In Jul of 2002 prior to the ebaY acquisition of PayPal TAG wrote,
TAG predicts that once ebaY owns PayPal, ebaY will require all sellers who sell on ebaY must offer PayPal's payment services. Since ebaY has a virtual monopoly in the OAI/OTI, we feel this will be a disaster. ebaY will monopolize the auction and trading market and will now monopolize the online payment system. They will be able to increase prices at will (as they have done with their auction and trading services, despite quarter over quarter record breaking profits). Because of their dominance, they will be able to both require use of PayPal and be able to raise PayPal fees unrestrainedly. They could have attempted this with their own payment system, Billpoint, but TAG feels they would not have dared to do so because they would have had PayPal to contend with, as a lawsuit would have surely ensued. If ebaY owns PayPal, who will there be to challenge them?
This scenario is rapidly becoming a reality. In ebaY's bid to Amazonize ebaY, since Amazon is growing and ebaY isn't, ebaY is forcing more and more sellers to offer ebaY owned PayPal as a payment option. In an even more ominous move, ebaY is now planning on prohibiting ebaY Australia sellers from offering any payment option other than PayPal. The plan is that by 21 May 2008 all AU sellers must offer PayPal as an option, and by 17 June 2008 Australian sellers may only accept PayPal as payment.
ebaY of course, couches this as a "safety" issue, but there is no independent proof that PayPal is any safer than any other payment alternative. Of course if ebaY was as safe as they claim to be (one one hundredth of one percent has been their claim of fraud on their site), then the whole safety argument is moot before it even starts. So they are lying about one or the other as both can't be true.
ebaY said in their announcement, "...those using PayPal were almost four times less likely to have a dispute over their purchase than people who paid with bank deposit. Plus, PayPal sellers were almost half as likely to experience an unpaid item as sellers who did not accept PayPal." Of course the comparison to checks, money orders, cash, merchant accounts etc are not even considered. ebaY can claim whatever they like, but without outside independent audits and confirmation on all types of payment systems, all ebaY's claims are invalid.
You can read the entire announcement HERE or (just in case it is changed or disappeared) HERE ebaY has its plans and sellers have theirs. There has been an outcry of outrage amongst ebaY Australia sellers about this policy change (and the same outcry should resound around ALL ebaY sites, as what happens in Australia will be instituted wherever ebaY can get away with it). Sellers are suggesting real and specific ACTION (as opposed to feel good futile petitions and boycotts), asking other users to complain to the Australian Competition and Consumer Commission which can squelch this move (depending on how susceptible they are to ebaY's "lobbying"). Since ebaY has to apply to the ACCC, for approval, ebaY users can post their comments on ebaY's application Application Complaints and Comments Sellers are moving their auctions to other sites such as OZ Auction , their own websites, and also suggesting political action.
Some posts on ebaY's boards, give advice and provide links to act against ebaY AU. Act against ebaY AU
=========================
Changes announced on eBay.com.au
MEMBERS ALL RING 1300302502 (ACCC) TODAY THEY ARE WORKING NOW!!!
sklhvo1758 (0 ) View Listings | Report 14-04-08 02:31 EST
MEMBERS ALL RING 1300302502 (ACCC) TODAY THEY ARE WORKING NOW AND THEY ARE VERY INTERESTED IN THIS MATTER NOW BECAUSE THERE ARE FLOODED WITH CALLS AND EMAILS FROM EBAY MEMBERS TODAY EVEN THIS MINUTE!!
From: lynne8670 (79 ) View Listings | Report
You've got to love Ebay(not) they make an announcement about changes 2mths out and they haven't even applied to the ACCC(which they have to do) so they can make the changes.
By making the announcement I'm sure Ebay thinks that all the complaints and anti Ebay sentiment will be over when they lodge their application with the ACCC and nobody will be bothered to comment on the application when it appears on the ACCC website http://www.accc.gov.au asking for submissions, which forms part of the process by the ACCC for granting Ebay permission to make the changes.
The best way to stop these changes is to complain to the ACCC by phone or email http://www.accc.gov.au/content/index.phtml/itemId/54217 and to watch the ACCC website for Ebays application and leave comments on that application and if the ACCC gets flooded with the same number or greater than have appeared in this forum then there may be a chance Ebay will be refused permission by the ACCC to implement the changes.
I like others will be leaving Ebay if the changes are made. As a buyer I Direct Bank Deposit for purchases in Aus as it is bad enough to have to wait up to 7days for delivery of purchases in Aus without having to wait an additional 5 to 7 days for funds to clear through Paypal, I only use Paypal for those rare occasions when I purchase overseas
FROM: the-bearoness (502 ) View Listings | Report
Here's a complaint already worded for those like myself who cannot think of the appropriate description of this new policy. [except naughty words ,that is ]
I can only give credit for this to an eBayer from Member to member help board that put it up the other day,thanks to you and sorry I've forgotten your user ID.
Okay guys,GO FOR IT!
********************************
I am filing a complaint over Ebay Australia's decision to restrict payment options and in doing so diminishing choices consumers have.
I believe that if Ebay takes the planned action this will constitute breaches of the Trade Practices ACT, PART IV--RESTRICTIVE TRADE PRACTICES , specifically s.45 & s. 4D.
In the whole, Australian buyers have a fear of handing over credit card details and bank details, which is the requirement when using paypal. There are also others that do not possess either and choose to send money orders.
These planned actions will significantly lessen choices consumers have in dealing with vendors on Ebay. Simultaneously it will force any sellers that do not currently accept paypal to do so or to close their operation on Ebay - essentially forcing them to breach s.45 of the TPA.
This is planned not to provide protection as they claim but to bolster their own bottom line.
There is no valid nor legal reason for Ebay to introduce this change as I currently have the choice to use paypal.
The ACCC has not acted against Ebay's carte blanche attitude in the past which has seen diminished competitiveness for Australians. I implore the ACCC to investigate and take the appropriate action. Signed by
henstoothbooks (4187 ) View Listings | Report 14-04-08 10:24 EST 4 of 15
ACCC is not the only the avenue to complain.
ASIC is also involved as PAYPAL owns an AFSL - This relates mostly to the delay of releasing funds etc however they are also concerned with consumer protection.
Complaints can be made at www.asic.gov.au
gralbow (2399 ) View Listings | Report 14-04-08 10:56 EST 5 of 15
Chris Bowen - Member for Prospect
Assistant Treasurer
Federal Minister for Competition Policy and Consumer Affairs
chris.bowen.mp@aph.gov.au
Parliament House Office
Suite M1 24
Parliament House
CANBERRA ACT 2600
Tel: 02 6277 7360
Fax: 02 6273 4125
Prospect Electoral Office:
115 The Crescent
Fairfield NSW 2165
Tel: (02) 9726 4100
Fax: (02) 9724 6115
Email:
chris.bowen.mp@aph.gov.au
Postal Address:
PO Box 802
Fairfield NSW 1860
=========================
ebaY needs to be pushed to the wall on this action. If they are legally a venue only, they should not be able to dictate to sellers what payment the seller can accept, as long as the payment method or provider is legal, and legitimate. This should be an issue that gets the attention of EVERY ebaY seller and buyer, no matter where the ebaY user is located or what ebaY site the seller or buyer utilizes. What happens on the ebaY AU and UK sites is bound to propagate to the other ebaY sites if ebaY can get away with it. What ebaY users should do NOW is contact consumer protection agencies, anti trust, and competitive governance agencies in their own countries, and pre-emptively ask the question about the legality of a similar move by ebaY in their own countries. In the US, ebaY users should contact their legislative representatives, the Dept of Justice and the Federal Trade Commission, and ask about what protections were put in place when ebaY was allowed to purchase PayPal, or request that some protections be enacted to prevent ebaY from implementing more restrictive trade practices, remove the ones already implemented, and continue to allow users choices in ebaY's virtual monopoly.
Other links of interest on this issue:
Aussies Flock to ebaY Rivals
Petition Against ebaY AU
US Dept Of Justice
Write to - antitrust@usdoj.gov
Federal Trade Commission Bureau of Competition
US House of Representatives - contact your Congressional Rep
US Senate - contact your Senator
Visit the TAG website
Wednesday, April 16, 2008
Saturday, October 27, 2007
A Solution to Get Fraudulent Listings Removed From ebaY FAST
ebaY has always lied about screening their listings to prevent fraud, prior to indexing them to the site. It was a good sounding PR story to cover their asses for their lousy indexing times but obviously false, since anyone outside ebaY can do a simple search of whatever is the scammer key word of the day, and finds hundreds and even thousands of fraud listings.
It is also obvious that ebaY will not now or ever hire the personnel they need to actually monitor their site, unless forced to by the courts or legislation.
Well we have come up with the solution for ebaY. (ebaY - when you read this please note the copyright - We would be glad if you implemented this idea, if you PAY us for it!)
In a nutshell - ebaY should pay their users a bounty for finding fraudulent listings.
To implement it -
1. Set up a live chat category where you have to log in, for reporting fraudulent listings (this is fraud only - not legit listings that might contain a violation of ebaY rules)
2. For every user ID an ebaY user turns in, that has visible fraudulent listing (redirects, overlays, hijacked accounts) ebaY pays the user (we suggest $25. but maybe they should start with $10, then increase as the incidence of fraud diminishes). If ebaY wanted to be really cheap, they could make the money a non expiring coupon only good for use on ebaY via PayPal (to buy items or pay seller fees) - in that way it would be fake money, not really costing ebaY much of anything in real dollars.
3. ebaY would "pay" every user who reports the user ID, and that would be valid until ebaY closes down the fraudulent listings posted by that ID so they were no longer visible on the site. This would motivate ebaY to use trained personnel for this special reporting board, who can recognize fraud when they see it, and close it down ASAP, rather than letting it run for hours, days, weeks, months, like they do now. The user reporting the items can take screenshots time stamped, of their chat and of the ID reported with items showing, to keep track of and prove they made a legit report - just in case ebaY tries to welch out.
4. At the end of the year ebaY could award a real money or stock bonus to the top fraud beaters - those who turned in the most accounts being used for fraud. Great PR.
This benefits ebaY in so many ways it is hard to fathom why they would not do it.
1. They already have the structure for reporting in place.
2. This would get the reports of such items off ebaY's chat/discussion boards, and probably off most of the off ebaY chat boards, as folks would have a reason to report them first BEFORE posting them in the public eye. If ebaY did this correctly, those listings would be gone - both before they could be seen AND before anyone could get taken.
3. Not only would the cost of this be minimal (paying a pittance to users rather than having to actually hire personnel), but they could use it as an actual example of both working with their community and actively combating fraud on their site - rather than just giving lip service to both. ebaY CLAIMS that fraud is less that one hundredth of one percent on their site - so just think how little this would cost them for so many tangible benefits.
