eBay are to step up security, initially for sellers, by that you normally use for selling on eBay. Starting today they’ll build a database noting which computer you normally use for buying and selling, and in June will commence verifying sellers are logged in on their normal computer when listing items on eBay.
If you log in from a friend’s house, work computer or an Internet cafe it will trigger an automated phone call to your registered telephone number to confirm that it really is you about to list items. They also suggest that users start registering their mobile numbers as well as home/office numbers: if you miss the automated phone call you won’t be able to list.
The big question is what information will eBay collect? It’s unlikely that they’ll rely on cookies, as they are transient. However, whenever you use a browser your PC already leaks a lot of information, including IP address, Operating System, Browser, Screen Resolution, Colour Quality and Language. eBay don’t state if they’ll be gathering information not generally available, nor confirm/deny if they’ll install stealth software onto your PC.
Most websites already gather this data although it isn’t used to identify individuals. If you have your own website you’ll almost certainly be able to access this type of information in your analytics tools. eBay (for Featured and Anchor shops) also gathers this type of data.
This information is leaked in the “Browser Request” and it will be quite simple for eBay to compare saved data with the profile of the computer you’re currently using.
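A sketch of the comparison described above, added here as an illustration (it is not eBay's code and not part of the original article): the profile seen on the current request is scored against each profile saved for the account, and the listing attempt falls back to phone verification when none is close enough. The attribute weights, the 0.8 threshold, the /24 treatment of IPv4 addresses and all sample values are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Weights and threshold are assumptions for illustration only.
WEIGHTS = {"os": 3, "browser": 3, "screen": 2, "colour_depth": 1,
           "language": 2, "network": 1}
THRESHOLD = 0.8  # fraction of weighted attributes that must match

@dataclass(frozen=True)
class DeviceProfile:
    ip: str            # IPv4 source address of the request
    os: str
    browser: str
    screen: str        # e.g. "1024x768"
    colour_depth: int  # bits per pixel
    language: str

def _network(ip):
    # Compare on the /24 so a dynamically reassigned address in the
    # same pool does not count as a change of computer.
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def similarity(saved, current):
    """Weighted share of attributes on which two profiles agree (0.0-1.0)."""
    matched = 0
    for field, weight in WEIGHTS.items():
        if field == "network":
            same = _network(saved.ip) == _network(current.ip)
        else:
            same = getattr(saved, field) == getattr(current, field)
        if same:
            matched += weight
    return matched / sum(WEIGHTS.values())

def check_listing_attempt(known_devices, current):
    """Return 'allow' if any saved profile is close enough, else step up."""
    best = max((similarity(d, current) for d in known_devices), default=0.0)
    return "allow" if best >= THRESHOLD else "phone_verification"

# Constructed sample profiles (documentation-range IP addresses).
HOME = DeviceProfile("192.0.2.10", "Windows XP", "IE 7", "1024x768", 32, "en-GB")
HOME_NEW_IP = DeviceProfile("192.0.2.77", "Windows XP", "IE 7", "1024x768", 32, "en-GB")
CAFE = DeviceProfile("198.51.100.4", "Windows XP", "Firefox 2", "1280x1024", 32, "en-US")

if __name__ == "__main__":
    print(check_listing_attempt([HOME], HOME_NEW_IP))  # allow
    print(check_listing_attempt([HOME], CAFE))         # phone_verification
```

Every attribute scored here is sent to any site the browser visits, so a match is weak evidence on its own and is best treated as one signal among several.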
While eBay are introducing new safety initiatives they are yet to roll them out worldwide. We’re still waiting for and PayPal Security Keys to be available in the UK. It’s unclear if this new initiative will be implemented on eBay.com only, or across all eBay territories.
eBay don’t explain what will happen if you routinely use multiple PCs; many business sellers will already have several users accessing their eBay account. They also don’t explain what will happen when you purchase a new PC.
Many users are likely to be unhappy with eBay turned Big Brother. Should eBay be tracking when you go on holiday or are away from home? I’ll also be interested in the content of the automated calls eBay intend to make – how long will it be before someone discovers that their partner isn’t in the location they are supposed to be?
“If you log in from a friend’s house, work computer or an Internet cafe it will trigger an automated phone call to your registered telephone number to confirm that it really is you about to list items”
How can you answer the phone if you are out 🙄 I am all for security but surely there is a better way to check you are the registered account holder….mother’s name, 1st school, 1st girlfriend, favourite car etc etc………what a pile of donkey.
I think “how can you answer the phone if you’re out” is the big question here. Here’s a scenario:
I go to eBay Live to see eBay. I log into eBay on one of the PCs that eBay provide, to list another item on eBay. eBay spot that I’m in Chicago not France, they phone Mr Biddy and ask him if I’ve just listed something, he says “I doubt it, she’s at eBay Live”… and eBay do what? Cancel the listing? Suspend my account? Send the eBay police around to beat me with a feedback star?
Honestly, the whole thing seems as ill-thought-through as – oh, just about every other recent policy. It’s not that it’s a bad idea per se, it’s just that it’s intensely impractical. And yet again, I suspect that the people who have thought this up don’t actually use the site themselves.
I can’t even remember the last time I listed directly on eBay – and I guess a lot of users are the same. If you’re using a listing tool it’ll be a lot harder for eBay to check your PC compared to if you’re logged on and listing through a browser.
I am all for security but come on eBay, this is going to cause no end of problems.
Where I live 20% of the time I have no signal on my mobile phone, so if I am out and about and use a friend’s PC to list and eBay call chances are they will not get through and my account will be suspended. And can you imagine trying to get your account reactivated, and how long it could take. This needs a rethink I think.
And since this is now public, surely if your account is already hacked then the hacker will amend the contact numbers on file to their own 🙄 you have to wonder sometimes…you really do.
That’s one thing they’re unlikely to do Whirly… bit too easy to track someone down if they give a phone number out….
… oh I guess now I’ve said that they’ll be using PAYG or similar 🙄
And I don’t use a mobile, I hate them. So if I’m somewhere else at work for example (in my lunchbreak she hastily adds) or at my mother’s, and there is nobody at home what then?
Re multiple PCs for businesses, wouldn’t the IP addresses show the individual PCs to be on the same network? I do sometimes use my partner’s PC if there is a problem with mine.
Have ebay completely abandoned their “we’re only a venue” stance, or will they still trot that one out when it suits them?
I was locked out of eBay on Friday night / Saturday morning.
I logged into eBay using my new mobile phone within minutes of logging in on my PC.
About an hour later I got an email saying my password had been changed by eBay to something random as they suspected my account had been compromised.
To cut a long story short, the only people who could send me a new password was live support UK (I didn’t know they existed!)
Well no doubt it’s already decided so it’s just yet another hoop to jump through when it arrives, when it stops providing me with traffic that’s when I’ll stop jumping.
Ohh – you found the elusive Live Support UK did you?
If anyone else needs it it’s here
But they will only help with hijacked accounts, unlike Live help in the US who will help with a range of issues
‘If you’re using a listing tool it’ll be a lot harder for eBay to check your PC compared to if you’re logged on and listing through a browser.’
Turbo lister uses IE to list anyway and I’m sure the others upload through a web interface which could be fingerprinted just like a browser. Plus it’s easier for turbo lister to ‘fingerprint’ your computer than relying on a browser, it could check your cpu type, hd size, memory installed and send it to ebay.
‘oh I guess now I’ve said that they’ll be using PAYG or similar’
Ebay UK only allow landline numbers for the automation call, but still trivial for a determined fraudster to bypass.
What about dynamic IP addresses?
I can end up changing my IP address and clearing cookies many times in a day? What happens if one day I decide to list via my desktop PC and on another day list on my laptop using wifi, in somewhere like McDonalds???
I certainly won’t be giving out my mobile number, I receive far too much junk on email, post and landline already.
Another well thought out idea from Ebay Towers! Next we will all have to have webcams on live to ensure we look the same as when we first listed an item.
“Ebay UK only allow landline numbers for the automation call”
Oh dear, I’ve only ever given them a mobile number 😯
I’m not unhappy at all. If it makes eBay safer then do it. Who cares if I have to answer the rare call when I am travelling.
WTF, this should be a bundle of laughs here. 3 PCs, two phone lines, three potential ISPs all on dial up with dynamically allocated IP addresses, and how are they going to phone me when the PCs are using both phone lines on dial up.
This is plain and simple nuts. 😈
btw, the first link is broken.
anyway.. as a certain Michael Winner would say:
Calm down dears.
The security on eBay is so 1999. It’s good to see some improvements on the way. Keep your hair on until they break it.
I’d like to see something like the mastercard securecode, or verified by visa thing. I like that. There are a bunch of others, but I won’t bore you all.
Cheers Biggles, eBay appear to have pulled the announcement and reposted it so I’ve updated the link 🙂
Just another example of how out of touch the decision makers at ebay are with their sellers.
Just because you work in an office with your own dedicated PC doesn’t mean that everyone does.
Typical ‘one cap fits all’ approach.
It is another amazing piece of stupidity from ebay. Clearly very little or no thought has gone into how this will work in practice.
What I find strange is that they’re going to make security checks when you list an item for sale. Ok, hands up, how many people who’ve had their ebay account hacked have had items listed for sale by the perpetrator?
I’ve never thought that would be top of the list of things to do once you hack an account? Ok, I’ve gotten into XX’s account and now they’re going to pay. I’m going to list 1000’s of items for them!
I personally think this might have more to do with shill bidding and stopping that which would be a good thing in my humble opinion.
The way I read it eBay will verify you against a list of machines rather than just one?
Hey Ed, that’s right… but you’d have to use an awful lot for it not to spot a new config 🙁
They must be having more trouble with hijacked accounts than we realised.
Surely if they wanted to put IP addresses to good use they could prevent members NARUd for fraud etc. setting up again in different names and also when you block one member they should not be able to get round the block by using a different ID. To me that would solve quite a few of the problems they have got.
Then they could think this one through properly.
Providing, that ebay will still allow multiple PC access for companies that have more than one pc, then I don’t see the problem. Yes it may cause some inconvenience, when traveling, but if it increases the site security then I’m afraid it’s almost inevitable.
Stuff changes, full stop. We used to all leave our front doors open and know the names of all our neighbors, we used to throw our bank statements away in the rubbish, we used to be able to take “Value Bumper Packs” of suntan lotion on the plane. But developments in criminal activity changed the way we behaved in those circumstances. Locked doors, shredding, little crappy bottles of shampoo etc are now the norm. So we should all take a chill pill, and breathe, in 6 months time, we won’t even be talking about it.
We will indeed be verifying sellers against a number of PCs, and not just one.
I take the points of many of the people above who have mentioned specific situations where this may cause inconvenience, but I think Jade has summed it up well – it’s a necessary step.
Perhaps the answer for when the computer doesn’t match with the information that eBay have garnered previously is for the logging in sequence to be more complex, with a variety of pre-set replies to be answered, in a similar way to the log in sequences used by banks.
Hopefully, the computer information would be dynamic so that as new machines are used they can be logged as occasional usage and not trigger the verification process.
For anyone that wonders how a PC can be profiled take a look at https://www.danasoft.com/ for a quick example.
If ebay only use the information danasoft’s showing there, ie. the information available from any HTTP GET request, then it’s pretty pointless, why?
Because I’d guess that most hacked accounts come from phishing sites, which get exactly the same information from your browser. So they can easily log it with the user id and password to use later, easily defeating ebay security.
Maybe ebay could issue all of us with PIN sentry devices like the banks use. That would increase security.
Richard, thanks for your comments. I agree that increased security is a good thing. Are you really telling us though that criminals who hack accounts then list items? I just don’t buy that. There has to be another reason for doing this. It cannot be about verifying sellers who are listing items.
It could also be to identify what other accounts had been used from a computer, for example, if one account was being used fraudulently to identify other accounts that the same person was using or new accounts linked to them when they set them up.
It’s almost certainly being used against shill bidders and known fraudulent accounts right now, Super Max. The new part of this is the active verification, not what’s being done (IMHO, obviously).
Andy: hack accounts then list items
It does happen. Fake SCOs is undoubtedly less effort though.
Hey Andy – PIN Sentry devices? You mean like the damn PayPal security token that I picked up at eBay live! last June and still can’t use on PayPal or eBay because they’ve not implemented it in the UK?
It would be perfect for verifying that I am I when I logged in from a different PC… but ONLY if they let me use it. Hell by the time they implement it the battery will be dead 🙁
Yes Chris, but sadly we don’t all get to go to ebay Live and get nifty devices. 😆
I wouldn’t mind paying for one if the darn things were useable. They don’t cost much 🙂
Well The Chatter (Don’t you just love those guys 😀 ) has some more information on how it’ll work.
“Q: How will you track which computer I’m using?
A: We generate a unique ID that identifies the computer you’ve used to connect to eBay. This unique ID is stored on your computer using cookies and Flash objects so that the next time you visit eBay, we’re able to confirm that you’re using the same computer.
This unique ID doesn’t include any personal information, such as your email address or eBay transactions, and won’t be shared with anyone else.”
There’s a ton more info re the phone calls and multiple PC use and it’s well worth a read.