An Ebay Question? (1 Viewer)

[alan halvorson]

Tonight one of our local tv stations ran a short segment that claimed that Ebay may not be as safe as you would hope. Apparently, they found some guy whose account was hijacked and had over thirty auctions running under his id that weren't his (he said he had none currently). Somehow - not explained how - this guys password was stolen.

I have heard of Ebay accounts being hijacked because a security hole in Ebay's implementation allowed it. How is this done? Can it be prevented? Until recently, Ebay allowed a user to log into his account using either the accounts e-mail address or Ebay id, but now only the Ebay id may be used. An e-mail I received said this change was made to make Ebay more secure. Could this change have been instituted to help prevent account hijacking?

I have never had any problems. For my part, I never use a link within an e-mail to log onto any site - I'm guessing this guy did just that, and it led him to a bogus site where they harvested his password, all without him realizing it.

Comments?

 

[Chris Lockwood]

> For my part, I never use a link within an e-mail to log onto any site - I'm guessing this guy did just that, and it led him to a bogus site where they harvested his password, all without him realizing it.

Yeah, or maybe people used easily-guessed passwords, or somebody hacked in to where the passwords were stored.

 

[Devin U]

One of he ways people are doing it is a fake email. You get a offical looking email from ebay asking you to confirm your username and password. They then change the password and email address to theirs. If you get this kind of email, report it to ebay.

 

[DaveGTP]

I got one of the faked emails from Paypal just 2 weeks ago (they bid on one of my auctions). I promptly reported it to Paypal and the userID to Ebay. The email faked a 'you got cash' email. The 'click here to see details of this transaction' link was actually a link to reset the sender's Paypal account - it would just say "Enter password to proceed" and then would ask for your email address to send your password to. The scam was easily caught by me, but I was afraid he would get someone else. I called Paypal to report, but they just tried to walk me through the webform to file a complaint. I also dug up Ebay's phone # and called to alert them to the scam, but they just asked me to file a fraud form. From the mix of positives and negatives in his feedback, (like 7+ and 15-), he probably succeeded at least in getting merchandise from some people.

All I got from paypal was something to the effect of 'That indeed was a fake email. If you put in information, immediately login and change your password. We will look into it". I haven't heard back from either Ebay or Paypal that his account has been canceled.


Edit: I went back and looked up his account. Looks like it has been shut down. He had his feedback set to private so that you can't view the comments. I don't think that Ebay should allow that, frankly.

I think most ebay security problems are created more like that (getting people's passwords through shady tactics).

 

[Danny R]

I think Patrick Sun has had problems with people stealing his ebay account a few times.

 

[Patrick Sun]

Yeah, and it seemed to take around 2 months to clear things up with Ebay. It's quite a nuisance.

 

[alan halvorson]

Patrick: Do you have any idea how your account was hijacked?

 

[Patrick Sun]

Nope. Not at all.

My gut feeling is that some of these creeps have found a backdoor super-user account on Ebay and hack into user accounts with spotless feedback records, and then abuse those users by hijacking their accounts.