develop a rapport with me, where honesty and openness ruled, it would be a great accomplishment indeed. This would reflect well on you, and on ebaY, and I challenge you to change the current climate between TAG and ebaY, and in turn with the entire industry.

Needless to say, the ebaY PR wonk did not respond. We were amused by the phrase that said, " I have already provided you with the facts for the story you have already published. As I mentioned before, we would expect you to amend your story to reflect the accurate facts"

Of course ebaY did not in any way discuss the issue of the nearly 2 million listings daily on hijacked accounts. The listings that are relisted as fast as ebaY can remove them - sometimes 3 or 4 times a day. This image is a pictorial view of what is happening on ebaY every day.




They did not discuss the ongoing fake second chance offers that continue to be sent to bidders on high priced items, despite ebaY's now hiding the bidder IDs. ebaY did not discuss that Vladuz has posted on several ebaY chat boards using ebaY employee IDs or creating his/her own ebaY employee IDs, such as his latest posting on the ebaY DE board



In fact all ebaY has done is deny and lie.

They say Vladuz, "...gained access to a small number of employee email accounts" when it is obvious that Vladuz can access whatever ebaY employee accounts, whenever he/she wants, on whichever ebaY site he/she chooses. They say, "...no one can access an ebaY account without a password" though we have proved this is not true. ebaY says, "...the hijacked accounts are due to people responding to phishing email", though we have proved this also is not always true, and can not be true where hundreds of accounts are cherry picked, in alphabetical order, and new accounts are used day after day. ebaY denies that anyone has access to their back end, and refuses to acknowledge or provide a single answer as to how the counterfeiters are using these hundreds of hand picked hijacked accounts to sell millions of counterfeit items, and get paid via PayPal through ebaY. TAG is convinced that if ebaY could fix this open back end problem, they would have already done so. The only logical conclusion is that they can't.

Surely it is time for ebaY to come clean on this, and reassure those who use ebaY that they know about the problems and are working on fixing them. They should set up a special team to monitor their own site to prevent these listings from even indexing on the site. As we said in our final email to that ebaY PR person, " It would be wonderful if ebaY were to turn over a new leaf and develop a relationship with their community that was based on honesty, truth and mutual respect."

Don't worry; we are not holding our breath whilst waiting for this change.

No comments: