1. Buyer found a car with a Kelley Blue Book Value of $9,970 listed on Craigslist for $2980. (This price with free shipping—too good to be true?)

2. Buyer contacts seller through Craigslist.
3. Seller e-mails buyer and pretends this will be an eBay transaction through eBay Safe Pay Insurer (there is no such program).

4. Seller sends buyer spoofed, or fake, eBay Purchase Protection Membership and seller “certification”—claims coverage up to $20,000.

5. Seller sends another spoofed but official-looking document specifying transaction conditions from the eBay “Vehicle Purchase Protection Department” which does not exist.

6. Seller sends spoofed “eBay payment instructions” and buyer is required to pay immediately with MoneyGram (Instructions contradict eBay policies- MoneyGram is banned on eBay.com)

7. Buyer pays with MoneyGram but doesn’t receive car and is out $2980.
8. Buyer brings complaint to eBay and law enforcement.
9. Buyer is not eligible for eBay Vehicle Purchase Protection Program (VPP) because it was not an eBay listing and eBay does not cover transactions off eBay.

Here are some tips that would have helped the buyer avoid her loss:
• Consider buying on eBay; we have the PayPal Buyer Protection Program and also a Vehicle Purchase Protection Program specifically for eBay Motors. See more tips from eBay Motors at http://www.motors.ebay.com.
• When buying on eBay, look at seller’s ratings and reputation.
• If you are shopping on Craigslist, follow its safety tips: http://www.craigslist.org/about/scams. If you are shopping on eBay, don’t be lured off of the safe confines of the site to complete transactions.
• Research the item as far as model, price, book value etc., read description carefully and look for the eBay VPP if you are buying on eBay Motors.
• Be sure that requests for payment come through eBay channels and are in keeping with eBay policies.
• Never use Western Union, MoneyGram or wire transfer services because they leave you exposed to fraud and with little recourse. You are automatically covered by the eBay VPP for all eligible listings on eBay Motors.

Please see the warning message posted on the eBay Trust and Safety Community Message Boards.

Thanks and have a safe and happy holiday!

- Rich LaMagna
Online Safety Advisor, eBay

UPDATED 1/6/2009

Hi Everyone,
I hope that you have all enjoyed a pleasant holiday and wish you a safe and prosperous New Year!

I’d like to address some comments and emphasize that my goal is to provide information and advice to allow eBay customers to make informed decisions and have a safer online experience. I am a paid consultant to eBay and not an eBay employee. While I fully support and agree with eBay and PayPal policies, my job is to promote online safety.

As for the suggestion that I need to get out into the world more—during 28 years of federal law enforcement experience and almost 10 years in the security field in the private sector, I’ve lived and worked in four different countries and traveled to about another 30 on business; I also try to keep up with the latest in online safety issues. Here are a few points I’d like to make:

Although @Laura Greenfield’s question pertained to bank and wire transfers I’d like to address other payment forms since they were also raised.

Some people indicated that they often use money transfer services or bank wire transfers as sellers and have had no problem from regular corporate clients and wholesale customers. Granted that the risk is greater for the buyer than the seller and dealing with known clients does reduce some risk. However, suppose the buyer makes a claim that the item was not received or otherwise flawed? For both buyers and sellers, taking the transaction off eBay leaves you with few protections and options. This could also result in a dissatisfied buyer, who might leave negative feedback which is harmful to your DSRs. Why risk it? I recently attend an industry meeting where a Western Union security official stated that he does not recommend their service for payments to other than known and trusted individuals.

If you use PayPal, the buyer is protected for the full purchase price of the item plus shipping costs on eligible transactions? The seller is protected for unauthorized payments and “Item Not Received” claims. Credit card companies also offer recourse and protection that bank and wire transfers do not offer. That is another reason why wire transfers are no longer legal on eBay. Buyers expect safe, convenient and fast transactions, which PayPal and other online payment services offer– there is a good reason why 90% of eBay shoppers prefer online payment services, as do most eCommerce buyers.

