Sunday, May 20, 2007

eBay Members Crying Out for Better Security


It has been more than a month since Rob Chesnut, eBay's Senior Vice President of Global Trust & Safety, announced to the eBay community that new fraud prevention initiatives were implemented on eBay's platforms. However, this blog has mentioned many times since Chesnut made his announcement that we have not seen any signs of the new initiatives. Nothing proactive has occurred, eBay member accounts are still being hijacked and fraudulent listings continue to appear on eBay's platforms 24/7/365.

However, there is a simple solution to instill member confidence in eBay, and that is for eBay to require all of its members to use the PayPal key fob that was rolled out onto PayPal's platform in March. Called the "PayPal Security Key", PayPal gives it free of charge to all users that have business accounts and charges $5 to users that have premiere or personal accounts. The "PayPal Security Key" can also be used on eBay, and eBay gave the "PayPal Security Key" to eBay PowerSellers at a certain level for free.

Although the "PayPal Security Key" does not stop fraud, by using it, members have some comfort knowing that they have added an additional layer of security to both their PayPal and eBay accounts. PayPal spokesperson Sara Bettencourt told CNET News.com in January that "If a fraudulent party somehow got hold of a person's username and password, they still wouldn't be able to get into the account because they don't have the six-digit code."

Just as eBay does not want to require new members to take tutorials to learn how to protect themselves from fraud, eBay does not want to require all of its members to use the "PayPal Security Key". However, we have a few solutions to at least instill buyer and seller confidence on eBay's platforms, and an additional enhancement for PayPal to implement. Moreso, the solutions are simple because PayPal and eBay have already rolled out and implemented the "PayPal Security Key".

If an eBay/PayPal member obtains the "PayPal Security Key", the member must activate it on either PayPal or eBay and must register the unique alpha/numeric serial identification number on the back of the key. The member would then also activate the "PayPal Security Key" on the other platform. To use the key on both PayPal and eBay, the member has to log on with his user ID, password, and input the 6-digit number that is randomly generated by the "PayPal Security Key". Once the member successfully logs onto PayPal or eBay he can fully access his account. Members do not need to log into eBay and use the key if they only wish to surf eBay.

The unique alpha/numeric serial identification number on the back of the "PayPal Security Key" is solely assigned to the PayPal/eBay account for a specific person or business. Presently, only one PayPal account can be associated to one eBay account; therefore, if a member has a combination of two or more PayPal/eBay accounts, each PayPal/eBay account would require its own "PayPal Security Key".

If a "PayPal Security Key" is lost, it is of no value to anyone else because the alpha/numeric serial identification number has already been registered with PayPal/eBay and cannot be reassigned or transferred. Should the key become faulty or is lost, the "Paypal Security Key" will be disabled by PayPal/eBay once the member it is assigned to reports such to PayPal/eBay. Members who may leave their "PayPal Security Key" at home, while wanting to access their PayPal/eBay accounts from another location, and those who are waiting for a replacement "PayPal Security Key" are still be able to access their PayPal/eBay accounts, but must answer security questions of which the answers are only known to them. Hijackers are unable to gain access to any PayPal or eBay accounts that are activated with the "PayPal Security Key" because the hijackers are unable to successfully answer the security questions.

The bottom line is that hijackers cannot tamper with PayPal/eBay member accounts that have activated the "PayPal Security Key".

Click on the thumbnail images below to enlarge them for a visual illustration of the PayPal and eBay log on pages when the "PayPal Security Key" is activated.



On a side note, we would like to mention that the estimated life of the battery in the "PayPal Security Key" is approximately one to two years. The battery cannot be replaced, so a member must obtain a new key from either eBay or PayPal.

We suggest that both PayPal and eBay create an icon that will appear as follows:

PayPal

• The new icon will appear on the PayPal message sent to the seller that the buyer accessed his PayPal account by using the "PayPal Security Key" and has paid for the transaction.

• The new icon will appear in a new column on the PayPal transaction register only for transactions in which the "PayPal Security Key" was used.

By implementing this new icon in these locations, it will give the seller confidence that the buyer did indeed authorize payment for the transaction. Although thieves can copy and use the icon in spoof messages, users will be able to verify the authenticity of a payment/receipt by accessing the transaction register on their PayPal accounts.

Click on the thumbnail images below to enlarge them for a visual illustration of the proposed changes to PayPal.



eBay

• Listings that are created and uploaded onto eBay platforms where the seller has logged in to his account with the "PayPal Security Key" will display the key icon in the blue listing box and in the location where the PayPal buyer protection information is located. It will also be necessary to use the "PayPal Security Key" to upload listings through Turbo Lister and any other third-party programs.

