March 8, 2007 11:06 AM PST

eBay CEO: Phishers threaten user trust

WASHINGTON--eBay chief Meg Whitman said on Thursday that phishers pose one of the biggest threats to the customer trust that has sustained the auction giant.

Speaking at the Visa Security Summit here, Whitman said her company has been developing fraud models aimed at detecting unauthorized account access and hires experts around the globe to help law enforcement find criminals. But she said additional safeguards and educational campaigns are necessary to prevent consumers from falling prey to phony requests for their sensitive information--or simply getting annoyed and canceling their eBay accounts.

Meg Whitman Meg Whitman

"We...need to plug the holes in the system and make it next to impossible for fraudsters to reach our users," she said. "We need to make this so hard for the bad guys that ultimately they determine it's not worth their time to reach our customers anymore."

According to security researcher Michael Sutton, eBay and Paypal are the two most common brands targeted by phishers--together accounting for more than half of all phishing activity.

Whitman outlined three major steps that her company is taking to prevent users from succumbing to the phony e-mails and Web sites.

To start, eBay and its alternative payment subsidiary Paypal have worked with Microsoft to develop a blacklist of fake sites that look and feel like those companies' products but are actually used to glean personal information for illicit purposes. Microsoft's Internet Explorer 7 is capable of filtering out those and other phishing sites, Whitman said. She urged other browsers to follow suit.

eBay and Paypal are also currently signing all of their e-mails with "domain key signing," which Whitman described as "the equivalent of putting a signature in the form of encryption on each legitimate e-mail that leaves our system." She said the firms are urging major e-mail and Internet service providers to allow only those e-mails containing that unique signature to pass through their systems.

Finally, Whitman pointed to the recent availability of a Paypal key fob that generates a unique security code, to be used in combination with the user's password, every 30 seconds.

The eBay chief, who took the CEO helm in 1998, began her speech by reflecting on the days when auction buyers still paid for their purchases primarily via check, money order or even cash sent through postal mail.

"Can you imagine running your Internet business today and relying completely on paper money or checks?" she said to the crowd.

When Whitman joined the company, 8 percent of its merchandise consisted of Beanie Baby collectible toys, but it is now selling diamond rings every three minutes, cars every minute, and digital cameras every 30 seconds, she said. By the end of 2006, the site had 222 million registered users.

The success of big-ticket item sales rides on customer trust built through eBay's combination of user feedback tools and cooperation with major credit card issuers, Whitman said.

"We wouldn't have a $6 billion business today if we had not been able to work trust into that system," she said. "I know from my own experience at eBay that building and maintaining trust with customers is much easier than trying to get it back once it's lost."

CNET News.com's Joris Evers contributed to this report.

See more CNET content tagged:
Meg Whitman, PayPal, phishing, eBay Inc., CEO

21 comments

Join the conversation!
Add your comment
Other concerns
See readers' discussion on <a class="jive-link-external" href="http://redtape.msnbc.com/2007/03/how_far_has_vla.html" target="_newWindow">http://redtape.msnbc.com/2007/03/how_far_has_vla.html</a> about what appears to be bigger problem of ebay.
Posted by alegr (1590 comments )
Reply Link Flag
Other concerns
See readers' discussion on <a class="jive-link-external" href="http://redtape.msnbc.com/2007/03/how_far_has_vla.html" target="_newWindow">http://redtape.msnbc.com/2007/03/how_far_has_vla.html</a> about what appears to be bigger problem of ebay.
Posted by alegr (1590 comments )
Reply Link Flag
Use common sense
All people have to do it read ebays and paypal scam faqs and they will easily find out that all they have to do is forward a copy of the email to either company.

Both ebay and Paypal will never tell you that they are going to close you account unless you use it. I have left my ebay account inactive for months(almost a year) at a time, thus same for my paypal account.

Just remember to use common logic when reading emails, and usually if its in the junk folder it is there for a reason.
Posted by rsawyer_01 (2 comments )
Reply Link Flag
Use common sense
All people have to do it read ebays and paypal scam faqs and they will easily find out that all they have to do is forward a copy of the email to either company.

Both ebay and Paypal will never tell you that they are going to close you account unless you use it. I have left my ebay account inactive for months(almost a year) at a time, thus same for my paypal account.