I’ve done bank wire transfers for my own business and they are costly and inconvenient—I’ve wasted valuable time sitting in front of a bank employee doing a wire transfer which often takes 24 hours to complete. Recently, I had to go back to the bank a second time because they made an error on the transaction and the recipient had to wait another 24 hours for the money. As for trusting PayPal, as a buyer, I recently filed claims with PayPal on items and services that were not as described—they responded immediately and I had my money back within 12 hours.

Here is what Western Union and the Federal Trade Commission say on their sites about money and wire transfers as well as other payment methods:

Western Union

Remember, Western Union recommends against using the Western Union Money Transfer® service to pay for online auction purchases. It is important to note that Western Union does not offer any type of purchase protection or escrow service and is not responsible for the nonreceipt
or quality of goods or services.

Federal Trade Commission(OnGuardOnline.gov)

Carefully consider your method of payment. Don’t send cash, and don’t use a money wiring service. To protect both buyers and sellers, some auction sites now prohibit the use of wire transfers as a method of payment.

Online Payment Services. Online payment services are popular with both buyers and sellers. They allow buyers to use a credit card or electronic bank transfer to pay sellers. They also may protect buyers from unlawful use of their credit cards or bank accounts because the online payment service holds the account information, not the seller. Many sellers prefer online payment services because the services tend to provide more security than, say, personal checks.

Wire Transfers. The FTC recommends that buyers not wire money (via a money transmitter or directly to a seller’s bank account). …..In fact, to protect both buyers and sellers, some auction sites now prohibit the use of wire transfers as a method of payment.

Finally, I’d like to address the issue of personal checks:
• Checks can easily use a forged signature
• Checks can be easily written when there are insufficient funds in the account
• Bank accounts can be opened in bogus names (see identity theft)
• Checks contain personal information that should only be given to trusted merchants
• Banks will not make good on bad checks and will charge fees
• Checks take longer to clear
• Checks on foreign currencies take very long to clear and require fees

Frankly, as a buyer, seller and business person, I can’t imagine why anyone wouldn’t want to use PayPal or another approved electronic payment method.

To file a complaint with the Federal Trade Commission go to FTC.gov.

Thanks for your comments and Happy New Year!

Rich LaMagna
Online Safety Advisor

Two more General Announcements went up today that caught my eye…

***A Message from John Canfield: Update on our Fraud Prevention Efforts***
John Canfield, Senior Director of eBay’s Trust & Safety team, made an AB post earlier today updating folks on eBay fraud prevention efforts. On the whole, the post makes for a one-stop repository of all things related to fraud prevention on eBay (I count over 12 links to various best-practices, FAQs and announcements) and think it would be worthwhile for folks to bookmark the post for future reference when faced with a question or concern related to fraud and/or T&S.

I had written about the anti-phishing partnership with Google at the beginning of this month and received a seemingly straightforward solution to email phishing right off the bat from Henrietta:

The simplest, safest and most secure way to put an end to PayPal phishing would be for PayPal to cease putting clickable links in emails. Any customer communication requiring input from customers should be on the secure site: “You have a message from PayPal which requires response, please log in to your account to access it.”

I think John’s team should be applauded for all their efforts in helping fight for trust and safety on the site. Having said that, Andy Geldman of The Auction Software Review had this to say on the subject of Phishing overall when responding to our earlier post on Ink, and it’s pretty right on:

Phishing detection, like Spam detection, is an inexact discipline. There is always the risk of false positives… as well some malicious emails failing to get caught. It’s been a long time since Bill Gates predicted the death of spam (he said in 2004 it would be eradicated by 2006!), but a proper technology-based solution is still nowhere in sight. So come on technology companies, give us a modern email system!

***Coming Soon — Category Changes***
August certainly promises to be a busy month for folks on eBay.com. The category structure will be updated in mid-August and will contain:

“some significant changes for Jewelry & Watches and Electronics, as well as many additions to Antiques, Entertainment Memorabilia, and Clothing, Shoes & Accessories. If you sell in these areas, please be sure to take a look at the new category structure on Seller Central here. In many cases, coordinating Item Specifics updates will also be made.”

