It is becoming clear that eBay are contacting sellers who are victims of the changed PayPal address on their listings resulting in funds being diverted to scammers. We have now identified some three dozen sellers who between them have lost over £600,000. These are really significant sums for the sellers who have been scammed on eBay and we have no idea how many more may have been impacted. Some may not have come forward whilst others may not even have discovered the losses yet.
We believe that eBay could be assisting sellers more, whilst they are contacting sellers they are generally forcing a password change and delinking PayPal accounts. Delinking the genuine PayPal account does nothing other than mean eBay bills can’t be automatically paid until the account is relinked. What eBay haven’t been spelling out in initial contacts is that the problem is with PayPal addresses in individual listings. However they appear to be forcing sellers to telephone after the password reset and in some instances have been trying to reach sellers by telephone. eBay also appear to continue to refund fees for transactions where the funds were stolen.
The good news is that with eBay actively contacting sellers that we should soon stop hearing of new cases and whilst this is a crippling impact for sellers who have been scammed on eBay, when you consider that there are 200,000 businesses trading on eBay the number of sellers impacted is relatively low.
The bad news is that eBay are still telling sellers to contact PayPal to recover funds. PayPal shrug and point out that the fraud took place on eBay. Both suggest contacting the police who direct sellers to Action Fraud who some say is misnamed as they haven’t taken any action whatsover on cases reported to them.
How to protect your account from being scammed on eBay
Today we wanted to share the steps we believe will best protect your eBay account.
eBay 2-Step Verification
eBay have been clear in the short comments they have made that they are recommending the use of 2-step verification. 2-step verification involves sending a one time code to your mobile as a text message or a notification in the eBay app every time you log into eBay.
The issue with 2-step verification is that only the owner of the mobile gets the one time codes and in many businesses multiple people need access to the eBay account. There is a fudge where once the notification has been sent you can ignore it and request a follow up via email which is accessible to anyone with access to the email address registered on the eBay account. If you give employees access to this email address then as many people as you like can access the account through 2-step verification, although that does ask how effective it is in the first place and means you need to ensure your email account is never compromised.
We’ve set out eBay 2-Step Verification set up instructions here.
Business Policies
Advice from eBay customer support to some sellers has been to bulk edit their listings on a daily basis to ensure that the PayPal address is reset to the correct one. Apart from this advice being a bit barmy as you will then never know if a hacker is changing it back five minutes later, if you have thousands of listings it’ll take forever editing just 500 listings at a time.
A better solution is to use eBay Business Policies and check them daily to ensure that the only payment policies are the ones you’ve set. Most sellers will only need a single payment policy as they’ll only ever use one PayPal email payment address. Those who also have a PayPal micro-payments account might need two payment policies, but it will still be easy to see if a third or fourth has been created by a hacker.
If you haven’t opted in to Business Policies previously, when you opt in eBay already create payment, shipping and returns policies in the background each time an item is listed for sale. These remain hidden until you opt in to eBay Business Policies at which point they become available for you to manage. You’ll see a policy for each set of payment, shipping and returns terms that you’ve used recently and the first one to check is how many payment policies appear – if there are more than you are expecting then you’re being scammed on eBay and you’ll want to look more closely. If you see two payment policies that look identical, remember that hackers have been swapping an ‘l’ for an ‘I’ (lower case ‘L’, upper case ‘i’) as they look identical.
You can opt in to use eBay Business Policies here
40 Responses
I have a friend who works for a very large IT company, which provides support for lots of VERY large internet companies, the likes of eBay.
He said that if a scammer worked for an Internet Provider, it is possible for him to gain remote access to a person’s computer directly via their internet connection.
Because of this, it would not matter if the eBay Seller changed their eBay password every day or even every hour. It would not matter if they signed up for 2 step identification.
The fact that £600,000 or more in losses have already occurred suggests that this is not a lone hacker behind the fraud, rather possibly a crime syndicate.
The fact that is it currently APPARENTLY only happening in Britain, could mean that all of the victims are using the same Internet Provider(s).
It is unconscionable there is not someone investigating this line of possibility. If Action Fraud in not the correct agency … does not have the training or authority to investigate this type of crime, then you’d better hope that SOMEONE in a government agency understands how these IT crimes work.
Because the fact that they are getting away with the crime and no one seems to be able to stop it, will only embolden them.
Is that a typical Ebay way of working go to the section above which says,
We’ve set out eBay 2-Step Verification set up instructions here.
and it goes to a 404 page. That is typical of anything ebay, not working.
