Changing eBay password didn’t stop the PayPal payment email address changed scam
We’ve been contacted this morning by yet another seller who has had their PayPal payment email address changed on eBay and in this case has lost in the region of £6,500.
With typical sales ranging from around £10-£35 and between 100 to 150 orders a day, it really isn’t easy to notice a couple of quid going missing here and there but over a month the sums soon add up.
What’s particularly egregious in this instance is that having spotted the fraud, the seller changed their eBay password, their PayPal password and their email address password at around 8pm yesterday evening. When they came back into work this morning they discovered the PayPal payment email address changed once again on a couple of their listings.
It’s easy to say that it’s the responsibility of the seller to keep their eBay account secured, but having changed all their passwords and not telling anyone what their new passwords were, how did the scammer get back into their account? What can sellers do to protect themselves if scammers appear to have unfettered access to their eBay accounts and the ability to steal funds at will?
We’ve been asking sellers which tools and services they use to run their businesses, but in this case, as in a couple of others, the seller uses no external tools. That means it cannot be an external tool which has been compromised, and the hackers must have a method of accessing eBay directly (or indirectly via a method that a password change won’t put a stop to once the account is compromised).
Whilst we believe PayPal have questions to answer such as how on earth the accounts receiving the stolen funds are passing European Anti-Money Laundering checks, we believe the responsibility for stopping the fraud where sellers discover that a PayPal payment email address changed and funds diverted into a scammer’s PayPal account.
There also needs to be much stronger collaboration between eBay, PayPal and the Police. Currently PayPal are (rightly) blaming eBay, as it is on eBay that the PayPal payment email address is changed. eBay are shrugging their shoulders, saying that as they never had the funds the seller should work with PayPal to recover them. The local Police are powerless and simply direct sellers to Action Fraud. It’s time that, when a fraud is reported, eBay use their connections with law enforcement to actively report the cases themselves and give the Police every assistance in tracking down the culprits, and that PayPal assist and if possible track down and recover the funds.
There’s also the question of innocent consumers’ personal data. Tens of thousands of consumers’ names, home addresses, email addresses and a record of a recent purchase are sitting in scammers’ PayPal accounts. What’s to stop these scammers sending out a phishing email saying “You bought that, you might like this?” in a double dipping scam?
eBay need to take decisive action now. They rolled out a seller release yesterday, but if sellers can’t have confidence that their accounts are secure then all the seller releases in the world won’t stop them leaving eBay, either because they lose faith in the security of the marketplace or simply because they lose so much money they go bust and are put out of business.
I’d suggest the seller check for any “authorised apps” in his ebay account.
If the scammer already had an authorisation token then the password change might not (but should) have blocked that.
Otherwise the scammers are totally bypassing ebay security, maybe through a dodgy API, and there’s not a thing we sellers can do about it until ebay sort it.
As James said, once a scammer has access to your account they can then create an authorisation token for the api to use 3rd party software.
Unlike Facebook who do revoke authorisation of api tokens once the password has changed. I can confirm that changing your password does NOT prevent them using the authorisation token on eBay, you have to revoke the access manually.
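The behaviour the comments above describe, next to the behaviour they argue for, as an added example that is not part of the original comments and is not eBay's code. The `AccountStore` class, its method names and the app name are hypothetical; it models delegated API tokens that either survive a password reset or are invalidated by it.

```python
import secrets


class AccountStore:
    """Toy account model (constructed): one password plus delegated API tokens."""

    def __init__(self, revoke_on_password_change):
        self.revoke_on_password_change = revoke_on_password_change
        self.password = None
        self.epoch = 0      # credential generation, bumped on reset when hardened
        self.tokens = {}    # token -> {"app", "epoch", "revoked"}

    def set_password(self, new_password):
        self.password = new_password
        if self.revoke_on_password_change:
            # Hardened: tokens issued under the old credentials stop validating.
            self.epoch += 1

    def authorise_app(self, app_name):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = {"app": app_name, "epoch": self.epoch, "revoked": False}
        return token

    def revoke_app(self, app_name):
        # Manual revocation: the only remedy when resets leave tokens alive.
        for entry in self.tokens.values():
            if entry["app"] == app_name:
                entry["revoked"] = True

    def token_valid(self, token):
        entry = self.tokens.get(token)
        return bool(entry) and not entry["revoked"] and entry["epoch"] == self.epoch

    def authorised_apps(self):
        # The list an account owner should review after a suspected compromise.
        return sorted({e["app"] for t, e in self.tokens.items() if self.token_valid(t)})


def token_survives_reset(revoke_on_password_change):
    """Return True if a token granted before a password reset still works after it."""
    acct = AccountStore(revoke_on_password_change)
    acct.set_password("old-password")
    token = acct.authorise_app("unknown-app")  # granted while the account was compromised
    acct.set_password("new-password")          # owner resets the password
    return acct.token_valid(token)


if __name__ == "__main__":
    print("reset leaves token valid (as described):", token_survives_reset(False))
    print("reset leaves token valid (hardened):    ", token_survives_reset(True))
```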
tried to change my api today after password change, came up with the same code as before, so changing password isn’t protecting us, if this is api hack and not a keylogger on my pc then this is ebay’s fault, seem so simple that suddenly changing the most important field in any listing, might actually send a notification to the owner, seems not, and then ebay will not bother to rectify – I believe this may be an internal theft where you are being asked to change your password, which then gets listing changed 24 hours later, this cannot be brute force as that would take a long time, so ebay need to check why people who are forced to change password, are being hacked immediately after that password change
We were affected by this scam earlier this year. The scammer accessed our account through a phishing scam text message, saying someone else had my phone number and to log in to eBay through the link given in the text.
@Jack, sorry to hear that and whilst I condemn eBay for not having better security, we have to be responsible for our own lack of security and awareness of such scams.
I am sure Jack will have learnt the vital lesson of NOT clicking on email links, please let this be a warning to others. Always log into your accounts from your browser or app.
I am a computer programmer, I never click a link without hover, so this isn’t the seller’s problem, I don’t believe he has done anything wrong, eBay internal emails asked me to change password on the 4th Sep, since then I have been hacked on 4 listings, mmm see what I mean
Just wondering if anyone has managed to recover any of the lost money from the scam at all, we are victims too 🙁
Only realised today I had been scammed by this method…eBay’s advice “go to paypal”….PayPal’s advice “please email the fraudster and request them to forward the payments to your PayPal account”……eBay and PayPal, you deserve to have sh*t thrown at you
@Al Why are you blaming PayPal?
You tell them you have been scammed but are they meant to take your word on that?
Have you reported it to the police? Do you have a crime number?
All Paypal know is that somebody has set up an account, that account has received money from eBay. As far as they are concerned there is nothing wrong with that, it is quite normal.
Paypal do not have access to your account information on eBay.
eBay are the ones passing the “buck” and not fixing a flaw in their system.
Lastly, how did the scammer get access to your eBay account? Who is to blame for that?
I am frustrated with this whole situation. PayPal should not allow new accounts to acquire money so quickly and withdraw. Yes eBay have got a flaw in their system. Ultimately PayPal can claw back the fraudulent payments and rightfully return them back to us. Otherwise how on earth can they justify their payment cut?….PayPal promise to keep our money safe
@AL I understand your frustration but you need to apply a certain amount of logic to the problem.
How do you know how long the PayPal account has been established?
You are guessing at best and even suppose it was a new account, if it has passed all verification checks why would they?
I know I would feel frustrated if I opened a business account and then had problems accessing my funds, as you probably would.
PayPal promise to keep your money safe, but unfortunately until you prove otherwise it was NOT your money, it belonged to another Paypal account holder.
Have you had money go missing from your PayPal account? If the answer is no then they are protecting your money.
PayPal have a requirement to do Due Diligence and part of that would be to protect an account holder from somebody, like you, trying to claim money from another account.
You did not confirm if you reported it to the police or have a crime number?
Do you seriously expect Paypal to take your word that the money in somebody else’s account is yours?
And, Who is to blame for the scammer getting access to your eBay account?
eBay have a complete lack of security on their system, that is who you need to blame. I have just setup an Amazon account for a friend, they want two forms of 2step verification setup, using either mobile numbers or an app and would not let me proceed with the setup until I had completed that security.
Agree..eBay are at fault here…
we have just been hit with this as well
Changed password on the 4th September due to eBay locking us out and requiring password change, then that password change is used to get into our account, emails are from within eBay message system, 4 listings changed after that to siphon monies, it does not show up on the revisions as having been changed, but quantities were changed, luckily noticed it today only because we went to check an address, both PayPal and eBay will do nothing about this, just cancelled over 20 orders to try to ensure people got refund, they may not re-order, wedding items, can imagine we will be getting a lot of angry buyers over the next few weeks, I believe this may be internal fraud inside eBay, or an unknown keylogger (although they have not attempted any other fraud on PayPal etc) this is a huge mess, I am a computer programmer, and I could have spotted this in seconds with the recorded IP address of logins, all of which is recorded – this type of scam was first recorded over a year ago on eBay forums, they have done nothing to make it easy to find, i.e. text alert to that field being changed, alert email within their system to ask if you intentionally changed where the monies are going, they don’t give a s*&t
eBay have just sent an email locking us out and stating the 4 listings I had to get THEM to find for me 24 hrs ago as being hacked, we sorted back to our proper PayPal 24 hours ago, they have just reversed a sale on one of those items through PayPal despite the fact that we had sorted this issue, talk about closing the barn doors after the horse has bolted, eBay has sent an internal email through their messages centre stating that we should “work with paypal and your buyers to recover any other lost funds” but nothing about alerting all these buyers to the fact that their details have been sent to fraudsters who can target them, looks like eBay is playing catch up after 2 years, not impressed, can’t imagine their customers will be when they find plenty of them have just given details to fraudsters