4. This would clean up such fraudulent listings FAST. Currently ebaY tends to punish (threaten and suspend) users who report too much fraud, especially those who post about it on the ebaY chat boards. This generates lots of hostility, and is self defeating for ebaY, generating plenty of bad press. This idea eliminates all those negative factors.
ebaY - get moving! You know TAG's phone number, call and we can negotiate a price for this idea!
It is also obvious that ebaY will not now or ever hire the personnel they need to actually monitor their site, unless forced to by the courts or legislation.
Well we have come up with the solution for ebaY. (ebaY - when you read this please note the copyright - We would be glad if you implemented this idea, if you PAY us for it!)
In a nutshell - ebaY should pay their users a bounty for finding fraudulent listings.
To implement it -
1. Set up a live chat category where you have to log in, for reporting fraudulent listings (this is fraud only - not legit listings that might contain a violation of ebaY rules)
2. For every user ID an ebaY user turns in, that has visible fraudulent listing (redirects, overlays, hijacked accounts) ebaY pays the user (we suggest $25. but maybe they should start with $10, then increase as the incidence of fraud diminishes). If ebaY wanted to be really cheap, they could make the money a non expiring coupon only good for use on ebaY via PayPal (to buy items or pay seller fees) - in that way it would be fake money, not really costing ebaY much of anything in real dollars.
3. ebaY would "pay" every user who reports the user ID, and that would be valid until ebaY closes down the fraudulent listings posted by that ID so they were no longer visible on the site. This would motivate ebaY to use trained personnel for this special reporting board, who can recognize fraud when they see it, and close it down ASAP, rather than letting it run for hours, days, weeks, months, like they do now. The user reporting the items can take screenshots time stamped, of their chat and of the ID reported with items showing, to keep track of and prove they made a legit report - just in case ebaY tries to welch out.
4. At the end of the year ebaY could award a real money or stock bonus to the top fraud beaters - those who turned in the most accounts being used for fraud. Great PR.
This benefits ebaY in so many ways it is hard to fathom why they would not do it.
1. They already have the structure for reporting in place.
2. This would get the reports of such items off ebaY's chat/discussion boards, and probably off most of the off ebaY chat boards, as folks would have a reason to report them first BEFORE posting them in the public eye. If ebaY did this correctly, those listings would be gone - both before they could be seen AND before anyone could get taken.
3. Not only would the cost of this be minimal (paying a pittance to users rather than having to actually hire personnel), but they could use it as an actual example of both working with their community and actively combating fraud on their site - rather than just giving lip service to both. ebaY CLAIMS that fraud is less that one hundredth of one percent on their site - so just think how little this would cost them for so many tangible benefits.
4. This would clean up such fraudulent listings FAST. Currently ebaY tends to punish (threaten and suspend) users who report too much fraud, especially those who post about it on the ebaY chat boards. This generates lots of hostility, and is self defeating for ebaY, generating plenty of bad press. This idea eliminates all those negative factors.
ebaY - get moving! You know TAG's phone number, call and we can negotiate a price for this idea!
Wednesday, October 17, 2007
Looks as if ebaY is testing a customer service phone number being made available to "regular" users. The message shows up in My ebaY - The person who received this message it is a casual user of ebaY, buys and sells once in a while.
-------------------
Dear users name (user ID):
As one of our most loyal and active members, your membership status entitles you to a toll-free telephone number to contact eBay's customer service directly.
We're here to help if you need us, so the next time you need assistance from eBay, you can give us a call:
800-717-EBAY (800-717-3229)
This phone number is only for members like you who have been invited to
participate, so please be ready to provide your member ID when you call.
We appreciate your choice to use eBay and look forward to helping you make the most of your shopping experience. Please call us if you ever need a hand.
Sincerely,
eBay Customer Support
P.S. From time to time, if we notice you are having an issue with a transaction or a problem with your account, we may proactively try to reach you. Please help us provide the best possible service--make sure we have your correct contact phone number: www.ebay.com/UpdateContact
------------------
If you are not on their "list" they hang up on you.
Of course under the "will ebaY never learn" category, ebaY has a clickable link in the message that takes you to a redirected ebaY log in page. Is this an early holiday gift for the scammer set, who are sure to mimic the message for phishing? ebaY NEVER seems to learn from their prior mistakes. TAG guesses that ebaY feels their My ebaY and My Message system is secure, though those of us who follow ebaY know that NOTHING is secure on ebaY. ebaY opening another door for the scammers to exploit by putting a clickable link in what we are assuming (a dangerous thing to do) is a legitimate message, just facilitates the scammers.
-------------------
Dear users name (user ID):
As one of our most loyal and active members, your membership status entitles you to a toll-free telephone number to contact eBay's customer service directly.
We're here to help if you need us, so the next time you need assistance from eBay, you can give us a call:
800-717-EBAY (800-717-3229)
This phone number is only for members like you who have been invited to
participate, so please be ready to provide your member ID when you call.
We appreciate your choice to use eBay and look forward to helping you make the most of your shopping experience. Please call us if you ever need a hand.
Sincerely,
eBay Customer Support
P.S. From time to time, if we notice you are having an issue with a transaction or a problem with your account, we may proactively try to reach you. Please help us provide the best possible service--make sure we have your correct contact phone number: www.ebay.com/UpdateContact
------------------
If you are not on their "list" they hang up on you.
Of course under the "will ebaY never learn" category, ebaY has a clickable link in the message that takes you to a redirected ebaY log in page. Is this an early holiday gift for the scammer set, who are sure to mimic the message for phishing? ebaY NEVER seems to learn from their prior mistakes. TAG guesses that ebaY feels their My ebaY and My Message system is secure, though those of us who follow ebaY know that NOTHING is secure on ebaY. ebaY opening another door for the scammers to exploit by putting a clickable link in what we are assuming (a dangerous thing to do) is a legitimate message, just facilitates the scammers.