I don’t think those behind the fraud are interested in all 200,000 ebay sellers though they are only interested in really quite high volume sellers of low value items and seemingly also those who have a paypal email addresses to fraudulent domains like hotmajl instead of hotmail they already have set up.
If you say they are only interested in sellers who aren’t going to readily notice £20k going missing over a 6-12 month period you’re looking pretty much only at sellers doing turnover in the hundreds of thousands of pounds most likely. Then from that you’ve got to cherry pick ones with large volume lower value transactions and also with active listings numbering quite a lot. Then they need a paypal email they can spoof.
If you apply those parameters the total pool of sellers would reduce enormously and be a much, much higher rate of compromised accounts. If, as it looks, it could end up being more than a hundred sellers affected it then seems that if you are a high volume low value seller that fits the profile the fraudsters are targeting you have a very high chance indeed of being affected.
I love ebay BUT this leaves a lot to be desired.
A few weeks ago I tried looking into this business policies thingy and it opted in.
I then kept getting the page that there were issues and to come back in a few days etc.
When I go to the https://www.bizpolicy.ebay.co.uk/businesspolicy/policyoptin page now, it just times out.
I phoned ebay and they were looking into it. No response since and that was a week ago.
At the time I also asked for a report of all my listing’s attached paypal email
addresses. Again that would be looked into but still nothing.
The two factor authentication is good, but last week it took me over an hour to receive a text message to be able to log in. Since then I installed their app and turned off all other notifications, just so I can “securely” log in.
I am no programmer but I know through their API, it MUST be possible to extract the listing ID or title and associated email address, and I wish someone wouldn’t mind creating that one as it would a massive help.
The good thing about the different paypal email addresses, when I had a need, was that I could set the paypal address as I needed. I used to use one account for micropayments and low value and another for higher value, this way I saved on the paypal fees.
I think the key is discovering the specifics of each crime and building a picture that will help identify how they are happening.
If @Chris is able to, and obviously with permission from the affected that he has discovered, the details could be published anonymously and others can have a lookee see.
Ebay are obviously keeping tight lipped but the educated readers of Tamebay may be able to help other avoid this issue.
very much above my head
but I cant help thinking if its a high level access ebay or paypal insider
no amount of password jiggery pokery will help
Surely the easy way for ebay to prevent this, is to not allow the changes to the paypal payment account address for a live listing. If someone had a need to change the paypal address this could be done via a telephone conversation, where further security checks could be carried out.
Ebay should be able to identify any ongoing problem accounts by looking for multiple paypal destinations
@Nick
This is what I don’t understand.
It’s quite simple for ebay to do.
Make a magic button that exports all your listings as a csv.
Most people can then have a look and easily see with filters if there is anything amiss.
I understand that they don’t want ALL information to come out to make it easy to import into other market places but the basic information required is not going to hurt.
Well, I’ve been ‘done over’ to the tune of £255. Whilst not in the same league as other big losses, for me it is significant. eBay wash their hands which is a big error on their part. Their platform has failed and they have left a security vulnerability running that would be simple to stop – either require additional levels of security to alter a payout address/account or, at the very least, send out an email of a change to such a critical piece of data, as they do when changing the password. eBay are 100% liable. Since I have so little explanation from eBay I have had to guesstimate the methodology of the fraud and will be suggesting to the serious fraud office that it is an inside job and the lack of corporate action to close the security loop-hole may indicate corporate compliance in the fraud. This may be entirely inaccurate and the fraud be an external problem against solid robust eBay security but only a detailed investigation by the serious fraud office will reveal the truth. Meanwhile I am also going to assume that the lower to mid levels of eBay are hiding the issue from the lovely high level eBay executives and, once they are alerted, will fall over themselves to compensate and see any security vulnerability is closed immediately and be proactive with any serious fraud office investigation. My deep searching of all and any senior executives in eBay, irrespective of their title, begins tomorrow following my formal response to my account’s fraud today. These senior executives will be a start, Devin N. Wenig Stephen Fisher Scott F. Schenkel Raymond J. Pittman Jae Hyun Lee and of course Wendy Jones who, “As Senior Vice President, Global Customer Experience & Operations at EBAY INC, Wendy Jones made $11,786,755 in total compensation.” By the end of October, most of the top brass will know my name. It is unfortunate to come to this kind of action. As I told the first contact at the customer services, I don’t care who, how, or why, I just want my £255 back. It should have been a simple compensation matter to cover a systems error and I would never have started digging .
