March 25, 2002 4:20 PM PST
Hackers find new way to bilk eBay users
Using Geary's user ID, the person set up an auction for an Intel Pentium computer chip. Not only that, but the person changed Geary's password so she could no longer access her own account--or cancel the bogus auction.
Geary, who discovered the auction Friday, was able to convince eBay to pull down the auction over the weekend, but not before suffering through a stressful day of worrying about how the auction would affect her legitimate listings.
"I felt totally violated. I was shaking," Geary said. "It's appalling the ease at which they totally took over my account."
Geary is only the latest victim of an increasingly popular scam on eBay. Since January, the company has received a growing number of complaints from people such as Geary who say their accounts have been taken over and used to set up fraudulent auctions. The scam artists make a quick buck, then leave the legitimate eBay users to deal with the furor from bilked bidders.
Although the company has thus far seen only a relatively small number of cases--numbering in the "low triple digits"--the new scam is a "concern" for eBay, company spokesman Kevin Pursglove said.
"Even if it happened to just one user, that user had a fairly bad user experience," Pursglove said. "We need to find ways of preventing it."
Security experts say eBay needs to work fast to find a fix, because this combination of hacking and identity theft is the wave of the future.
"We work with the people at eBay. They know they have a real problem," said Lee Curtis, managing director of high-tech investigations at Kroll, which specializes in security. "If they lose the confidence of their customer base, they're out of business."
The percentage of auctions that end in a confirmed case of fraud on eBay is less than one one-hundredth of 1 percent, the San Jose, Calif.-based company said. But the problem has been a persistent thorn in the side of the company and of the online auction industry as a whole.
Last year, consumers reported some 20,000 fraud complaints concerning online auctions to the Federal Trade Commission, second only to complaints about identity theft. Some complaints involved sellers who simply never sent the goods they auctioned.
Other complaints have involved more elaborate schemes, such as the sale of a fake Richard Diebenkorn painting on eBay in 2000.
But the latest attempts to defraud bidders seem to be using more sophisticated methods. Instead of establishing their own accounts on eBay, many scam artists are using a so-called dictionary attack to break into reputable sellers' accounts. A time-tested technique, a dictionary attack involves an automated program, or "bot," that tries to find a password for a known user ID by drawing on a list of common passwords and a dictionary of words.
Once they have access to the seller's account, the scam artists use the legitimate seller's reputation to draw bids on their fraudulent auctions.
Atlantic City, N.J., resident Kevin Jarrett had his account broken into last week. The person who broke into it listed four auctions for digital cameras and changed the password for Jarrett's account on eBay. Jarrett also received an e-mail, ostensibly from eBay, saying that his user ID had been changed on Billpoint, eBay's proprietary payment service.
Jarrett, who found out about the auctions when he received an e-mail from a bidder on one of the bogus auctions, was able to minimize the damage by getting eBay to shut down the auctions before they ended. He's also canceled a checking account and credit card that were linked to his Billpoint account.
Jarrett said it was likely his status as a trusted eBay seller that attracted hackers to his account. "It never occurred to me that 142 feedback points on eBay is a very valuable item," he said. "It means that you're trusted."
Feedback points allow members to judge the trustworthiness of other members. In addition to providing written comments about members, eBay assigns a feedback rating based on the number of positive comments a member has received minus the number of negative comments.
The usual way of preventing a dictionary attack is for a Web site to lock an account after there have been several incorrect password entries. Typically, Web sites require customers whose accounts are locked to call their customer service departments and verify their right to access the account by giving information such as their social security number or mother's maiden name.
While eBay is exploring the possibility of locking accounts after repeated failed log-in attempts, it doesn't do so currently, Pursglove said. eBay is worried that unscrupulous bidders might try to sabotage their competitors by locking out their accounts or that legitimate users may find themselves unable to log in after an attempted dictionary attack, he said.
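The two preceding paragraphs describe the standard lockout defense against a dictionary attack and eBay's worry that it lets a saboteur lock out a competitor or leaves the real owner locked out. The following is an added example, not eBay's code or anything the article describes: a sliding-window tracker that counts failures both per account and per source address, blocking a noisy source before it can trip the account lock, while guesses spread across many addresses still lock the account. The thresholds, the account and address names, and the event streams are all constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW, SOURCE_LIMIT, ACCOUNT_LIMIT = 300, 5, 8  # constructed thresholds: seconds, fails/source, fails/account

class LoginGuard:
    """Sliding-window failed-login tracker keyed by account and by source address."""
    def __init__(self, window=WINDOW, source_limit=SOURCE_LIMIT, account_limit=ACCOUNT_LIMIT):
        self.window, self.source_limit, self.account_limit = window, source_limit, account_limit
        self.account_fail = defaultdict(deque)  # user -> failure timestamps
        self.source_fail = defaultdict(deque)   # source -> failure timestamps
        self.locked_accounts, self.blocked_sources = set(), set()

    def _record(self, dq, now):
        while dq and now - dq[0] > self.window:  # forget failures older than the window
            dq.popleft()
        dq.append(now)
        return len(dq)

    def attempt(self, now, user, source, ok):
        """Return 'allow', 'source_blocked' or 'account_locked' for one login attempt."""
        if source in self.blocked_sources:
            return "source_blocked"
        if user in self.locked_accounts:
            return "account_locked"
        if ok:
            self.account_fail[user].clear()  # a genuine login resets the account's count
            return "allow"
        # Source first: one address guessing at one account is cut off before the
        # account is locked, so a saboteur cannot lock a competitor out this way.
        if self._record(self.source_fail[source], now) >= self.source_limit:
            self.blocked_sources.add(source)
            return "source_blocked"
        # Guesses spread across many addresses still lock the account; this is the
        # case in which the legitimate owner is locked out as well.
        if self._record(self.account_fail[user], now) >= self.account_limit:
            self.locked_accounts.add(user)
            return "account_locked"
        return "allow"

def replay(events):
    """Run a chronological list of (time, user, source, ok) events through one guard."""
    guard = LoginGuard()
    return [guard.attempt(*event) for event in events]

# Constructed samples: a bot guessing from one address, then the owner logging in from hers;
# and the same number of guesses spread over eight addresses, then the owner.
SINGLE_SOURCE = [(t, "seller_a", "10.0.0.9", False) for t in range(7)] + [(10, "seller_a", "192.0.2.10", True)]
SPREAD = [(t, "seller_b", f"10.0.1.{t}", False) for t in range(8)] + [(10, "seller_b", "192.0.2.11", True)]
```

Replaying SINGLE_SOURCE blocks the guessing address after five failures and still admits the owner; replaying SPREAD locks the account on the eighth failure and turns the owner away too, which is exactly the trade-off the article raises.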
"It's one of the proposals that we're considering," he said. "We're trying to figure out a way that we can adopt it without disclosing how the process works."
In the meantime, the company is recommending that customers check their accounts frequently and change their passwords to ones that are more difficult to guess. The company is also recommending that bidders check sellers' selling history to look for anything anomalous such as a sudden upswing in listings.
Jarrett, an information technology consultant, said he was probably too lax about his passwords, using ones that were too easy to guess. But he said that eBay needs to do a better job of protecting accounts.
"I find this vulnerability to be unacceptable," he said. "As a paying customer, I have the expectation that my information will be held securely."
eBay's reluctance to put in place a lockout system may have more to do with a desire to save money on customer service than anything else, said Rosalinda Baldwin, editor of The Auction Guild, a newsletter covering the online auction industry. If the company put in place a lockout system, it would have to provide people with instant customer support over the telephone so they could unlock their accounts. Currently, eBay doesn't list a customer support phone number on its site, instead directing all inquiries to e-mail or to lists of frequently asked questions.
Locking out accounts "would make sense," Baldwin said. "But they would have to hire some people to man a phone 24-7. That's not what they want to use our dollars for."
That eBay is not taking a more active role in protecting customer accounts by implementing a lockout system indicates that the company is putting business concerns ahead of security concerns, said Richard Power, editorial director of the Computer Security Institute. The problem is that e-commerce has never fully dealt with security issues, and those issues are likely to become more acute in the near future, Power said. Criminal gangs and organized crime, for instance, are only now getting up to speed on the Internet and could prove a tough challenge to vulnerable e-commerce sites, he said.
"I think eBay's foolish," Power said. "The thing that holds back people from buying on the Internet more than anything is insecurity."