Wednesday, September 26, 2007
Has YOUR ebaY Account Been Compromised?
On Tuesday 25 Sep 2007 at 5:42 AM ebaY time, a hacker posted 29 to 50 pages of ebaY user information on the ebaY Trust and Safety discussion board (at approx 40 threads per page that is between 1100 and 2000 user IDs). The information was posted by using the user ID and account of the user whose information was posted, and included the ebaY user ID, email address, phone, name, street, city, state, zip, country, feedback info, what site they registered on, user status, powerseller status, payment method they used to pay ebaY, credit card number (with expiration date), credit card CVV2 code (the three digit security code on the back of the card), whether they are id verified, if they have an ebaY store and which site that is registered on, and if they are PayPal verified or not verified. The threads that contained the info also had a signature at the bottom of the post - SGI Inc. - emocnI gnitareneG rof snoituloS (Solutions for Generating Income spelled backwards) SGI Inc. is the company name used by Vladuz, a hacker who has demonstrated that he has the ability to access ebaY databases.
This first image shows the ebaY Trust and Safety discussion board thread list, with a detail of the thread listings.
The next image is the actual thread page you saw when clicking on the thread link from the previous image. We have masked parts of the info to protect the innocent.
Note the Vladuz signature on the bottom line
For more screen shots of the pages, please go to
TAG CHAT
After around 90 minutes of exposure, ebaY shut down the Trust and Safety board, occurring at around 7:15 AM, after trying to remove the thread posts at a time (the hacker was faster at posting than ebaY was at removing). One poster on the board discussing this incident, who saw the information, ran one of the credit card numbers posted through his merchant account verification, and it came back correct. Other posters said the CC info was not correct. Board posters got screenshots and compiled a list of user IDs so folks could check to see if their user ID was posted. When one board poster put the list on her ebaY Me page, ebaY removed the page and gave her a pink slap (an official violation notice with the threat of suspension).
We have a list of the IDs we have compiled from some of the screen shots we had access to and those lists posted by other folks on various boards (including ebaY's) around the net. You can view the list we compiled at this link. This list is NOT complete as it is believed there were over 1500 user IDs posted.
Compromised ID List
The first ebaY responses were posted on their discussion boards, and then removed, and were an obvious effort to cover themselves . Xavier's posts were removed soon after they were posted.
xman@ebay.com View Listings | Report 26-09-07 00:31 EST 58 of 61
Hi all, we're looking into why this happened however I've confirmed with the US teams that the credit card information was indeed false for all the accounts.
Looks like it only affected that 1 US Board but the engineers are diligently working to ensure this won't ever happen again.
Xavier
The eBay Team
-------------------
xman@ebay.com View Listings | Report 26-09-07 00:47 EST 82 of 88
The site wasn't actually hacked... it was a server issue where the system displayed the poster's information rather than the post itself. Being that the credit card information was on a different server, that info came up incorrect. It was not some hacker sitting there entering in someone's information and using a card generator.
Xavier
The eBay Team
---------------
Trust & Safety forums issue this morning
Posted by eBay Chatter on September 25, 2007 at 02:15 PM in General | Permalink
Some of our readers may have learned of an issue that occurred early this morning on one of our discussion forums. I've been talking with our Account Security and Legal teams, and I'd like to share some more details about this incident.
Very early this morning, a malicious fraudster posted on the Trust & Safety forum on eBay.com posing as approximately 1,200 eBay users. The fraudster made these posts in a way that was intended to appear as though he logged in with their accounts. The posts contained name and contact information, which appears to be valid, and could have been secured as part of an account take over.
The posts ALSO appeared to contain credit card information -- however, these credit cards are not associated with financial information on file for these users at eBay or PayPal. We're in the process of reaching out by phone to these members to, so that if the information is valid somehow -- regardless how this fraudster acquired the information -- these members can take the steps they need to take to protect themselves.
eBay and our forums vendor, LiveWorld, began taking steps to remedy the situation within an hour after it started. As things evolved behind the scenes, a decision was made to make the the Trust & Safety forum unavailable to our Community. It's still temporarily inaccessible, as the teams work on this issue.
I'll update this story later as we have more to share.
----------------
Various ebaY spokespersons also made statements to various press inquiries and calls to them by power sellers etc, that this was a hoax, that the information had been posted by a disgruntled user with access to the API, that the information was not valid, that the credit card numbers were not real and if they were real, they did not come from ebaY's database and were unrelated to info on ebaY. ebaY also said the information was real but had been phished from users off ebaY (this is ebaY's favorite excuse for security breaches even though it has been proven to be false on many occasions). What ebaY did not do (and still has not done) was post anything on the announcement board, informing users of the problem and warning them to watch their accounts and charge cards for possible breaches. Users have reported that ebaY has been making calls to those whose information was posted, to inform them of the breech. This is required by California law, whenever a breach of user information occurs.
With all the rumor, hearsay and damage control going on, there are still some hard facts that need to be looked at:
Fact 1 - Someone had the ability to post on ebaY's boards with the user ID and account of another person. This takes having an ebaY password for the account, or the ability to access and use accounts without passwords. This person was able to post threads at a rate of speed faster than ebaY's ability to remove the threads, leading them to have to shut down the Trust and Safety board completely.
