Monday, April 14th, 2008
A timely message from John Canfield
A message from John Canfield, Senior Director for Trust & Safety policy management, went up on the General Announcements board earlier today, talking about a newly launched safety initiative.
In the announcement, John talked about a common fraud practice in which individuals access another user’s account and set up listings in that person’s name. He said, “they gain this access often through a phishing email that convinces an unsuspecting member to click a link and enter their User ID and password.”
We all know that the threat of identity fraud is with us all the time (I’ve received 9 such attempts in the first week of eBay Ink going live). However, I’m glad I read the message from John before clicking on all of my email earlier this morning because the latest attempt sent my way was yesterday, and I almost clicked on the link this time around.
He went on to say that “to protect the Community against this type of fraud, beginning today, eBay will start noting which computers members typically use to conduct their buying and selling activity. After our data collection phase, sometime in June eBay will begin verifying our sellers when they list an item to ensure they are logging in from the same machines they have successfully used previously – usually a home or business computer.”
This new level of security / identity confirmation process is only going to be applied to the seller side of the transaction to begin with. If you are a seller, and you attempt to list an item from a different computer, eBay will make an automated call to the phone number you have registered to confirm it is really you. They may also prompt you to verify your identity in other ways.
I think it’s obviously beneficial that we continue to improve secure and safe transactions, but what if my account is registered with my home phone number but I’m trying to list an item from a library or hotel PC (as is the example given in John’s message)? Do I need to be able to answer the phone directly in order to proceed?
From what I can tell, the answer is yes. John recommended that all sellers should register their cell phone or mobile device as a secondary phone number so that you can be reached wherever you may be attempting to complete a listing. I realize nearly everyone has a cell phone these days, but I’m pretty sure this means that those without a cell phone will only be able to make a listing from a) one location and/or b) the same PC. Is this where Skype comes into play?
Are there sellers out there that fall into this category? How would this change the way you list items? Would it?
If you check out the message from John, you’ll see some quick recommended steps to help with this new security initiative. There will also be a workshop about Trusted Selling with Identity Confirmation on May 6 in which the security team will be taking member questions.
For now, I’ll continue to view and open any emails from unknown sources with a due sense of scrutiny.
Cheers,
RBH
Sandi On 04.14.2008 at 6:07 pm Said:
This is a good thing, but
“Is this where Skype comes into play?”
Oh no - when I read that I thought, here ebay is actually doing something good to protect its users then I read that and think uh oh and envision next ebay will be making Skype a seller requirement
Question though - how will they protect when a seller’s account is hacked and the fraudulent scammer only revises listings?
Patricia 1 On 04.14.2008 at 6:39 pm Said:
“He went on to say that “to protect the Community against this type of fraud, beginning today, eBay will start noting which computers members typically use to conduct their buying and selling activity. After our data collection phase, sometime in June eBay will begin verifying our sellers when they list an item to ensure they are logging in from the same machines they have successfully used previously – usually a home or business computer.”
Maybe it’s just me and I don’t really understand. I have three computers in my house. One on DSL, one on cable and a backup on dialup. I can list from any of these computers now…so what are they saying? That I have to list from only one computer all the time? I don’t think I’m alone in having more than one computer/ISP in my home. Right now all I have to do is put my name and password into any of them and I can list away.
If they want to do away with scammers getting account information thru phishing - then they should start educating users. And ebay should NEVER send out an email with any kind of links in it. They still do!!! The answer to stopping account takeover thru phishing is NOT in restricting sellers from doing their work but by educating them! There’s no excuse - ebay sends out mass emails for stupid things and many of them contain links - why not emails reinforcing the fact that nobody should click on a link within an email! Too simple???
permacrisis On 04.14.2008 at 7:25 pm Said:
I used multiple computers for many years, but would have picked the fastest one if forced to choose.
This measure could really kill off fraud for good, and I welcome it with open arms provided it supersedes some of the dumber, older security ideas - like SMI.
(nothing personal Rob Chestnut)
Dawn On 04.14.2008 at 8:22 pm Said:
This is a step in the right direction, but there are several major drawbacks:
1. A scammer who knows about this new policy can easily change the phone number on the hacked account to his own before creating fraudulent listings.
2. What steps will be taken to serve the hearing impaired, who are unable to verify their activity by telephone?
3. Will people who do not have a cell phone, or other alternate number that can be used while listing away from home, be able to verify their activity in some other way?
4. What about ISPs that assign a different IP address for each session, or those that change the IP address each time the modem is rebooted?
5. How will listings submitted through a listing service like Auctiva be handled?
Hopefully, these questions, as well as others I’ve surely forgotten to mention, will be addressed at the workshop.
Patricia 1 On 04.14.2008 at 8:27 pm Said:
Number 4 bothers me. I know my IP changes on my DSL line and that is the computer I use the most. I’ll have to see this in action but I have doubts about it.
Davey On 04.14.2008 at 10:13 pm Said:
It will be interesting to see how they make this work with managing IPs/MAC address logging/cookies. Also interesting will be the interface with third-party services as mentioned.
I’m wondering why a key device approach like Paypal’s was not considered or tried. This requires physical possession of the device as well as the password, and the device can travel easily.
If the scheme works, great. This will eliminate more fraud on the part of hijacked seller accounts. That can’t be bad for buyers at all.
Now, let’s hear how this team plans to tackle the big one–verification of buyers!
Davey On 04.14.2008 at 10:14 pm Said:
The fact that eBay has a past history of releasing code that’s buggier than heck, BTW, does not inspire confidence. Let’s hope that they launch it against higher-risk IP blocks first to see if it works.
