Add this to the sacked admins' list of revenges
Can't be an accident can it? Oh all right then it was..... honest
Hackers brazenly posted sensitive information including home addresses and phone numbers for 1,200 eBay users to an official online forum dedicated to fraud prevention on the auction site. The information - which also included user names and email, and possibly their credit card numbers and three-digit CVV2 numbers - was …
Gee, eBay denies any security issues with their site.
What a surprise!!! Well, not to those of us who have tried to help eBay by pointing out problems.
Like something out of "Yes Minister"...
Phase 1: Denial - "There is no problem"
Phase 2: Argumentum ad numerum - "Can't be an issue because no one else has reported it" (except for the hundreds in eBay's own support forums)
Phase 3: the infamous eBay "wall of silence" - no response to further reports.
I might be getting an email from Ebay saying there is a problem with my account information.
I can categorically say that eBay doesn't give a damn about stopping fraud. In fact, I would wager they wish there was more of it. eBay only cares about sellers because they get their commission. Who cares if it was from a stolen card or not? Who cares if it was legit or not? As long as they have their money, that's all that matters. So any talk about fraud prevention and security is just that -- talk.
Am I a bitter ex-eBay user? You bet. I've been burned on a number of occasions. Multiple times I purchased DVDs of old movies which were claimed to be the "real thing", at prices you would normally find in discount bins. However, when I received the discs, they were simply DVD-R copies of VHS recordings (yes, the movies in question had been made on DVD, but were out of print). I complained to eBay each time and they never did a thing. I posted negative feedback to the sellers, but as everyone here knows, that does nothing except invite retaliatory negative feedback to my account.
On another occasion, Friday night 19-Dec-2003 8:48pm, I used the "Buy it now" option to purchase a PowerMac G4. I emailed the seller right away asking for payment details. The seller replied on 20-Dec-2003 1:57am. Seller sent another email on 20-Dec-2003 11:19am saying that he needed to hear from me by 21-Dec. Seller sent a third email on 20-Dec-2003 11:33am saying "I got another offer from other bidder. He is willing to pay right now! I need to hear from you before noon, if I haven't received any payment from you by that time, I will cancel this auction." Noon was fifteen hours after the auction ended, and only ten hours after his first email (in the middle of the night). He did not, however, "cancel the auction". Instead, he kept insisting on payment, even after re-listing the item. I complained to eBay, reporting it as fraud, and forwarded them copies of his emails. As you might expect, they did nothing. In fact, he reported me as a non-paying buyer, and eBay had the nerve to send ME a nasty email, warning me that if they received another complaint my account would be suspended. That, after I reported the auction as a fraud. Bitter? Yes. But perhaps a bit smarter now.
eBay cares as much about security as the U.S. government cares about "collateral damage". They'll pay lip service to it, but when all is said and done, they couldn't care less. As long as the incidents don't affect eBay's auctions in a negative way (read: as long as it doesn't decrease the number of auctions), they won't care.
It's more likely that these people are being fooled into visiting phishing sites and there is a script on the site which is posting to the forum. As eBay say - not a security breach at eBay but dumb stupid users falling for phishing scams. They deserve to be cleaned out.
"Mark Bruno, one of the users, said he has changed his eBay password "two or three times," only to learn later his account has been breached again."
... sounds like he has a keylogger on his system. Hey Bruno! Scan your machine, and not with S***mantec!
> it's tough to know why someone would go through the trouble of culling information associated with 1,200 eBay users and publish it smack dab under the noses of eBay's security team.
Maybe it's the only way they could do it, they wrote a script which published the details by posting them on the forums.
I would like to see a list of the user accounts involved in this leak to see if in fact my account was involved!
> not with S***mantec
What's wrong with "S***mantec"? What would you recommend?
I eventually managed to shut down my ebay account a few months ago (after dozens of communications with ebay customer service - they really didn't make it easy)
I used to use eBay. Then stopped using it for about 18 months. Didn't even log into the account. Totally stopped visiting the site. It didn't occur to me to request the account be closed down. Then a few months ago I started getting abusive emails from people who'd been ripped off recently, allegedly by 'me'. Someone took over my account and started selling non-existent stuff via it. The punters who'd lost cash obviously got annoyed.
The only way this could have happened was if eBay themselves lost control of the account. To anyone who suggests "keylogger": why is it that eBay is the only organisation that I have ever experienced this with (out of over 100 online accounts that I have with various organisations including shops, banks, building societies and credit card providers)?
I'm not saying there aren't idiots who click on phishing links and have keyloggers installed, but don't assume that all ebay fraud is down to that. In my experience ebay is totally sh1t at both customer service and security. My ebay experience is the main reason I will never use paypal either.
Considering I've barely used it for 3 years, I don't think it's worth the hassle, especially after it got hacked into during the "Massive botnet attack" at the beginning of the month:
Shortly after receiving a "TKO NOTICE" from eBay someone then started buying online games using my PayPal account. Though I have managed to get all my money refunded I don't think I'll bother using either service again.
"Bruno was at work when contacted, and could not immediately confirm if he owned a credit card with the number contained in a post. The other user was also unable to say if the credit card number attributed to her account was hers"
I assume they were rung about this? Now I know if anyone rang me asking me to confirm my credit card details I'd be a little less pleasant in telling them where to go.
...and I would also point the finger at a keylogger, and the possible reason they only pick on eBay out of all the other secure shopping/payment sites is that it's the easiest to reconfigure once they have your email account password. Why bother with ripping off your bank? They would have to transfer that money to another traceable account. Why buy something through your online shopping accounts? The majority prefer/will only send to the cardholder's address, so why hijack someone's account only to have to enter other card details (presumably stolen)? Hence eBay is an easier target.
Those that have been compromised, get rid of McAfee or S***mantec, install AVG Free edition and do a scan; if that doesn't find it, run a rootkit revealer. Once you have AV software installed, let it do a full scan at least once every couple of weeks (at least; mine does a full scan every 2 weeks and a partial every Friday while I'm eating my dinner).
No, the presence of eBid doesn't mean it's not a monopoly when 99.9% of all deals go through eBay.
eBay is expensive, arrogant and has a crap interface - you can't change such basic things as the time zone: eBay @sstunnels are in Pacific so EVERYBODY stays on Pacific, and so on.
eBay is full of this stunningly arrogant crap.
eBay better hope that these numbers are ones hackers have managed to phish from outside ebay.
Under the strict PCI compliance schemes brought in, you are not allowed to store the CV2 (last 3 digits) number from the back of the card.
If they are storing this information, isn't the fine equivalent to £5,000 per breach - a cool £5 million / $10 million USD at a thousand users?
I do hope Mark Bruno was a fake person, else I would ask if he is satisfied that this stuff was repeated on El Reg?
I mean, offering his 3-digit number now just needs somebody who knows the other bits and was missing that. Congratulations!
all this information was stolen from morons who blindly enter their password/credit card info into any old email that happens to land their way. 99.9% of all ebay 'hacking' is simply this trick of phishing for your information.
I love it when morons get all uppity and blame everybody else when they're the ones who handed out their info to a fraudster with a pathetic-looking scam in the first place.
Yahoo superiority shifted to Google. MySpace superiority shifted to Facebook. eBay superiority shifted to ... watch this space (I hope so, their ethics are rotten).
Given that eBay allow low(ish) level access to their processes via details published on the developer.ebay.com site, I'm wondering whether there is an as yet undisclosed vulnerability in eBay systems that a group of people are able to exploit, allowing them to grab passwords or user details straight from eBay servers - all you need is the hash of the password, then you apply a brute force/dictionary attack on it. Hell, there might even be some kind of vulnerability route straight onto the database servers, totally avoiding their mid/front ends.
Given people have reportedly not used accounts for months only to find them hijacked, plus others who have changed their passwords regularly but have been hijacked, I'd say this is a distinct possibility.
If you knew how to do this, would you tell the world or keep it to yourselves for personal gain?
As for this list of over 1000 names and accounts details, this would likely have been collected 'on the sly' over a period of time via such hacks to avoid detection. The motives for publishing them though are indeed very peculiar.
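The comment above assumes that once you hold a password hash, a brute-force or dictionary attack is all that stands between you and the account. Whether that holds depends entirely on how the hash was produced. The following Python example is added here to illustrate that point; it is not code from the thread, from the article, or from eBay, and it says nothing about how eBay actually stored passwords. The user table, the wordlist and the two hashing schemes (unsalted MD5 versus per-user salted PBKDF2) are all constructed for the illustration.

```python
"""Dictionary attack on stolen password hashes: unsalted fast hash vs salted slow hash.

Added example with constructed data. Nothing here reflects any real site's scheme.
"""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed wordlist. A real attack would use a list of millions of entries.
WORDLIST: List[str] = ["password", "letmein", "ebay2007", "qwerty", "Tr0ub4dor&3", "summer07"]

# Assumed for illustration: iteration count for the slow hash. Production values
# are tuned to the hardware; the point is only that each guess costs this much work.
ITERATIONS = 50_000


def md5_hex(password: str) -> str:
    """Unsalted, fast hash: the scheme the attack in the comment assumes."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hex(password: str, salt: bytes) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


# Constructed "stolen" table of unsalted MD5 hashes. Hypothetical users, not real accounts.
UNSALTED_DB: Dict[str, str] = {
    "alice": md5_hex("letmein"),
    "bob": md5_hex("summer07"),
    "carol": md5_hex("correct horse battery staple"),  # not in the wordlist
}


def build_lookup(wordlist: List[str]) -> Dict[str, str]:
    """Hash every candidate exactly once. Because there is no salt, this single
    table can be reused against every user in the dump (and every future dump)."""
    return {md5_hex(w): w for w in wordlist}


def crack_unsalted(db: Dict[str, str], lookup: Dict[str, str]) -> Dict[str, Optional[str]]:
    """One dictionary lookup per user; no further hashing needed."""
    return {user: lookup.get(h) for user, h in db.items()}


def make_salted_db(creds: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    """Store (salt, hash) per user with a fresh random salt for each account."""
    db: Dict[str, Tuple[bytes, str]] = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        db[user] = (salt, pbkdf2_hex(pw, salt))
    return db


def crack_salted(db: Dict[str, Tuple[bytes, str]], wordlist: List[str]) -> Tuple[Dict[str, Optional[str]], int]:
    """No shared table is possible: each (user, candidate) pair costs a full PBKDF2 run.
    Returns the cracked passwords and the number of slow-hash evaluations spent."""
    results: Dict[str, Optional[str]] = {}
    work = 0
    for user, (salt, h) in db.items():
        results[user] = None
        for w in wordlist:
            work += 1
            if pbkdf2_hex(w, salt) == h:
                results[user] = w
                break
    return results, work


if __name__ == "__main__":
    lookup = build_lookup(WORDLIST)
    print("unsalted MD5: ", crack_unsalted(UNSALTED_DB, lookup), "after", len(lookup), "hashes total")
    salted = make_salted_db({"alice": "letmein", "bob": "summer07", "carol": "correct horse battery staple"})
    found, work = crack_salted(salted, WORDLIST)
    print("salted PBKDF2:", found, "after", work, "runs of", ITERATIONS, "iterations each")
```

Both schemes give up the two weak passwords, so the comment's reasoning is right as far as it goes: a leaked hash plus a wordlist recovers anything in the wordlist. The difference is cost. Against the unsalted table the attacker hashes the wordlist once and reuses the result for every account; against per-user salts every account restarts the work from zero, and the iteration count multiplies each guess by tens of thousands of operations, which is what makes a large dump impractical to crack wholesale.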
Might close my eBay account over this one. Just because there are 204 million users doesn't mean safety in numbers where the internet + scripting is involved.
We had someone blatantly selling our products on eBay (aftermarket Lotus Elise upgrades and "bits") - even linking to photos on our server - claiming to be a reseller of our products (we only sell our products and don't franchise) and offering the products at ~50% discount. Was pointed out to us via one of the Elise forums (some people thought it was happy hour - even though we pointed out from hour one this was a scam) - emailed fleabay - nothing - tracked the guys down ourselves - spoke to them on the phone - emailed fleabay multiple times proving the products were ours / that photos were hosted on our server / that the address on the fake account was a mail drop.
Net result?? We were asked to fill out multiple forms and got no help while the "Buy Now"s were left to run - in the end we set up multiple fake accounts and "bought" everything ourselves, with the help of others on the forums that had *cough* test *cough* accounts, and changed all the relevant pictures on our server to .jpgs informing people the auction was a scam.
The only people that were remotely interested in the whole episode were Lloyds TSB, who were the bank that users were offered as a way of paying by direct bank transfer. Our local plod and the plod from the region the scammers were from told us that as we were not directly affected as a company financially there was nothing they could or would do.
Then fleabay had the gall to send us "how was your experience with our fraud protection team" type questionnaires - I wasn't allowed by my boss to respond in an appropriate way.
Fraud protection my skinny white arse - as long as they get listing / final value fees they don't give a flying recreational intercourse about their users.
This was clearly a hack and not phishing. These people coming out claiming so strongly that it was not eBay's fault, no hacking occurred and it was members fault for giving info by way of somebody phishing are clearly closely attached to eBay and trying the denial routine.
Just look at this....
Explain how phishing could obtain the full names, user IDs and passwords of eBay staff, lock the staffers out of the forums and go whoopee posting members' account and CC details at a rate of greater than 20 per minute, and make posts using the actual user IDs of eBay forum moderators and lock them out for 90 minutes?
Phishing?? Do you believe in fairies too. This was clearly a hack. Time to sell your eBay shares, value soon to plummet.
Of course it was phishing. What do the images prove? Anybody could write down some random usernames, passwords and made-up names and emails in a spreadsheet. It is just kiddies obtaining credentials from clueless users. The eBay application is solid as a rock. eBay application developers rock too. No way in, no way out! Come and get it if you can!
All too often I see people say 'no way was it hacking, it's silly users'. In all fairness, only the culprit and eBay know the truth. People can show images all they like - be they real or doctored. The point is 1200 is a pretty good bounceback from a phishing email sent to maybe 300-400k users. This to me says phishing. HOWEVER. The fact of the forum where it was posted, the method and rate of the posting and the circumstances around it (mods and staff locked out) suggest that it was a hacking and not just a phishing.
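Whatever the root cause, the two comments above agree on the observable signals: a single account posting faster than any human types (the earlier post says more than 20 per minute), and post bodies carrying card numbers. Those are exactly the things a forum operator can alert on without knowing anything about the intrusion. The Python below is an added example of that detection logic; it is not from the thread, the article or eBay, and it runs over a small constructed post feed. The 20-per-minute threshold, the 60-second window, the field names and the test card number 4111 1111 1111 1111 (a standard Luhn-valid test value, not a real card) are all assumptions made for the illustration.

```python
"""Triage a forum post feed for two signals: posting bursts and card numbers in bodies.

Added example with a constructed feed. Thresholds and field names are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

RATE_THRESHOLD = 20          # posts inside one window; assumed limit no human typist sustains
WINDOW = timedelta(seconds=60)
# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every major card brand's PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pans_in(text: str) -> List[str]:
    """Digit runs that look like card numbers and pass Luhn; separators stripped."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def triage(posts: List[Dict[str, str]], threshold: int = RATE_THRESHOLD, window: timedelta = WINDOW) -> Dict[str, List[str]]:
    """Sliding-window post count per account plus a PAN scan of every body.
    Returns {user: [reason, ...]} for accounts that tripped at least one signal."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: Dict[str, List[str]] = defaultdict(list)
    for p in sorted(posts, key=lambda x: x["ts"]):      # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(p["ts"])
        user = p["user"]
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:                      # drop posts older than the window
            q.popleft()
        already_flagged = any(r.startswith("burst") for r in alerts.get(user, []))
        if len(q) > threshold and not already_flagged:
            alerts[user].append(f"burst:{len(q)}posts@{p['ts']}")
        for pan in pans_in(p["body"]):
            alerts[user].append(f"pan:{pan[:6]}...{pan[-4:]}@{p['ts']}")   # mask before logging
    return dict(alerts)


def _constructed_feed() -> List[Dict[str, str]]:
    """Constructed sample: 25 posts in 48 seconds from one account, five carrying a test PAN,
    plus ordinary traffic from two other accounts."""
    base = datetime(2007, 9, 25, 14, 0, 0)
    feed = []
    for i in range(25):
        body = f"user{i} addr: 1 Example St"
        if i % 5 == 0:
            body += " card 4111 1111 1111 1111 cvv 123"
        feed.append({"ts": (base + timedelta(seconds=2 * i)).isoformat(), "user": "mod_account", "body": body})
    feed += [
        {"ts": (base + timedelta(seconds=10)).isoformat(), "user": "human_a", "body": "has anyone else seen this?"},
        {"ts": (base + timedelta(minutes=3)).isoformat(), "user": "human_a", "body": "my order number is 123456789012"},
        {"ts": (base + timedelta(minutes=4)).isoformat(), "user": "human_b", "body": "phone 555 0100"},
    ]
    return feed


SAMPLE_FEED = _constructed_feed()

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_FEED).items():
        print(user)
        for r in reasons:
            print("  ", r)
```

The rate signal fires on the 21st post inside the window and is reported once per account; the PAN signal fires per post and masks the number before it reaches a log. A 12-digit order number and a phone number in the ordinary traffic do not match, which is why the Luhn check is paired with the length bound rather than matching on digits alone. Neither signal says whether the credentials came from phishing or from a breach, but either one would have been enough to pull the posting account within the first minute.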
So what bothers me about all of this reporting is that surely the reporters know that the presence of CVV and other indicators shows this is about people giving up their information to "phishers" because they are stupid. With all the warnings out there we constantly see customers on our financial site giving up their information whenever they are asked apparently.
They then get frustrated when their accounts are compromised, and then they fix the PW with the company and they get compromised again. Why? Because these people have the same password for their email account that they do for their financial account, and the fraudsters know this. So they go through password change processes and the bad guys play along and get the new passwords too.
Alternatively little mom and pop ISPs will have their mail servers compromised and changing passwords on your account does no good because the BGs are now reading your emails. Several more reasons I am sure you are all aware of.
Anyhow my point is the tech media is not helpful when they publish this garbage and leave out important facts that could calm the public down. Why? Well obviously they want the exposure and sensationalism.
Why is the media not sitting down with experts and writing the easy stories that would show the public how to protect themselves? Not as exciting.
Anyhow after having helped put a few of these dirtbags in jail it is painfully obvious that they are winning because our media would rather raise a false alarm, worry the public and create sensational scary stories than help be part of the solution.
So now this fool in Bucharest or the Ukraine, wherever he may be, gets the attention he craves but does not deserve with these stories.
The guy is pardon the pun a talentless hack that has done nothing of great imagination and will continue to do so as long as the stories are written in a way to make him look like a super box breaker.
For Ashley, waaaay back up there:
The website that was updating the lists of IDs people captured off of eBay was http ://www.shenemanfamily.com/ comp.html. [Just delete the spaces]. However, these are only the IDs people managed to capture. Some of the posts were made and pulled early and did not get captured, and the hacker was interrupted by the temporary closure of the Trust & Safety Board, so there may be additional IDs he was prepared to post and couldn't. Not finding yourself on the list is not a guarantee that your account is secure.
Here's what I would like to know more about: one person on the Seller Central Board at eBay and one poster to the Yahoo eBay finance discussion board have stated that the list repeated two or possibly three times. I didn't see enough pages to tell. Could anyone verify that?