Hijacking & Fraud Plague eBay Users - Page 2
In fact, these criminals can sometimes get money out of more than one buyer by e-mailing some of the losing bidders and saying that the winner backed out.
That's what almost happened when an eBay user in the Atlanta area, whom we will call Janice, had her account hijacked.
"Somebody had guessed my password, got into my account and completely took it over," she said.
One morning she went to look at her listings and to her surprise could not access her account, where a $2,000 computer had just been sold to an unsuspecting eBay newbie.
The hijacker had actually sent the buyer a link to the listing. "They found her because she was a runner-up in another auction," Janice said. "She wanted this exact computer."
The newbie buyer hadn't noticed that Janice is a seller of decidedly non-electronic items. Janice said she knew immediately what was going on and e-mailed the buyer, who was able to cancel a Western Union money transfer to someone in the Philippines.
"eBay said there's really nothing they could do," Janice said, and the FBI eventually told her the amount of money involved was too small to warrant an investigation.
Account passwords can be obtained in a variety of ways, but one of the more common is the sort of scam that was run against PayPal recently, in which very legitimate-looking HTML e-mails are sent out to users asking them to re-enter their data for an innocent-sounding reason. Usually they are redirected to a spoof Web site put up solely to harvest account data.
eBay account passwords can be obtained in the same way. In fact, some eBay users report that the fake e-mails threaten to suspend their accounts if they don't "reverify" their information.
"The (spoof) site looks just like an eBay site but it's on a different server," Steiner said.
Even sophisticated and experienced Internet users can sometimes be taken in -- the forgeries are that good. And Steiner said that some of eBay's users are not particularly Net savvy -- some of them learned just enough computer skills to start selling at the auction site. They're businesspeople, not tech heads.
"eBay is in a tough position," Steiner said. "A lot of people are accessing the site all the time, and auction sellers are accessed by a lot of people with less than good intentions. You have to be smart about your password."
Some hijack attempts against eBay sellers come via bots -- automated robotic programs that generate a variety of passwords from a "dictionary" trying to crack an account. A quick and nearly effortless search on Google turns up all kinds of such programs out there, with names such as "HackOffice," "HotMailHack" and "Brute 2.0." One program, called "4Digits," is described as "a great dictionary file of four digit numbers. Good for cracking things that ask for the last four digits of a CC# or SS#."
The step up in the frequency of password cracking attacks prompted eBay to take steps last spring to combat the scam artists, Pursglove said. But it's no easy task.
eBay wants "to balance our design to protect accounts with the openness of the community" that makes eBay more than just another e-commerce site, Pursglove said.
"We created a new page on the site instructing people how to select a password - use upper and lower case, do not use passwords from other sites, mix letters and numbers, etc.," Pursglove said.
"We have also increased our efforts should a (scam artist) try to change an account -- our confirmation e-mails now go to the new e-mail address as well as the old address," Pursglove said.
"And we're developing some tools to check that after a certain number of (attempted) entries, a user will be rerouted into the password information system, which bots can't get through."
eBay's new security feature kicks in after a certain number of failed log-in attempts. A screen pops up asking for the User ID, password and a special Security Code that appears on the screen. The Security Code is a picture of a number, requiring a human being to be at the computer to enter the code.
About a year and a half ago all new registrants at eBay had to use something other than their e-mail name as their ID. Pursglove said that move also cut down on the ability of bots to extract information.
Still, he advises users to check their listings frequently via the "my eBay" function. "Check your listings, see if they're all yours," he said.
And keep your account active. "Sometimes they go for accounts that have been dormant for two to three months," Pursglove said.
"I think it's really education," said Larry Jordan, vice president of marketing at AuctionWatch.com, which sells auction software for sellers.
"What people really need to do is think about these e-mails logically," he said. "If you get any e-mail asking for sensitive data, think about it. Look at the URL to make sure it's really the right Web site. Look for dummy links. If you have any bit of concern, send a note to that company, rather than fill in a form. Be diligent with your passwords."
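The URL check Jordan describes can be automated. The sketch below is an added example, not code from the article or from eBay: it lists every link in an HTML e-mail whose real destination host is not a trusted domain, whatever the visible link text says. The trusted-domain list and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("ebay.com", "paypal.com")  # assumption: the sites' real domains

def real_host(url):
    """Host the browser will actually contact, lower-cased."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_trusted(host, trusted=TRUSTED):
    # Exact match or a subdomain on a dot boundary; a substring test is not enough.
    return any(host == d or host.endswith("." + d) for d in trusted)

class LinkAudit(HTMLParser):
    """Collects (visible text, href) for every <a> in an HTML e-mail."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def dummy_links(html):
    """Return (text, href, host) for links that do not lead to a trusted host."""
    audit = LinkAudit()
    audit.feed(html)
    return [(text, href, real_host(href)) for text, href in audit.links
            if not is_trusted(real_host(href))]

# Constructed sample message; example.net and 203.0.113.7 are reserved test values.
SAMPLE = """<p>Your account will be suspended unless you reverify.</p>
<a href="http://signin.ebay.com.example.net/reverify">http://signin.ebay.com/</a>
<a href="http://www.ebay.com@203.0.113.7/login">Sign in to eBay</a>
<a href="http://pages.ebay.com/help/">Help</a>"""

if __name__ == "__main__":
    for text, href, host in dummy_links(SAMPLE):
        print(f"shown as {text!r} but goes to {host}")
```

Both flagged links contain the string "ebay.com", which is why the check compares the parsed host on a dot boundary instead of searching the URL text.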
Steiner at AuctionBytes says buyers should be cautious if they see some of these tip-offs that an account has been hijacked:
- Accounts that suddenly begin selling high priced items.
- Accounts that used to list items in one part of the country and suddenly start listing items in another part of the country.
- Accounts where the person is mainly a buyer. (You can tell by looking at the letters next to their feedback - "S" = seller, "B" = buyer.)
- Accounts that ask you to "e-mail me" for payment methods.
- Sellers that want you to send only Western Union, and especially to a foreign country.
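Steiner's tip-offs translate directly into rules a marketplace or a cautious buyer could run against a listing. This is an added example, not code from the article or from eBay; the record fields, the price multiplier and the sample data are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class SellerHistory:          # hypothetical record of an account's past activity
    feedback_roles: str       # letters shown next to feedback, e.g. "SSBS"
    typical_max_price: float
    usual_location: str
    country: str

@dataclass
class Listing:                # hypothetical record of one new listing
    price: float
    ships_from: str
    description: str
    payment_methods: tuple
    payee_country: str

HIGH_PRICE_FACTOR = 5  # assumption: the article gives no figure for "high priced"

def tip_offs(history, listing):
    """Return the names of the tip-offs that this listing triggers."""
    flags = []
    if listing.price > HIGH_PRICE_FACTOR * history.typical_max_price:
        flags.append("high_price")
    if listing.ships_from != history.usual_location:
        flags.append("new_location")
    roles = history.feedback_roles.upper()
    if roles.count("B") > roles.count("S"):
        flags.append("mainly_buyer")
    text = listing.description.lower().replace("email", "e-mail")
    if "e-mail me" in text:
        flags.append("email_me_for_payment")
    if {m.lower() for m in listing.payment_methods} == {"western union"}:
        flags.append("western_union_only")
        if listing.payee_country != history.country:
            flags.append("foreign_payee")
    return flags

# Constructed sample data, loosely modelled on the case described in the article.
HISTORY = SellerHistory("SSSBSSSS", 60.0, "Atlanta, GA", "US")
SUSPECT = Listing(2000.0, "Atlanta, GA", "New computer. E-mail me for payment.",
                  ("Western Union",), "PH")
NORMAL = Listing(45.0, "Atlanta, GA", "Hand-made quilt.", ("PayPal", "Check"), "US")

if __name__ == "__main__":
    print(tip_offs(HISTORY, SUSPECT))
    print(tip_offs(HISTORY, NORMAL))
```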
"The community of online merchants on (auction sites) is overwhelmingly honest as a group," Steiner said. "They care. It's a great way of making a living. Some are disabled or elderly. They may have learned their computer skills solely to sell on eBay. When (an account is hijacked) there's a big void of information about what to do."
"It would help for eBay to have a phone contact and not make sellers wait for canned e-mail messages from Safe Harbor," he said. "But eBay is trailblazing - nobody else has ever had to determine how to handle all these problems that are unique to the Internet. They're in a very difficult position."
"It's a different kind of retail experience because it's so personal," Steiner said. "Which also tends to make people trusting. And that's probably where they can be taken advantage of."
Janice would agree with that. But despite having her account hijacked, she's back on eBay and making nice money as a seller -- although with new, longer, complicated passwords that she changes frequently.
And she still loves the auction site.
"I think eBay is the perfect business model for the Internet," she said. "But they need to fix this ... I just don't know how."
If you have been duped, what can you do? eBay offers some tips to help.