Sorry that you have become yet another victim. I agree that it would be easy for eBay to do something about this.
I can’t figure out how it’s being done other than by someone on the inside who can bypass any security.
I’d be interested to know whether or not you are using business policies. I think that these email addresses are being changed on individual listings rather than through business policies.
I have also noticed a substantial drop off in sales for Friday and into today. This is often a peak sales time. There are a couple of other significant dips and each one coincides with my calling and chasing eBay for updates into the prior investigation into missing payments. I think it is quite clear that shops are taken offline whilst they examine any claims and it takes a good 12hrs, possibly 24hrs before the sponsored listing algorithm starts placing my sponsored listings (i.e. all of them) in search results.
” 2-step verification is on
Hi Darren,
You have successfully set up 2-step verification for your eBay account. You now have an added layer of security when you sign in to your account.
If you didn’t just sign up for 2-step verification, please contact us. ”
They can send me an email to tell me I have made a change to my security details, but not to tell me if the PayPal payment address has changed. I would be interested to know how many hacked accounts had 2 step verification. That would give a strong indication that the fraud is internal to eBay and indeed their denials are classically indicative of a coverup over such a possibility. Another component for the serious fraud office to examine. Note, if YOU do not report the theft and breach in data protection to the police, they will not take action. They must have a complaint to pursue so it is incumbent on every single victim to contact any police contact address and report the crime. You will be directed to the relevant place to lodge the crime formally.
Incidentally, are these the ‘business policies’?
Third-party authorisations,
You have authorised the following third-party applications to perform certain actions on eBay on your behalf.
eBay Bulk Listing Management (created 26-Jul-18) Revoke this authorisation
eBay Business Policies Management 2 (created 14-Oct-18) Revoke this authorisation
Parcel2Go (created 15-Mar-19) – Parcel2Go.com Revoke this authorisation
eBay Asynchronous Bulk Relist (created 20-Jul-19) Revoke this authorisation
Developing IT Ltd (created 08-Aug-19) – app.optiseller Revoke this authorisation
eBay Marketplace (created 03-Oct-19) Revoke this authorisation
Lithium Technologies, Inc (created 04-Oct-19) Revoke this authorisation
I have no idea what these do and so reluctant to change anything.
The hack on my PayPal addresses seems to have dated from the 19th July, approximately two weeks after turning off holiday settings and the same day that the ‘eBay Asynchronous Bulk Relist’ appears. What is this bulk re-list? What happens when it is turned off? Is it a coincidence of the dates? Is this a regular updating authorisation? When and how did I authorise these (I only know of the optisource)?
Another recent activity has been the changes to listing rules for certain categories. Like many, I used the ‘free’ optisource tool to check any listings I have for compliance, none found. Was the security breach to do with opitsource? What access was given to our listings to check the compliance with listing rules? Was the PayPal address knowingly or accidentally exposed and released? It seems the compliance check only worked by searching listings on the basis of a logged in user within the account rather than as an external examination of a listing as you would do as a buyer. Was that a backdoor to the PayPal addresses? Again, given eBay have failed to reveal any information it will be down to the serious fraud office to investigate more angles within the corporation and any contractors associated with eBay. Big job, but this is a big crime. eBay’s statement that they will assist in full with any police inquiry will be fully tested.
“If you wish to pursue this matter further, I suggest you report this incident to the police. eBay will gladly help the police with their investigations if needed. Please ask the investigating officer to email us by using the ‘report information to eBay’ link on the following page:
https://pages.ebay.co.uk/safetycentre/lawEnforcement.html“
EBay Inc. (NASDAQ: EBAY)
Can anybody point me to an eBay RNS where the company informed the market of the discovery of a significant security violation where pay to PayPal accounts can be altered without notice in individual listings? This would be market sensitive information and the intended action to take. Therefore eBay must have released some information to the market to allow investors to make informed decisions as to whether or not to invest in the company.
If they have not issued information about the discovery of the unauthorised altering of PayPal payment accounts, then they are in significant breach of listing regulations. That will be one for the FCA in London (0R3D EBAY INC EBAY ORD SHS ) and NYSE Regulation (“NYSER”) for EBay Inc.
It would have been so much easier for them to simply have stopped the security failure and compensated sellers in the exact same fashion they expect sellers to compensate buyers.
Another things just occurred to me and is worth taking note.
