Where are the eBay account alert warnings?
This weekend I got a long overdue new laptop and the difference in account set up was stark. I opened eBay on the new device, logged in and placed an order and it was business as usual. But when I logged in to Google, just about every device I have started pinging with account alert warnings on computers and pop-ups (and email alerts) on Android, warning me that a new device had logged into my account.
We’ve now been informed of over 20 eBay sellers who have lost money in the scam, in which sellers have had their accounts compromised and their eBay PayPal payment email address changed on a few listings with low value but high sell-through rates. Cases keep coming in and verified funds stolen are now in excess of £350,000 with an average loss of £16.9k.
eBay continue to direct sellers to PayPal to recover their stolen funds. PayPal continue to point out that the fraud happened on eBay and assert that eBay are responsible. The local Police are naturally unable to do much with a fraud of this nature and direct victims to Action Fraud who to date don’t appear to have taken up a single case. What’s needed is for the parties to come together with some joint action but eBay and PayPal won’t release information without a request from the Police and the Police and Action Fraud won’t investigate unless they already have a lead to chase up with contact details.
In the meantime it has to be questioned whose fault these scams are. Ultimately sellers are responsible for keeping their account log-on details secure, but even a seller who changed their email, eBay and PayPal passwords one evening came in to find more listings tampered with at 9am the next morning.
Unlike Google, eBay didn’t fire off any warnings that a new device had logged into my account when I fired up my new laptop. In fairness to eBay, perhaps they looked at my IP address and other identifying information to be confident that it was me, but in that case why did Google find it necessary to fire off a load of account alert warnings informing me a new device had logged into my account?
Not only should eBay be firing off account alert warnings when a new device logs in, but sellers would greatly appreciate an alert if their eBay PayPal payment email address is ever changed, as a warning that the scam is in progress.
Ultimately there needs to be confidence among eBay sellers that eBay is a safe place to trade on. There is plenty of buyer protection to cover consumers if something goes wrong. eBay have recently announced enhanced seller protection for Top Rated Sellers if something goes wrong with a transaction, but what use is that when a seller discovers that thousands of pounds have been stolen and eBay and PayPal jointly wash their hands of it (other than eBay refunding final value fees) and, at least as far as the impacted sellers are concerned, jointly take no action to attempt to recover the funds?
Said this right at the start…. Google do, my bank definitely do it when I set up a new payment, even if I have used my security device to authorise it, they still send a confirmation email and text.
Ebay of course don’t give two hoots as they know they can hide behind the ebay – paypal ping pong blame game.
What is needed is a massive boycott of eBay but I guess that won’t happen.
I think that the buyers are boycotting!
Any further losses in site traffic and it won’t matter anyway. By eBay’s own admission, the category we sell in is down 9.9% from this time last year, which is amazing given the previous declines over the years before.
“In fairness to eBay, perhaps they looked at my IP address and other identifying information to be confident that it was me”
Problem with giving eBay this benefit of the doubt is eBay constantly re-prompts to sign-in again from the same device ID and IP throughout the day (sometimes 3-4 times in the same day, though I’m sure this varies).
Question for anyone involved with this: All reported fraud based on this exploit at this time appears to be in the UK.
Is there any reason sellers in the US (or elsewhere) should rest easy and believe that they could not fall victim to the same tactics and methods that these fraudster/s appear to be employing?
If it’s not global or quite as epidemically so, as it appears to be here in the UK, this implies to me that it’s more credible it’s someone within ebay, somewhere ebay has maybe outsourced work to or third party seller services provider with permissions to access the account.
Previously, in my career, I was part of the management team for a very large well known UK chain of pharmacies. One time a fraud technique was uncovered in one branch where an employee had identified and exploited a gap in the security procedures. What we then uncovered was the issue was endemic with the fraud taking place at a very large percentage of all branches. There was never any indication that any communication or sharing of fraud techniques had taken place between those involved so it appeared they had all uncovered and exploited the loophole independently.
This is why I think if it was as easy as bombarding seller email addresses, harvested from ebay listings, with phishing emails or ebay sellers were lax at changing passwords when employees who have account access have left the company, you would see similar levels of the fraud globally.
From most of what I’ve read, and continue to read, it feels to me like the scam is being operated by either one person, or a small number, who have some form of ‘edge’ enabling them to either access the ebay accounts or just edit listings of UK sellers only.
Here in the USA eBay’s stance is that these were all situations where someone exposed their user name and password to a scammer, or an untrustworthy employee.
That it is no different than if a scammer were to get a person’s credentials for any other online banking account, or online trading account, etc.
They are saying that when the scammer was supposedly able to change the PayPal address, even after the eBay password had changed, that this was a case where the seller did not actually restore their own PayPal address in all of their listings.
They say that the key to protecting an eBay account is making sure a bad actor does not get ahold of your credentials.
In the case of letting employees work on your account, a seller can now use the recently released Multi User Account Access feature, which eBay launched at eBay open … at least in the USA. (I’m not sure if this is available worldwide yet.)