Scott @ TradingAssistantJournal On 04.14.2008 at 11:52 pm Said:
This is not a good thing for trading assistants or people who make a living by managing other businesses’ eBay accounts online.
We use web based listing software like Auction-Logic because the software allows us to manage multiple accounts on-site or from any location in the world.
If eBay will limit this ability because we use a different internet connection and/or computer than our clients do… And if eBay T&S only uses a phone confirmation method, I can see my management business will have a difficult time maintaining our ability to help our customers with their listings. We make sure our customers have their own accounts with eBay and Paypal and we do not have our own telephone numbers listed as contacts for either. What will happen when sellers use Wi-Fi internet cards on Laptops? Those are different connections everywhere you go.
Many corporate intranets use key code identifiers to grant access to sensitive data, possibly eBay could look into this option?
I mean, even without a business model such as I describe above, which I admit is a rare instance in the eBay world… Many eBay sellers run their businesses from multiple computers at multiple locations around the world. What happens when someone happens to buy a new computer? Will they have to clear it and themselves before checking their my eBay console?
Just some food for thought…
Security is good, but as the VERO and T&S issues have shown, eBay presumes the guilt of its members and shuts them down before ever asking a question.
What if an eBay seller has 8500 items listed and tries to sign into his/her account from a trip to New Zealand on a hotel computer… Will Trust and Safety shut down that account and cancel all of the live listings because the seller was not at home to answer the confirmation call? A mistake like that is well within eBay’s realm of possibility as it has happened to multiple sellers in the past and the lost listing fees and customer revenue would not be a concern to eBay. The poor seller could do nothing until they return from holiday because eBay has no customer service department to speak of, and they just put a seller out of business in the name of security.
When a simple unverified VERO complaint can cause this type of situation, who says logging in from an “unverified” computer would not do the same?
Be very careful with this policy eBay, it sounds like good intentions, but could go horribly astray.
Sandi On 04.15.2008 at 12:33 am Said:
“Number 4 bothers me. I know my IP changes on my DSL line and that is the computer I use the most. I’ll have to see this in action but I have doubts about it.”
Most ISPs who do that have a block of IPs assigned to them. It is fairly easy to tell you are still the same person.
As an example my company owns multiple servers, we have blocks of IPs that are assigned to us, and recorded as being used by us.
Internet providers are just the same as all IPs are regulated and recorded.
Additionally, they would be recording all your IPs, so there would be a record of your dial up service, cable modem, etc. The only time it would be an issue is if you moved and had 3 all new IPs - then it would require a one time call.
Additionally many computers leave a trail, e.g. computer name if you configured your windows as direct when you got it, the default, etc. There is a great deal of data readily available to ebay, it should not be a problem for you.
This is really a very good thing, actually the best out of all the things ebay has done (most bordering on ridiculous) - this one is actually logical and actually does curb fraud on the site.
I would hope the new phone number and new IP address would raise flags and have a system in place before implemented. That is a good catch on a possible flaw. Especially with the invention of throw away cell phones that are not traceable.
Today most hearing impaired have the capability of phones, I would hope ebay would already have the system for that population given their membership base. If not, shame on them.
Kevin_T On 04.15.2008 at 2:41 am Said:
“For now, I’ll continue to view and open any emails from unknown sources with a due sense of scrutiny.”
If using Outlook Express - Rather than opening emails that could possibly be suspect, right click and click on properties. This will often reveal in itself that the email did not come from the source it purports to have come from. If not certain then click on details, and then “message Source” at the bottom. This allows you to read the message without enabling any malicious script which may be in an email.
Never enable the “viewing pane” which shows the email as soon as you click on it, as you can not stop from opening it, even when trying to delete it.
If looking at a link in an open email wave your cursor over it and check that it actually is the same as the link purports to be in the bar at the bottom.
There is probably much more, but even this should be in tutorials to help users stop being caught by phishing and trojan scripted emails.
Kind Regards, Kevin
Ben On 04.15.2008 at 3:13 am Said:
Surely a text message rather than a phone call might be a good idea especially if you were in a library.
They could text you a verification number to input to complete the listing.
Only the registered person would get it, if it was a voice call then the verification number would be read to you over the phone.
Ben
permacrisis On 04.15.2008 at 5:10 am Said:
Your computer has enough other tracking garbage in it (example: Tacoda profiling software) that ebay put there, I am pretty sure they’ll know it’s you.
I wonder how this will affect those who get a new computer.
Internetauctionnewsradio On 04.15.2008 at 5:29 am Said:
John Canfield’s announcement is truly a double edged sword. While I do agree that the effort to reduce hijacking is needed, the policy as described will be a real hardship for those conducting eBay educational courses. These courses are normally taught in a library, hotel meeting room, or school type environment. The announced security measures will make it difficult for those attendees to either create accounts or access their current accounts from these facilities.
I once instructed at an event where we signed up over 200 new users from a hotel. Within 48 hours 90% of the accounts were suspended because all the registrations came from the same IP address. (This was confirmed by eBay)
A much simpler solution might be the security key that eBay introduced last year for PayPal at eBayLive 2007. Simply provide the key to new users when they register. Yes, they might have to wait 5-10 days after registering on the site, but this would enable the user to access their account anywhere.
Concertposters.biz On 04.15.2008 at 11:02 am Said:
eBay can NOT be trusted with cell and mobile phone #’s they already regularly SPAM me with unwanted sales calls about my seller account on my land line. Now they get to double the spam on my cell phone too! Outrageous!
Sandi On 04.15.2008 at 2:54 pm Said:
Concertposters.biz, you do know you can set your marketing preferences not to get any calls/emails don’t you?
It is located in your my ebay, account preferences >> Notification Preferences