This post comes just a few days after last week’s tease of changes to Jewelry and Media categories.

I’m scheduled to travel to UK and Germany next month to blog directly from the different regions… Something tells me I’ll have a lot to write about whether or not I meet with folks while I’m there!

Cheers,
RBH

The press conference was an opportunity for eBay to publicly commend and thank the dedication and hard work of Romanian law enforcement in helping bring Vlad to justice.

Following the press conference, I was fortunate to get some time on the phone with Dave Cullinane and his team of security experts to discuss the arrest further. Unfortunately, because the Romanian authorities leading the prosecution have not finalized charges, I was unable to address specific allegations. However, I do plan on pursuing further when that time comes.

I was impressed to learn the extent to which the investigation stretched across many different agencies in different geographies. Dave explained that the arrest was due to a formalized collaboration between eBay and the Romanian General Directorate for Combating Organized Crime, the DIICOT and in cooperation with the US Secret Service and the FBI. In addition to those police agencies, authorities in Romania and the US Department of Justice played significant roles in gathering electronic evidence across multiple jurisdictions.

The eBay Fraud Investigations, Information Security, and Legal teams work in a cross-functional, global capacity and have a current headcount of 50 specialists that have formalized relationships with crime and investigation agencies both in the US and abroad to help investigate cases such as this. Given the intricacies of the relationships formed, I would think that the multi-year investigation, and subsequent arrest, will make for an excellent case study in cybercrime detection – and one that eBay can build upon for future cases.

Cheers,
RBH

“We are delighted that Vladuz is in custody thanks to the hard work of Romanian law enforcement,” said eBay’s CISO Chief Information Security Officer, Dave Cullinane, in a formal statement made here.

I’ll update this page as I receive any further information regarding the arrest.

Cheers,
RBH

In the announcement, John talked about a common fraud practice in which individuals access another user’s account and set up listings in that person’s name. He said, “they gain this access often through a phishing email that convinces an unsuspecting member to click a link and enter their User ID and password.”

We all know that the threat of identity fraud is with us all the time (I’ve received 9 such attempts in the first week of eBay Ink going live). However, I’m glad I read the message from John before clicking on all of my email earlier this morning because the latest attempt sent my way was yesterday, and I almost clicked on the link this time around.

He went on to say that “to protect the Community against this type of fraud, beginning today, eBay will start noting which computers members typically use to conduct their buying and selling activity. After our data collection phase, sometime in June eBay will begin verifying our sellers when they list an item to ensure they are logging in from the same machines they have successfully used previously – usually a home or business computer.”

This new level of security / identity confirmation process is only going to be applied to the seller side of the transaction to begin with. If you are a seller, and you attempt to list an item from a different computer, eBay will make an automated call to the phone number you have registered to confirm it is really you. They may also prompt you to verify your identity in other ways.

I think its obviously beneficial that we continue to improve secure and safe transactions but what if my account is registered with my home phone number but I’m trying to list an item from a library or hotel PC (as is the example given in John’s message)? Do I need to be able to answer the phone directly in order to proceed?

From what I can tell, the answer is yes. John recommended that all sellers should register their cell phone or mobile device as a secondary phone number so that you can be reached wherever you may be attempting to complete a listing. I realize nearly everyone has a cell phone these days, but I’m pretty sure this means that those without a cell phone will only be to able to make a listing from a) one location and/or b) the same PC. Is this where Skype comes into play?

Are there sellers out there that fall into this category? How would this change the way you list items? Would it?

If you check out the message from John, you’ll see some quick recommended steps to help with this new security initiative. There will also be a workshop about Trusted Selling with Identity Confirmation on May 6 in which the security team will be taking member questions.

For now, I’ll continue to view and open any emails from unknown sources with a due sense of scrutiny.

Cheers,
RBH