We are pleased to report that there is a new eBay Business Policies Change notification being sent to sellers, warning when a change is made to their vital account information.
Earlier this year there were a number of sellers impacted by hackers changing their eBay PayPal email payment address and syphoning funds off into dodgy PayPal accounts and stealing their money. Some of the sellers impacted lost tens of thousands of pounds over periods of months before the news was broken by one of the first victims, Richard Crisp, who was brave enough to go public and warn others of the danger.
Once Richard went public, it was quickly established that his wasn’t a one-off case and, in the weeks that followed, we identified dozens of impacted sellers who collectively lost many hundreds of thousands. Whilst eBay and PayPal never admitted liability for the losses, each blaming the other (eBay said they never touched the funds, PayPal said it was eBay’s problem as that’s where the fraud took place), eBay have been working behind the scenes to secure accounts.
We are pleased to report that we have had no reports of further instances of fraud of this type over the past couple of months and so are hopeful that eBay have now closed the loophole and put measures in place to protect eBay sellers’ accounts. This is further confirmed as we have now seen a new eBay Business Policies Change notification being sent to a seller, who in this instance made a change themselves to their own eBay Business Policies. What this should mean is that if your account is compromised you should at least receive warning if your eBay Business Policies are tampered with.
eBay Business Policies Change notification
In the last 24 hours, we noticed that at least one of your Payment Business Policies has been updated. Please review the changes and confirm the payment details. If you are using a PayPal email address, then carefully review, character by character (i.e., ensure that “l” hasn’t been replaced with “1”, or “0” with “O”, or lowercase “l” with uppercase “i”, etc.) to confirm that it is indeed your correct information.
If this change was made by you, then there is no need to do anything. However, if you do not recognise the changes, then please follow the steps outlined here as soon as possible.
Thanks for helping to keep eBay a safe place to trade.
Thanks, eBay
There are two things we would strongly encourage you to do to keep your eBay account secure and prevent a hacker from changing your eBay PayPal email payment address:
- Use eBay 2-Step Verification
- Use eBay Business Policies to manage your eBay PayPal email payment address
You can opt in to use eBay Business Policies here
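The character-by-character review the notification asks for can be scripted. The following is an added example, not code from eBay or from this article: it compares each policy's payment address with the address you know to be yours and flags the lookalike swaps the notification names (l/1/I and 0/O only). The policy names and addresses are constructed sample data, and how you export your policy list is left as an assumption.

```python
import unicodedata

# Lookalike pairs named in the notification: l / 1 / I and 0 / O.
# Every member of a group collapses to one representative character.
LOOKALIKES = {"l": "l", "1": "l", "I": "l", "0": "o", "O": "o", "o": "o"}


def _norm(addr):
    # NFKC folds full-width and other compatibility forms to plain characters.
    return unicodedata.normalize("NFKC", addr.strip())


def skeleton(addr):
    """Form of the address in which lookalike characters compare equal."""
    return "".join(LOOKALIKES.get(ch, ch.lower()) for ch in _norm(addr))


def check_payment_email(expected, observed):
    """Compare a policy's address with the known-good one.

    Returns (verdict, diffs); verdict is "match", "lookalike" or "different".
    diffs lists (position, expected_char, observed_char) for a lookalike.
    """
    exp, obs = _norm(expected), _norm(observed)
    if exp.lower() == obs.lower():
        return "match", []
    if skeleton(exp) != skeleton(obs):
        return "different", []
    diffs = [(i, e, o) for i, (e, o) in enumerate(zip(exp, obs))
             if e.lower() != o.lower()]
    return "lookalike", diffs


def audit_policies(expected, policies):
    """Return every (policy_name, address, verdict, diffs) that is not a match."""
    findings = []
    for name, addr in policies:
        verdict, diffs = check_payment_email(expected, addr)
        if verdict != "match":
            findings.append((name, addr, verdict, diffs))
    return findings


if __name__ == "__main__":
    # Constructed sample data: policy names and addresses are invented.
    good = "sales@bluewidgets.example"
    policies = [("Default payment", "sales@bluewidgets.example"),
                ("Payment copy", "sa1es@bIuewidgets.example"),
                ("New policy", "cashout@other.example")]
    for finding in audit_policies(good, policies):
        print(finding)
```

Any policy reported as "lookalike" or "different" carries an address that is not yours and should be treated as the unrecognised change the notification describes.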
7 Responses
Does this mean they are accepting liability? Shame they won’t pay out to people that have lost a lot due to hack! Makes you wonder if this would have been done if a big store like Currys had not been hacked?
This is a terrible solution to fix a terrible problem. There’s few better ways to improve it and potentially stop the hack happening again. An “email notification” is not the required solution. It’s easy for the email to be missed by its receiver, classed as spam, never delivered, or opens another way for hackers to go “phishing”.
This is not a resolution to the problem. We set up policies when we were hacked for the first time this year. When we were hacked for the second time they simply created a new policy with their email address. They then just switched between ours and theirs until we discovered it a short while later. No pat on the back for eBay, sorry. Maybe they should start to listen to sellers and put something in place that will actually stop this from happening. We are still no more secure now than we were before they introduced this. Good show eBay!!
If eBay use serif fonts like Courier or Times New Roman for email addresses then it would be impossible to mistake seeing a capital i for a lower case L. They would look different. So visual inspections could have identified if the email address is incorrect if they used a serif font. Unfortunately use of modern sans-serif fonts shows these letters exactly the same.
Of course this would not resolve how they got changed in the first place but had the font been a serif font then at least we could visually inspect the email address regularly or make sure we haven’t inadvertently typed in the wrong letter – which would still be possible with the other solutions.
Good point Nick.
I personally check our policies at least 5 to 6 times per day now to see if I can see any changes or new policies added. Unfortunately when we were hacked again in October it was when I was away on holiday for a week and I was not able to physically check this myself, they simply came in and set up a new policy and took what they wanted over that time. When I first heard of these notifications I thought great, that is one less thing to worry about. How wrong was I.