This weekend I got a long overdue new laptop and the difference in account set up was stark. I opened eBay on the new device, logged in and placed an order and it was business as usual. But when I logged in Google just about ever device I have started pinging with account alert warnings on computers and pop ups (and email alerts) on Android, warning me that a new device had logged into my account.
We’ve now been informed of over 20 eBay sellers who have lost money in the scam where sellers’ accounts have had their account compromised and their eBay PayPal payment email address changed on a few listings with low value but high sell through rates. Cases keep coming in and verified funds stolen are now in excess of £350,000 with an average loss of £16.9k.
eBay continue to direct sellers to PayPal to recover their stolen funds. PayPal continue to point out that the fraud happened on eBay and assert that eBay are responsible. The local Police are naturally unable to do much with a fraud of this nature and direct victims to Action Fraud who to date don’t appear to have taken up a single case. What’s needed is for the parties to come together with some joint action but eBay and PayPal won’t release information without a request from the Police and the Police and Action Fraud won’t investigate unless they already have a lead to chase up with contact details.
In the mean time it has to be questioned as to whose fault these scams are. Ultimately sellers are responsible for keeping their account log on details secure, but even a seller who changed their email, eBay and PayPal passwords one evening came in the next day to find more listings tampered with at 9am the next morning.
Unlike Google, eBay didn’t fire off any warnings that a new device had logged into my account when I fired up my new laptop. In fairness to eBay, perhaps they looked at my IP address and other identifying information to be confident that it was me, but in that case why did Google find it necessary to fire off a load of account alert warnings informing me a new device had logged into my account?
Not only should eBay be firing off account alert warnings when a new device logs in, but sellers would greatly appreciate the warning if their eBay PayPal payment email address is ever changed as a warning that the scam is in progress.
Ultimately their needs to be confidence by eBay sellers that eBay is a safe place to trade on. There is plenty of buyer protection to cover consumers if something goes wrong. eBay have recently announced enhanced seller protection for Top Rated Sellers if something goes wrong with a transaction but what use is that when a seller discovers that thousands of pounds have been stolen and eBay and PayPal jointly wash their hands of it (other than eBay refunding final value fees) and, at least as far as the impacted sellers are concerned, jointly take no action to attempt to recover the funds.
7 Responses
Said this right at the start…. Google do, my bank definately do it when i set upa new payment, even if i have used my security device to authorise it, they still send a confirmation email and text.
Ebay of course don’t give two hoots as they know they can hide behind the ebay – paypal ping pong blame game.
What. Is needed is a massive boycott of eBay but I guess that won’t happen
“In fairness to eBay, perhaps they looked at my IP address and other identifying information to be confident that it was me”
Problem with giving eBay this benefit of the doubt is eBay constantly re-prompts to sign-in again from the same device ID and IP throughout the day (sometimes 3-4 times in the same day, though I’m sure this varies).
~~~~~~~~~~~~~~~~~~~
Question for anyone involved with this: All reported fraud based on this exploit at this time appears to be in the UK.
Is there any reason sellers in the US (or elsewhere) should rest easy and believe that they could not fall victim to the same tactics and methods that these fraudster/s appear to be employing?
Here in the USA eBay’s stance is that these were all situations where someone exposed their user name and password to a scammer, or an untrustworthy employee.
That it is no different than if a scammer were to get a person’s credentials for any other online banking account, or online trading account, etc.
They are saying that when the scammer was supposedly able change the PayPal address, even after the eBay password had changed, that this was a case where the seller did not actually restore their own PayPal address in all of their listings.
They say that the key to protecting an eBay account is making sure a bad actor does not get ahold of your credentials.
In the case of letting employees work on your account, a seller can now use the recently released Multi User Account Access feature, which eBay launched at eBay open … at least in the USA. (I’m not sure if this is available world wide yet.)