Just remember to use common logic when reading emails, and usually if its in the junk folder it is there for a reason.
Posted by rsawyer_01 (2 comments )
Reply Link Flag
Interesting attempt at Phishing
I recently received an email purportly from PayPal that appeared to be an invoice for a transaction I never made. It was an excellent copy of the type of email you get from PayPal when you make a purchase through them. Of course, it provided a link to click to dispute the charge because surely this must be some kind of "mistake". If I had followed that link, I would undoubtedly have had to submit my password to "log in" to my account. I forwarded it to PayPal instead who confirmed it was a phish. It was very plausible and I imagine someone could be easily fooled.
Posted by skh1 (2 comments )
Reply Link Flag
Check the properties on the link
If you have any suspicions about an email, right click on any links and view the properties. Phishing attacks will generally have a convincing sounding link, but the underlying url won't match (it usually would point to a yahoo or other free account). This is always a dead giveaway. Sometimes they get smart and will mix in real urls with fake so if you only check one you get a false sense of security. I advise checking the actual address of any link before clicking into it.
Posted by pmarshall (43 comments )
Link Flag
Interesting attempt at Phishing
I recently received an email purportly from PayPal that appeared to be an invoice for a transaction I never made. It was an excellent copy of the type of email you get from PayPal when you make a purchase through them. Of course, it provided a link to click to dispute the charge because surely this must be some kind of "mistake". If I had followed that link, I would undoubtedly have had to submit my password to "log in" to my account. I forwarded it to PayPal instead who confirmed it was a phish. It was very plausible and I imagine someone could be easily fooled.
Posted by skh1 (2 comments )
Reply Link Flag
Check the properties on the link
If you have any suspicions about an email, right click on any links and view the properties. Phishing attacks will generally have a convincing sounding link, but the underlying url won't match (it usually would point to a yahoo or other free account). This is always a dead giveaway. Sometimes they get smart and will mix in real urls with fake so if you only check one you get a false sense of security. I advise checking the actual address of any link before clicking into it.
Posted by pmarshall (43 comments )
Link Flag
I think not
Ebay dont really give a toss about security and user safety as long as it isnt affecting their profits.

They cant even stop spam being sent over their own system for christ's sake, the excuses I have had from them are completely pitiful.

The easiest way to stop all the conning that goes on on that pathetic auction site is for them to check every listing, as it is listed.

Even if you ask them to remove items because they violate their terms they take days to remove them.

Ebay need to learn, and fast.
Posted by hunkyboi69 (47 comments )
Reply Link Flag
I think not
Ebay dont really give a toss about security and user safety as long as it isnt affecting their profits.

They cant even stop spam being sent over their own system for christ's sake, the excuses I have had from them are completely pitiful.

The easiest way to stop all the conning that goes on on that pathetic auction site is for them to check every listing, as it is listed.

Even if you ask them to remove items because they violate their terms they take days to remove them.

Ebay need to learn, and fast.
Posted by hunkyboi69 (47 comments )
Reply Link Flag
eBay is the Worst site on the Internet at stopping Phishers!
Ebay and PayPal are the worst at stopping Phishers. The phisher email I get from these site's is scary. The information that they have and the timely nature of the emails is very sophisticated. Just 2 weeks ago I order tickets on Ebay. My first Ebay transaction is over 6 months. Two days latter the phishers started again! They new my transaction date!
This article should be: this is the most unsuccessful implementation of anti-phishing on the internet. It's only attempt is to counter a class action lawsuit by showing a small effort on there part.
Posted by 99BlueGT (2 comments )
Reply Link Flag
eBay is the Worst site on the Internet at stopping Phishers!
Ebay and PayPal are the worst at stopping Phishers. The phisher email I get from these site's is scary. The information that they have and the timely nature of the emails is very sophisticated. Just 2 weeks ago I order tickets on Ebay. My first Ebay transaction is over 6 months. Two days latter the phishers started again! They new my transaction date!
This article should be: this is the most unsuccessful implementation of anti-phishing on the internet. It's only attempt is to counter a class action lawsuit by showing a small effort on there part.
Posted by 99BlueGT (2 comments )
Reply Link Flag
The assault continues on Ebay
Check out these links. After you view them you will never do business on ebay, unless you like being scammed.

<a class="jive-link-external" href="http://www.ebaymotorssucks.com/index1.htm" target="_newWindow">http://www.ebaymotorssucks.com/index1.htm</a>

<a class="jive-link-external" href="http://www.medved.net/cgi-bin/cal.exe?EIND" target="_newWindow">http://www.medved.net/cgi-bin/cal.exe?EIND</a>
Posted by lonewolf1234 (4 comments )
Reply Link Flag
The assault continues on Ebay
Check out these links. After you view them you will never do business on ebay, unless you like being scammed.

