Keep internet fraudsters at eBay

Nicholas Mann learns a lesson on internet safety.

I have written often about the steps that one should take to ensure one's security when making transactions on the internet. So you would quite reasonably think that I was pretty confident about not being defrauded - certainly I was pretty confident.

But last month I had an experience that reminded me that one can never be complacent about online security - a lesson of which, I'm embarrassed to say, I needed reminding.

My story starts when I decided to purchase a new mobile phone. Nowadays it is common for people to keep their existing mobile phones and try to sell the new ones, sent to them by their network operators for renewing their contracts.

Knowing this, and being a keen eBayer, I looked on eBay first. Sure enough, there were hundreds of phones on offer; however, there were only a couple of lots that combined the phone that I wanted with the network that I needed.

Since there were only a couple of suitable lots, I hurriedly started to perform my usual checks in my normal way. I considered the offer price, assessing whether or not it was too good to be true - which it wasn't.

I looked at the vendor's eBay rating - which was extremely high, and at their feedback - which was positive. A high rank and positive feedback are my acid tests; if a vendor passes both then I'm happy to assume that they are legitimate.

Happy that this vendor was genuine, I initiated communications. The vendor replied announcing that they wanted to complete the transaction outside of eBay's systems, instead using Western Union's money transfer service.

This did set my fraud radar twitching, but my suspicions were allayed when they explained that this was simply to avoid having to pay eBay's commission. And I wanted that phone!

I wasn't familiar with Western Union's service - if I had been, and if I knew then what I know now, I would have run a mile! One of their first questions was whether this transaction was connected to an internet auction.

When they heard that it was, they issued a dire warning about the lack of security using their money transfer service. They told me that it should only be used to transfer funds to people that you knew and trusted.

But I really wanted that phone! I kept on going over it in my head, and I kept on coming back to the fact that the vendor's eBay rating was really high, and that their feedback was really good. It was only after the Western Union operator virtually guaranteed me that this transaction would be fraudulent that I reconsidered.

I was annoyed that in spite of the warnings I had still considered proceeding with the transaction. I mused at how a single lack of knowledge and an overwhelming desire to purchase an item can so drastically affect one's powers of judgement. Or maybe it just demonstrates that I'm stupid!

But one thing I was sure of was that if an expert internet user with nearly 15 years' experience can very nearly get caught out then there must be hundreds of other poor souls that have been - so I decided to research further.

Western Union say that they are not interested in participating in transacting payments for internet auctions, preferring to concentrate on their core customers who use the service to send funds to relatives and friends overseas.

Indeed Peter Bucher, Western Union's vice-president of operations for Europe, the Middle East, Africa and South Asia is on record as saying 'I want to highlight the fact that money transfer should never be used for sending money to a stranger, someone whose identity cannot be verified.'

Another reason why money transfer services are such a great vehicle for scammers is that they are also hard to trace. Very little is required to identify the recipient, beyond a piece of identification that can easily be forged.

If one contrasts this with a bank transfer going from one bank account to another, indelibly leaving a paper trail, you'll understand the attraction to scammers.

But one thing was still puzzling me. How could my vendor's eBay rating be so high, and their feedback so good? My answer came by way of an email from eBay.

They had received several fraud reports relating to this vendor and their systems were automatically alerting all users that had been in negotiations. Their email warned me not to proceed with any transaction with this vendor.

It also cautioned me against conducting transactions outside of eBay's systems, as they could not then be underwritten by eBay.

I told them that the only reason that I had got so far with the transaction was because of the vendor's high rating, and asked how this could be? Apparently:

  • If a legitimate eBay user (with a high ranking) has a very easy password, then it might be guessed (or brute-force cracked) by a fraudulent user.
  • The legitimate user might have been duped into divulging their login details via a phishing scam.
  • Lastly (but probably not finally) certain computer viruses can capture the typing of usernames and passwords and send them back to criminal gangs.

In each case the legitimate user would be completely unaware that their name and their ranking were being used fraudulently. So it would appear that my acid tests mentioned above are not enough. I needed to add to them: never complete transactions outside of eBay's systems.

A timely footnote to this saga was provided a couple of weeks later when news broke that a trio of Romanians had just been sentenced for defrauding £300,000 from unsuspecting eBayers, using pretty much the MO described above.

In summary I should applaud both eBay and Western Union for the steps they are taking to prevent their clients being conned. True; it's not completely altruistic as neither organization needs bad PR, but without their diligence I would almost certainly be several hundred pounds poorer now!

The Office of Fair Trading, together with Western Union, estimate that fraud victims have been conned out of nearly £1 billion in this sort of way, so the problem is far from trivial.

But at the risk of sounding like Nick Ross, one should also remember that for every fraudulent transaction there are thousands of valid ones. If you remember some simple rules you should be able to avoid being duped yourself.

Further reading

http://news.bbc.co.uk/1/hi/business/4338400.stm
http://news.bbc.co.uk/1/hi/uk/4385956.stm
http://news.bbc.co.uk/1/hi/uk/4386952.stm
http://www.abcmoney.co.uk/news/1620051140.htm
http://www.theregister.co.uk/2005/11/02/ebay_phishing_scam_gang_jailed/
http://www.theregister.co.uk/2005/10/28/ebay_scam_sentencing/
http://www.theregister.co.uk/2005/10/27/get_safe_online/
http://www.theregister.co.uk/2005/10/31/
http://www.getsafeonline.org/

http://www.interdirect.co.uk

September 2006
