November 22, 2002 1:33 PM PST
Identity thieves strike eBay
- Related Stories
Anti-scam tech takes on thievesOctober 4, 2002
Identity theft: Fact and fictionSeptember 18, 2002
Identity theft: Get used to itAugust 27, 2002
Fraud lingers despite eBay effortsJune 28, 2002
Why hackers are a step ahead of the lawMay 14, 2002
eBay security draws scrutinyMarch 28, 2002
Hackers find new way to bilk eBay usersMarch 25, 2002
Net auction fraud gets lawmakers' attentionJune 26, 2001
Read more about identity theft
"Somebody fraudulently used my credit card (Thursday) to buy the domain name that ended in 'ebay,'" said Fraser, a pharmacy technician in Lockport, N.Y., who until midday Thursday was listed as the registrant and administrative contact for the domain. "It's very upsetting to think that someone had my credit card. I don't know if I'm ever going to go on eBay again, because I don't know if it had anything to do with purchasing something there, or what."
While Fraser's credit card number could have been filched anywhere, the fact remains that con artists are using stolen numbers to set up a growing number of increasingly convincing scams intended to part eBay buyers and sellers from their usernames and passwords.
Once a con artist has commandeered an account, the process of defrauding buyers out of potentially tens of thousands of dollars while evading detection becomes that much easier.
While many of the eBay spoof sites are intended just to take over an eBay identity, others appear designed to grab the whole identity kit and caboodle.
One site attempts to glean not only the eBay user's name and password, but the visitor's complete credit card information, billing address, phone numbers, bank account routing number, checking account number, social security number, debit card PIN, mother's maiden name, date of birth, and driver's license number.
One expert in the area of identity theft said that the eBay scams fit a classic mold of identity theft schemes. Other organizations that have dealt with the problem include PayPal, the IRS, America Online, and other Internet service providers, said Linda Foley, executive director of the Identity Theft Resource Center in San Diego.
"It's not just eBay," Foley said. "Nor are people in danger of just having their credit card account taken over. The moment you release your social security number (SSN), you have put yourself in danger of identity theft. The SSN is the golden key."
Con artists often send out scam e-mails that tell recipients someone has tampered with their account or that some unspecified fraud is suspected. The e-mail then tells the recipient to click on a link leading to a site where visitors can enter or change their username and password.
Vexing the issue further is the fact that eBay is sending out its own share of legitimate appeals, urging some people whose accounts have been tampered with to change their passwords. Even savvy users have a hard time telling the difference between scam spam and the real deal.
"They are really getting sophisticated out there," said Ina Steiner, publisher of AuctionBytes.com, a Web site with a pair of auction-focused newsletters. "People that I talk to are experienced Internet and eBay users, and they got fooled."
eBay and other Web auction sites have long been happy hunting grounds for con artists of all types. Some Web auction fraud mirrors the techniques of traditional auction cons, such as the "shill bidding" method by which an auctioneer bids on his or her own auction to inflate the price.
Other Web auction fraud is more specific to the medium, such as the ability of sellers to vanish into the ether once payment is received.
Since February, eBay has seen the identify theft variety flare.
Attacking the problem
Some of these bogus Web sites are easier to discern from others. Thousands of domain names with the word "ebay" have been registered, and Web-savvy scam artists can dress up a Web address to look like it resolves to "ebay.com."
Many of these bogus sites follow the "change-ebay.com" pattern, springing up for a matter of hours or days after being registered with a stolen credit card--just for the purpose of snaring a few unsuspecting users' passwords before shutting down or getting unplugged by a domain name registrar or ISP, eBay representatives say.
Chinks in eBay's armor
Fraud is just one of several major challenges
facing the online auctioneer, Forrester says.
eBay is hardly alone in grappling with username and password theft online. AOL for years has warned its users prominently that company representatives will never ask for an account password.
eBay said it was tackling the problem in a similar way, educating people about what to look for in a potentially fraudulent eBay Web address and urging caution before parting with sensitive data.
"To protect yourself, remember that eBay will never ask you for your private information, such as credit card information or your account password, in an e-mail," eBay warned customers in a recent e-mail alert. "eBay will never send you any request or solicitation from a non-eBay e-mail account or provide a link outside of eBay for entering credit card or other private information."
eBay said that when it discovers a spoofed site, it invokes the Digital Millennium Copyright Act (DMCA) in requesting that the ISP hosting the site take it down.
From there, eBay is less sure of its enforcement strategy.
"To date we have identified three individuals who have admitted creating spoof sites," said eBay spokesman Kevin Pursglove. "We are reviewing our options with regards to the next steps in these cases."
But critics say eBay needs to go further in its fraud prevention efforts, not only by cracking down on criminals and increasing education efforts, but by changing the way it communicates its legitimate alerts.
"I was surprised that eBay linked to a Web site where people can update their information," said AuctionByte.com's Steiner. "I don't think they should do that--they should tell people to go to the site on their own and log in. People really need to know that they should never click on a URL in an e-mail from any vendor, that they should go to the site the way they always do and log on."
Scam artists are taking advantage of eBay's deadline-heavy pace in their schemes, knowing that an eBay user facing a ticking clock is less likely to think twice before handing over a username and password.
"One person was out of town and panicked when he got home and saw e-mail saying his auctions wouldn't be kept live unless he made these changes," Steiner said. "So he went in and gave them all this personal information. If they catch you at the right time, you can be fooled."
Because eBay for the most part obscures its members' e-mail address, questions have arisen about the methods scammers are using to target eBay users.
Some eBay critics blame the recent rash of scams in part on the auction site for inadvertently displaying the e-mail addresses of its users next to their high bids. But the company said the exposure, which happened Nov. 13, probably played a minor part in the crime wave, which began in February.
Though eBay prohibited the use of an e-mail address as a username 18 months ago, "a good number" of people who had such a username prior to that policy change were grandfathered in with the name. Another way the scammers target eBay users, according to the company, is by the sheer volume of easily available spam e-mail lists.
"It's not impossible that some of the people who received these e-mails had their e-mail addresses exposed on the site," Pursglove said. "But to suggest that it opened the floodgates is a bit of a reach."
Victims of fraud on eBay have limited recourse. The company's insurance program will reimburse victims for items worth up to $200, with a $25 deductible. Many credit card companies offer fraud protection for higher amounts, but Pursglove pointed out that most con artists accept only money orders or wire transfers.
When asked why eBay identity theft has become such a vogue this year, Pursglove speculated that the success of the company's general antifraud efforts were driving demand for the comparative safety of a stolen eBay identity.
But Pursglove acknowledged another, less cheerful explanation. Like winter colds and successful software marketing, the identity thievery may be viral.
"Perhaps the word's spreading around to the Internet's darker corners," Pursglove said. "We've had a lot more of it the past four or five months than at the beginning of the year. The scam is out there."
4 commentsJoin the conversation! Add your comment