Saturday, September 30, 2006

eBay Account Hijacked

Identity theft comes in just som many varieties these days. A few days ago I discovered that I had fallen victem to a mild (compared to what can happen) although very annoying and frustrating form. Some ass clown out there hijacked my eBay account.

I'm not sure when the hijacking took place. I'm a fairly infrequent eBay user. I have never listed anything for sale and have only bought a multitude of pretty but relatively inexpensive junk. In fact I think the last time I was on was back in march when I bought a really nice handmade happy sun clock from a nice lady in California to go with the tropical motif in my office. Like I said, I'm an infrequent user. Thursday night I was attempting to purchase some fabric for a Halloween show I'm doing costumes for. Fabric is one of those things I like to buy in person so I can get a feel for its texture, stretchiness, and other aspects but, let's face it, my choices for stretch mesh and wet look vinyl are limited in this state. When I tried to log in to bid, my password didn't work.

Well, that's odd. I tried it again. Still didn't work. I tried a third time , paying extra special attention to the keys that I hit. Still doesn't work. Did I change my password and then forget about it? It's possible. After all, I haven't been on since March. I went through the forgotten password process. Everything worked fine right up to the confirmation email. I never got it. I tried again. Still nothing. I then looked at my email setup to make sure it wasn't being blocked by the spam filters.

Now here's where things got interesting. There was a filter set up in my email account that deleted messages containing the word 'ebay' and forwarded them to a yahoo account. That's got to go. I removed those filters and changed the password on my email. After that I was able to receive the forgotten password confirmation email from eBay. When I got back into my account I found that my personal information had been changed. I seller's account had been set up complete with credit card number. I can only assume this was a stolen credit card. More disturbing was the fact that several auctions had been put up for gold watches. eBay put a hold on the seller's account because of complaints. And the topper was that bids that were placed without my knowledge. One was for a lot of 100 stainless steel men's watches totaling $4,095 excluding shipping. This scenario just made me think someone was buying stainless steel watches, applying a cheap electroplating, and then selling them as gold watches. I do hope no one actually gave this rectum ranger any money. I would be suspicious of someone who has never sold anything on eBay and then all of a sudden is selling a dozen gold watches. Sounds fishy to me.

I was not happy. While I am an infrequent user, I have been using eBay since about 1999 and have wracked up a good amount of positive feedback. I didn't want to have to start over. And the kicker is you can't re-register with the same email address. Also, I didn't want to be responsible for the gobs of money this sphincter dart decided to bid. So now, the dreaded contacting of tech support. Eek!

eBay doesn't have a phone number listed anywhere on their site. What I did find was a live chat support for security and account theft. It isn't intuitive to find, especially when you're in 'What The Fuck' mode. The live chat can be found by navigating the menus at the very bottom of most eBay pages. You need to click on 'Security & Resolution Center' and then 'eBay Account Protection'. On Thursday evening I waited a little over half an hour to chat with someone. Once I actually able to talk with an eBay security agent, the problem was resolved quickly. One of the ways eBay verifies your account is to call and speak with you and a nice feature of that is that you can ask questions to the agent over the phone instead of typing everything. I was assurred that I would not be responsible for the auctions that were put up and the bids that were placed without my knowledge. Yay. It was all rather painless.

The next day I received a notice from eBay that said an unpaid item strike had been placed against my account (for the watches). I also noticed that the seller had left me some lovely negative feedback. Wait a minute. Wasn't this all supposed to be taken care of? The email alerting me to the strike had a link to an appeals page. I appealed the strike and it was removed. Now to remove the negative feedback. Back on to eBay live help chat. I again explained the situation again. The negative feedback was removed.

eBay seems pretty good at resolving the symptons of account theft. My concern is that I will need to keep a close eye on my account for any additional fallout. When I was assurred that everything was taken care of the first time I contacted eBay, I took that to mean everything was taken care of and I won't have to worry about additional problems stemming from this event. I thought that this would include everything that transpired from my last legitimate purchase in March until Thursday evening when I discovered the problem. This is not actually the case.

There are a few security loopholes that I wish eBay would close. First, they do not lock your account after so many unsuccessful log in attempts. This allows someone to just run random strings of letters and numbers until they luck out and find your password. Most places will lock your account after 3 tries. There is also the problem with third party authorizations. Neither security tech that I spoke with mentioned these and I found out about this through some message boards. The eBay account gets hacked somehow and then some sort of 3rd party software is used to post the automatted auctions.

If you have an eBay account, go to your Account Details, then Preferences, and then scroll down and look for 3rd party authorizations. Check that to be sure anything listed is valid. Many things (contests, etc) can apparently add entries here. In my case, I had an entry from AuctionWorks, a company that makes auctioning software. It is very important to make sure you remove 3rd party autorizations because when using the eBay API, once you get added to the 3rd party authorizations, you can continue to access the eBay account even after the password has changed.

The tech support people didn't mention this at all. It is not mentioned anywhere in the documaentation about securing your account. I got the usual security spiel from the live chat techs. My password is a combination of letters and numbers that is not easily guessed. I haven't answered any of those annoying spoof emails I get asking me to verify account information or my eBay account will be terminated. I have a current anti-virus software and a firewall. Somehow someone was able to gain control of my eBay account.

Consider this your public saftey announcment of the day.

1 comment:

chris said...

Hi,

We have recently launched a {designer handbag | designer watches | designer
jewellery } (choose one which is most appropriate) blog and we are looking
to spread the word and get in contact with similar websites to ours to
promote relevant blogs and websites.

Please email me at chriss714@gmail.com

Thanks
Chris