March 25, 2002 4:20 PM PST

Hackers find new way to bilk eBay users

Someone other than Gloria Geary had access to the Washington artist's eBay account last week.

Using Geary's user ID, the person set up an auction for an Intel Pentium computer chip. Not only that, but the person changed Geary's password so she could no longer access her own account--or cancel the bogus auction.

Geary, who discovered the auction Friday, was able to convince eBay to pull down the auction over the weekend, but not before suffering through a stressful day of worrying about how the auction would affect her legitimate listings.

"I felt totally violated. I was shaking," Geary said. "It's appalling the ease at which they totally took over my account."

Geary is only the latest victim of an increasingly popular scam on eBay. Since January, the company has received a growing number of complaints from people such as Geary who say their accounts have been taken over and used to set up fraudulent auctions. The scam artists make a quick buck, then leave the legitimate eBay users to deal with the furor from bilked bidders.

Although the company has thus far seen only a relatively small number of cases--numbering in the "low triple digits"--the new scam is a "concern" for eBay, company spokesman Kevin Pursglove said.

"Even if it happened to just one user, that user had a fairly bad user experience," Pursglove said. "We need to find ways of preventing it."

Security experts say eBay needs to work fast to find a fix, because this combination of hacking and identity theft is the wave of the future.

"We work with the people at eBay. They know they have a real problem," said Lee Curtis, managing director of high-tech investigations at Kroll, which specializes in security. "If they lose the confidence of their customer base, they're out of business."

The percentage of auctions that end in a confirmed case of fraud on eBay is less than one one-hundredth of 1 percent, the San Jose, Calif.-based company said. But the problem has been a persistent thorn in the side of the company and of the online auction industry as a whole.

Last year, consumers reported some 20,000 fraud complaints concerning online auctions to the Federal Trade Commission, second only to complaints about identity theft. Some complaints involved sellers who simply never sent the goods they auctioned.

Other complaints have involved more elaborate schemes, such as the sale of a fake Richard Diebenkorn painting on eBay in 2000.

But the latest attempts to defraud bidders seem to be using more sophisticated methods. Instead of establishing their own accounts on eBay, many scam artists are using a so-called dictionary attack to break into reputable sellers' accounts. A time-tested technique, a dictionary attack involves an automated program, or "bot," that tries to find a password for a known user ID by drawing on a list of common passwords and a dictionary of words.

Once they have access to the seller's account, the scam artists use the legitimate seller's reputation to draw bids on their fraudulent auctions.

Atlantic City, N.J., resident Kevin Jarrett had his account broken into last week. The person who broke into it listed four auctions for digital cameras and changed the password for Jarrett's account on eBay. Jarrett also received an e-mail, ostensibly from eBay, that his user ID had been changed on Billpoint, eBay's proprietary payment service.

Jarrett, who found out about the auctions when he received an e-mail from a bidder on one of the bogus auctions, was able to minimize the damage by getting eBay to shut down the auctions before they ended. He's also canceled a checking account and credit card that were linked to his Billpoint account.

Jarrett said it was likely his status as a trusted eBay seller that attracted hackers to his account. "It never occurred to me that 142 feedback points on eBay is a very valuable item," he said. "It means that you're trusted."

Feedback points allow members to judge the trustworthiness of other members. In addition to providing written comments about members, eBay assigns a feedback rating based on the number of positive comments a member has received minus the number of negative comments.

Password patrol

The usual way of preventing a dictionary attack is for a Web site to lock an account after there have been several incorrect password entries. Typically, Web sites require customers whose accounts are locked to call their customer service departments and verify their right to access the account by giving information such as their social security number or mother's maiden name.

While eBay is exploring the possibility of locking accounts after repeated failed log-in attempts, it doesn't do so currently, Pursglove said. eBay is worried that unscrupulous bidders might try to sabotage their competitors by locking out their accounts or that legitimate users may find themselves unable to log in after an attempted dictionary attack, he said.

"It's one of the proposals that we're considering," he said. "We're trying to figure out a way that we can adopt it without disclosing how the process works."
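One way to reconcile the two concerns just described (slowing a dictionary attack without handing rivals a permanent lockout) is an escalating, self-expiring delay per account with a hard cap, plus a per-source failure count for detection. The following is an added Python example, not eBay's code or anything from the article; account names, client addresses and the timing are constructed.

```python
from collections import defaultdict


def penalty_after(failures, base=2, cap=900):
    """Delay in seconds after the n-th consecutive failure: doubles each time but is
    capped, so the worst a rival can inflict by guessing wrong is a bounded wait."""
    return min(base * 2 ** (failures - 1), cap)


class LoginThrottle:
    """Per-account escalating delay that expires on its own and resets on success,
    instead of a hard lock that needs a phone call to undo. Time is passed in as an
    integer timestamp so the example is deterministic (constructed, not eBay's logic)."""

    def __init__(self):
        self.failures = defaultdict(int)         # account -> consecutive bad guesses
        self.blocked_until = defaultdict(int)    # account -> earliest next evaluation
        self.source_failures = defaultdict(int)  # client address -> failures, any account

    def delay_for(self, account, now):
        return max(0, self.blocked_until[account] - now)

    def attempt(self, account, source, password_ok, now):
        """Evaluate one login: 'ok', 'denied' (wrong password) or 'throttled'."""
        if now < self.blocked_until[account]:
            self.source_failures[source] += 1    # hammering a throttled account counts too
            return "throttled"
        if password_ok:
            self.failures[account] = 0           # the owner clears the penalty by logging in
            return "ok"
        self.failures[account] += 1
        self.source_failures[source] += 1
        self.blocked_until[account] = now + penalty_after(self.failures[account])
        return "denied"

    def noisy_sources(self, threshold=20):
        """Addresses with many failures site-wide: the footprint a guessing bot leaves."""
        return {s for s, n in self.source_failures.items() if n >= threshold}


def simulate_dictionary_attack(guesses=200):
    """A bot fires one guess per second at one account; count how many are actually
    evaluated, then show the real owner still gets in once the current delay passes."""
    throttle, evaluated = LoginThrottle(), 0
    for t in range(guesses):
        if throttle.attempt("seller", "bot-host", password_ok=False, now=t) == "denied":
            evaluated += 1
    t = guesses + throttle.delay_for("seller", guesses)
    owner = throttle.attempt("seller", "home-dsl", password_ok=True, now=t)
    return evaluated, owner, "bot-host" in throttle.noisy_sources()
```

Of 200 guesses only 7 are ever checked against the password, the owner logs in normally after the current delay, and the guessing host stands out in the per-source count; the cap means a rival entering wrong passwords on purpose can impose at most a 15-minute wait, never a lock that needs customer service to lift.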

In the meantime, the company is recommending that customers check their accounts frequently and change their passwords to ones that are more difficult to guess. The company is also recommending that bidders check sellers' selling history to look for anything anomalous such as a sudden upswing in listings.

Jarrett, an information technology consultant, said he was probably too lax about his passwords, using ones that were too easy to guess. But he said that eBay needs to do a better job of protecting accounts.

"I find this vulnerability to be unacceptable," he said. "As a paying customer, I have the expectation that my information will be held securely."

eBay's reluctance to put in place a lockout system may have more to do with it wanting to save money on customer service than anything else, said Rosalinda Baldwin, editor of The Auction Guild, a newsletter covering the online auction industry. If the company put in place a lockout system, it would have to provide people with instant customer support over the telephone so they could unlock their accounts. Currently, eBay doesn't list a customer support phone number on its site, instead directing all inquiries to e-mail or to lists of frequently asked questions.

Locking out accounts "would make sense," Baldwin said. "But they would have to hire some people to man a phone 24-7. That's not what they want to use our dollars for."

That eBay is not taking a more active role in protecting customer accounts by implementing a lockout system indicates that the company is putting business concerns ahead of security concerns, said Richard Power, editorial director of the Computer Security Institute. The problem is that e-commerce has never fully dealt with security issues, and those issues are likely to become more acute in the near future, Power said. Criminal gangs and organized crime, for instance, are only now getting up to speed on the Internet and could prove a tough challenge to vulnerable e-commerce sites, he said.

"I think eBay's foolish," Power said. "The thing that holds back people from buying on the Internet more than anything is insecurity."


Hacking in Ebay
I recently experienced someone hacking into my ebay account. It appears they were just messing around, but I worry that I may be in for a surprise later. I frequently list multiple items for sale. I check my item every day for bids. Last week, 3 days into a 5 day auction, I noticed pictures running at the bottom of one listing saying "more items from this seller" or something along those lines, and it had pictures of 3 more of my current listings.

I thought ebay must be giving freebies hoping that people would utilize this sales promotion method. This is not cheap. $19.95. Why would I ever ever check the featured item box and pay that much to list an item I would get $10 out of at the most.

It was when I went to relist and looked at the charges I saw the box had been checked. Now, as I said, the message and the items did not appear at the bottom of my listing until 3 days in.

Has anyone heard of this happening to anyone else? I am hoping ebay will credit my account, but I'll tell you, this has really spooked me. I am thinking of changing my log in and password..just hosing that account and getting a new one.

Any insight or info would be appreciated.

Katherine Abboushi

It seems to me that this was a practice run, if you know what I mean
Posted by (1 comment )
hacked off!
My eBay account was just hacked into tonight. It took them no time to completely block me out of my own account.
In a matter of about 15 minutes they posted 8 digital cameras and changed my password. I only knew because I happened to be online when I received the confirmation emails.
I was shocked when I read this story, nearly 2 1/2 years later and absolutely NO improvement in security. I was an avid eBayer (not a power seller by any means) but this is my last eBay experience. Once I get this mess straightened out I am cancelling my account.
Posted by Satchs (1 comment )
Three weeks ago I bid on and won what I thought was an authentic Burberry scarf on Ebay. I received a notification that I had won the auction and also an invoice which was identical to the ones that Ebay sends. I paid via Paypal and a day later was notified by Ebay that the listing had been removed. As far as I was concerned it was water under the bridge. Two weeks later I did receive the scarf I won, a fake Burberry which apparently had come from China with no indication of a return address. I was out over $55.00.
For the last week I have gone back to the Burberry scarf listing on Ebay and found literally hundreds of fraudulent listings for these scarves. I have notified Ebay over and over again and asked them to pull these listings. I've provided them with the users names and the number of these items listed on the sites. Ebay advises they "will investigate." Naturally their investigations take time and these listings for "Buy It Now" expire in 24 hours or less. I have also taken the time to notify the true users of these sites and advise them to check their accounts for fraudulent ads. Some have received the messages, others have not. Unfortunately, I can no longer inform these people as Ebay has informed me that I have hit my limit of messages for the month. Ebay is a huge organization and I have to question why they cannot do something to stop these practices. How many people have to be taken before something is done?
Posted by felinedogs (1 comment )
Hackers on Ebay
I also got 'hacked'. One morning I discovered I was selling, and had sold, Chloe and Burberry handbags. The scam was the PayPal account amended to the scammer's account.

I managed to telephone the buyer and warn her to cancel her payment ASAP - this she did, so luckily the scammers got no money.

It was hard to get hold of ebay support. Emails went unanswered - but I managed to locate a chat site link on ebay that got a response. This link is however only open during working hours. Ebay removed the listings; I changed my password - and the next morning more items were for sale. Now I find my credit card number being used too - the number I registered my account with!

Ebay could not explain what had occurred - especially after I changed my password. They did admit that ANY listing could be a fraudulent one - just like me selling handbags.

Result is I have now closed my account and will never go near ebay again. Zero security; zero customer support. New credit cards also issued.

So my advice - until Ebay provide proper security and immediate customer service - stay clear!
Posted by sapbloke (1 comment )
Tool to find negative, neutral, and withdrawn eBay feedback
You can use this free tool to find negative, neutral, and withdrawn eBay feedback:

Posted by geeeoff (1 comment )
I WAS an ebay member until last week. I bid on an item that was listed on ebay and clicked BUY IT NOW and won the auction. The seller wanted money sent via Western Union in the UK hence the "Western Union Scam" as one of the ebay live help reps called it. Pretty dumb I know, but all information had ebay all over it and it really looked and sounded authentic. So then I find out that this guy stole someone's account. This item cost $4000. As soon as I brought it to ebay's attention they pulled it and when I asked them what they were going to do in the way of reimbursement they told me the sale was made outside of ebay, so I get nothing from them! So if you are a buyer don't automatically think that just because an item is listed on ebay that you have any protection if a seller is fraudulent... Of course this has been reported to the Federal Trade Commission, the F.B.I. and the Attorney General as well as the local police...but the money is gone. I am doing research on this guy who remarkably is listed in the UK white pages with the same address as was given at Western Union..Wish me luck...It is going well at this point
Posted by don weaver (1 comment )
Hi there...I was also scammed by someone in UK asking for Western Union. I only sent $500, but even that was a lot for me. I have his name and we have the same guy?
Posted by ardothree (2 comments )
eBay Fraud
This week I had three of my auctions fraudulently ended by hackers using false or hack ID's and passwords.
eBay has not cured this problem although they have had problems in numerous quantities since January (I have read online).
When will eBay wake up that just a few people have the power to take down a major Company by turning people off who want to sell items on their site.
I am disgusted to find out how long this has been going on without remediation.
thank you.
Posted by ricro1 (3 comments )
Hijacked Ebay account
Last weekend my Ebay acct. was "hijacked". Registration moved to Great Britain, password changed, camera bought (cnx by seller). They also hijacked my Yahoo email (used on ebay) so I cannot access it as well.
I discovered all this Monday 11/26. Sent Ebay 4 messages--I STILL HAVE NOT HEARD A THING. Even set up new acct and then reported "another acct stolen."
Don't know what else to do--cannot find a phone #.
Any suggestions would be appreciated.
Thank you,
Carl Straub
Posted by carlstraub (1 comment )
I think we should list the names of the people who have robbed us. It puts their business out there!!
Posted by ardothree (2 comments )
