Slashdot Mirror


An Inside Look at eBay Security

daria42 writes "This in-depth interview with eBay's Australia/New Zealand security manager is fascinating reading for anyone interested in online security and how the online auctioneer interacts with law enforcement agencies. "Normal people don't get up in the morning and wonder how they can steal or trick someone. I won't rest until we can eliminate wrongdoing," says eBay's Alastair MacGibbon."

29 of 165 comments

  1. I want my five minutes back. by Anonymous Coward · · Score: 5, Insightful

    All that I got out of this article is that they have a phishing toolbar, an email address to test spoofs on, and that they are "committed" to a bunch of crap. This is not an in-depth look at anything.

  2. in-depth? by jbellis · · Score: 4, Insightful
    Wow. Isn't Monday morning a bit early to be hitting the crack pipe that hard?

    Sample "in-depth" response for those who didn't RTFA:

    How does eBay weed out unscrupulous sellers on your site?
    MacGibbon: We have zero tolerance for wrongdoing and are committed to making eBay as safe as possible for our members. We also work closely with law enforcement agencies to help them to bring offenders to justice.
  3. PR Fluff by Chmarr · · Score: 4, Insightful

    I read the article.

    I've never seen a more PR-fluff article in my life.

    (Okay, that was an exaggeration. I follow the SCO saga as much as the next guy :)

  4. "Normal"? by NineNine · · Score: 2, Insightful

    "Normal people don't get up in the morning and wonder how they can steal or trick someone."

    That's amazing that this guy can define a "normal" person since psychiatrists and psychologists have been trying to do this for many, many years. I happen to disagree with him, in fact.

    1. Re:"Normal"? by h4rm0ny · · Score: 2, Funny


      Normal people aren't ambidextrous aardvark aficionados either.

      If you were an aficionado of aardvarks, would you talk about it?

      --

      Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
  5. From the article: by jurt1235 · · Score: 3, Insightful

    There's been numerous stories about the security aspects of browsers. Would you recommend Internet Explorer or other browsers such as Firefox and Opera for eBay members?
    MacGibbon: eBay does not endorse any particular browser.

    Is Linux really more secure than Windows?
    MacGibbon: eBay does not endorse any particular platform.

    Then he really will not be able to get sleep. Promoting a browser with some anti-phishing techniques in it would help his job, and people listen to him based on his role.

    On the other hand, I understand his reasoning behind the remarks: If you promote something, and it still goes wrong, people will try to blame it on you.

    --

    My wife's sketchblog Blob[p]: Gastrono-me
    1. Re:From the article: by morgan_greywolf · · Score: 2, Insightful

      On the other hand, I understand his reasoning behind the remarks: If you promote something, and it still goes wrong, people will try to blame it on you.

      That's part of it, but you're missing the bigger picture.

      Even though there are various security issues on the user's end, it's not his job to ensure that security is tight on the user's desktop. In fact, he can't control what happens on a user's desktop at all. All he can control is what his servers present to the user and what happens on his servers. What happens on your desktop doesn't matter to him or to e-Bay, because, frankly, any security issues on your end are YOUR problem, not theirs.

    2. Re:From the article: by generic-man · · Score: 2, Insightful

      Firefox is no more secure than Internet Explorer if the user is gullible and if no "anti-phishing" toolbar is running. I can type my personal information and send it to some Pakistani web site in Internet Explorer, Safari, Firefox, you name it.

      There are countermeasures that people can use already, but with so many options out there -- and not all of them work equally well -- I'm not surprised that eBay is sitting this one out.

      --
      For more information, click here.
  6. An Inside Listen to eBay Security by Anne_Nonymous · · Score: 4, Funny

    An Inside Listen to eBay Security:

    "Hellloooooooooo.....!"

    "llloooooooooo.....!"
    "lloooooooo.....!"
    "loooooo....."
    "oooooo...."
    "oo....."

  7. Not so in depth by Anonymous Coward · · Score: 2, Informative

    On reading this it seems eBay haven't got a blue. Basically the whole thing can be summed up by saying:
    1) We work closely with law enforcement agencies
    2) Less than 1/100th of 1% of cases are fraud

    No new information. No techniques the rest of us can use to prevent on-line crime. No reason to read it :(

  8. Really? by hayalci · · Score: 2, Insightful
    I won't rest until we can eliminate wrongdoing
    Then this guy will not have rest for a looooooong time...
    --
    hayalci
  9. Marketing waffle by badfish99 · · Score: 3, Insightful
    This reads to me like a marketing exercise by Ebay: it's all buzz-words and vague empty statements:

    Q: How much (in dollar terms) and how many subscribers have made claims to eBay's buyer protection program?
    A: I cannot put a dollar amount on this figure.
    Q: How does eBay weed out unscrupulous sellers on your site?
    A: We have zero tolerance for wrongdoing and are committed to making eBay as safe as possible for our members.
    Q: Is Linux really more secure than Windows?
    A: eBay does not endorse any particular platform.

    And so on.

    1. Re:Marketing waffle by dr_dank · · Score: 2, Insightful

      and this guy also has a hardon against.... WRONGDOING!

      He says he won't rest until he can eliminate wrongdoing. Between children cheating at Old Maid and people not rewinding videos before returning them to the store, he'll be busy for the rest of his life.

      --
      Where does the school board find them and why do they keep sending them to ME?
  10. Eliminate wrongdoing? by Yonan · · Score: 3, Informative

    "I won't rest until we can eliminate wrongdoing," They'd best eliminate paypal (which they own) first then, if they're talking about wrongdoings. http://www.paypalsucks.com/ for the few who don't know about it. Taking the easy road out and getting money from the person they know is in the right just because it's easier than getting it from the scammer is the name of the game with Ebay and their wholly owned paypal.

  11. How can I take this seriously? by kryten_nl · · Score: 3, Funny

    "I won't rest until we can eliminate wrongdoing,"

    Someone give this guy a lightsaber...

    (Or a gun and a map to an Al-Quaida training camp)

    --
    For the perfect anti-Unix, write an OS that thinks it knows what you're doing better than you do and let it be wrong.
  12. The work of a lifetime by zanderredux · · Score: 4, Funny
    "Normal people don't get up in the morning and wonder how they can steal or trick someone. I won't rest until we can eliminate wrongdoing," says eBay's Alastair MacGibbon."

    Yes. That confirms it: he thinks he's Batman.

  13. Some REAL experiences: by Ancient_Hacker · · Score: 3, Interesting
    Here's some real experiences from 6 years of eBaying, both buying and selling:
    • Out of over 1200 items sold by me, I've gotten exactly ZERO bad checks. Two people didn't pay as promised. Not too shabby.
    • On the other hand, I reported to eBay a guy that was selling obviously copyright-infringing stuff. They responded they wouldn't do anything until THREE people reported it. I looked back in his list of buyers and got the requisite number of complaints. I got a boilerplate kiss-off e-mail from them-- eBay still declined to do ANYTHING to the scammer.
  14. Wow. by Sierpinski · · Score: 3, Funny

    "I won't rest until we can eliminate wrongdoing," says eBay's Alastair MacGibbon.

    That's going to be one tired fella. I think I just heard the price of coffee, Mountain Dew, and Jolt cola going up slightly in his locale.

  15. eBay = pirate friendly? by krell · · Score: 5, Interesting
    ' MacGibbon: We have zero tolerance for wrongdoing and are committed to making eBay as safe as possible for our members. We also work closely with law enforcement agencies to help them to bring offenders to justice. '

    I was recently looking to purchase a VHS tape of a classic TV show off eBay. I know this one exists as a regular commercial release, and I wanted to buy the legit copy. I found a certain seller listing it, and was poised to bid until I looked at his feedback.

    In the feedback, I found several negative feedback complaints that the seller shipped the buyer a crappy tape taped off of TV. The vague wording in the listing I was interested in (and lack of an image) implied that this, too, was just a copy off of TV. I asked him if the tape was legit, but got no response.

    After this, I would look for this episode, and always find the guy selling his pirated copies. His negative feedback which mentioned the copies being pirated grew. I reported him to eBay a few times. They did nothing. At one time, they said they had no policy against anyone taping commercial shows off TV and selling them.

    --
    Where were you when the voynix came?
  16. Advertisement disguised as information by iguana · · Score: 4, Insightful

    Which will I believe in the future? A fluffy piece about how much eBay cares about security ("We weally weally do care about security! Trust us!") which gives me no solid information ("Our toolbar does such-and-such to protect our customer.", "We have X technologies to assist victims of fraud.")

    OR

    stories from my brother *in Australia* about how he was ripped off by an eBay scammer? Or stories from coworkers and friends that have been ripped off by an eBay scammer? Or the author of a national bestseller telling how he was eBay scammed? [1]

    Here's a tip, eBay. Word of mouth goes a lot farther than a fluffy article that tells me nothing. I read a long time back a dissatisfied customer tells ~3x the number of people his experience than a satisfied customer.

    I'm honked off because I had to sit through that article, feeling patronized and advertised. Sheesh. What a waste.

    [1] _The Paradox Of Choice: Why More Is Less_
    by Barry Schwartz ISBN:0060005696
    (I think it was the first few paragraphs of chapter 7.)

    1. Re:Advertisement disguised as information by cakesy · · Score: 2

      I was ripped off by ebay, because of a scammer. Apparently someone had "hacked" someone else's account and bought a whole bunch of expensively priced items, including a bike I was trying to sell. So I never received any money for this, and still have the bike, but ebay still decided to take their pound of flesh. And since I didn't respond in time, I can't get the money back! Dirty dogs...

    2. Re:Advertisement disguised as information by antic · · Score: 2


      Couldn't agree more. My issue with eBay is not so much trouble with people breaking the law, but people selling second-hand goods as though they are new. I bought something touted as new a few weeks ago but it arrived looking like it'd been stolen, rolled in mud, slept on by a dog, and then scratched a bit for good measure. Returned it and suffered a bit more bait-and-switch.

      Of course, when I left neutral feedback, the seller hit me with negative feedback accusing me of all sorts of things.

      As you've suggested, I've told a lot more people about that experience than I would have if it were a good one.

      --
      'Thats they exact same thing a banana wrench monkey.'
  17. I won't rest until we can eliminate wrongdoing by Ingolfke · · Score: 3, Funny

    -- said Alastair MacGibbon as he donned his cape and dashed out the door for another day of crime fighting.

  18. Mod Parent Up. by amcdiarmid · · Score: 4, Insightful

    PayPal is a black mark against financial thieves everywhere. My experience with them is about like this:

    1) Realize purchased item is missing & seller not replying to email & contact number is bogus.
    2) Report it to PayPal
    3) Get canned response that you have to wait until the getaway is made (3-4 weeks?) before you make the report.
    4) Wait & re-make the report.
    5) PayPal Sits on the investigation for two weeks.
    6) PayPal Makes investigation
    7) PayPal says: "The seller appears to be fraudulent, but has withdrawn all funds from their account so we have no recourse: file a claim with your insurance."

    If Ebay had any thought about fraud, they would start with PayPal. This is just PR fluff.

    Consider the fight against regulating some types of Ebay Sellers (drop off points) like Pawnbrokers. Pawnbrokers are regulated so that there is a paper trail of who sold what (possibly hot) items. Some high crime areas have what are essentially Hot Item ebay resellers: They take items, and sell them on ebay. They then return ~66% to the "owner" who requested their services. Florida (god help me for using them as suggesting a good law) attempted to regulate this type of drop-off store, but was beaten down.

    oh, yes. PayPal bad.

  19. MacGibbon the superhero by Gax · · Score: 2, Funny

    "I won't rest until we can eliminate wrongdoing," says eBay's Alastair MacGibbon."

    Who talks like that? I can imagine Batman or Judge Dredd coming out with some heroic gibberish, but the guy works for eBay. What is he going to do? Wear his underwear on the outside and stomp out crime in time for tea?

  20. Thieves by Tom · · Score: 2, Insightful

    "Normal people don't get up in the morning and wonder how they can steal or trick someone."

    Right, they call it "portfolio management" or "marketing" instead, or use any other term for acceptable theft and trickery.

    I've seen some - and worked in - a few perfectly legal businesses which had all the trappings of a scam operation, except that they weren't illegal.

    --
    Assorted stuff I do sometimes: Lemuria.org
  21. Looks Like They Missed This One by miller60 · · Score: 4, Interesting
    From Netcraft:

    Phishers Steal Trust From Ebay Sign In Pages

    "Fraudsters have exploited a flaw in the eBay web site that allows them to orchestrate phishing attacks using eBay's own Sign In page. ... By including special parameters at the end of the URL, the fraudster has changed the behaviour of the Sign In page so that when a user successfully logs in, they will then be sent to the fraudster's phishing site via an open redirect hosted on servlet.ebay.com."

    Because of the "borrowing" of ebay's web site, the EBay toolbar reports the phishing site as legit.
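
Added example (not part of the comment above, and not eBay's code): the Netcraft report describes a sign-in page that forwards the user to a target which is itself an open redirect on one of the site's own hosts. The sketch below shows why a "same domain" check on a post-login target passes that chain while an exact host-and-path allowlist rejects it; every hostname, path and URL in it is constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed values for illustration; not eBay's real hosts or paths.
SITE_SUFFIX = ".shop.example"
DEFAULT_TARGET = "https://www.shop.example/my/summary"
ALLOWED_TARGETS = {
    ("www.shop.example", "/my/summary"),
    ("www.shop.example", "/item"),
}

def naive_is_safe(target: str) -> bool:
    """Weak check: trust any HTTPS host under the site's own domain."""
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    host = parts.hostname or ""
    return parts.scheme == "https" and host.endswith(SITE_SUFFIX)

def strict_is_safe(target: str) -> bool:
    """Accept only exact (host, path) pairs from an explicit allowlist."""
    # Backslashes, spaces and control characters are parsed differently by
    # browsers and servers, so refuse them outright.
    if "\\" in target or any(ord(c) < 0x21 for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False  # also rejects scheme-relative "//host/..." targets
    # netloc keeps userinfo and port, so "trusted@evil" or ":8443" never matches.
    return (parts.netloc.lower(), parts.path) in ALLOWED_TARGETS

def post_login_location(target: str) -> str:
    """Where the sign-in handler sends the user after a successful login."""
    return target if strict_is_safe(target) else DEFAULT_TARGET

# Constructed chain: a redirector on a sibling host forwards off-site.
CHAINED = "https://servlet.shop.example/redirect?url=https://phish.example/signin"

if __name__ == "__main__":
    for url in (CHAINED, "https://www.shop.example/item?id=42"):
        print(url, naive_is_safe(url), strict_is_safe(url))
```

The allowlist only helps if none of the allowed paths is itself a redirector; any endpoint that forwards to a caller-supplied URL needs the same check.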

  22. if E-BAY were serious... by goombah99 · · Score: 4, Insightful

    If they really wanted to eliminate the problem, which they don't really care about by all signs, then they would pay a bounty on fraud reports. They would establish some sort of trust network, similar to the feedback system, to cull the whiners from real fraud reports. Finally, they would require all sellers for new items over $100 to either post a 30 day bond with e-bay for cash/western-union payments, or conduct the transaction via VISA credit card. They would post an actual method of contacting pay-pal.

    If they were serious, they would do some sort of IP address localization, and post not only where the person said they were from but also where their IP says they are from.

    If they were serious they would not allow first time sellers to use western-union on new items over $100.

    If they were serious they would bar private auctions for first time sellers.

    ergo, they are not serious

    --
    Some drink at the fountain of knowledge. Others just gargle.
  23. Fraud percentage by pqdave · · Score: 2, Insightful

    I like the "less than of transactions are proven fraudulent". If you look at Ebay/Paypal's protection policies, it's not worth pursuing in most cases. With the combination of all the hoops to jump through and the limits on what Ebay will refund, you could earn more per hour at McDonalds. Meanwhile the fraudster has left you negative feedback just before switching to a new account.

    If Ebay really cared, they'd make it easy to report fakes and frauds, and they'd set up software to triage the reports most likely to result in a real finding and real people would work on those.