Tuesday, March 13, 2007

Whitman Fiddles as ebaY Burns

13 Mar 2007

Whilst Meg Whitman stood and played her fiddle at the Visa Security Summit, confidence in ebaY's security continued to burn to the ground. Adding fuel to the fire is Vladuz, defeating every ebaY effort to keep him from posting as an ebaY employee on ebaY's boards.

Meg Whitman blamed everyone but ebaY for the huge security hole that has made ebaY the plaything of Chinese hijackers, selling their counterfeit merchandise to the markets ebaY attempted, and failed, to deny them. Meg Whitman blamed Microsoft, Yahoo, the victims of the hijacks, Vladuz and probably The Auction Guild, for the flaws that are no doubt the fault of ebaY's bloated, patched, corrupt and insecure coding. She thinks every other company but ebaY should spend their dollars, hire personnel, fix their security, and build tools for ebaY to use for free, so that ebaY users can't get scammed and user confidence in ebaY doesn't continue to turn to ash. She does not mention, and definitely won't implement, even the most basic things that ebaY could do to assist themselves in curtailing their own problems (more on this later). Meg Whitman does not want to spend a penny, as that might adversely affect ebaY's ability to continually fool potential ebaY stock buyers that ebaY is a good investment, and a safe and fun place to sell and buy merchandise. There should be no misconception. ebaY is not safe and secure, has not been able to secure their own site, and potential investors should not waste their money on ebaY stock until ebaY demonstrates the ability to secure the site.

ebaY keeps saying that Vladuz had a one time access to an employee account that contained old screenshots, and that ebaY shut his access down. Yet for the third time since he was allegedly shut down, Vladuz again posted to the ebaY Germany and US boards today, with an ebaY employee account.

A search of the ID yielded the following screenshots, showing the poster's profile and user ID history.

In and of itself, access to ebaY employee accounts is possibly not important. But the fact that ebaY can't secure even their own employee accounts is definitely indicative of more serious security flaws. These other security flaws are being demonstrated by Chinese counterfeiters listing upwards of 3 million items each and every day on ebaY, using fresh cherry-picked accounts each time. The counterfeiters are also receiving payment through PayPal, and TAG wonders if ebaY continues to allow this since this is the only money ebaY is earning on the transactions. Since the listings are on hijacked accounts, ebaY is not making anything in listing or final value fees, but PayPal takes its cut before the money is sent to the account holder.

Other indications of security flaws are the ability to override ebaY's listing parameters. Scammers and counterfeiters have been able to list items with titles longer than ebaY allows, add information to running legitimate listings, list items on NARU accounts (no longer a registered user: closed or suspended accounts), list items on accounts that are only set up for buying (buyer and seller accounts require different financial information), access accounts without having the password, and sell hundreds of items on accounts that don't meet the criteria for use of certain functions such as Buy It Now. In addition, the listings appear to index in search immediately, long before normal listings do. All these are indicators that the scammers and counterfeiters have a level of access to, and an ability to manipulate, the ebaY system far beyond what they would have if they had only hijacked a regular user's account via a password stolen by phishing. ebaY needs to explain how these things are happening, if all the blame is to fall on ebaY users.
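As an added illustration, not code from the original post or from ebaY itself: a data-layer audit that re-checks the listing invariants the post says were being bypassed (NARU seller, buyer-only account, over-long title, Buy It Now on an ineligible account, 1-day duration) over constructed sample accounts and listings; the 55-character title cap is an assumed value, since the post only says titles exceeded the limit.

```python
from dataclasses import dataclass
MAX_TITLE_LEN = 55  # assumed cap; the post only says titles exceeded eBay's limit

@dataclass
class Account:
    user_id: str
    naru: bool            # "no longer a registered user": closed or suspended
    seller_enabled: bool  # buyer-only accounts never supplied seller financial info
    bin_eligible: bool    # meets the criteria for Buy It Now

@dataclass
class Listing:
    listing_id: str
    seller_id: str
    title: str
    buy_it_now: bool
    duration_days: int

def listing_violations(listing: Listing, accounts: dict) -> list:
    # Re-check, at the data layer, every rule the post says the front end failed to hold.
    acct = accounts.get(listing.seller_id)
    if acct is None:
        return ["seller account does not exist"]
    found = []
    if acct.naru:
        found.append("listing on NARU account")
    if not acct.seller_enabled:
        found.append("listing on buyer-only account")
    if len(listing.title) > MAX_TITLE_LEN:
        found.append("title longer than allowed")
    if listing.buy_it_now and not acct.bin_eligible:
        found.append("Buy It Now on ineligible account")
    if listing.duration_days == 1:
        found.append("1-day listing")
    return found

ACCOUNTS = {  # constructed sample data, not real eBay accounts
    "honest_seller": Account("honest_seller", naru=False, seller_enabled=True, bin_eligible=True),
    "closed_2005": Account("closed_2005", naru=True, seller_enabled=True, bin_eligible=False),
    "just_a_buyer": Account("just_a_buyer", naru=False, seller_enabled=False, bin_eligible=False),
}
LISTINGS = [  # constructed sample listings
    Listing("L1", "honest_seller", "Vintage lens, excellent condition", False, 7),
    Listing("L2", "closed_2005", "X" * 80, True, 1),
    Listing("L3", "just_a_buyer", "Designer handbag", True, 3),
]

if __name__ == "__main__":
    for lst in LISTINGS:
        print(lst.listing_id, "->", "; ".join(listing_violations(lst, ACCOUNTS)) or "clean")
```

Run periodically against the live listing table, this catches writes that reached the database without passing the listing form's checks, which is exactly the condition the post describes.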

This is a screenshot of an active listing on a NARU account. Unfortunately we did not get a screenshot of the seller's list of 205 items on this NARU account.

There are things ebaY could do right now to cut way back on these problems, without actually fixing their bloated, patched, corrupt and insecure kludge coding. These would only be stopgap measures until real fixes were put in place. Of course to do this, they would have to hire personnel and spend money, which at ebaY appears to be a crime of the first order, and a thing they won't do until their hand is forced.

1. Delete all accounts that have been inactive for a year. That is DELETE, as in remove totally from the database, not put into some accessible hole that the scammers can access. If they don't want to just delete inactive accounts, then send an email to the account holder asking the holder to go through their normal links to confirm they still want the account. Account holders should have to confirm unused accounts annually.

2. Require every account to be funded, either by cash, check or credit card. Even a minimal deposit of five or ten dollars for each account registered would cut down on the millions of superfluous accounts that are just sitting around waiting for the scammers to use them. Delete every account not funded (see 1. for what delete means). This would also help cut down on some other problems, such as accounts registered for deadbeat bidders to use to wreak havoc on sellers they don't like, or just for the fun of it.

3. Require a secure password consisting of letters, numbers and characters. This is such a basic security feature it amazes TAG that ebaY does not require it.

4. Require that sellers of items that are normally counterfeited be bonded. This is probably a good idea for all sellers who habitually sell high-ticket items, including ebaY Motors. Reasonable limits could be set, so that anyone selling over X dollars a month of these items must be bonded.

5. Eliminate 1-day listings, and possibly 3-day listings. There is no reason for these to exist, and though Buy It Now and store listings amount to the same thing, they at least have some restrictions in place. Of course it appears the scammers have the ability to subvert all restrictions, but getting rid of all 1-day listings might filter some of the garbage out.

It would behoove Meg Whitman to implement these stopgap measures, expending her employees' energy on these measures as opposed to deleting postings and threads about the problems, suspending users who talk about the problems, lying about the extent of the security hole, and adding sites that publicize these issues, such as The Auction Guild and Falle-Internet.de, to the blacklists on sites such as AOL, Yahoo and the phishreport.net organization. And if ebaY actually plans to continue to be a marketplace, they need to hire some programmers and rebuild the entire program infrastructure from scratch, so that holes such as the one exploited by the Vladuzes of the world are closed.

If you want to read more about these issues, and get the latest as it happens, keep your eye on these sites:
ebaY Motors Sucks

Articles at -

Information for this article came from -
And from several TAGnotes subscribers and information providers who choose to remain anonymous, but whose efforts we appreciate immensely.