Fact 2 - TAG had access to a small arbitrary sampling of the user account pages posted and checked what information we could against what is available to ebaY and PayPal users, and to those using the internet. Here is what we found:
*The User ID, email address, date registered, if they had a store or not, and feedback numbers registered/shown on ebaY matched 100% of the time
*The PayPal information as to the user having a verified account or not, was correct 83% of the users
*The ebaY ID verified information was correct 83% of the users
* When a reverse lookup online was used on the phone numbers to check name/addresses listed, 33% did not match the name or address, 50% were unlisted so were unavailable to check, and 17% were correct for the info shown
* When an address check was run using the white pages online with the name given, 66% of the information did not match, 17% were correct and 17% were listed as unavailable
We could not check the credit card numbers, and decided these people had probably been harassed enough about this, so we would not call them directly to ask them to verify. But, if you are one of the people whose accounts were posted and your credit card info does match that shown on the ebaY T&S board, and particularly if that information is the information used on ebaY's site, please feel free to contact us and let us know and we will update this information here.
Fact 3 - ebaY always chooses to lie, cover their back and waffle rather than coming out and telling the truth, whether that truth is that they just don't know what happened or how, or that their system had been compromised in some way (which it evidentially had been in at least some manner - see fact 1). They lie so readily and frequently that it is impossible to believe anything they say.
Fact 4 - evidence of problems with ebaY's system can be seen via the hundreds and thousands of scam listings posted on ebaY every day. Though the furor of reporting about this has fizzled out since the mass of Vladuz reporting earlier this year, the incidence of these listings is an every day occurrence on ebaY.
Since ebaY obviously does not know how deep this problem goes, it is possible that ALL user information on the ebaY site has been breached, so if you have ever used ebaY, and have any sensitive information recorded on the site - such as a credit card or bank account information - you need to monitor your accounts for possible problems. Unfortunately, ebaY is not the only site vulnerable, online or off, so regular checks of your credit card bills and bank accounts should now be a way of life, individuals MUST make this part of their usual routines. The other thing that is abundantly clear in all this, is that ebaY is NOT secure, even if we just consider the user ID email address factor that ebaY is so adamant about in their hiding user IDs from users, but obviously not from scammers, but then ebaY's lack of secure systems has been obvious since we first reported on the activities of Vladuz and the Chinese hackers, 11 months ago.
Assistance with this article needs to be credited to
Doc at EBAY MOTORS SUCKS - this is a good board to check for the day to day hacker listings on ebaY and especially for anything going on at ebaY Motors
The posters on the ebaY Seller Central Discussion Board
The posters on the ebaY AU Discussion Boards
And several ebaY users with the guts to posts User ID lists on and off ebaY, so they were available to all ebaY users despite ebaY's efforts to hide as much information as possible.
Want to assist TAG in continuing its work? Sign up for a voluntary subscription to TAGnotes, and provide support that will keep information coming to your email boxes and the lights on at our websites. To purchase a voluntary subscription, click on the button that follows.
This first image shows the ebaY Trust and Safety discussion board thread list, with a detail of the thread listings.
The next image is the actual thread page you saw when clicking on the thread link from the previous image. We have masked parts of the info to protect the innocent.
Note the Vladuz signature on the bottom line
For more screen shots of the pages, please go to
TAG CHAT
After around 90 minutes of exposure, ebaY shut down the Trust and Safety board, occurring at around 7:15 AM, after trying to remove the thread posts at a time (the hacker was faster at posting than ebaY was at removing). One poster on the board discussing this incident, who saw the information, ran one of the credit card numbers posted through his merchant account verification, and it came back correct. Other posters said the CC info was not correct. Board posters got screenshots and compiled a list of user IDs so folks could check to see if their user ID was posted. When one board poster put the list on her ebaY Me page, ebaY removed the page and gave her a pink slap (an official violation notice with the threat of suspension).
We have a list of the IDs we have compiled from some of the screen shots we had access to and those lists posted by other folks on various boards (including ebaY's) around the net. You can view the list we compiled at this link. This list is NOT complete as it is believed there were over 1500 user IDs posted.
Compromised ID List
The first ebaY responses were posted on their discussion boards, and then removed, and were an obvious effort to cover themselves . Xavier's posts were removed soon after they were posted.
xman@ebay.com View Listings | Report 26-09-07 00:31 EST 58 of 61
Hi all, we're looking into why this happened however I've confirmed with the US teams that the credit card information was indeed false for all the accounts.
Looks like it only affected that 1 US Board but the engineers are diligently working to ensure this won't ever happen again.
Xavier
The eBay Team
-------------------
xman@ebay.com View Listings | Report 26-09-07 00:47 EST 82 of 88
The site wasn't actually hacked... it was a server issue where the system displayed the poster's information rather than the post itself. Being that the credit card information was on a different server, that info came up incorrect. It was not some hacker sitting there entering in someone's information and using a card generator.
Xavier
The eBay Team
---------------
Trust & Safety forums issue this morning
Posted by eBay Chatter on September 25, 2007 at 02:15 PM in General | Permalink
Some of our readers may have learned of an issue that occurred early this morning on one of our discussion forums. I've been talking with our Account Security and Legal teams, and I'd like to share some more details about this incident.
Very early this morning, a malicious fraudster posted on the Trust & Safety forum on eBay.com posing as approximately 1,200 eBay users. The fraudster made these posts in a way that was intended to appear as though he logged in with their accounts. The posts contained name and contact information, which appears to be valid, and could have been secured as part of an account take over.