<a class="jive-link-external" href="http://www.ebaymotorssucks.com/index1.htm" target="_newWindow">http://www.ebaymotorssucks.com/index1.htm</a>

<a class="jive-link-external" href="http://www.medved.net/cgi-bin/cal.exe?EIND" target="_newWindow">http://www.medved.net/cgi-bin/cal.exe?EIND</a>
Posted by lonewolf1234 (4 comments )
Reply Link Flag
Focus on Real, forget about fake
I see a lot of user complaints about Ebay here, but not much indication that those complaining are taking precautions to protect themselves. After all, it's only their money. If users would bookmark (add to favorites) the REAL sites where they conduct financial transactions, and ONLY used the bookmark (favorite) to access those web sites, they wouldn't have to worry about going to a fake web site and would not get phished. Users should never access a site where their money is at risk by clicking on anything but the bookmark (favorite). Stop clicking links in email, on unknown web sites and in instant messengers to access your bank, Ebay or Paypal. Use the bookmark and navigate within the site to do your business. If you don't know the real URL for Ebay get a verification (anti-phishing) tool like the one from SiteAdvisor.com, and do some homework to be sure you have the real site, then bookmark it. Pick up the phone and call if necessary. Then bookmark the site. And don't forget to change the default password on your router so you don't get pharmed.
If you go to the legitimate site you won't get phished. Ebay and the banks should be giving this advice to their customers, and tell their users to focus on REAL, not worry about Fake.
Posted by howiem (16 comments )
Reply Link Flag
Focus on Real, forget about fake
I see a lot of user complaints about Ebay here, but not much indication that those complaining are taking precautions to protect themselves. After all, it's only their money. If users would bookmark (add to favorites) the REAL sites where they conduct financial transactions, and ONLY used the bookmark (favorite) to access those web sites, they wouldn't have to worry about going to a fake web site and would not get phished. Users should never access a site where their money is at risk by clicking on anything but the bookmark (favorite). Stop clicking links in email, on unknown web sites and in instant messengers to access your bank, Ebay or Paypal. Use the bookmark and navigate within the site to do your business. If you don't know the real URL for Ebay get a verification (anti-phishing) tool like the one from SiteAdvisor.com, and do some homework to be sure you have the real site, then bookmark it. Pick up the phone and call if necessary. Then bookmark the site. And don't forget to change the default password on your router so you don't get pharmed.
If you go to the legitimate site you won't get phished. Ebay and the banks should be giving this advice to their customers, and tell their users to focus on REAL, not worry about Fake.
Posted by howiem (16 comments )
Reply Link Flag
Duhhh... another lame excuse for an article...
Tell the public something they don't know... reporting the known isn's news!!!

FWIW
Posted by wbenton (522 comments )
Reply Link Flag
Duhhh... another lame excuse for an article...
Tell the public something they don't know... reporting the known isn's news!!!

FWIW
Posted by wbenton (522 comments )
Reply Link Flag
Ebay Has Become A Swamp of Scammers
If you try to sell a high-ticket item, you will have to negotiate a swamp of phishers, scammers and assorted lowlife. I've been a member for years and it has gotten ridiculous. There is nothing you can do to prevent a scammer from winning your auction using a stolen identity. Do not send any merchandise until payment is received by your bank.
Posted by jwall (2 comments )
Reply Link Flag
Ebay Has Become A Swamp of Scammers
If you try to sell a high-ticket item, you will have to negotiate a swamp of phishers, scammers and assorted lowlife. I've been a member for years and it has gotten ridiculous. There is nothing you can do to prevent a scammer from winning your auction using a stolen identity. Do not send any merchandise until payment is received by your bank.
Posted by jwall (2 comments )
Reply Link Flag
has anyone tried to get in touch ,with the ***** at ebay and paypal? fair enoghe there nice as apple pie when you get thru, but i,ve found a lot of crooks liars and ass es on ebay,eg.,i bid on 2 items the first said 2 quid post the 2nd said see details,just 2 coins only small,i won bid ,6 quid ,i asked crook to combine post ,no he /she said i said how much is postage $8 i said get stuffed ,7 days later after i,de bought simalar items,he reduced post costs and said you can buy them now?get stuffed i said and i quite rightly refused to buy them,i think i,m right ,its a buyers market, i also think a judge would agree,so my next place of call is the small claims court ,to lodge a claim for defamation of character ? this is anyones choice, anyones choice?armed and telling ebay,now their reconsidering my choice not to pay,ebay have reveiwed ,this and said that they will remove the strikes in about 24 hours,lets hope they keep their promises,if you,ve a bad experience contact me at lezlow.ubuntu@hushmail.com or lezlow@hackersclub.net,thanks for listening
Posted by lezlow (9 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.