eBay users: You really oughta check this out

[CapnK]

Take a look at this web page. Basically the blog story was about how eBay is (or isn't) having some serious security issues with a Eastern European cracker that goes by the handle of "Vladuz".

An interesting enough story in it's own right, there are also some Official Words of eBay printed there that claim "EBay officials... say fraud remains a tiny fraction of the million or so transactions the firm facilitates each day." OK, fine and dandy.

So how does that explain the 423 comments in just over 12 hours which are probably 99% *negative* against eBay, or have at their core how the comment author was a victim of eBay policies/scams/scammers??? Putting that into perspective: Even the most inflamed and vitriolic threads on any of the boards I frequent rarely get over 100 replies, and if the number even approaches that, it takes days to get there.

What I hear from eBay, and what I see in this public reaction, just don't jibe at all. And that's why I wrote this.

I very, very rarely use my eBay and PayPal accounts. If, right now someone had 100 items listed for sale under my name, and was at the same time committing to buying $20K of merchandise, I wouldn't know for hours, or maybe even days (weeks?). And from some of the comments I read after this article, proof that I wasn't involved would have to come from me, at my own expense in time and money and peace of mind.

I use the tool so little it just isn't worth the risk or the worry. For some few people, they probably use the site / their accounts enough that they would become aware of fraud within minutes (assuming they are awake). But I'd bet most of eBay's users are more casual, like me.

I think I'll be cancelling my account after I finish writing this.

That said, read on, please, and be informed, whatever you decide to do for yourself. :)

http://redtape.msnbc.com/2007/03/how_far_has_vla.html

[Godot]

Comparing the message boards you probably frequent to the comments on this article is not a fair comparison.  Assuming you are like me (a big assumption, true) the message boards you frequent probably have hundreds of users.  I'm guessing that ebay has millions of users.  Also, it is entirely possible that those who have been scammed have been searching for articles like this.

This story is about a negative aspect of the internet.  People are commenting on that negative.  You wouldn't expect many people to have positive comments about a negative feature.

That being said, I've had no problems (outside of slow shipping) with ebay since I started using them back in 2001.  Is there risk?  Yep.  But I don't feel it is an unreasonable one.  At least not yet.

BTW, I know people who never buy things online because they are too afraid of identity theft.  My wife and her entire family won't touch computer banking (my wife doesn't even trust the ATM machine).  I use my credit cards for everything, so when I review my monthly statement I mostly just make sure that the purchasing patterns match what I typically buy.  I know where I mostly shop.  My wife spends hours accounting for every single transaction and will flip out if she can't remember a $12 purchase three weeks ago.  She (and her entire family) are very risk adverse.  Me, I'm willing to accept some risk if there is a reasonable benefit.  Different philosophies, I guess.

[Lynx]

If a pawn shop sells stolen goods it gets closed. What happens when ebay does it?

How is it different?

[Godot]

Ebay doesn't sell anything.  They are a service for other people who are selling stuff.  Neither does a newspaper get shut down if someone sells stolen goods in their classifieds.

[CapnK]

Your points are both good and valid, Adam. I know plenty of people who use eBay regularly that haven't had a problem. Personally, I haven't had a problem either - but keep in mind that I use the service so rarely that I can barely even qualify as a statistic to them. ;) In fact, add me to all of the folks I know who use eBay, and our total would barely qualify as a statistic, eBay is that large and active of a company...

That said - when a BadGuy can get deep enough into your system to post on your message boards as a company representative, you have some ***serious*** security issues.  :o

So I think it is prudent to be _very_ conscious of your eBay account, if you have one. Especially now that they *require* you to tie into it with a real life Bank Account via PayPal (which they own and is a part of their system). It seems that this architecture is a top-heavy house of cards, and at least one known BadGuy has been seen poking around down there at the bottom of the pile. Scary stuff. :)

[AdriftAtSea]

One of the best things to do if you get any e-mails from any company is to go and call the company's customer service people and ask.... "Did you send an e-mail regarding....?"

As I've worked with the FBI on several fraudulent e-mail cases, the advice I gave to their agents about checking e-mails includes: 

Another thing you can do as a check is to look at the "long headers" or "message raw source" in your e-mail program to see what the originating e-mail server is.  The received line should have an e-mail server of the originating domain or ISP as a general rule.  Large companies generally host thier own e-mail servers on their domains, so if you see an e-mail from BankofAmerica.com coming from an ISP's e-mail server, it is likely to be bogus. 

Also, look at any of the links that are embedded in the e-mail, to see if they go to the website they say they do.  Most will have a straight IP address xx.yy.zz.aa and some directory and file listed that points to a bogus version of the page in question.  The better fake e-mails use very similar domain names and use the actual graphics and links from the real page to lend authenticity to thier fake page.

Generally, clicking on an embedded url link in an e-mail is a bad idea, unless it is from a trusted source.  If you have any suspicions about the e-mail, type the url you know for the company yourself, directly into your browser, rather than clicking on the link.

[mudnut]

It's very obvious that first off,anybody who puts 100% trust in anything related to the web as far as private details,needs their head read.The old world is spinning a little to fast,If you jump into the game you ARE subjected to the rules.Those people cannot access information which is not there.For some it may be to late.Personaly I have never put secured numbers of any accounts on or thru my PC,and never will.In a lot of instances I have put false information as to Id.Mudnut.