The posts ALSO appeared to contain credit card information -- however, these credit cards are not associated with financial information on file for these users at eBay or PayPal. We're in the process of reaching out by phone to these members to, so that if the information is valid somehow -- regardless how this fraudster acquired the information -- these members can take the steps they need to take to protect themselves.
eBay and our forums vendor, LiveWorld, began taking steps to remedy the situation within an hour after it started. As things evolved behind the scenes, a decision was made to make the the Trust & Safety forum unavailable to our Community. It's still temporarily inaccessible, as the teams work on this issue.
I'll update this story later as we have more to share.
----------------
Various ebaY spokespersons also made statements to various press inquiries and calls to them by power sellers etc, that this was a hoax, that the information had been posted by a disgruntled user with access to the API, that the information was not valid, that the credit card numbers were not real and if they were real, they did not come from ebaY's database and were unrelated to info on ebaY. ebaY also said the information was real but had been phished from users off ebaY (this is ebaY's favorite excuse for security breaches even though it has been proven to be false on many occasions). What ebaY did not do (and still has not done) was post anything on the announcement board, informing users of the problem and warning them to watch their accounts and charge cards for possible breaches. Users have reported that ebaY has been making calls to those whose information was posted, to inform them of the breech. This is required by California law, whenever a breach of user information occurs.
With all the rumor, hearsay and damage control going on, there are still some hard facts that need to be looked at:
Fact 1 - Someone had the ability to post on ebaY's boards with the user ID and account of another person. This takes having an ebaY password for the account, or the ability to access and use accounts without passwords. This person was able to post threads at a rate of speed faster than ebaY's ability to remove the threads, leading them to have to shut down the Trust and Safety board completely.
Fact 2 - TAG had access to a small arbitrary sampling of the user account pages posted and checked what information we could against what is available to ebaY and PayPal users, and to those using the internet. Here is what we found:
*The User ID, email address, date registered, if they had a store or not, and feedback numbers registered/shown on ebaY matched 100% of the time
*The PayPal information as to the user having a verified account or not, was correct 83% of the users
*The ebaY ID verified information was correct 83% of the users
* When a reverse lookup online was used on the phone numbers to check name/addresses listed, 33% did not match the name or address, 50% were unlisted so were unavailable to check, and 17% were correct for the info shown
* When an address check was run using the white pages online with the name given, 66% of the information did not match, 17% were correct and 17% were listed as unavailable
We could not check the credit card numbers, and decided these people had probably been harassed enough about this, so we would not call them directly to ask them to verify. But, if you are one of the people whose accounts were posted and your credit card info does match that shown on the ebaY T&S board, and particularly if that information is the information used on ebaY's site, please feel free to contact us and let us know and we will update this information here.
Fact 3 - ebaY always chooses to lie, cover their back and waffle rather than coming out and telling the truth, whether that truth is that they just don't know what happened or how, or that their system had been compromised in some way (which it evidentially had been in at least some manner - see fact 1). They lie so readily and frequently that it is impossible to believe anything they say.
Fact 4 - evidence of problems with ebaY's system can be seen via the hundreds and thousands of scam listings posted on ebaY every day. Though the furor of reporting about this has fizzled out since the mass of Vladuz reporting earlier this year, the incidence of these listings is an every day occurrence on ebaY.
Since ebaY obviously does not know how deep this problem goes, it is possible that ALL user information on the ebaY site has been breached, so if you have ever used ebaY, and have any sensitive information recorded on the site - such as a credit card or bank account information - you need to monitor your accounts for possible problems. Unfortunately, ebaY is not the only site vulnerable, online or off, so regular checks of your credit card bills and bank accounts should now be a way of life, individuals MUST make this part of their usual routines. The other thing that is abundantly clear in all this, is that ebaY is NOT secure, even if we just consider the user ID email address factor that ebaY is so adamant about in their hiding user IDs from users, but obviously not from scammers, but then ebaY's lack of secure systems has been obvious since we first reported on the activities of Vladuz and the Chinese hackers, 11 months ago.
Assistance with this article needs to be credited to
Doc at EBAY MOTORS SUCKS - this is a good board to check for the day to day hacker listings on ebaY and especially for anything going on at ebaY Motors
The posters on the ebaY Seller Central Discussion Board
The posters on the ebaY AU Discussion Boards
And several ebaY users with the guts to posts User ID lists on and off ebaY, so they were available to all ebaY users despite ebaY's efforts to hide as much information as possible.
Want to assist TAG in continuing its work? Sign up for a voluntary subscription to TAGnotes, and provide support that will keep information coming to your email boxes and the lights on at our websites. To purchase a voluntary subscription, click on the button that follows.
Tuesday, July 03, 2007
Consumer Reports Aug 07 on ebaY
CR did a report on ebaY for their August Issue. Though it obviously did not have all the right questions to ask, it did have some interesting results.
Read ebaY Report
HALF (yes that is 50%) of buyers, said they had been "deceived" by the seller in some way, from not as described to outright fraud.
40% (which gives ebaY a positive feedback rating of 60 out of 100%) said ebaY's customer service in providing help was fair (neutral) or poor (negative). Well that DEFINITELY puts ebaY in the suspended category according to their own system - much lower than the lowest 5% on their site! And that was just from buyers - can you imagine what it would have been from sellers?
Read ebaY Report
HALF (yes that is 50%) of buyers, said they had been "deceived" by the seller in some way, from not as described to outright fraud.
40% (which gives ebaY a positive feedback rating of 60 out of 100%) said ebaY's customer service in providing help was fair (neutral) or poor (negative). Well that DEFINITELY puts ebaY in the suspended category according to their own system - much lower than the lowest 5% on their site! And that was just from buyers - can you imagine what it would have been from sellers?
