Hijacked eBay account reminds about need for vigilance
By DAVE GUSSOW
© St. Petersburg Times
published March 31, 2003
The e-mails set off an alarm as soon as I read them.
One "verified" that the password change on my eBay account had been successful. A second message reported that the "hint" question to recover my password also had been switched at the giant online auction site.
I didn't do either. Someone had hijacked my eBay account.
Over the next 15 days, I would be informed that I had bought an 18.1-inch LCD monitor ($459) and that I was watching bids on a $99 office computer desk with keyboard tray.
I immediately reported each of these bogus moves to eBay. Its responses were neither swift nor reassuring.
Automated form e-mails thanked me for reporting the problems. Finding a human to talk to at eBay was almost impossible. Trying to figure out what, if anything, eBay was doing with the reports was impossible.
And it reinforced the lesson for those who think they have taken all necessary security precautions: The people who pull these schemes are relentless and have a lot of tools at their disposal.
"We began noticing the practice last year," eBay spokesman Kevin Pursglove said. "We think the perpetrators have undertaken a number of different methods to get eBay user information."
That includes spam e-mail. An eBay user responds, inadvertently giving away some account information. Or a buyer or seller may share information with a third party.
Scam artists can buy so-called "dictionary" or "gaming" software. They'll go to a site such as eBay, find a subscriber's name, then use the software to test various password combinations to crack an account.
And sometimes, as Tom Kiehl discovered, users will get an e-mail that appears to come from eBay and has a link to a Web site that mimics eBay. But it's a fraud, too, trying to get you to reveal personal information. (Other sites have been victimized this way, too, including PayPal, according to a recent report.)
"I had just changed my e-mail address," said Kiehl, a former president of the Tampa Bay Computer Society. "I had not used that address for anything."
But Paula Current, his sister-in-law in Pennsylvania, had been victimized shortly before he received his e-mail, and Kiehl thinks that may have led the identity thief on eBay to him.
Current, who has sold thousands of items on eBay, had been getting a steady stream of messages.
"Most of the time, I just ignore them," Current said. "I kept getting the same one over and over. I clicked on it. Nothing came up, and that was it."
Or so she thought. In reality, someone used her careless click to take over her account and delete all the items she had listed for sale. When she went to post new items, she could not get into her account.
Current, though, had access to a special customer service phone number reserved for eBay's top sellers. She got it fixed, at least for a few hours, before it was hijacked again. Again, eBay helped her straighten it out, and she hasn't had a repeat.
"They were very helpful," Current said. "They understood the problem. One kid was nice enough to say that if you get an e-mail from eBay, it won't ask for personal information."
Of course, if someone breaks into an account such as Current's, that would give the scam artist access to at least some information about buyers or sellers.
None of the e-mails I received asked for personal information, and I did not respond to them. Nor did I warn the would-be sellers who thought they were dealing with me, not knowing whether they were legitimate. I used, or attempted to use, eBay's much-touted Safe Harbor system for reporting problems.
However, I found it to be an almost impenetrable maze. It was difficult to figure out exactly where to go to report this kind of problem.
"We definitely have to do a better job of establishing the terms we want to use with our users," eBay's Pursglove said. "It's not the first (problem) I've heard. A user will have an issue, go to the help board, and can't quite figure out how to describe or how to fit (the question) in a category."
EBay also has an unlisted phone number, and none is posted on its site, making it even more frustrating. When I did get a number and called, I got nowhere. The complaints have to be sent online.
More than a week after my first complaint, someone from eBay called my house to verify my phone number, but refused to leave a callback number with my wife.
The only hint I had that something was being done came 15 days after the first bogus e-mail. I received a blank message from eBay with the word "suspension" in the address. I went to eBay, did a member search and found that the account had been suspended -- finally.
Pursglove said it shouldn't have taken that long for my problem to be handled, and I should have gotten some official response after the account was suspended. "In most instances, we will work with the authorized registrant and clarify the situation and try to rectify it within that business day," he said. "It's possible that something slipped through the cracks."
EBay won't give details of its investigations. Pursglove would say only that the site works with law enforcement "and we feel progress is being made."
He also said eBay is working to improve Safe Harbor to make it easier for people to report such problems. As for tips people can use: I was correct in going directly to eBay and not responding to the e-mail or sellers, Pursglove said. He also suggests that people make regular checks of their accounts, maybe weekly, to make sure nothing is amiss.
In my case, the account was one I had long forgotten. Dormant accounts should be closed, Pursglove said. If people have problems, the best way to report them is to send an e-mail to email@example.com.
-- Dave Gussow can be reached at firstname.lastname@example.org or (727) 445-4228.