Thursday, March 15, 2007

Is ebaY Holding the Smoking Gun?

The Preponderance of the Facts Shows That ebaY is Holding The Smoking Gun
14 March 2007

It must be pretty obvious to our readers that TAG has been convinced for quite a while that ebaY is lying when they say Vladuz - and by extrapolation the Chinese hijacker/counterfeiters - has no access to ebaY other than through the phishing that takes place off ebaY. Only ebaY knows the whole truth, and all TAG, being on the outside, can do is use our 10 years of intimate knowledge of ebaY and theorize on what we can observe. ebaY says that their site is secure and that no one has accessed their back end, as TAG has theorized. They told TAG that it is a FACT that no one has direct access to ebaY:

"We can hopefully address your 'concerns about the Vladuz problem' with the facts below."

"There is no way of gaining access to our internal networks without a securid token issued by IT."

"At no point did he have access to our corporate networks, tools, financial databases, or desktops, and at no point was any user information exposed."

"No one can access a user account without a password"

We already know, for a FACT (a real one, not an ebaY corprobabblespeak one), that the following "fact" is a lie:

"Some messages were published on a community board on the eBay.de (Germany) web site by a person who gained access to a small number of employee email accounts."

since Vladuz posted on the boards today, using ebaY employee accounts, for the fourth time since he was supposedly shut out of that "small number of employee email accounts." Can there be so many gullible ebaY employees falling for phishing scams, and doing so whilst this massive attack against the ebaY site is going on?

What is most interesting about today's postings, however, is that the account hijacks appear to have finally provided the smoking gun, with ebaY's fingerprints on it: possibly irrefutable proof that ebaY is lying, that their site has been compromised, and that the back door is wide open.

Today, one of the accounts Vladuz used, under the User ID Vladuz-Unleashed, is an account for an ebaY employee, kelbel@ebay.com.


kelbel@ebay.com has what appears to be a test ebaY shop.


Though kelbel@ebay.com has only one (1) feedback, from another ebaY employee, kelbel has a PowerSeller logo.

It is fairly obvious that kelbel@ebay.com is not a real person, but an account created by ebaY to run whatever tests and experiments they feel they need. ebaY has lots of things they test, so this is just another one of them. BUT, if there is no real person named kelbel@ebay.com, HOW did that non-existent person fall for a phishing scheme that allowed "his" information to be added to a phishing database? And if the account was hijacked without such access, then ebaY is lying about all of their alleged facts, and about phishing being the road to access to all these hijacked accounts, ebaY's and everyone else's.

At what point do ebaY's lies become criminal activity? At what point do they become liable for what is going on? They might already be violating the California law that requires them to contact California account holders when their ebaY accounts are compromised through access to ebaY's servers. What other laws are they breaking? Customer trust is eroding fast; will stockholder trust be far behind?

Tuesday, March 13, 2007

Whitman Fiddles as ebaY Burns

13 Mar 2007

Whilst Meg Whitman stood and played her fiddle at the Visa Security Summit, confidence in ebaY's security continued to burn to the ground. Adding fuel to the fire is Vladuz, defeating every ebaY effort to keep him from posting as an ebaY employee on ebaY's boards.

Meg Whitman blamed everyone but ebaY for the huge security hole that has made ebaY the plaything of Chinese hijackers, selling their counterfeit merchandise to the markets ebaY attempted, and failed, to deny them. Meg Whitman blamed Microsoft, Yahoo, the victims of the hijacks, Vladuz and probably The Auction Guild for the flaws that are no doubt the fault of ebaY's bloated, patched, corrupt and insecure coding. She thinks every other company but ebaY should spend their dollars, hire personnel, fix their security, and build tools for ebaY to use for free, so that ebaY users can't get scammed, while user confidence in ebaY continues to turn to ash. She does not mention, and definitely won't implement, even the most basic things that ebaY could do to assist themselves in curtailing their own problems (more on this later). Meg Whitman does not want to spend a penny, as that might adversely affect ebaY's ability to continually fool potential ebaY stock buyers into believing that ebaY is a good investment, and a safe and fun place to sell and buy merchandise. There should be no misconception. ebaY is not safe and secure, has not been able to secure their own site, and potential investors should not waste their money on ebaY stock until ebaY demonstrates the ability to secure the site.

ebaY keeps saying that Vladuz had one-time access to an employee account that contained old screenshots, and that ebaY shut his access down. Yet for the third time since he was allegedly shut down, Vladuz again posted to the ebaY Germany and US boards today, with an ebaY employee account.

A search of the ID yielded the following screenshots, showing the poster's profile and user ID history.

In and of itself, access to ebaY employee accounts is possibly not important. But the fact that ebaY can't secure even their own employee accounts is definitely indicative of more serious security flaws. These other security flaws are being demonstrated by Chinese counterfeiters listing upwards of 3 million items each and every day on ebaY, using fresh cherry-picked accounts each time. The counterfeiters are also receiving payment through PayPal, and TAG wonders whether ebaY continues to allow this because it is the only money ebaY is earning on the transactions. Since the listings are on hijacked accounts, ebaY is not making anything in listing or final value fees, but PayPal takes its cut before the money is sent to the account holder.

Other indications of security flaws are the ability to override ebaY's listing parameters. Scammers and counterfeiters have been able to list items with titles longer than ebaY allows, add information to running legitimate listings, list items on NARU accounts (no longer a registered user - closed or suspended accounts), list items on accounts that are only set up for buying (buyer and seller accounts require different financial information), access accounts without having the password, and sell hundreds of items on accounts that don't meet the criteria for use of certain functions such as Buy It Now. In addition, the listings appear to index in search immediately, long before normal listings do. All these are indicators that the scammers and counterfeiters have a level of access and an ability to manipulate the ebaY system far beyond what they would have if they had only hijacked a regular user's account via a password stolen through phishing. ebaY needs to explain how these things are happening, if all the blame is to fall on ebaY users.
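As an added illustration (not code from the original article or from ebaY), the following Python audits listing records against the platform invariants this paragraph describes, flagging listings that the normal listing form could never have produced; the title limit, the Buy It Now feedback threshold, and the sample accounts are assumed and constructed for the example:

```python
from dataclasses import dataclass

# Assumed policy values for this example (not ebaY's real rules).
TITLE_MAX = 55          # longest title the listing form would accept
BIN_MIN_FEEDBACK = 10   # feedback needed before Buy It Now is offered

@dataclass
class Account:
    user_id: str
    status: str            # "active" or "naru" (no longer a registered user)
    seller_enabled: bool   # False for accounts registered only for buying
    feedback: int

@dataclass
class Listing:
    item_id: str
    seller: str
    title: str
    buy_it_now: bool

def check_listing(listing, accounts):
    """Return the platform invariants this listing violates (empty if none)."""
    acct = accounts.get(listing.seller)
    if acct is None:
        return ["unknown_seller"]
    flags = []
    if acct.status == "naru":
        flags.append("listing_on_naru_account")
    if not acct.seller_enabled:
        flags.append("listing_on_buyer_only_account")
    if len(listing.title) > TITLE_MAX:
        flags.append("title_exceeds_limit")
    if listing.buy_it_now and acct.feedback < BIN_MIN_FEEDBACK:
        flags.append("bin_without_eligibility")
    return flags

def audit(listings, accounts):
    # Map item_id -> violations for every listing that breaks at least one rule.
    return {l.item_id: f for l in listings if (f := check_listing(l, accounts))}

# Constructed sample: one honest seller, one NARU account, one buyer-only account.
ACCOUNTS = {
    "honest_seller": Account("honest_seller", "active", True, 250),
    "closed_account": Account("closed_account", "naru", True, 40),
    "buyer_only": Account("buyer_only", "active", False, 3),
}
LISTINGS = [
    Listing("1001", "honest_seller", "Vintage 50mm camera lens", False),
    Listing("1002", "closed_account", "Designer handbag", True),
    Listing("1003", "buyer_only", "X" * 60, True),
]
```

Any listing that trips one of these checks bypassed the front-end validation, which is the kind of evidence a site operator can pull from its own database to test the "phishing only" explanation.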

This is a screenshot of an active listing on a NARU account. Unfortunately we did not get a screenshot of the seller's list of 205 items on this NARU account.

There are things ebaY could do right now to cut way back on these problems, without actually fixing their bloated, patched, corrupt and insecure kludge coding. These would only be stopgap measures until real fixes were put in place. Of course, to do this they would have to hire personnel and spend money, which at ebaY appears to be a crime of the first order, and a thing they won't do until their hand is forced.

1. Delete all accounts that have been inactive for a year. That is DELETE, as in remove totally from the database, not put into some accessible hole that the scammers can access. If they don't want to just delete inactive accounts, then send an email to the account holder asking the holder to go through their normal links to confirm they still want the account. Account holders should have to confirm unused accounts annually.

2. Require every account to be funded, either by cash, check or credit card. Even a minimal deposit of five or ten dollars for each account registered would cut down on the millions of superfluous accounts that are just sitting around waiting for the scammers to use them. Delete every account not funded (see 1 for what delete means). This would also help cut down on some other problems, such as accounts registered for deadbeat bidders to use to wreak havoc on sellers they don't like, or just for the fun of it.

3. Require a secure password consisting of letters, numbers and characters. This is such a basic security feature it amazes TAG that ebaY does not require it.

4. Require that sellers of items that are normally counterfeited be bonded. This is probably a good idea for all sellers who habitually sell high ticket items, including ebaY Motors. Reasonable limits could be set, so that anyone selling over X dollars a month of these items must be bonded.

5. Eliminate 1-day listings, and possibly 3-day listings. There is no reason for these to exist, and though Buy It Now and store listings amount to the same thing, they at least have some restrictions in place. Of course it appears the scammers have the ability to subvert all restrictions, but getting rid of all 1-day listings might filter some of the garbage out.

It would behoove Meg Whitman to implement these stopgap measures, expending her employees' energy on them as opposed to deleting postings and threads about the problems, suspending users who talk about the problems, lying about the extent of the security hole, and adding sites that publicize these issues, such as The Auction Guild and Falle-Internet.de, to the blacklists on sites such as AOL, Yahoo and the phishreport.net organization. And if ebaY actually plans to continue to be a marketplace, they need to hire some programmers and rebuild the entire program infrastructure from scratch, so that holes such as that exploited by the Vladuzes of the world are closed.

If you want to read more about these issues, and get the latest as it happens, keep your eye on these sites:
ebaY Motors Sucks
FireMeg
Falle-Internet

Articles at -
http://redtape.msnbc.com/2007/03/how_far_has_vla.html
http://www.eweek.com/article2/0,1895,2100808,00.asp
http://www.eweek.com/slideshow/0,1206,a=202474,00.asp

Information for this article came from -
http://news.zdnet.com/2100-1009_22-6165628.html?tag=nl.e550
And from several TAGnotes subscribers and information providers who choose to remain anonymous, but whose efforts we appreciate immensely.