EBay's success makes it a huge target on the Internet. Scammers are attracted to eBay like moths to a flame; the problem is that it's the eBay buyers and sellers who wind up burned. While unsuspecting bidders are the main prey of the crooks, sellers are also bilked when their accounts are hijacked and when scammers hack into and clean out PayPal and linked bank accounts. EBay sellers pay an additional price in the general loss of trust in the site as it becomes increasingly perceived as riddled with flim-flam artists, driving away buyers.
It Can Happen to You
Sellers are often the last to know when their accounts have been hijacked, as I discovered. One morning, about a year ago, I received an eBay e-mail inquiring about shipping costs for a John Deere tractor being sent to North Carolina. Since I only sold books on eBay and have never even sat on a tractor, this caught my attention. But I had been selling on eBay for six years without a problem, I never responded to phishing e-mails, and experience taught that occasionally such buyer e-mails went astray on the site's server, so I paid it no mind.
Several days later, the hammer dropped: eBay closed my account, and I was told that a scammer had hacked my password and was piling in high-ticket items under my name. Since it is virtually impossible for anyone but power sellers to talk on the phone with an eBay rep empowered to solve problems (the generic phone reps, the only phone help available to the rest of eBay's members, always steer the caller to live chat or e-mail), the road back involved changing my password and a week-long, multi-e-mail/live-chat process of having several hundred dollars in scammer-generated listing fees reversed.
Common Scams and How They Work
While fraud on eBay comes in many forms, I was victimized by one of the two most prevalent methods: identity hijacking, in which the thief steals the password of an eBay seller with solid feedback, takes over the identity, and lists nonexistent items under the seller's good reputation, with the fees charged to the seller's account, until discovered, at which point the thief vanishes into cyberspace, effectively untraceable.
The other classic and more common scam is when the thief establishes a phony identity on the site, offers goods he or she does not possess, collects money until discovered and pursued, and then vanishes. Scammers use multiple IP addresses and domains. Crooks can easily register a new domain for under $10, be online within 24 hours and disappear in 48 hours.
Account hijacking can result from malware on the seller's PC (keystroke loggers that capture the password as it is typed), from intrusions over an unsecured home wi-fi network, or from reconnaissance such as port scans and ping sweeps that locate an exposed machine to break into. But most often it results from phishing e-mails, designed to look as though they come from eBay and warning that, "If you do not update your account information within the next 48 hours your account will be closed." A hyperlink at the bottom of the message directs the unsuspecting to a look-alike Web site that harvests the password and other account data, often including credit card and other personal information.
Many of the early phishing e-mails originated overseas in fractured English, riddled with spelling and syntax errors, and usually carried a washed-out looking eBay logo, if any appeared at all. Those early crude attempts have since been replaced by slick presentations with exact copies of the eBay logo, copyright statements and proper English, to the point that they can give momentary pause even to savvy eBay veterans.
Despite increased public awareness, phishing attacks are hardly passé. Symantec, producers of Norton Anti-Virus, had identified over 150,000 unique phishing e-mails in the first half of 2006, up 81 percent from the previous six months. David Jevans, president of the Anti-Phishing Work Group, an industry association that includes eBay, points out, "It's easy to send out a billion e-mails; if one in 10,000 hits, they're in business." While phishing attacks now target clients of every major bank and financial institution as well as all large Internet companies, eBay and PayPal users remain constantly barraged by fraudulent e-mails.
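The tell in the phishing mail described above is that the link does not go where it claims to. The following script is an added example (not code from the article or from eBay) that pulls every link out of an e-mail body and flags the ones whose real destination is not an eBay or PayPal domain: look-alike hosts that merely contain the brand name, raw IP addresses, and links whose visible text shows one site while the href points at another. The sample e-mail is constructed for illustration; the two legitimate domains are the ones the article names.

```python
"""Flag credential-harvesting links in a phishing-style e-mail.

Added example, not the article's code. SAMPLE_EMAIL is constructed;
LEGITIMATE_DOMAINS holds the real domains the article refers to.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

LEGITIMATE_DOMAINS = {"ebay.com", "paypal.com"}

# Constructed sample: the "update within 48 hours" lure, with one genuine
# help link and two links that do not go where they appear to.
SAMPLE_EMAIL = """
<p>Dear eBay member, if you do not update your account information within
the next 48 hours your account will be closed.</p>
<p>Please <a href="http://www.ebay.com.update-secure.example/cgi-bin/login">
sign in to eBay</a> to confirm your details.</p>
<p>Questions? See <a href="https://pages.ebay.com/help/">eBay Help</a>
or <a href="http://192.0.2.10/paypal/">https://www.paypal.com/</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname: 'pages.ebay.com' -> 'ebay.com'.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_link(href, text):
    """Return the reasons a link looks like a lure; [] means it points at a
    legitimate domain and its visible text (if a URL) agrees with it."""
    reasons = []
    host = urlparse(href).hostname or ""
    if not host:
        return ["no hostname in href"]
    if is_ip(host):
        reasons.append("raw IP address instead of a domain")
    domain = registered_domain(host)
    if domain not in LEGITIMATE_DOMAINS:
        # "www.ebay.com.update-secure.example" starts with the brand, but
        # the registered domain is update-secure.example.
        if any(brand.split(".")[0] in host for brand in LEGITIMATE_DOMAINS):
            reasons.append(f"brand name inside look-alike host {host}")
        else:
            reasons.append(f"host {host} is not an eBay/PayPal domain")
    # Visible text that is itself a URL must match where the link goes.
    if text.startswith(("http://", "https://")):
        shown = urlparse(text).hostname or ""
        if registered_domain(shown) != domain:
            reasons.append(f"link text shows {shown} but goes to {host}")
    return reasons


def suspicious_links(html):
    """Map each suspicious href in the e-mail to its list of reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    report = {}
    for href, text in parser.links:
        reasons = classify_link(href, text)
        if reasons:
            report[href] = reasons
    return report


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL).items():
        print(href)
        for r in reasons:
            print("   -", r)
```

On the constructed mail this reports the `ebay.com.update-secure.example` login link and the raw-IP link that displays a PayPal URL, and passes the genuine `pages.ebay.com` help link. The check is a heuristic: an attacker can use a domain with no brand name in it at all, and a padlock or `https://` in the link proves nothing about who owns the host, so the habit the article recommends, going to eBay by typing the address rather than clicking, still applies.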
Mutating Scams and the Bot Factor
Still, for every account and identity hijacking there have been many more eBayers ripped-off by "ghost sellers" who offer expensive items at low-ball prices, deliver nothing and abscond with the buyer's money. Blinded by the pursuit of a bargain, victims ignore the obvious red flags, for instance, that the seller has zero feedback and registered the account within the previous several days.
However, bidders have become savvy, increasingly eschewing new sellers with little or no feedback or transaction records. Today a seller's good feedback reputation is more important on eBay than it has ever been. But scam artists are wise: when an antidote is found for one flim-flam expedient, they mutate into another form and attack again. Now eBay scammers have taken this classic larcenous model (sell something you do not have, pocket the money and scram) and updated it to the times with the use of "bots."
A bot (short for robot) is a program that performs a repetitive function on the Internet, such as posting messages to multiple parties or searching for information, among many other tasks. Legitimate sellers use bots to power their sales: bots automatically notify winners and generate generic, positive feedback. They are particularly used by high-volume, low-end 1-cent sellers for whom it would be economically unfeasible to perform these functions manually. Bots are also the scammer's newest best friend.
Bots talk to Bots
According to Guillaume Lovett, a researcher for the California-based security firm Fortinet, crooks can use bots to set up multiple legitimate-looking accounts on the cheap, both for scamming and for feedback farming. Scammers first use bots to create a large number of fake accounts, funded with stolen but not-yet-reported credit cards or, in most instances, Visa's anonymous "gift" cards. Then, using a spider to scour eBay for 1-cent "Buy It Now" sales (there are typically hundreds, offering Windows wallpaper images, e-books and digital photos, all delivered electronically so there are no shipping charges), they buy. The 1-cent seller, ironically, also uses bots to generate positive feedback for the buyer/crook's user profile.
"With the 1-cent rate building 100 accounts with 15 positive feedbacks each can cost just $15," says Lovett, who first discovered the scam this past summer. The 1-cent seller is an unwitting accomplice to the crook via their mutual use of bots; each gets what they want: the seller gets a sale, the scammer gets positive feedback and transaction records for very little expenditure of time or money.
Sometimes the accomplices are not so unwitting. According to Christos Faloutsos, a computer science professor at Carnegie Mellon, quoted in the Wall Street Journal, the seller and buyer can be one and the same person. A fraudster creates separate eBay identities, then sells to himself. The "buyer" ID leaves positive feedback for the future "fraudster" ID. When the crook eventually uses his fraud ID to cheat someone out of an item he never delivers, eBay shuts down the scam page but leaves the accomplice "buyer" ID up to shill feedback for future frauds or to serve as a platform for launching future scams.
Proposed antidotes to the bot-scammers can be complex. One involves network analysis of "bipartite cores," the patterns that con artists create as they go about their schemes. A bipartite core is a graph-theory term for a situation where the members of Group A deal with the members of Group B but never with each other.
The theory as applied to eBay, explained by Duen Horng Chau of Carnegie Mellon, holds that all the crooks are connected to all the accomplices, but the accomplices never deal with each other, just with the crooks and a few honest people; this pattern is a bipartite core. "Honest people interact in more arbitrary patterns," says Chau. "There is none of the very clear separation and compartmentalization that we see with fraud."
He claims that running the algorithm over a large set of data from eBay located obvious cases of fraud that had not been spotted before. However even proponents acknowledge that network analysis involves a lot of work as the process has to filter through much "noise," or an over-abundance of data, and that fraud-generated connections would only be visible after the fact.
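To make the bipartite-core idea concrete, here is an added example (not the Carnegie Mellon code, whose actual method is not described on this page) of the simplest search for the pattern Chau describes: accounts that never deal with each other but share the same set of counterparties. Two accounts are grouped on the same side of a core when they have no transaction between them yet share at least `min_b` counterparties; a group qualifies when it has `min_a` or more members, those members have `min_b` or more counterparties in common, and neither side has any internal transactions. The transaction list is constructed: F1..F3 play the future fraud IDs, A1..A4 the accomplices who "buy" from every one of them, and H1..H5 honest users who trade among themselves in arbitrary patterns.

```python
"""Detect bipartite cores (A deals with B, never within A or within B).

Added example; the transaction list is constructed, and the grouping rule
(shared counterparties, no internal edges) is a simple stand-in for the
research method the article alludes to.
"""
from collections import defaultdict
from itertools import combinations

# Constructed feedback edges (left, right): "left dealt with right".
TRANSACTIONS = [
    ("A1", "F1"), ("A1", "F2"), ("A1", "F3"),
    ("A2", "F1"), ("A2", "F2"), ("A2", "F3"),
    ("A3", "F1"), ("A3", "F2"), ("A3", "F3"),
    ("A4", "F1"), ("A4", "F2"), ("A4", "F3"),
    ("A1", "H1"), ("A2", "H2"),                     # "a few honest people"
    ("H1", "H2"), ("H2", "H3"), ("H3", "H1"),       # honest users form odd
    ("H3", "H4"), ("H4", "H5"), ("H5", "H1"),       # cycles and sparse ties
]


def build_graph(edges):
    """Undirected adjacency sets; who dealt with whom, direction ignored."""
    adj = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj


def find_bipartite_cores(edges, min_a=3, min_b=3):
    """Return a sorted list of (A, B) frozenset pairs, each found once."""
    adj = build_graph(edges)
    nodes = sorted(adj)
    parent = {n: n for n in nodes}           # union-find over accounts

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    # Same side of a core: not linked to each other, many shared partners.
    for u, v in combinations(nodes, 2):
        if v not in adj[u] and len(adj[u] & adj[v]) >= min_b:
            parent[find(u)] = find(v)

    groups = defaultdict(set)
    for n in nodes:
        groups[find(n)].add(n)

    cores = set()
    for members in groups.values():
        if len(members) < min_a:
            continue
        common = set.intersection(*(adj[m] for m in members))
        if len(common) < min_b:
            continue
        if any(adj[m] & members for m in members):     # A deals within A
            continue
        if any(adj[c] & common for c in common):       # B deals within B
            continue
        a, b = frozenset(members), frozenset(common)
        # The same core is reached from both sides; store it once.
        cores.add((a, b) if sorted(a) < sorted(b) else (b, a))
    return sorted(cores, key=lambda core: sorted(core[0]))


if __name__ == "__main__":
    for a, b in find_bipartite_cores(TRANSACTIONS):
        print("core:", sorted(a), "<->", sorted(b))
```

Run on the constructed data it reports a single core, {A1, A2, A3, A4} against {F1, F2, F3}, and none among the honest users, whose triangle H1-H2-H3 and scattered purchases give them no large shared neighbourhoods. The all-pairs comparison is quadratic in the number of accounts, which is the "lot of work" and "noise" the article goes on to mention, and the edges only exist once the shill feedback has been left, so the core is visible after the fact.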
In any case, while network analysis of bipartite cores may work for computer scientists and is possibly a way for eBay's security apparatus to make progress in mitigating fraud, it is hardly useful in the trenches of everyday commerce on the site. The average eBay user would have neither the inclination nor the wherewithal, not to mention the time required, to launch a network analysis for site fraud.
In chat rooms eBay users suggest a myriad of fraud remedies, some equally complex, such as registering MAC addresses (the media access control address that identifies each node, PC, printer and so on, on a local network; it can be changed in software and never reaches a Web site beyond the user's own network segment, so it would identify nothing), others that are intrusive, such as listing seller and bidder contact information on the sale page, and others that are implausible, such as prepaying bids or charging a reneger's credit card for failing to pay for a purchase.
EBay is in something of a Catch-22 situation when it comes to fraud. Publicize the fraud and they run the risk of stirring-up the media, alarming stock analysts and scaring users away from the site. Play down the problem, keeping awareness down, and it becomes worse, mushrooming into an epidemic. For years eBay has tried to walk a middle ground, initially burying help and fraud-avoidance cues on the site, and occasionally sending all users warning e-mails that were often blocked by spam filters or flushed, unread.
Some disgruntled users feel that eBay is basically content with the status quo regarding fraud: the site continues to grow despite instances of fraud, and many of the crooks, in fact, pay fees, so why risk the wrath of Wall Street and its users, and incur the added expenditure of hiring more help, writing more code and so on, by drawing attention to the problem with a well-publicized, full-blown frontal attack? In fairness, eBay's security staff numbers about 800, its security has improved over the past several years, and it is considered very good by industry standards.
Be Proactive: Tips for Prevention
But regardless of precautions, the site is simply too large to catch all the thieves and their evolving tricks. This leaves the lion's share of vigilance to eBay users. The best defense is personal awareness. Here are several red flags and common-sense precautions to consider before buying and selling in the bot age; sellers can post the bidding tips on their own site to show they are legitimate and build trust with potential customers:
- Beat-artists seldom bother to accrue more than 10-20 feedbacks before launching their scams. Check the pattern of feedbacks and transactions. If the seller falls into the 10-20 feedback range and the feedbacks are all or mostly for 1-cent sales, and suddenly they are offering multiple high-ticket items, assume the worst and avoid the seller, period. If the item is expensive, (and if it's a scam, it will be,) check long and hard before bidding with any seller with less than a few years and a few hundred feedbacks under their belt.
- Beware of any seller who asks the potential bidder to contact the seller before bidding using an e-mail address rather than through eBay's "Ask the seller a question" link. This is almost always an attempt to get the bidder off of eBay's monitoring system. Instead, before bidding, send the seller an e-mail via eBay in any dubious situation, particularly regarding payment and shipping terms. If the seller does not reply or asks you to bid first, don't bite.
- Do not bid with or pay sellers who quote greatly delayed shipment dates. Even PayPal's liberal rules prohibit sellers from shipping more than 20 days after receiving payment. In fact, if shipment is to be delayed more than a week after payment is received, the seller had better have a very good reason.
- Scams will most often be one-day auctions with a "Buy it now" price.
- Fraud sales are often miscategorized to avoid eBay's own fraud-detection bots. For instance, plasma TVs or computers might be listed under children's clothing.
- Thieves seldom offer PayPal, credit card or any other verifiable payment system, usually insisting on Western Union transfer payments instead. Never pay for any eBay transaction via Western Union money transfers or international money transfers; with these the crook collects the money and vanishes with no means of being traced.
- Most home wi-fi or wireless Internet fraud problems stem from errors of omission. Nearly all wi-fi routers can require a password for joining the network and encrypt the data sent over it (most can also hide the network name, though hiding it is not a security measure on its own). The problem is that few routers leave the factory with these features on by default, so users must turn them on themselves, choosing the strongest encryption the router supports (WPA2 or WPA; the older WEP has well-known weaknesses and should not be relied on).
Failure to do this allows anyone with a wi-fi-equipped computer to tap into an unsuspecting user's base station from up to 200 feet away, and with special antennas, from a quarter mile and further. Even with a secured home system there are wi-fi perils: on a shared network, other users can see unencrypted traffic. Inquire about network security before using a wi-fi connection in any retail store, hotel, college campus or other institution that does not monitor its users, and never sign in to eBay or PayPal over such a connection unless the page is served over https.
- Sellers should avoid using birthdays, middle names or other potentially linkable hints in the password, should not reuse the eBay password on any other site (a password harvested from one site is routinely tried against eBay and PayPal), and, more importantly, should change the password every several months and immediately if anything looks amiss on the account.
- Always keep in mind: if it seems too good to be true, it probably is bogus. Beware of sellers who are offering goods at prices far below fair market value or who seem to have many copies of hard-to-find items.
- If you fall victim to any form of eBay, PayPal, or general identity, credit card or bank account fraud there are several non-profit organizations offering advice and counseling, two of the largest are The Privacy Rights Clearinghouse and Identity Theft Resource Center, both located in San Diego.
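The bidding red flags above are checks a buyer runs in their head; written down as code they become a screen that could run over listings automatically. The following is an added example, not from the article or from eBay: it computes the quantities the tips depend on (account age, share of feedback from 1-cent sales, price against fair market value, payment methods, delay to shipment) and returns the list of flags a seller/listing pair triggers. The seller records and listings are constructed; the 20-day shipping limit and the 10-20 feedback range come from the article, while the $500 high-ticket threshold and the "half of fair market value" cutoff are assumptions.

```python
"""Score a listing against the article's bidding red flags.

Added example; seller and listing data are constructed, HIGH_TICKET and
the fair-market-value ratio are assumed thresholds.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Feedback:
    sale_price: float          # price of the sale the feedback was left for


@dataclass
class Seller:
    registered: date
    feedback: list             # Feedback entries


@dataclass
class Listing:
    price: float
    fair_market_value: float
    category: str
    expected_category: str     # where an item of this kind belongs
    duration_days: int
    buy_it_now: bool
    payment_methods: frozenset # lower-case names, e.g. {"paypal"}
    ship_days_after_payment: int
    contact_off_ebay: bool     # seller asks for e-mail contact before bidding


HIGH_TICKET = 500.0            # assumption: what counts as "expensive"
VERIFIABLE = {"paypal", "credit card"}
UNTRACEABLE = {"western union", "moneygram", "international money transfer"}


def red_flags(seller, listing, today):
    """Return the article's red flags that this seller/listing pair triggers."""
    flags = []
    fb = seller.feedback
    age_days = (today - seller.registered).days
    cheap_share = sum(1 for f in fb if f.sale_price <= 0.01) / len(fb) if fb else 0.0
    expensive = listing.price >= HIGH_TICKET

    if expensive and not fb and age_days <= 7:
        flags.append("high-ticket item from a days-old account with zero feedback")
    if expensive and 10 <= len(fb) <= 20 and cheap_share >= 0.8:
        flags.append("10-20 feedbacks, mostly 1-cent sales, now selling high-ticket goods")
    if expensive and (age_days < 2 * 365 or len(fb) < 200):
        flags.append("expensive item from a seller with under two years / a few hundred feedbacks")
    if listing.contact_off_ebay:
        flags.append("asks to be contacted by e-mail rather than through eBay")
    if listing.ship_days_after_payment > 20:
        flags.append("ships more than 20 days after payment")
    elif listing.ship_days_after_payment > 7:
        flags.append("shipment delayed more than a week after payment")
    if listing.duration_days == 1 and listing.buy_it_now:
        flags.append("one-day auction with Buy It Now")
    if listing.category != listing.expected_category:
        flags.append(f"miscategorized: listed under {listing.category!r}")
    if not listing.payment_methods & VERIFIABLE:
        flags.append("no PayPal/credit card payment offered")
    if listing.payment_methods & UNTRACEABLE:
        flags.append("demands untraceable money transfer")
    if listing.price < 0.5 * listing.fair_market_value:
        flags.append("priced far below fair market value")
    return flags


# Constructed samples: a bot-farmed account selling a plasma TV under
# children's clothing, and a long-established seller listing the same item.
TODAY = date(2006, 10, 15)                      # assumed "current" date
SCAM_SELLER = Seller(registered=date(2006, 10, 5),
                     feedback=[Feedback(0.01) for _ in range(15)])
SCAM_LISTING = Listing(price=900.0, fair_market_value=2500.0,
                       category="Children's Clothing", expected_category="Plasma TVs",
                       duration_days=1, buy_it_now=True,
                       payment_methods=frozenset({"western union"}),
                       ship_days_after_payment=3, contact_off_ebay=True)
ESTABLISHED_SELLER = Seller(registered=date(2000, 3, 1),
                            feedback=[Feedback(12.0) for _ in range(1200)])
HONEST_LISTING = Listing(price=650.0, fair_market_value=700.0,
                         category="Plasma TVs", expected_category="Plasma TVs",
                         duration_days=7, buy_it_now=False,
                         payment_methods=frozenset({"paypal", "credit card"}),
                         ship_days_after_payment=2, contact_off_ebay=False)

if __name__ == "__main__":
    for name, s, l in (("scam", SCAM_SELLER, SCAM_LISTING),
                       ("honest", ESTABLISHED_SELLER, HONEST_LISTING)):
        print(name, red_flags(s, l, TODAY))
```

The constructed scam listing trips eight of the flags and the established seller's listing none. The rules are only as good as the thresholds, which is why the article says to check "long and hard" rather than to trust a count: a patient scammer can sit on an account for two years, and a genuine new seller will trip the age rule on a first expensive sale.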
Frank Fortunato is a regular contributor to ECommerce-Guide.com.