International platforms.
I seem to have magically just got access to my policies and just looking at the hundreds of old ones with no listings associated.
BUT then I wondered if there was one for every country – ebay platform.
https://www.bizpolicy.ebay.de/businesspolicy/manage?entriesPerPage=25&pageNumber=1
I know of old that different ebay platforms have different “WAYS”. You could do some things on the old Irish (IE) ebay site that you couldn’t with others, that WOULD affect international sales in different ways.
Another thing I used to have to try and do was stop packets going to pack stations in Germany.
https://www.ebay.de/ship/prf/excludeRegions
If I did anything to the UK version on ebay.co.uk then it allowed packstations on the German one again. and I would have to do the German one all over again to block pack stations.
Anyway, best check all the platforms to see what’s lurking.
Should be a matter of changing the domain name end from “.CO.UK” to “.IE” “.DE” “.FR” etc etc
eBay themselves allow scammers to do whatever they want. It says on the money back guarantee policy, a buyer is not entitled to their money back if the item was posted to a third party before being posted back to the seller. Yet a damaged item has been returned to me, the buyer told me they posted it to a third party, got it back then posted it to me and eBay say I have to issue a full refund. If not they will give the buyer a refund themselves on the buyers request. I mentioned the money back guarantee and was told they will still pay out the buyer as the return was delivered back to me and a return sent back to the seller will get refunded by eBay. I also mentioned the buyer admitted to breaking the item so the condition had changed but was told the buyer will still get refunded. Someone has suggested I try an appeal with eBay and if they still will not pay me out to take eBay to the small claims court. Just disappointed in the whole thing.
eBay don’t do enough to protect sellers. I am receiving abusive emails from a buyer. They broke an item, returned it to me and because I am refusing a refund are being abusive. I provided photographs of the item condition prior to dispatch and they are not happy I can prove the difference in condition to what has been returned.
Spoke to eBay about the abuse they said keep talking to the buyer. They were not interested in the abuse at all.
When I mentioned the condition of the return they just said refund the buyer. Someone needs to start regulating the likes of eBay so sellers have right. They just don’t care about the sellers.
How come the subject of the discussion has been neatly moved to quite a different topic. The original issue is still there and nobody affected or concerned is in the slightest deflected.
The 1 st poster claims the ebay account could be hacked at the ISP. Given the triple handshake in ebay data streams this would be impossible. In fact virtually every parcel of data has at least a double lock now since bandwidth and speed are so high the user barely notices the time for the double or triple handshake. Furthermore, they would never know which server port is being used with the ebay server and keep track of the changing nodes as traffic is automatically rerouted several times a second to handle traffic. ISP hacking is more conspiracy theory promoted by people who wear tin foil hats so that the CIA can’t read their thoughts.
I’m against over handed regulation of business but eBay has needed some sort of regulatory governance for years- it’s trodden on sellers for far too long.
This scam is currently happening to me right now & I call ebay every day to get put through to the Philippines and have to explain myself every time to be told “we will log with our fraud team and get back to you “I have spent at least 2-3 hours a day on the phone & go round in circles.The “fraud team ” are oblivious to thisand say theyhave never heard such a scam happening.Which is obviously from the research ive done there is hundrds of thousands if not over 1m been stolen this way.
The 1st day it was noticed paypal were informed aswell & again yesterday as they still not closed the paypal account down.I feel theyalso have a duty of care although its clear the issue is on ebay.
A full week has passed and every day at multiple times the paypal email address is changed on our listings.Of course we notice this & bulk change the listings back.Within an hour or so its back to the fruadulent email.
They must have some sort of software that can bypass ebay security as its the exact same listings that are changed.
We have 2 step on changed email changed passwords/ changed sername. We have even closed down all computers / turned off the internet and worked off a brand new computer on a complete different ISP to rule out an issue at our end.
Im not sure what to do as getting no help from ebay!!!!!!!!!!!!!!!!!!!
What is the easiest method to check if you have been scammed?
Yes we revoked all apps aswell but they still got in so still not sure how they are doing it.
Its 100% some software whether it be a file exchange or something im not sure
I changed password & email and revoked all accesses again last night been 12 hours and no listing been changed hopefully this is them away or they have gave up as I was constantly checking every 30 mins if the listings were converted .
Ebay to have this in the listings easy to corrupt is beyond me seems they are not investing in security enough.Simple solution when a listing is created the paypal email address is locked in for that listing.No changes can be made.