• If an existing listing that displays the key icon is revised, the eBay member must log in to access his eBay account with the "PayPal Security Key". If the member does not log into his account with the "PayPal Security Key", he will be unable to revise the existing listing. The member also will be unable to cancel the listing by himself. The member will have to contact eBay's Live Help for Fraud group to have the listing canceled and will also be required to provide verification information to the Live Help agent. eBay will not refund the listing fee to the member, as it will be considered canceled and not TKO'd. The eBay member will be able to list items without the key, but the "PayPal Security Key" will not appear in the listing. By only allowing members to revise listings with the "PayPal Security Key" this further prevents hijackers from accessing accounts and revising genuine listings for their own illegal benefit.

• The key icon will appear for all listings that are uploaded with it in a column on the eBay search results page.

• Just as members may search for listings that have PayPal as a payment option, the key icon will be added as a search function on the left hand side of the search page.

• The key icon will be added as a search function on the Advanced Search screen.

• The key icon will appear on the My eBay Summary screen for all applicable listings sub-categorized under "All Buying" and "All Selling" that are uploaded using the "PayPal Security Key" and paid for through PayPal with the buyer's "PayPal Security Key".

• We also suggest that because PayPal is not accepted by every seller, available in every country, or available to every member, that on eBay's platforms the key should be renamed the "eBay Security Key". eBay should also add its own logo to the existing key (which only says "PayPal") or create a key solely with the eBay logo on it.

Click on the thumbnail images below to enlarge them for a visual illustration of the proposed changes to eBay.



eBay Member Confidence

• eBay members will have confidence in these specific eBay listings, as they can only be uploaded to eBay platforms by the true member that is assigned the "PayPal Security Key".

• Buyers will have more confidence that listings are genuine because they will be able to search for listings containing the "PayPal Security Key."

• Buyers will continue to have confidence when obtaining general search results. They will be able to immediately see the "PayPal Security Key" icon related to each item and know, without having to click on the listing, that the listing is genuine.

• Instilling buyer confidence in eBay listings will generate more sales and higher sales dollars for sellers that use the "PayPal Security Key," and will also increase the average selling price (ASP), final value fees and increase revenue for eBay.

• Should an eBay member be assigned and have in his possession a "PayPal Security Key" and then be NARU'd, eBay will automatically disable the key for all eBay accounts associated with that particular key until the member is again in good standing. PayPal accounts will remain unaffected. However, because eBay and PayPal are considering allowing the "PayPal Security Key" to be used for multiple accounts in the future, this safety mechanism will prevent NARU'd members from having the opportunity to log in to eBay with the key.

• The more exposure the "PayPal Security Key" icon receives through eBay marketing, promotion, and announcements, the more it will convince other members, and specifically, sellers to obtain the "PayPal Security Key" for their own use.

Site Key

There may be some eBay members that infrequently use eBay, and therefore, might find the added security by using the "PayPal Security Key" to be cumbersome or not worth the $5 investment. Therefore, we suggest that to accommodate these eBay members and to provide further security, eBay also implement a site key.

A site key is a small image, chosen by the member to "individualize" his account. Each member will select an image from a random array of 50 images, and set up a security question. Each time a member logs in to his account, after entering his user ID, he will be directed to a second screen showing a random set of images. The member must choose his preselected site key and input his password to complete the login process. If the member does not choose the correct site key, he will be allowed a second attempt. If again unsuccessful, on the third attempt he will be asked to answer the security question. If the security answer is incorrect, the account will be completely disabled for 4 hours. The member will be sent an email message addressed to his eBay registered email account notifying him of the three unsuccessful attempts to log in to his account, and that the account is disabled for 4 hours. The email will also provide instructions on how to contact Live Help for assistance to have the account reactivated, though no action will be required by the member if he did not access his account and if he can wait through the 4 hour disablement period.

• The security question choices will be out of the ordinary. For example, questions with common answers will be easy to guess at. However questions such as "What is your eldest sibling's middle name" and "Name your first employer" will be nearly impossible for a thief to answer.

• Site key images will always appear in random order, and because the member will have two attempts to select the correct image to log into eBay prior to answering the security question, hijackers will be unable to determine which image is correct through keylogger programs.

• We further suggest that eBay create a library of 3000 site key images to choose from, although it only needs to offer a member an array of 20-30 images to choose from to initially activate the site key account protection. By implementing the site key and security question precautions, a hijacker would be unsuccessful in leading a member to a fake eBay login page.

• Since we are aware that there are millions of dormant accounts in eBay's database, we suggest that if a member has not activated either the "PayPal Security Key" or the site key within 30 days of the site key being rolled out, that eBay temporarily disable such accounts and require verification of membership when accessed. In the alternative, at a minimum, eBay should disable the selling privileges on the dormant accounts so hijackers already having access to an undetermined inventory of user IDs and passwords are unable use the dormant accounts to create fraudulent listings for their own purposes.

Click on the thumbnail images below to enlarge them for a visual illustration of the proposed changes by adding a site key.



Email Messages, Hyperlinks and Member Registration

• Both eBay and PayPal will remove all hyperlinks from its messages and only send messages to members stating they have new messages to read in the My eBay My Messages/PayPal accounts.