Wednesday, June 27, 2007
New Online Auction & Trading Industry Discussion Board
Join up to freely discuss the industry on our chat/discussion board at www.tagchat-oai.com
ebaY Hypocrisy Reaches New High
In the aftermath of ebaY Live in Boston, ebaY has implemented a plan they feel will improve the "buyer experience" on ebaY. Whilst the general idea behind this plan may not be too faulty - though it IS in contradiction to ebaY's venue only policy in their user agreement - as always, ebaY's implementation is obscene.
What ebaY is doing is suspending some sellers who have complaints from buyers. ebaY is not looking at the complaints to see if they are legitimate, just giving the seller a 7 to 14 day suspension with the threat of permanent suspension if the seller does not go back and fix the problems, and refrain from having further problems. So, if the complaint is from a deadbeat buyer, who did not receive the item because they did not pay for it, this counts against the seller. If the complaint is from a thief who refuses to return the item but still wants a full refund, this counts against the seller. If the complaint is about a flaw in an item, even if the flaw was stated in the description, the complaint still counts against the seller. If the complaint is from a buyer, who tries to use the rating or complaint system to blackmail the seller into selling them something at a ridiculously low price, the complaint still counts against the seller. If the complaint is from a buyer, who wants the seller to do something illegal, such as falsify customs forms, the complaint counts against the seller. This is obscene, and should definitely be investigated as grounds for a class action lawsuit against ebaY, or at the least an investigation from State Attorney Generals.
ebaY says "eBay will consider the circumstances of an alleged policy violation and the user's trading record before taking action." and "If a complaint can't be proven with certainty, eBay may take no action." Both statements are lies, as ebaY does no investigating and ignores emails from sellers trying to explain the situation. ebaY also says, "Further, sellers are expected to perform in a manner that results in a consistently high level of buyer satisfaction. If a seller's interactions with the eBay Community create unacceptable levels of buyer dissatisfaction, that seller has violated this policy." As with many ebaY policies (written and unwritten) what is considered an acceptable level is kept a double super secret, because the knowledge might lead to seller abuse of the system (huh?). In truth the reason ebaY keeps such information secret is so that there is no one standard everyone has to follow, but ebaY can assign an arbitrary figure to suit their needs. As always, there is noone at ebaY the seller can contact to get such issues resolved. ebaY ignores emails, sends canned automated answers, and as usual, slams the door in the seller's face, even if ebaY is completely wrong in their action.
There are many many large sellers, whose accounts far exceed these arbitrary negative ratings, yet those accounts remain active and untouched by ebaY. The sellers we have been hearing from report that they are told they are in the "lowest 2% of buyer satisfaction" or have a 5% negative rating in the last X number of days (with X also varying to fit ebaY's needs).
Of course the ultimate hypocrisy lies in ebaY's satisfaction rating from their customers, the sellers. TAG wagers that ebaY's rating would be lucky to exceed 50% satisfaction, and definitely would not be close to 95% satisfactory. ebaY should shut itself down, based on its own standard, but then hypocrisy and lies are what ebaY, the company, is all about.
What ebaY is doing is suspending some sellers who have complaints from buyers. ebaY is not looking at the complaints to see if they are legitimate, just giving the seller a 7 to 14 day suspension with the threat of permanent suspension if the seller does not go back and fix the problems, and refrain from having further problems. So, if the complaint is from a deadbeat buyer, who did not receive the item because they did not pay for it, this counts against the seller. If the complaint is from a thief who refuses to return the item but still wants a full refund, this counts against the seller. If the complaint is about a flaw in an item, even if the flaw was stated in the description, the complaint still counts against the seller. If the complaint is from a buyer, who tries to use the rating or complaint system to blackmail the seller into selling them something at a ridiculously low price, the complaint still counts against the seller. If the complaint is from a buyer, who wants the seller to do something illegal, such as falsify customs forms, the complaint counts against the seller. This is obscene, and should definitely be investigated as grounds for a class action lawsuit against ebaY, or at the least an investigation from State Attorney Generals.
ebaY says "eBay will consider the circumstances of an alleged policy violation and the user's trading record before taking action." and "If a complaint can't be proven with certainty, eBay may take no action." Both statements are lies, as ebaY does no investigating and ignores emails from sellers trying to explain the situation. ebaY also says, "Further, sellers are expected to perform in a manner that results in a consistently high level of buyer satisfaction. If a seller's interactions with the eBay Community create unacceptable levels of buyer dissatisfaction, that seller has violated this policy." As with many ebaY policies (written and unwritten) what is considered an acceptable level is kept a double super secret, because the knowledge might lead to seller abuse of the system (huh?). In truth the reason ebaY keeps such information secret is so that there is no one standard everyone has to follow, but ebaY can assign an arbitrary figure to suit their needs. As always, there is noone at ebaY the seller can contact to get such issues resolved. ebaY ignores emails, sends canned automated answers, and as usual, slams the door in the seller's face, even if ebaY is completely wrong in their action.
There are many many large sellers, whose accounts far exceed these arbitrary negative ratings, yet those accounts remain active and untouched by ebaY. The sellers we have been hearing from report that they are told they are in the "lowest 2% of buyer satisfaction" or have a 5% negative rating in the last X number of days (with X also varying to fit ebaY's needs).
Of course the ultimate hypocrisy lies in ebaY's satisfaction rating from their customers, the sellers. TAG wagers that ebaY's rating would be lucky to exceed 50% satisfaction, and definitely would not be close to 95% satisfactory. ebaY should shut itself down, based on its own standard, but then hypocrisy and lies are what ebaY, the company, is all about.
