About Me: couldabeenworse (175)

Hi, and welcome to my page. I have a couple of pretty active buying and selling accounts here on eBay, and use this couldabeenworse ID primarily for posting messages on eBay's Trust & Safety Discussion Board. Stop there for a visit and you'll see some very interesting discussions on how to protect yourself as a buyer or seller.

JMHO: HIJACKED!!!!:
What to do if someone steals your account!
If someone else is using your account to bid, leave feedback or especially to list auctions without your permission:

1. Attempt to sign in and change your password. Start with the standard change password link. If you can't sign in directly, try your Password Hint, and the Sign In with SSL options. If you are able to sign in, change your password and hint immediately, and begin to undo any damage done by the hackers - including removing any bogus auctions, contacting bidders and sellers, and so on. Whether or not you are able to regain control of your account, please follow the remaining steps.

2. Contact eBay. eBay has just set up a new link for HIJACKED ACCOUNTS. Look for the Live Help link 2/3 down that page. Some people manage to get excellent, immediate help there, while others are merely told to use the web form. If you get the latter response, try again later; maybe you'll get a better helper. If Live Help is not available or not helpful, there are options to email eBay on that same page.

3. Install and/or update AntiVirus, AntiSpyware and Firewall software. Some hackings are the result of virus attacks and/or Trojans being on your computer. Update all virus definitions and run a full scan, and confirm every connection your firewall allows. If your system appears to have been compromised, fix it and then change your password again, since you may well have transmitted the new one to the hacker.

4. Check your other accounts! The hackers may have helped themselves to more than your eBay account. Check PayPal, your email ISP, any banking institutions and everything else you use online passwords for. There's no good reason not to change all your passwords right now. In addition to looking for any obvious account changes, make sure no new sub-accounts were added to your PayPal or email accounts. If any of these have been altered in any way, contact the appropriate customer service center as soon as possible.

5. Help protect others. Very often, accounts are stolen to fraudulently list non-existent auctions, or purchase items and "pay" with stolen credit card numbers (possibly yours). Please contact all bidders (NOT just the winners) of any bogus auctions and the sellers on any items you've "won". Con artists quite often make side offers to underbidders. Some hijack victims even go the extra mile and create another ID to bid on the bogus auctions. Unless the auctions can be ended by Buy-It-Now, it wouldn't seem likely that this is terribly effective - it probably just generates more side offers to the other bidders.

6. What to expect next. If you were unable to regain control of your own account, eBay will likely suspend it for a while until they complete the investigation. This may take days or even a week or two, and you may not get much contact during that time. Their initial focus seems to be putting out the fire by freezing the account, and it may take some time for them to get back to sweep up - probably because they are busy putting out a lot more fires. Even if you wrestled back your own account, you may need to contact billing if any auctions were listed by the scammers.

7. Find your vulnerability. While waiting for your account to be straightened out, try to ascertain how the hijacker got your information in the first place. While it's possible that someone hacked into eBay or elsewhere to get your password, most of us are much easier targets. In addition to virus/trojan attacks mentioned previously, many people give away information when they get a phony email (supposedly from eBay) that takes them to a phony website (that looks like eBay) to update information. If you fell victim to that, the thief has every bit of information you posted, so change or cancel any accounts affected. Many hijackings now seem to take place at the victim's email address first: the crook gets the email password (sometimes by creating a false email log-in page), swipes the email account, then gets eBay to send a new password link to the email account they now control. It's also possible that any account might be wrestled away by guessing the password - either manually or by a computer "dictionary attack". There are some great tips for selecting and using passwords here.

8. Beware of Symbiosis. Some hijackers don't completely steal the victim's email or eBay accounts, but prefer instead to share them. They often change email and/or eBay settings so you no longer receive emails such as listing and end of auction confirmations, then post their listings right alongside your others. Check your listings and accounts regularly, and investigate anything that looks out of order.

JMHO: Phony emails from "eBay":
The Bad Guys want your passwords,
bank info and whatever else they can get!
Bogus emails claiming to be from eBay have become very common, and are certainly the method used in many account hijackings. Most warn the recipient that their eBay account is about to be suspended, and that they must click on an email link to update their Contact Info. The link takes them to a page that looks just like eBay, with all the familiar graphics and format - but it's really a phony site set up to hand over your info to scammers.

How to tell a scam email. The first thing that catches many people's attention is poor grammar or spelling - probably the result of sloppy translation from the scammer's native tongue. But what should really be the big giveaway is that eBay just doesn't ask for this sort of information to be given through an email. If your Contact Info or Credit Card Expiration really does have a problem, the legitimate eBay email explains how to start at My eBay to update your info - it does not provide an email link to a webform. In addition, those familiar with headers and hidden links quickly see that the email originated from, and the link points to, somewhere other than eBay.

How to protect yourself. The simplest way to avoid getting suckered is to make it a habit never to click on any links in any email - and that does mean ANY email. You can enjoy eBay and most of the World Wide Web without ever having to click on an email link, so there's really no good reason to roll the dice if you aren't certain where a link will take you. In addition to password scams, avoiding the use of email links will cut down on your exposure to virus, trojan, spyware and spam attacks as well.

If you get a suspicious email - forward it with headers on to spoof@ebay.com promptly. Make sure your email begins with "fwd:" and that any hidden links are exposed. eBay does take this very seriously, and the spoof email address currently gets quite rapid results. They will confirm whether or not it's truly from eBay, and attempt to get the bogus websites and email addresses shut down ASAP. You may well spare some poor soul the agony of having his account hijacked. If you receive a phony email claiming to be from PayPal, forward it to spoof@paypal.com.

How to reveal headers. Headers are the gobbledegook attached to every email that give details on where the email originated and where it went along the way to the recipient. They are very important to the possible investigation of fraudulent use of email. The problem is, headers are not normally displayed in most email programs, since the average user really doesn't need them. Each email program has its own directions for how to display full headers; if you can't figure yours out, SpamCop has a great list to help you.
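What the headers and hidden links described above look like once exposed, as an added example that is not part of the original page. The sample message, its hosts and addresses, and the function names are all constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real message; hosts and addresses are reserved example values.
RAW = """\
Received: from mail.recipient.example by mx.recipient.example; Mon, 1 Jan 2001 10:00:02 -0000
Received: from unknown-host.example.net ([192.0.2.44]) by mail.recipient.example; Mon, 1 Jan 2001 10:00:01 -0000
Return-Path: <bounce@unknown-host.example.net>
From: "eBay" <aw-confirm@ebay.com>
Content-Type: text/html; charset="us-ascii"

<html><body><a href="http://192.0.2.44/ebay/signin.html">http://cgi3.ebay.com/update</a>
<a href="http://www.ebay.com/help">Help</a></body></html>
"""

def is_trusted(host, trusted=("ebay.com",)):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # remember the real destination, start collecting the visible text
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def addr_domain(value):
    return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()

def inspect(raw):
    msg = message_from_string(raw, policy=policy.default)
    # Each relay prepends its Received line, so the last one listed is the earliest hop.
    hops = msg.get_all("Received", [])
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    hidden = [l for l in collector.links if not is_trusted(urlparse(l[1]).hostname)]
    return {"from_domain": addr_domain(msg["From"]), "return_path_domain": addr_domain(msg["Return-Path"]),
            "origin_hop": " ".join(hops[-1].split()) if hops else "", "hidden_links": hidden}
```

The From line is whatever the sender typed, so the Received line written by your own mail provider and the real link destinations are the parts worth reading.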

If you filled out a bogus form - OUCH, you may have your work cut out for you. Start by changing every password that you've given (plus any password hints), and check all your online accounts for any tampering - and especially for the addition of secondary accounts. Some of these webforms go for broke and ask for banking info, PIN numbers, Social Security Numbers and whatever else they can dream up. If you've given out banking information, contact your financial institutions immediately, and discuss whether or not some of your accounts should be closed. You may also wish to study .

If you "just" clicked on the link - STOP THAT! Most of these pages appear to be fairly harmless if you don't fill out the form, but some have been reported to plant a virus, worm, or other critter in your computer. The rogue program might record keystrokes and send them to the hacker, or otherwise cause you grief and plenty of work. If you've already clicked on a link, start by updating your antivirus software definitions and running a full virus scan. Then update your firewall software and reset it to ask permission for every Internet access attempt. As each permission is sought, make sure you know what program is requesting access before allowing it - when in doubt, say "no" and see if you really need that permission. Some users think that a spyware/adware program might also help protect against some attacks.

JMHO: eBay's Change Password email:
A real one that's probably not as scary as it looks.
What's it look like? The subject line is "Change Password", and the body looks like this:

Forgot your password?

If you did not forget your password, please ignore this email.

To choose a new password, please go to the URL below: (please use it exactly as is including all trailing fullstops) http://cgi3.ebay.com/aw-cgi/pass/$1$2xxxxxxxxxxxxxxxxxxx

This request was made from:
IP address: xxx.xxx.xxx.xxx
ISP host: xxxxxxx.xxxxxx.net

Thank you for using eBay!
http://www.ebay.com

How do you get this email? The only way I've been able to generate this email is to actually click on the "Forgot your password" link on an eBay Sign In page, and follow the next couple of steps. Some claim you also receive it if someone repeatedly tries your password, or if someone attempts to register a new ID with the name you've already taken - but I've never been able to reproduce those results.

What's it for? If you actually forget your own password and click on the "Forgot Your Password" link, eBay sends this email to your registered email address. Clicking on that long link in the email allows you to reset your password without knowing your old one.

Sounds Scary! It sure is - if you let it. Anyone with access to that email can change your password and swipe your account, so make sure no one can get it - and certainly don't post it in a public place to find out if it's legit!

So some scammer probably requested it, trying to access my account? Maybe, but probably not. I only see a couple of likely vulnerabilities in this email. First, as above, if the scammer has access to your email, he can certainly use the link to swipe your account. In fact, no doubt many hijackings start with theft of the email account, then the hijacker uses this feature to get your eBay account as well. Of course, if the hijacker has your email account, YOU wouldn't be getting this email, he would. It's also possible that a hijacker could plant a trojan on your computer that could relay this link to him, but that seems rather far-fetched.

The other vulnerability is the same as with any email - it might not be from eBay at all. In theory at least, a scammer might send you a copy of this email, but the links may take you elsewhere to give away info. I don't see this as a particularly useful email to mimic, but play it safe, and just don't click on any links.

So who did request this email - and why? The overwhelming majority of these are probably simple honest mistakes - someone with a similar userID to yours mistyped and tried to log into your account. Since their password wouldn't work, they eventually gave up and clicked the "Forgot your password?" link. Of course, since the email is sent to YOU, they never receive it, and may click that link a few more times, generating several of these emails. Another, less likely scenario could occur if you accessed eBay from someone else's computer. Internet browsers can be set to automatically fill in forms (including eBay's Sign In form) from a dropdown list of names recently used on that form. If the regular user isn't paying attention, and your name is suddenly in his spot on the list, he could accidentally be trying to log into your account.

What to do if you receive this email. As both the email and eBay's help file say, you can probably just ignore it. To be extra careful, change your password - but NOT through the email link (start at My eBay or Site Map from any eBay page). This will make the link useless, and probably give you peace of mind. And as long as you're thinking about security, now's a good time to update your antivirus and firewall software.

JMHO: Safe and Unsafe Ways
to Pay a Stranger
The Second-Least Secure Payment Method is to leave a paper bag full of unmarked, non-sequential, small bills in the trash can next to the lagoon in the park.

The Least Secure Payment Method is to use a Wire Transfer. This especially includes Western Union payments, which take a non-refundable cash withdrawal from the sender's credit card, then give it to practically anyone in the world who claims it. Other services such as BidPay at least require the seller to have a real address, but still offer no protection to the buyer whatsoever.

The Safest Method to Pay a Stranger is usually to use a VISA or MasterCard credit card (not debit or check card) directly or through payment services (like PayPal or eBay Payments) that treat it as a charge. Be aware that some payment services take a "cash withdrawal" on your credit card, then pay a seller with that cash.

Special note for 2003: several fraud victims have recently claimed that Discover refused to chargeback against PayPal, essentially treating it as a Cash Advance. A recent MSNBC article stated that American Express takes the same stand. If this is true, then paying for an eBay item through PayPal with Discover or Amex can leave you with no protection.

JMHO: The Perfect Feedback for a Seller
The Perfect Feedback for a Seller would show a
  • long-time member (check date of registration)
  • with many (check overall rating)
  • recent (check for recent selling gaps)
  • and long-term (check a month or more)
  • selling (look for the "s" after item numbers)
  • positives (of course)
  • including some from experienced buyers (with high feedback)
  • for items similar to the one I'm looking at (look at items)
Of course, few sellers have perfect feedback, and how closely I follow my own terms depends on the cost of the item, payment methods accepted, and whether or not there are a lot of red flags in the listing. For example, I would ignore a lot of the above if the auction was for a $5 used pencil sharpener, but even one would send me scurrying away from an auction for a plasma TV from an international seller that requires payment by wire transfer.


The above page is maintained by: couldabeenworse (175)