• By removing hyperlinks from messages and educating its members that neither eBay nor PayPal send email messages with hyperlinks, members will learn that any messages that look like they appear from either eBay or PayPal with hyperlinks in them are spoof and phishing attempts to obtain member IDs and passwords. By removing hyperlinks and educating members, the members will be less likely to be spoofed or phished, and thus not give up their private information.

• eBay will no longer allow members to register member IDs that are at all similar to their eBay registered email addresses. In this way, members will be less likely to receive fake Second Chance Offers from scammers who use random generator matching programs to detect member email addresses for their scams. This is extremely important because eBay's SMI initiative only obscures member IDs when a listing with bids reaches the $200 threshold.

• eBay will no longer expose any member's email address in Ask the Seller a Question and member to member messages. eBay will allow sellers to answer bidder questions that request additional images by creating eBay generated disguised links through the eBay messaging system similar to the way TinyURL works. Furthermore, eBay will perform malware scans on the links and images to ensure that neither the links nor the images are infected. Bidders wishing to see the images will click on the links to view them.

Click on the thumbnail image below to enlarge it for a visual illustration of the proposed changes to email messages.



If eBay requires its members to either use the "PayPal Security Key" or the site key, thieves will be unable to hijack eBay member accounts and existing listings, therefore, thieves' activities will be limited to the listings on the brand new accounts they create for themselves.

By implementing the above security processes as a complete package, eBay gives its members options, along with offering true security and assurances, that listings on its platforms are created by the true account holders and not hijackers. Member confidence in eBay being a safe marketplace will increase, members will be able to properly evaluate other members through feedback, the public's perception of eBay will be positive, and eBay will be proactively taking action to combat fraud on its platforms. Transparency will return to eBay's platforms.

Implementation of the security processes will allow eBay employees assigned to removing fraudulent listings, securing accounts, and assisting members with fraudulent activity due to hijackings to spend their time doing better things than repetitively removing listings, securing accounts, and advising its members how to keep their accounts secure. eBay's Trust & Safety team will become more effective and have the manpower and opportunity to concentrate its efforts on the problems with the Chinese counterfeiters, shilling violations, and other important trust and safety issues.

By no means will these security processes eliminate all of the fraud on eBay, however, it is a step in the right direction and a way to remove most of the fraudulent listings from eBay's platforms, while keeping its venue status, and protecting its members. We urge eBay's and PayPal's management teams to evaluate these security processes and implement them immediately.

The Nekkid Truth blog thanks the administrator of the Company Exposed website, eBay member "thepursesboutique", Team Whack a Hack, and the many eBay members wishing to remain anonymous for collaborating on this blog entry and providing the illustrations.

For press/media contact, please write to the blog administrator at always.the.nekkid.truth@gmail.com. We welcome all reader comments and questions. Please feel free to post your comments directly to the blog or email always.the.nekkid.truth@gmail.com for further information.

***NOTE***

We believe that we are proposing viable security solutions that eBay can easily implement, which will benefit eBay and its members. On Sunday, May 20, 2007, email messages were sent to eBay executives Bill Cobb, Philipp Justus, Rob Chesnut, Matt Halprin, and Dave Cullinane requesting that they review the proposed security suggestions and respond to this blog entry (see email message below). We will keep our readers updated and let you know if and when we receive a response from eBay.

Date: Sun, 20 May 2007 12:04:18 -0700 (PDT)
From: "The Nekkid Truth"
Subject: Security Proposal to Reduce Fraudulent Listings on eBay's Platforms
To: billc@ebay.com, pjustus@ebay.com, robc@ebay.com, mhalprin@ebay.com, dcullinane@ebay.com
CC: ina@auctionbytes.com

Dear Messrs. Cobb, Justus, Chesnut, Halprin, and Cullinane:

A group of eBay members that have been critical of eBay's lack of security have taken it upon themselves to find solutions to reduce fraud, and increase security and member confidence on eBay's platforms. Implementation of our proposed security enhancements are solutions to the issues eBay faces daily, and, will ultimately increase sales and revenue on eBay. Please review the proposal posted at http://nekkidtruth.blogspot.com/2007/05/ebay-members-crying-out-for-better.html.

We believe your IT group is technically capable to write the required code and perform the beta testing in order for these security enhancements to be implemented on eBay's platforms prior to the Christmas 2007 listing/buying season.

Further, by implementing these solutions, eBay returns transparency to its marketplace. Our proposed security solutions have merit and not only will solve eBay's security and fraud issues, but will strengthen eBay and give eBay members confidence in eBay. This is a win/win situation for eBay.

If you are in favor of implementing our proposed solutions this would be a wonderful announcement you can make at eBay Live. eBay's upper management will be getting the message out to a very large audience that it is proactively pursuing solutions to increase security and reduce fraud on its platforms.

We welcome your comments.

Sincerely yours,

The Nekkid Truth Blog

Company Exposed

Team Whack a Hack

Anonymous eBay Members