Thursday, March 15, 2007
Is ebaY Holding the Smoking Gun?
The Preponderence of the Facts Show That ebaY is Holding The Smoking Gun
14 March 2007
It must be pretty obvious to our readers that TAG has been convinced for quite a while that ebaY is lying when they say Vladuz - and by extrapolation the Chinese hijacker/counterfeiters - has no access to ebaY other than through the phishing that takes place off ebaY. Only ebaY knows the whole truth, and all TAG, being on the outside can do, is use our 10 year intimate knowledge of ebaY and theorize on what we can observe. ebaY says that their site is secure and that no one has accessed their back end, as TAG has theorized. They told TAG that it is a FACT that no one has direct access to ebaY,
" We can hopefully address your 'concerns about the Vladuz problem' with the facts below."
" There is no way of gaining access to our internal networks without a securid token issued by IT."
"At no point did he have access to our corporate networks, tools, financial databases, or desktops, and at no point was any user information exposed."
"No one can access a user account without a password"
We already know, for a FACT (a real one not an ebaY corprobabblespeak one) that the following fact is a lie,
" Some messages were published on a community board on the eBay.de (Germany) web site by a person who gained access to a small number of employee email accounts."
since Vladuz posted on the boards today, using ebaY employee accounts, for the fourth time since he was shut out of that "small number of employee email accounts." Can there be so many gullible ebaY employees falling for phishing scams, and doing so whilst this massive attack against the ebaY site is going on?
What is most interesting about today's postings however, is that the account hijacks appear to have finally provided the smoking gun, with ebaY's fingerprints on it. Possibly irrefutable proof that ebaY is lying, that their site has been compromised, and that the back door is wide open.
Today, one of the accounts Vladuz, under the User ID Vladuz-Unleashed, used, is an account for an ebaY employee, kelbel@ebay.com
kelbel@ebay.com has what appears to be a test ebaY shop
Though kelbel@ebay.com has only one (1) feedback from another ebaY employee, kelbel has a power seller logo.
It is fairly obvious that kelbel@ebay.com is not a real person, but an account created by ebaY to run whatever various tests and experiments they feel they need. ebaY has lots of things they test, so this is just another one of them. BUT, if there is no real person named kelbel@ebay.com HOW did that non-existent person fall for a phishing scheme that allowed "his" information to be added to a phishing database? And if the account was hijacked without such access, then ebaY is lying about all of their alleged facts, and about phishing being the road to access to all these hijacked accounts, ebaY's and everyone else's.
At what point does ebaY's lies become criminal activity? At what point do they become liable for what is going on? They might already be violating the California law that requires them to contact California account holders when their ebaY accounts are compromised through access to ebaY's servers. What other laws are they breaking? Customer trust is eroding fast; will stockholder trust be far behind?
14 March 2007
It must be pretty obvious to our readers that TAG has been convinced for quite a while that ebaY is lying when they say Vladuz - and by extrapolation the Chinese hijacker/counterfeiters - has no access to ebaY other than through the phishing that takes place off ebaY. Only ebaY knows the whole truth, and all TAG, being on the outside can do, is use our 10 year intimate knowledge of ebaY and theorize on what we can observe. ebaY says that their site is secure and that no one has accessed their back end, as TAG has theorized. They told TAG that it is a FACT that no one has direct access to ebaY,
" We can hopefully address your 'concerns about the Vladuz problem' with the facts below."
" There is no way of gaining access to our internal networks without a securid token issued by IT."
"At no point did he have access to our corporate networks, tools, financial databases, or desktops, and at no point was any user information exposed."
"No one can access a user account without a password"
We already know, for a FACT (a real one not an ebaY corprobabblespeak one) that the following fact is a lie,
" Some messages were published on a community board on the eBay.de (Germany) web site by a person who gained access to a small number of employee email accounts."
since Vladuz posted on the boards today, using ebaY employee accounts, for the fourth time since he was shut out of that "small number of employee email accounts." Can there be so many gullible ebaY employees falling for phishing scams, and doing so whilst this massive attack against the ebaY site is going on?
What is most interesting about today's postings however, is that the account hijacks appear to have finally provided the smoking gun, with ebaY's fingerprints on it. Possibly irrefutable proof that ebaY is lying, that their site has been compromised, and that the back door is wide open.
Today, one of the accounts Vladuz, under the User ID Vladuz-Unleashed, used, is an account for an ebaY employee, kelbel@ebay.com
kelbel@ebay.com has what appears to be a test ebaY shop
Though kelbel@ebay.com has only one (1) feedback from another ebaY employee, kelbel has a power seller logo.
It is fairly obvious that kelbel@ebay.com is not a real person, but an account created by ebaY to run whatever various tests and experiments they feel they need. ebaY has lots of things they test, so this is just another one of them. BUT, if there is no real person named kelbel@ebay.com HOW did that non-existent person fall for a phishing scheme that allowed "his" information to be added to a phishing database? And if the account was hijacked without such access, then ebaY is lying about all of their alleged facts, and about phishing being the road to access to all these hijacked accounts, ebaY's and everyone else's.
At what point does ebaY's lies become criminal activity? At what point do they become liable for what is going on? They might already be violating the California law that requires them to contact California account holders when their ebaY accounts are compromised through access to ebaY's servers. What other laws are they breaking? Customer trust is eroding fast; will stockholder trust be far behind?
Subscribe to:
Posts (Atom)
